User based authorization
I have a question about role based authorization. Guess we have 100 transactions and 100 users. I know we have to create a new role for a new combination of transaction list. Ex: 1,2,3,4,14,15 is RoleA and 1,4,25,34 for RoleB and so on. What will it be if we have a really mixed authorization combination? Guess 15 users use A Role and 20 B Role. But we have three new users. They mustn't use only two transactions in A Role. Now we come to the subject of my question. I don't want to create a new role for these users. Is it possible to restrict authorization? As if in the same role but restricted to use these transactions. (without ABAP coding) In a clear expression: user based transaction authorization, not role based.
Hi,
in my opinion that isn't possible without coding.
Sorry ;-(
Regards
Bernd
Similar Messages
-
User based authorization to create Purchase Orders out of Purchase Req.?
Hello,
I have the following requiment for my client:
User based authorization to create Purchase Orders out of Purchase Req.?
I am told the same can be achieved using same standard menu path in IMG/Customizing.
Please advise with the menu path and details. Useful answers will be rewarded.
Thanks
Using OMET Function Authorization, you can restrict users to create Purchase orders without Purchase Reqn.
Using OMET trxn code, create one Function Authorization called pr, and in the General Parameters tab select the Field Selection, and in the Possible reference Objects tab mark the With ref to Prs check box and save.
Next, you've got to associate via SU01
Click Parameters, insert a new parameter id EFB to the authorization code.
Type in Parameters value you want e.g. XX
You have to assign the control for ALL the SAP buyers via their SAP user IDs.
Log off and log in again. Then try to create a Purchase Order without a reference.
From next time, whenever you try to create without referring to a PR, it will not allow you to save the PO.
Regards,
Ashok -
User Based Authorization with ISE
I am trying to configure ISE to limit the activity of individual users once they have logged in from an authorized PC into our network. We basically only want them to be able to connect to specific systems. Is ISE able to do this on a per user basis?
Yes.
One of the things you can do via your Authorization policy is to push a downloadable ACL (dACL) to the port (for wired users). For wireless users you can apply a pre-defined Airespace ACL from the WLC to the user session. -
User based Authorization for Documents
Hi All,
Is it possible to have following scenario?
1)
There is a folder A. Inside this folder there is a file abc.txt & xyz.txt.
Now User 1 & User 2 both have access to folder A.
User 1 can read / download the file abc.txt & xyz.txt
User 2 can see only the name of the file inside this folder, but he can't download this file. And he can read / download xyz.txt file.
And instead of user, can it be given role based also?
Like abc.txt can be downloaded only by the R&D role and not by any other users.
The main purpose of this feature is to let the user know there is a document stored in a particular folder, but he can only see the name of this document.
Regards,
Purav
Hi Jitendar,
From permission we can do only read, write, read & write, Full control, that's it.
See the scenario I have given.
User2 can't even read the file, he can only see the name of that file.
I have seen the KM Permission link http://help.sap.com/saphelp_nw04/helpdata/en/4c/9d953fc405330ee10000000a114084/frameset.htm
but still couldn't find the solution to my scenario.
Regards,
Purav -
BI Bex Query prompt based on User's Authorization....
Hi
In BI, I created 1 BEx Query based on Authorization. If a user runs the query, it prompts for 'Customer Name' to get data of particular customer. And Customer values are populated in the prompt based on User's Authorization.
For example:
User1 is authorized to see data of Customer1 & Customer2. So, Query prompt will show 2 values: 'Customer1' & 'Customer2'.
But User2 is authorized to see data of Customer1, so Query prompt will show 'Customer1' only.
I created 2 variables on Customer field:
1) Authorization Variable in Filter Section
2) Manual, Single Entry, Mandatory on Default Value section.
My Requirement:
If user is authorized to link with only 1 Customer, he should not get prompt & on the background prompt value should be populated from his authorization value. But if user is authorized to see multi-customers, then prompt should appear.
If possible pls. provide some suggestions....
Thanks...
Yes, this can be done.
but there is little work around.. Using guided navigations
1. Create a report with column fx as case when 1=0 then markets.region else user() end
2. apply filter on this column is equal to User_1
3. Create another report with column fx as case when 1=0 then markets.region else user() end
4. apply filter on this column is equal to User_2
5. Now add all your prompts to the dashboard, but each prompt should be in its own section object of the dashboard.
6. For first section click on section properties, go to Guided Navigation...
7. Browse Source Request as first report.. and keep If request returns rows selected.
8. Repeat above step for another section.. but this time browse 2nd report.
9. Just save dashboard.
Check now..
Hope you understood..
Regards
Kishore Guggilla
Edited by: Kishore Guggilla on Feb 18, 2009 12:57 PM -
Broadcast based on user's authorization
Hi
I have to broadcast the reports based on the user authorization. What are the possible ways of achieving this?
1. Is it possible to execute the report only once and send the reports to different users based on their authorization?
2. For example, there are four sales organizations and I want to send reports to users with only the sales org data he/she is authorized to see. For this, do we have to create four user roles restricting it to the sales org? If any other way, please suggest.
3. Is it possible to apply user's authorization on the file created by broadcasting? Basically I want to execute the report only once through broadcasting and apply the user's authorization and then burst the report data to the different users based on their authorization.
Thanks in advance.
Regards
Sadeesh
Dear Sadeesh,
We have the similar Req in our project. We need to Broadcast BI Report to Multiple Users based on Their Authorization which has been maintained in BI. Do you have a solution for this? Do we need to make some necessary Settings in User Profile?
Thanks In Adv.
Deepika -
Row-/instance-based authorization
Hi,
I'm looking for ways to implement row-/instance-based authorization using Toplink 9.0.4+ and Oracle DB 9.204. The domain objects are represented by standard Java objects (POJO's) not entity-beans.
My question: what are well-know working approaches to implement this? How did you do that in a project using Toplink and POJO's?
I guess Label security/Virtual Private Databases would be interesting to consider. But I wonder if it's possible to use that with Toplink. Issues that I see right now:
- how to propagate the credentials of the user to the database and still use connectionpooling?
- can Toplink generally make use of Label Security
Another approach would be to implement a JAAS extension following the lines of the article "Extending JAAS for class-instance authorization" http://www-106.ibm.com/developerworks/java/library/j-jaas/
I expect this can easily result in a separate query per object. Which probably results in atrocious performance.
Or this could be implemented by an aspect. But still this would probably necessitate n+1 queries for n objects. In other words: this would still let the appserver do the constraining of results while that is right task for the database of course.
Your comments and advice are highly appreciated,
Joost de Vries
the Netherlands
The main decision to make is whether to handle the instance level security in the application, or the database.
As you mentioned there are many ways to handle security in the application.
Oracle database supports VPD and OLS for row level security. The TopLink 10g 10.0.3 preview has added support for this refer to:
http://otn.oracle.com/products/ias/toplink/preview/index.html -
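One way to answer the connection-pooling question above with Oracle VPD, as an added example that is not from the thread or from TopLink: the application authenticates the user, asserts that identity in an application context on each pooled connection it borrows, and a DBMS_RLS policy filters rows by it. The schema, table, context and package names are assumptions, and how the pool's checkout and return hooks are wired into TopLink is not shown.

```sql
-- Added example; APP, ORDERS, OWNER_ID, APP_CTX and SEC_CTX_PKG are hypothetical names.
CREATE TABLE app.orders (
  order_id NUMBER PRIMARY KEY,
  owner_id VARCHAR2(30) NOT NULL,   -- end user who owns the row
  amount   NUMBER
);

-- Application context: only app.sec_ctx_pkg is allowed to write to it, so
-- ad hoc SQL on a pooled session cannot change END_USER directly.
CREATE OR REPLACE CONTEXT app_ctx USING app.sec_ctx_pkg;

CREATE OR REPLACE PACKAGE app.sec_ctx_pkg AS
  PROCEDURE set_user(p_user IN VARCHAR2);
  PROCEDURE clear_user;
END sec_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY app.sec_ctx_pkg AS
  PROCEDURE set_user(p_user IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'END_USER', p_user);
  END set_user;

  PROCEDURE clear_user IS
  BEGIN
    -- Overwrite with NULL so the next borrower of the session starts with no identity.
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'END_USER', NULL);
  END clear_user;
END sec_ctx_pkg;
/
-- Policy function: returns the predicate appended to every statement on the table.
-- With no END_USER set, SYS_CONTEXT returns NULL, the comparison is never true
-- and no rows are visible (fail closed).
CREATE OR REPLACE FUNCTION app.orders_rls(
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  RETURN 'owner_id = SYS_CONTEXT(''APP_CTX'', ''END_USER'')';
END orders_rls;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_OWNER',
    function_schema => 'APP',
    policy_function => 'ORDERS_RLS',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);  -- also reject writes that would create rows for another owner
END;
/
-- Per request, on a connection borrowed from the pool (user name constructed):
BEGIN app.sec_ctx_pkg.set_user('ALICE'); END;
/
SELECT order_id, amount FROM app.orders;   -- the policy predicate is appended to this query
-- Before the connection goes back to the pool:
BEGIN app.sec_ctx_pkg.clear_user; END;
/
```

Because the filter is part of the SQL the database runs, a query for n objects stays one query instead of n+1 per-object checks in the application server.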
How to set role based Authorization in JAAS
how to set role based Authorization in JAAS
i had user name , password and role in FileLogin
thanks
arun .v.
http://dev2dev.bea.com/pub/a/2003/04/Kemp_Helton.html?page=last
-
Person responsible based Authorization in Projects is not working for me
Hi,
Does 'Person responsible' based authorization for WBSE work for the WBS element only, or for the hierarchically sub-ordinate non-WBS objects (meaning Networks, Activities, Materials etc) as well?
Details:
(Authorization objects: C_PROJ_VNR and C_PRPS_VNR)
-- User1 is assigned with role TESTROLE1. This role has the Project manager based WBS & project authorization objects, with person number 101.
-- User2 is assigned with role TESTROLE2. This role has the Project manager based WBS & project authorization objects, with person number 102.
Following sample project is created by a super-user:
PROJ123 (Details: person responsible - 101)
WBS-1 (Details: person responsible - 101)
WBS-1/1 (Details: person responsible - 101)
NETWORK1
ACTIVITY11
MATERIAL111
MATERIAL112
WBS-1/2 (Details: person responsible - 102)
NETWORK2
ACTIVITY21
MATERIAL211
MATERIAL212
Now the requirement of super-user is that WBS-1/1 and its subordinate elements (Activities, Materials etc) should be editable only by User1. And similarly, WBS-1/2 and its subordinate elements should be editable by User2 only.
My issue:
Although WBS-1/1 is not accessible to User2, BUT User2 can edit the subordinate elements (NETWORK1, ACTIVITY11, MATERIAL111, MATERIAL112) of WBS-1/1. I do not want User2 to have edit access to subordinate elements of WBS-1/1.
Above issue is with User1 for WBS-1/2 as well.
Hope I am clear in explaining my issue. Can anyone please help me understand the standard authorization concept of Person responsible based roles. I suspect that I am going wrong somewhere but I am not able to identify the problem.
I want to allow access of a part of project to one user, and another part to some other user. And I do not want to go for an ABAP option if I can do above using basis authorizations.
(Above mentioned problem is not just with part of projects, but with a complete project as well.)
Hope to see some quick replies. Thanks in anticipation.
Thanks for the inputs Sreenivas.
Are you aware of any authorization objects which can restrict access to Networks, Activities, Material components and Milestones, using 'Person responsible' or any other suitable field? I hope you got what I am looking for.
Restricting WBSE based on 'Person responsible' without restricting sub-ordinate elements is not much useful according to me. It helps only with simple project structures (having only WBSE) and nothing much. Right?
Thanks again -
Restrict users based on Customers
Hi ,
In ECC system, we have general requirements to restrict users based on customer account group where customer account group is represented as Site/Store.
Possible values for Customer Account group -
- Reference Store
- Head Store
- Wholly Owner Store etc.
Till this point everything is fine. However, Client has few additional External Stores which are represented as one Dummy Site and Customers belonging to that store are actual external Stores.
Example, we have additional Value for Customer Account Group -
- Dummy Site
And now all the Customers that are part of the dummy site are actual stores, and we need to drill down our restriction to this Customer (so called Stores).
To restrict users based on customer account group/Stores, we can utilize F_KNA1_GRP with field KTOKD (Customer Account Group). However, is it possible to create roles based on individual customers of these Stores?
If yes, how can we do that?
P.S. I had a look at authorization object F_KNA1_BED with field BRGRU. Can this object help us in fulfilling our requirement? Or is there any other SAP provided authorization object which can help us to restrict on Customer values?
Thanks,
Sheenam
You could use F_KNA1_BED, I guess - but that would mean excessive maintenance of both: BEGRU and customers, if I understood your scenario correctly and you really, really want to break that down to single customers.
It would be even more excessive to utilize F_KNA1_GRP. Can be done, though.
Both solutions are completely un-elegant and I am not happy proposing them. But I am curious as a cat: what exactly is the business process expecting you to restrict access to customer data down to a single customer?
Edited by: Mylène Dorias on Mar 24, 2010 8:39 AM -
I would like to know if it's possible to deploy time-based authorization commands, in order to restrict the operator to modifying the router configuration only in maintenance windows. ACS 4.1
Please refer to this link,
Setting Default Time-of-Day Access for a User Group
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMgt.html#wp478788
Regards,
~JG
Do rate helpful posts -
I am trying to find a way to access the instance of a Resource in an AuthorizationProvider
in order to be able to determine if a specific user can access one instance of
that resource.
Example, my Resource is an EntityBean named: TestEntityBean, the code is as follows:
import javax.ejb.CreateException;
import javax.ejb.EntityBean;

public abstract class TestEntityBean implements EntityBean {
    // some default methods

    public java.lang.Long ejbCreate(Long key, String name) throws CreateException {
        System.out.println("TestEntityBean.ejbCreate");
        setSecurityid(key);
        setSecurityname(name);
        return getSecurityid();
    }

    // CMP fields: the container generates the implementations
    public abstract Long getSecurityid();
    public abstract void setSecurityid(Long securityid);
    public abstract String getSecurityname();
    public abstract void setSecurityname(String securityname);

    public void ejbPostCreate(Long key, String name) throws CreateException {
        System.out.println("TestEntityBean.ejbPostCreate");
    }
}
I am using CMP, and my DB is ORACLE. When my authorization provider intercepts
the request to getSecurityName() I can see:
This defines my resource being used (aka my TestEntityBean and the method) but
how can I find out what is the EntityBean content? i.e. for example how can I
define what is the primary key of this object?
If I am offline, would you have recommendations on how to implement an instance
based authorization model? (ref to articles...?)
Thank you
This is what the AuthorizationProvider named MmlFileAuthorizationProviderImpl gives
me:
MmlFileAuthorizationProviderImpl.isAccessAllowed
subject = Subject:
Principal: user1
Principal: myGroup
Principal: developers
Principal: mySecondGroup
Private Credential: principals=[user1, myGroup, developers, mySecondGroup]
roles = Anonymous,writer_user,reader_user,creator_user
resource = type=<ejb>, application=_appsdir_mml_ear, module=testsecurity.jar, ejb=TestEntityEJB, method=getSecurityname, methodInterface=Local, signature={}
direction = ONCE
handler = weblogic.ejb20.internal.DummyContextHandler@1c32369
MmlFileAuthorizationProviderImpl.isAccessAllowed
subject = Subject:
Principal: user1
Principal: myGroup
Principal: developers
Principal: mySecondGroup
Private Credential: principals=[user1, myGroup, developers, mySecondGroup]
roles = Anonymous,writer_user,reader_user,creator_user
resource = type=<ejb>, application=_appsdir_mml_ear, module=testsecurity.jar, ejb=TestEntityEJB, method=getSecurityname, methodInterface=Local, signature={}
direction = ONCE
handler = weblogic.ejb20.internal.EJBContextHandler@1372a7a
Resource hashcode: -1318771256
ID: 2145579658558124
Type: <ejb>
Keys[0]: application
Keys[1]: module
Keys[2]: ejb
Keys[3]: method
Keys[4]: methodInterface
Keys[5]: signature
Values[0]: appsdirmml_ear
Values[1]: testsecurity.jar
Values[2]: TestEntityEJB
Values[3]: getSecurityname
Values[4]: Local
Values[5]: {}
Looking for policy for resource(type=<ejb>, application=_appsdir_mml_ear, module=testsecurity.jar, ejb=TestEntityEJB, method=getSecurityname, methodInterface=Local, signature={})
I get all the information about the resource ... i.e. which entitybean object
is being used, but I cannot have access to any of the bean information, and this
is what I need to enable Instance based Authorization for this bean.
Basically how else can I say:
User Paul can do anything with this TestEntityBean being object "123" ?
User Jonh can only read the TestEntityBean "123" but can access and write in all
other bean TestEntityBean ?
Am I making sense? Can anyone help?
-
Urgent: Can anybody help with User-based sizing
Hi Experts.
I am new to the implementation. Can anybody help on initial user based sizing? Don't send the links of service market place. I want to know about what type of user has to be considered for the A/s Ecc6.0 and how to consider their roles in the appli.server. And also give me the information on users like low, medium, high in the Quizertool.
Replied answer could be rewarded.
Thanx.....
Hi,
Sizing basically doesn't depend on users. It is based on active users only.
Sit with your functional leads, and discuss roles and authorizations also.
Roles will be parent and child etc.
In the initial project blue print, we can find or estimation of no. of users and active users.
Initially go with normal settings according to Installation guide.
Read the Sizer well.
Note: Points always encourage me to reply !! -
Can't use role-based authorization
We can't use role-based authorization because the permissions
and their assignments change frequently. Is there any alternative
where we can still use WLS to handle security?
Dave,
If you're using WLS6 the console supports dynamic user updates so you could
change each users configuration as needed.
Alex
-
OIM - Email notification to a specific user based on a dynamic rule
Hello, After creation of account in a particular target resource I need to send an email to a specific user based on the location of the user (e.g area admin).
In the notification tab of process tasks, I see only "Assignee", "Requestor", "User", "User Manager". How can I achieve the above specified requirement?
Before posting this question, I tried to search the forum for any previous posts related to this. But I couldn't find any. Maybe I was not searching with the right keywords.
Any help is appreciated. Thanks in advance.
You'll need to custom code an adapter to send the email, then you can send to any user you want. Create a new task and trigger it off the completion response code. You can use the following apis:
tcEmailNotificationUtil sendMail = new tcEmailNotificationUtil(ioDatabase);
sendMail.setBody("Type your body here or use a string variable");
sendMail.setSubject("Type your subject here or use a string variable");
sendMail.setFromAddress("[email protected]");
sendMail.sendEmail("[email protected]");
Just populate the above pieces with the information needed.
-Kevin