User level grants

Hi all,
I created two users with the following commands after logging in as SYSTEM:
CREATE USER ABC IDENTIFIED BY pwd ;
GRANT CONNECT,RESOURCE,DBA TO ABC;
CREATE USER xyz IDENTIFIED BY pwd ;
GRANT CONNECT TO xyz;
I want to give privileges of only select on the data of ABC user to xyz user. xyz can only view the data of ABC. What will be the grant statement?
Thanks in advance,
pal

Thanks for your prompt reply.
Are there any more ways other than role based? I will do it manually like this:
select ' grant select on ' || table_name || ' to user ; ' from user_tables order by table_name ;
which will give all tables, and I will execute it.
Is there any single statement to grant to a user?
Thanks,
Pal
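
The generate-and-execute approach from the post above, done in one PL/SQL block (an added example, not code from the thread). GRANT SELECT ANY TABLE is a single statement, but it is a system privilege covering every schema, so per-object grants are what keep xyz limited to ABC's data. The block assumes Oracle 10g Release 2 or later (for DBMS_ASSERT and the DROPPED column) and is run while connected as ABC.

```sql
-- Added example: run while connected as ABC, the owner of the objects.
-- ABC and XYZ are the users from the question; the 10gR2+ requirement is an assumption.
SET SERVEROUTPUT ON

DECLARE
  v_stmt    VARCHAR2(400);
  v_granted PLS_INTEGER := 0;
  v_failed  PLS_INTEGER := 0;
BEGIN
  FOR obj IN (
    -- Ordinary tables only: skip recycle-bin entries, nested tables
    -- and IOT overflow/mapping segments, which are not granted on directly.
    SELECT table_name AS object_name
      FROM user_tables
     WHERE dropped = 'NO'
       AND nested = 'NO'
       AND (iot_type IS NULL OR iot_type = 'IOT')
    UNION ALL
    SELECT view_name
      FROM user_views
     ORDER BY 1
  )
  LOOP
    -- ENQUOTE_NAME quotes the identifier and rejects embedded double quotes,
    -- so an oddly named object cannot alter the generated statement.
    v_stmt := 'GRANT SELECT ON '
           || DBMS_ASSERT.ENQUOTE_NAME(obj.object_name, FALSE)
           || ' TO XYZ';
    BEGIN
      EXECUTE IMMEDIATE v_stmt;
      v_granted := v_granted + 1;
    EXCEPTION
      WHEN OTHERS THEN
        -- e.g. a view over another schema's table without WITH GRANT OPTION
        v_failed := v_failed + 1;
        DBMS_OUTPUT.PUT_LINE('FAILED: ' || v_stmt || ' -> ' || SQLERRM);
    END;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(v_granted || ' grants issued, ' || v_failed || ' failed');
END;
/
```

Objects that ABC creates later are not covered, so the block has to be re-run after schema changes.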

Similar Messages

  • Can we create wallet at User Level to implement TDE in Oracle 10g

    Hi
    I am going to use the Oracle 10g TDE security feature for data security. I have gone through lots of documents. Everywhere there is mention of opening or closing a wallet at system level, I mean ALTER SYSTEM, which means that except the DBA no one can see the encrypted column.
    But my requirement is a bit different: I want to encrypt the column based on user.
    Let's take an example. Suppose we have one table TEST with columns C1, C2, C3, C4, C5, C6 and there are users U1, U2, U3. I want to encrypt C1 and C3 for U1, C2 and C5 for U2, C4 and C6 for U3, and U1, U2 and U3 can see all columns except the encrypted columns.
    My question is Can we apply TDE at User level rather than system level.
    Any ideas or thought would be appreciable.
    Thanks in advance.
    ANwar

    The idea of TDE is to provide data protection on storage media, so when your backup tapes drop from the truck or the hard disk of a stolen laptop is sold online, encrypted data remains encrypted and can't be read by anyone.
    It seems to me as if you try to achieve access control by encryption, which you don't need: If users have sufficient privileges or the business need to see data, then they should be granted access and see the data de-crypted. Otherwise, access control mechanisms (roles, views, VPD, OLS) should kick in and hide the rows from them.
    So, for day-to-day business of your database, the wallet needs to be open, so that the database can de-crypt data for users who have been granted to see credit card numbers etc., but then limit access to credit card numbers they are not allowed to see with other measures. There is a little hands-on for TDE and VPD here:
    http://www.oracle.com/technology/obe/10gr2_db_vmware/security/tde/tde.htm
    Hope this helps,
    Peter
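
The access-control route Peter describes, applied to the question's U1/U2/U3 scenario with VPD column masking (an added example, not code from the thread or from the linked tutorial). It assumes the table TEST lives in a schema called APP_OWNER; that schema name and the package and policy names are hypothetical.

```sql
-- Added example. APP_OWNER (schema holding TEST) and all package/policy
-- names are hypothetical; TEST, C1-C6 and U1-U3 come from the question.
CREATE OR REPLACE PACKAGE app_owner.test_col_policy AS
  FUNCTION hide_from_u1 (p_schema IN VARCHAR2, p_table IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION hide_from_u2 (p_schema IN VARCHAR2, p_table IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION hide_from_u3 (p_schema IN VARCHAR2, p_table IN VARCHAR2) RETURN VARCHAR2;
END test_col_policy;
/
CREATE OR REPLACE PACKAGE BODY app_owner.test_col_policy AS
  -- With column masking, a predicate that is false for a row makes the
  -- policy's sec_relevant_cols read as NULL in that row; a NULL predicate
  -- means "no restriction" for the current session.
  FUNCTION mask_for (p_user IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = p_user THEN
      RETURN '1=0';
    END IF;
    RETURN NULL;
  END mask_for;

  FUNCTION hide_from_u1 (p_schema IN VARCHAR2, p_table IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN RETURN mask_for('U1'); END hide_from_u1;

  FUNCTION hide_from_u2 (p_schema IN VARCHAR2, p_table IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN RETURN mask_for('U2'); END hide_from_u2;

  FUNCTION hide_from_u3 (p_schema IN VARCHAR2, p_table IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN RETURN mask_for('U3'); END hide_from_u3;
END test_col_policy;
/
DECLARE
  -- One policy per column group, each masking its columns for one user.
  PROCEDURE add_mask (p_policy IN VARCHAR2, p_func IN VARCHAR2, p_cols IN VARCHAR2) IS
  BEGIN
    DBMS_RLS.ADD_POLICY(
      object_schema         => 'APP_OWNER',
      object_name           => 'TEST',
      policy_name           => p_policy,
      function_schema       => 'APP_OWNER',
      policy_function       => 'TEST_COL_POLICY.' || p_func,
      statement_types       => 'SELECT',
      sec_relevant_cols     => p_cols,
      sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
  END add_mask;
BEGIN
  add_mask('TEST_MASK_U1', 'HIDE_FROM_U1', 'C1,C3');
  add_mask('TEST_MASK_U2', 'HIDE_FROM_U2', 'C2,C5');
  add_mask('TEST_MASK_U3', 'HIDE_FROM_U3', 'C4,C6');
END;
/
GRANT SELECT ON app_owner.test TO u1, u2, u3;
```

Each user still gets every row, but the masked columns come back as NULL; accounts holding EXEMPT ACCESS POLICY bypass the policies, so that privilege needs to be audited alongside them.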

  • Disable profile option updation at user level

    I want to disable the profile option HR: Security Profile or for that matter any other profile option at user level. The user should be able to see the value set by the system administrator (Field should be grayed out) and user should not be able to update it.
    How to do it??

    Try a personalization combined with custom PLSQL, like this:
    1) Access System Profiles
    2) Help->Diagnostics->Custom Code->Personalize
    3) In the newly displayed Form Personalization form, create a line with a description like this: Prevent modification of USER_VISIBLE_VALUE
    4) In the Conditions tab, set Trigger Event = WHEN-NEW-ITEM-INSTANCE
    5) Set Trigger Object = PROFILE_VALUES.USER_VISIBLE_VALUE
    6) In the Condition text area, enter:
    apps.xxror_test_sysprofile(:PROFILE_VALUES.USER_PROFILE_OPTION_NAME,'USER')=1
    7) Set Processing Mode to Both
    8) Switch to the Actions tab and create two actions:
    first:
    type = property
    description = Don't update
    Language=all
    enabled=yes
    object type=Item
    target object=PROFILE_VALUES.USER_VISIBLE_VALUE
    property name=UPDATE_ALLOWED
    value=false
    second:
    type=property
    description=Don't enter
    language=all
    enabled=yes
    object type=Item
    target object=PROFILE_VALUES.USER_VISIBLE_VALUE
    property name=ALTERABLE_PLUS
    value=false
    9) Repeat steps 3-8 if desired for other levels, such as:
    Prevent modification of SITE_VISIBLE_VALUE
    Prevent modification of APPL_VISIBLE_VALUE
    Prevent modification of RESP_VISIBLE_VALUE
    Prevent modification of SERVER_VISIBLE_VALUE
    Prevent modification of ORG_VISIBLE_VALUE
    paying attention to update the corresponding names for xxx_VISIBLE_VALUE.
    10) Create the following PLSQL function:
    CREATE OR REPLACE function xxror_test_sysprofile (
    prof_opt_name in varchar2,
    lvl in varchar2
    ) return number
    is
    v_ret number;
    s_prof varchar2(1024);
    s_uname varchar2(100);
    s_lvl varchar2(10);
    begin
    -- returns 0 if the user "uname" must be granted access the profile named "prof_opt_name" at the "lvl" level
    -- returns 1 if the user "uname" must be forbidden to access such a profile at such a level.
    -- important assumption: the "lvl" parameter may have only one of the following values:'SITE', 'APPL', 'RESP', 'USER', 'SERVER', 'ORG'
    -- or else this function will return 1, thus forbidding the access
    s_uname:=substr(upper(trim(nvl(fnd_profile.value('USERNAME'),''))),1,100);
    -- normalize the level up front so every branch below sees it
    s_lvl:=substr(upper(trim(nvl(lvl,''))),1,10);
    if s_uname in ('MY_ADMIN_1','MY_ADMIN_2','SYSADMIN') then
    v_ret:=0; -- no restrictions
    else
         if s_uname in ('MY_POWERUSER_1','MY_POWERUSER_2') then
         -- restrict to only the below mentioned profiles
         s_prof:=substr(upper(trim(nvl(prof_opt_name,''))),1,1024);
              if
              (s_prof like '%WHATEVER%')
              then
                   if s_lvl in ('SITE', 'APPL', 'RESP', 'USER', 'SERVER', 'ORG') then
                        v_ret:=0; -- level acceptable for these users on these profiles
                   else
                        v_ret:=1; -- unknown level, so reject
                   end if;
              else
                   -- these users may not access these profiles, so reject
                   v_ret:=1;
              end if;
         else
              if s_lvl = 'SITE' then
              -- no way any other user than those above may modify site-level profiles
              v_ret:=1;
              else
                   -- any other user than those above may modify lower-level profiles, but
                   -- for now reject all
                   v_ret:=1;
              end if;
         end if;
    end if;
    return v_ret;
    end;
    Pls be aware that testing first on a test instance is always advisable.

  • Debug privilege - is it at object level or user level or both?

    Just want to know at what level Debug privilege can be granted? At object level or user-level or both?
    I'm under the impression that if a user, say 'A', is given this privilege, then he can debug all the procedures/packages/objects in his schema. I guess it's like granting the privilege at user level.
    On the other hand when we say 'grant debug on proc_name to xyz' , it's at object level.
    Please check and correct my assumptions.

    in order to debug (i.e, activate dbms_debug) in a session you need:
    debug connect session
    in order to debug objects that you are not the owner you need:
    debug any procedure
    or
    grant debug on procedure from the user that own the pl/unit
    hope it helps,
    Amiel Davis

  • URGENT...Help on User Level export and import

    User level export and import -
    In my db there are more than 20 users. I would like to export only 2 users, and they have constraints to other user tables in the db.
    what are the precautions I need to take before exporting ???
    1. Disabling all constraints etc, .
    2. Synonyms, Procedures, Triggers etc.
    3. what are the parameters setting I should use for the export.
    For Importing back into DB (same users) - What are the sequences/steps to follow..
    1. what are the parameters setting I should use for the Import.
    2. Precautions like Disabling Constraints...
    3. Special actions for Synonyms/ Procedures.
    Using Oracle 8.1.7 on Solaris.. Total DB Size is 13.3 GB
    Any help will be appreciated....

    See to it that you have the DBA privileges to exp/imp.
    1. Grant export full database / import full database privileges to the user doing this.
    2. If this is the first time you are doing this, you have to run the scripts CATEXP.SQL and CATPROC.SQL as user SYS/INTERNAL to create the necessary views and data dictionaries. These instructions are also mentioned in the comments at the beginning of the scripts.
    3. Also create the necessary tablespaces where you need to direct your imp.
    4. Select the interactive option where you can interact with the imp/exp process, and you can do this selectively for users/tables/partitions and other preferences.
    5. Look out for the version compatibility of your .DMP files.

  • Make all the forms at a user level or responsibility level to be read only

    Hi,
    Please suggest me to make all the forms at a user level or responsibility level to be read only. So that when a particular user logs in, he gets all the form in read only mode or at a particular responsibility all the forms are read only so that we can attach this responsibility to the user for the same purpose.
    Any ideas will be highly appreciated.

    check this blog,
    http://www.oracleappshub.com/11i/oracleapps-responsibility-vs-sap-functions/
    Re: How to change OM responsibility as read-only in oracle applications 11i
    read only responsibility-user

  • How to create a profile value at user level programmatically

    Dear all,
    I want to create a profile value at user level programmatically. I referred to the developer guide and tried to use fnd_profile.put() to create a new value.
    But I found out the value is just created at session level, not inserted into the base table.
    So does anyone know how to do this in PL/SQL?
    Any idea is appreciated.
    Best Regards,
    Kenny

    Check Note: 364503.1 - How to Set a System Profile Value Without Logging in to the Applications
    https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=364503.1

  • Error while performing Risk Analysis at user level for a cross system user

    Dear All,
    I am getting the below error, while performing the risk analysis at user level for a cross system (Oracle) user.
    The error is as follows:
    "ResourceException in method ConnectionFactoryImpl.getConnection(): com.sap.engine.services.connector.exceptions.BaseResourceException: Cannot get connection for 120 seconds. Possible reasons: 1) Connections are cached within SystemThread(can be any server service or any code invoked within SystemThread in the SAP J2EE Engine), 2) The pool size of adapter "SAPJ2EDB" is not enough according to the current load of the system or 3) The specified time to wait for connection is not enough according to the pool size and current load of the system. In case 1) the solution is to check for cached connections using the Connector Service list-conns command, in case 2) to increase the size of the pool and in case 3) to increase the time to wait for connection property. In case of application thread, there is an automatic mechanism which detects unclosed connections and unfinished transactions.RC:1
    Can anyone please help.
    Regards,
    Gurugobinda

    Hi..
    Check the note # SAP Note 1121978
    SAP Note 1121978 - Recommended settings to improve peformance risk analysis.
    Check for the following...
    CONFIGTOOL>SERVER>MANAGERS>THREADMANAGER
    ChangeThreadCountStep =50
    InitialThreadCount= 100
    MaxThreadCount =200
    MinThreadCount =50
    Regards
    Gangadhar

  • LaserJet P1505n printing slow just for user-level accounts in Win7

    I have several workstations running Win7 Pro 64-bit that have been installed as replacements for XP machines.  All of them print to one of several P1505n printers, and are using the latest drivers from HP.  Under XP there were no problems printing to these printers, but the Win7 machines have significant delays when trying to print.  The Windows test page prints instantaneously, but printing from any other application has a delay of up to a full minute before the job begins to print.  Once the job prints, it prints without issue.
    One thing that I have noticed during my testing seems to point to permissions.  If I am logged in using my admin-level account, everything prints as it should, with no delays at all.  Once I log in with a user-level account, however, the delays begin.  I found the driver files at C:\Windows\System32\spool\drivers\x64\3, but giving "everyone" full control over those files does not help.
    Is there anything else that I should be looking at?
    Thanks in advance!
    Donny

    In the end, I was able to resolve the problem by installing the Vista x64 drivers.  No playing with permissions necessary.

  • Windows Server 2012 Group Policy Block USB Storage devices @ User Level Not getting applied on a Domain Client machine with Windows Server 2008 R2. Why?

    Hello,
    I have a Windows Server 2012 R2.
    I have configured the Group Policy on it to block the usage of USB storage devices at user level on the client machines. It works properly for my Windows 7 client machines, but it's not working on one of the machines that has Windows Server 2008 R2 installed on it (this machine is also a domain client in the same domain).
    I will really be thankful if anyone can suggest some solution to this issue.
    Please feel free to write back in-case I have missed anything obvious to be shared.
    Thanks!
    -Vinay Pugalia

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi

  • Issue in User Level Simulation in GRC 10.0

    Hello Every one,
    Before i Jump into the question, please find below the screen shot which tells about the B.P(Business process),Functions created in test system(GRC 10.0), where as the roles and corresponding users which have been created in back end system connecting to GRC 10.0.
    Now when i am trying to run a risk analysis on user TEST_RISK(TEST_ROLE_RISK role is assigned and pfa the authorizations in the role), i will be shown the Risk R001.
    Now i am trying to run user Level Simulation on the above user TEST_RISK and i am trying to simulate by adding a new role TEST_ROLE_RISK3 as shown in the below screenshot at Action level,Permission Level,Critical Action level ,Critical permission level.
    Even though i select the option, Risk from Simulation only, when i try to execute at action level , it is also showing me the risk which coming from the actual role assigned but not from the simulating one.
    Thanks and Regards,
    Naga.

    Hi Naga,
    there are some notes which might help to fix the problem. Especially the first might fix your problem.
    http://service.sap.com/sap/support/notes/1895502
    http://service.sap.com/sap/support/notes/1953347
    Please let us know if it helped.
    Regards,
    Alessandro

  • Permissions set at USER level

    Can I just confirm that if I open a User within Server settings and I see any of the Global permission tickboxes ticked, then these have at some point been set at the User Level. If, however, best practice has been observed and users have only ever been selected against groups, then I should NOT see any boxes in any of the Users permissions ticked at all?  Is that correct?
    Thanks in advance,
    Steve

    Steve --
    You are absolutely right, my friend.  If you see ANY checkboxes selected in the Categories or Global Permissions sections of a User page, then these selections represent an override to the permissions specified by the Groups to which the user belongs. Best practice dictates that permissions for each user be controlled by adding the user to Groups, which makes for a simpler and easier to understand security model.  This is a GREAT question, my friend, and I applaud you for asking it.  :)
    Dale A. Howard [MVP]

  • How to forbid command field at user level?

    Does anyone know how can i forbid at user level the command field?
    Thanks
    M.

    Hi marco,
    1. In normal SAPGUI,
       there is some REGISTRY Value, (when gui installation is done)
    2. If that setting/value in registry is changed,
       then the command field won't come.
    3. For PORTALS,
        the setting is done in the ICF/Service parameter
       ~NOHEADEROKCODE=1
      (By doing this, it will come in SAP GUI,
      but won't come if we access r/3 from portal/internet explorer)
    regards,
    amit m.

  • How to hide the columns at the end user level thru personalization

    Hi all
    How can I hide the columns that are displayed on the portal? Is there any personalize option for the end user? Any right click or something?
    I am looking at hiding columns not while developing the iViews / Pages, but in the browser as the end user.
    I can hide whatever columns I want while creating the iViews for MDM data, but we can't provide the content administrator role to the end users for hiding whatever columns they want. They want to hide the columns through the personalization option at the end user level.
    Can you please let me know whether we are able to hide the columns at the end user level through personalization? Is it possible with standard iViews?
    Regards
    Sunil

    Hi Sunil,
    I understood your requirement properly and it seems valid. I tried this at my end but I didn't get the solution. The field list is not visible in the Personalize option. I don't think it is possible with MDM standard iViews.
    I was thinking an alternative is if we somehow manage to give the permissions to the end user only on the Result Set iView, but even if it were possible it would not be a good design.
    Let's wait for some inputs from others.
    Regards,
    Jitesh Talreja

  • What is Execution Count in User Level Analysis?

    Hi,
    Can anyone throw light on what the Execution Count column means in the User Level Analysis report? If it is the number of times the users execute the action, then how can we discover from when it counts?
    Does it count from when the user started using that tcode or action?

    Hi Pranjal,
    Yes, Prashant is correct it counts from the first job run, but as it takes data from STAD, so the counting is actually as per the STAD data store setting.
    So if STAD store data for 4 days and if you run job in today it will count from 17.05.2014, make sure you have this job running regularly, if you miss this job run for more days than the retention period of STAD data, you may miss execution count for those days.
    Hope this clears your query.
    BR,
    Mangesh
