Useradmin rights revoked

Hi all,
We have a large problem..
In our NetWeaver 7.0 system, a user has sap_j2ee_adm rights. However, he wasn't supposed to have rights to access user administration on the portal. Someone has changed the rights of the role sap_j2ee_admin to establish this, but doing so, nobody is allowed to access the UME anymore. We cannot change anything! The users are validated against the ABAP stack, which we can access normally.
Does someone know how to reset these rights?

I know there is an emergency user sap* for ABAP, didn't know it also exists for JAVA. Case solved using /message/1388971#1388971 [original link is broken]

Similar Messages

SAP Query, user groups, revoking 'change' rights

Hi,
I have a problem regarding SAP Queries and revoking the change rights. This is what I have done:
1. Created the new user group in SQ03
2. Created the new InfoSet (SQ02), assigned it to the above UG (SQ03)
3. Created the new user, assigned it to the UG in SQ03 and removed the Change checkbox (revoke change rights)
4. Logged on as the new user
5. Started SQ01, switched user group to the new one
6. Created the new SAP query based on the new InfoSet, run the query
As I understand the principles of user groups and queries, I wasn't supposed to be allowed to do the step 6 as the new user, as it was revoked the change rights. Why wasn't I stopped?
I searched for reply in previous posts - everybody agrees on principles, but I didn't find explanation on why it doesn't work.
Thanks in advance!
KR,
Igor

The table AQGDBBN seems to display a mapping of User Group with use rindeed but the results are less than the actual assignment. And the mapping does not have the Z query usergroups that have users assigned in SQ03.
Anything that I may be missing?
Thanks,
Kashif

Exchange Admin without the right to assign / revoke the Full Access Permission

Hello,
I would like to create Exchange Administrator who can do all mail box related administration except assign/revoke Full Access Permission and Send As Permission to other users' mail box or hims own mail box.
Exchange: MS Exchange 2007
OS: Windows 2008

You would have to regularly update his rights on the mailboxes - you can't grant the rights to the distribution group and have them apply to the mailboxes it contains. This means that when someone moves from his department, you would need to immediately
have to remove his rights from that mailbox, since just basing his rights on mailboxes in the group would add more members, but never remove him from existing ones.
For instance, in your list above, Bill manages John, Paul, Jim, and Harry. Suppose Harry moves from Bill's department, and Dave joins it. If you just go by group membership, Dave would get added, but there's no easy way to see that Harry is no
longer in the department. You would either have to mark this in the notes of the group ("Harry left 3/16/2015'), or you would have to immediately remove Harry from the group. Consider if Harry was promoted to Bill's level - he wouldn't want
Bill to have rights on his mailbox just because he had them when he was Bill's direct report.
As for a script you can run each week to add the mailbox rights, that's pretty simple. You'd use
Get-Group <group alias> | % { $_.Members } to get the list of group members, and you'd use
Add-MailboxPermission $ChkMbx -User $_.Alias -AccessRights FullAccess
to add the full mailbox access rights. The following would be a good starting point:
Get-Group <group alias> | % { $_.Members } | % {
Add-MailboxPermission $_.DistinguishedName -User <manager alias> -AccessRights FullAccess
I'll caveat this response - I have Exchange 2010 and don't have an Exchange 2007 system to check the commands or their syntax with. Your mileage may vary.

Granting/Revoke Access Rights

I have a desktop application which is more of a db management thing. I have different user roles accessing it. Two roles that i am using are as follows:-
NOVICE
ADMIN
Till now, ive implemented:
adding new users,
Logging in for existing users
Ive done this by storing data about users in a table as follows::
NAME
PASSWORD
TYPE ie ADMIN / NOVICE
Now i want to add another functionality. Granting/revoking access rights and priviledges to users. I think a new person,who wants to add himself as ADMIN or NOVICE, would be allowed to do so only if he requests for such a role and is accepted by a SUPER user. This was a thought that came to my mind. Pls guide me in the right direction.
Thanks
Dexter

It's hard to interpret what you're trying to do. However I set up such an access control system recently which might point you in the right direction.
Basically there are three tables. One is a table of users (for efficiently most of these tables have "synthetic keys", unique numeric identifiers for references). In this would probably be the user's name and, perhaps, e-mail address etc.., And a digest of the username and password combined. You don't store the actual password text for security reasons (see MessageDigest class).
The second principal table is a list of roles or actions that are protected, each with a name and description.
Permissions are granted in a third table which is an intersection table between users and roles, each row granting one role to one user (can contain further constraints).
One of these roles is, of course, the ability to grant roles. A user with that permission can grant or revoke a role for another user (or some subset of other users) providiing they have the permission itself.
In the java program you can create a class which extends java.security.Permission, when the user logs in, store them in a PermissionCollection. Then you use the "implies" method when you want to test if the current user has a given permission.
Hope this is something to do with what you're trying to do.

I want to revoke rights so users cannot schedule periodic jobs

We do encourage users to run reports in Background but we want to prevent them from scheduling periodic jobs.
We want to have more controll over periodic jobs as we observed that users schedule them and then forget about them.
Morover this has become our audit recommendation.
As far as I can see there is no standard way to do it.
Has anyone managed to achieve it?

Hi..
while searching for the answer i have seen following interesting point.chk whether this will help you..
A job is eligible to start when both of the following are true:
The start condition specified for the job is met.
The job has been released to run.
No job can be run until it has been released, even those scheduled to start immediately. To monitor and control what jobs are submitted to run in background processing, the system can be configured so an administrator can check jobs before releasing them to run.
The release requirement can also be turned off on a per-user basis. Trusted users can be given a special authorization (authorization object S_BTCH_JOB (Batch Processing: Operations on Batch Jobs), value RELE) which will automatically and immediately release any job scheduled by that user.
http://help.sap.com/saphelp_nw2004s/helpdata/en/20/2d513897110872e10000009b38f889/content.htm
thank you
<b><removed_by_moderator></b>

Strange Case on Security Rights and Dynamic SQL (Execute Immediate)

Hi friends, (forgive me if I write with wrong grammar and sentence, I not used English for daily)
I got a weird trouble yesterday.
I created a package (we can called it X, OK!?) which containing Execute Immediate Statement, that function to delete a table (we can called it Y).
Several days ago, it's worked, but yesterday it wasn't. Last things happened before was recreate those table, and regrant to a role which including user account that execute package X.
Error Msg shown is ORA-00942 : Table or view does not exist. After rechecked and rechecked, I found nothing that could trigger that error, I used DBMS_OUTPUT.PUT_LINE to debug and show what statement resulted and executed, I cut and paste, and it's worked. I created anonymous PL/SQL Block, and wrote it and executed it, and worked.
Finally, today, We Grant explicitly those table to user account Y, not via Role, ... and it's work. Interesting thing I think :P
And, I revoke, execute package and run. I think, there's something about Oracle he..he.. :D .
Can somebody help me and explain me the reason of that strange symptomp? and right solution? I must know it, because several days again, it's launched / install.
TIA

Here is the procedure that get troubled into :)
PROCEDURE DeleteOld_Job(
p_Job_Code IN VARCHAR2,
p_User_Id IN VARCHAR2,
p_Parameter_Entry IN VARCHAR2,
p_Status OUT NUMBER )
IS
StrSql VARCHAR2(1000);
CURSOR CTable_Used_By_Report IS
SELECT TABLE_NAME
,TABLE_OWNER
FROM TABLE_USED_BY_JOB
WHERE
Job_Code = p_Job_Code
BEGIN
p_Status := 1;
DBMS_OUTPUT.PUT_LINE('p_Job_Code '| |p_Job_Code );
DBMS_OUTPUT.PUT_LINE('p_Parameter_Entry '| |p_Parameter_Entry );
FOR Item IN CTable_Used_By_Report
LOOP
StrSql := 'DELETE '| |Item.TABLE_OWNER| |'.'| |Item.TABLE_NAME| |' T WHERE EXISTS ( SELECT 1 FROM USERBATCH.HISTORY_JOB H WHERE H.USER_ID = ' ;
StrSql := StrSql| |''''| |p_User_Id| |''''| |' AND H.Job_Code = '| |''''| |p_Job_Code| |''''| |' AND H.PARAMETER_ENTRY = '| |'''' | |p_Parameter_Entry| |''''| |' AND T.SESSION_ID = H.TRANSACTION_ID)';
DBMS_OUTPUT.PUT_LINE(StrSql);
DBMS_OUTPUT.PUT_LINE(Item.TABLE_OWNER| |'.'| |Item.TABLE_NAME);
EXECUTE IMMEDIATE StrSql;
END LOOP;
DBMS_OUTPUT.PUT_LINE('DELETE USERBATCH.HISTORY_JOB WHERE USER_ID ='''| | p_User_Id | |'''
AND Job_Code ='''| | p_Job_Code | |''' AND PARAMETER_ENTRY = '''| | p_Parameter_Entry | |'''');
EXECUTE IMMEDIATE 'DELETE USERBATCH.HISTORY_JOB WHERE USER_ID ='''| | p_User_Id | |'''
AND Job_Code ='''| | p_Job_Code | |''' AND PARAMETER_ENTRY = '''| | p_Parameter_Entry | |'''';
COMMIT;
EXCEPTION
WHEN OTHERS THEN
ROLLBACK;
p_Status := 0;
DBMS_OUTPUT.PUT_LINE( SUBSTR(SQLERRM,1,255) );
END DeleteOld_Job;
TIA
null

Access rights in case of a tree-like structure, with inheritance

Hello,
the project I've just started to work on should include an easy way (from the user's point of view) to grant/revoke access rights on a tree-like structure with inheritance.
Basically we are working for several international companies who want to use our application to watch/manage some of their web projects - each project belongs to one company and consisting of several 'campaigns' in several countries (there can be several campaigns per country, but each campaign belongs to exactly one country).
From our point of view this is a tree-like structure, with a 'root' node at the top level, 'companies' at the first level, 'countries' at the second level, 'campaigns' at the third level, and modules of our application (for example a module to display overall stats of the campaing, and so on) at the fourth level. There could be (and probably will be) some more levels, but that's not important at this point - it will always be a tree-like structure.
The customer's reqirements are natural - the administrators should be able to grant/revoke access to 'subtrees' of this structure. For example the top managers should be able to see all the data related to their company, the local managers should be able to see all the data related to their company in the country they work in, etc. On the other hand the relular employees should not see some of the modules (with details about clients of the company).
I wonder whether this can be solved using JAAS in an elegant and flexible manner - from the documents / whitepapers / tutorials I've seen till now it seems to me it seems to me not too suitable.
All the data will be stored in relational database (Oracle, and in some cases PostgreSQL), and it would be nice to have the access rights stored in the same way (but it's not required). We have some ideas how to solve that using a single table containing paths in the tree, but at this point it's only an idea (not a single line of code written).
We are sure somebody has already to solve such a problem - maybe using JAAS, maybe some other technology - and we don't want to reinvent a wheel. Do you have an idea how to solve this (using JAAS or something else)?

Well, I forgot to explain what the 'inheritance' means ...
We do not want to set the access right on each node of the tree - we prefer (as well as the users) to set/store only as much information as needed. We'd like the nodes to inherit the access rights from their parent nodes. For example we'd like granting access to particular project to mean granting access to all campaigns in all countries (related to the project), without the need to set and store these rights for each of the campaigns/countries.

NCP Rights needed to create a file

I have to give users Read, Write, Create, Modify, File Scan and ERASE rights to create a file. There are some folders that we want users to be able to create documents in but not be able to delete them. I think what is going on is as the document is being created it is creating a temp file that has to be deleted and it cannot do it with out the erase right. It happens in all word processors that I have tested, Word, Word Perfect, notepad. Does anybody know if that is what is happening and is there a solution? Thanks

dgonnse wrote:
>
> I have to give users Read, Write, Create, Modify, File Scan and ERASE
> rights to create a file. There are some folders that we want users to
> be able to create documents in but not be able to delete them. I
> think what is going on is as the document is being created it is
> creating a temp file that has to be deleted and it cannot do it with
> out the erase right. It happens in all word processors that I have
> tested, Word, Word Perfect, notepad. Does anybody know if that is
> what is happening and is there a solution? Thanks
I know when you use MS Office apps, it creates a temporary, hidden
version of the file and then deletes it when you exit the application.
Your best solution here would be to advise users to create the file
locally, then when they are finished save it to the location on the
network. This would allow you to revoke E without causing any issues.
In fact, the only permission they would need is C but if you want them
to also see what's out there then give them R,F as well.
Your world is on the move. http://www.novell.com/mobility/
Supercharge your IT knowledge. http://www.novell.com/techtalks/

SQl Developer 3.0.04 Revoke doesn't generate any DDL. Bug?

Hi everyone,
trying Revoke while rightclicking on , e.g. a stored function doesn't generate any DDL. Specifically, opening "Perform Revoke Action", selecting the Properties tab and applying the desired action doesn't do anything. Interestingly enoguh, selecting the "SQL" tab shows no generated DDL no matter what properties were set. It looks to me as another bug. Any thoughts.
Cheers,
Bob

Hi Bob,
The SQL tab will remain empty until the privileges to be revoked have been selected. In the properties tab of the revoke dialog, the drop down list for "Users" contains a list of those users for which privileges on the object have been granted. (If this list is empty then you will need to do some grants first!) Select a user. You should now see some privilege names in the right hand side of the shuttle. Shuttle one or more of these to the left pane. You should now see generated SQL in the SQL tab.
Please let me know if this doesn't resolve the problem for you.
Best regards,
Philip Richens
SQLDev Development Team

How can I revoke S_CTS_ADMI from some users?

Hi all,
I want to revoke the authorization object S_CTS_ADMI from some users. In our environment, this authorization object is under T-D15000451 profile.
Which transactions/steps are envolved to accomplish this?
Thanks
Fabio Neukirchen

Hi,
In the Command field enter T-Code PFCG click on Enter
In the next screen you will be prompted with role
Enter the role name CONSULTOR_ABAP_ESPECIAL
Click on change icon button (pencil icon on the right to the role name)
In the next screen you will be displayed with multiple TABS (Descripton, Menu, Authorization, Users ....)
Click on the Authorization TAB
You will have two options
Click on
Change Authorization Data (pencil icon )
In the next screen you will have list of Objects and Objects class... etc..
Click on Search (Binoclar icon) or (CTRL + F)
You will prompoted with pop-up window
with follwoing options
Authorization object
or object text
Enter the Object Name (i.e S_CTS_ADMI ) in the Authorization Object field.
Click on find button.
If the techinical names are not on.
Click on Utilities on Menu
In the drop down list you will find option of techinical names on (click on this)
You will be displayed with objects as follows
Administration Functions in the Change and Transport System S_CTS_ADMI
Administration tasks for Chang (with some values here like EPS1, EPS2, IMP*, PROJ) CTS_ADMFC
Double click on this you will be prompted with pop-up to change values (do the necessary chages here and save)
Once saved Generate the profile by clicking on authorization tab on menu you will have a drop down list in that list you will have option of generate click on it or (shift + F5)
Once generated click on Back button (or F3)
In the next screen do the user comparsion in the USER TAB
I hope this is clear
If you need further help or if you are struck any where let me know I will help you in that contex.
Cheers
Soma

Dynamically adding to PDF after applying Extended Reader Rights

All,
I've created a PDF with a digital signature in Acrobat X Pro and applied the extended Reader rights. What I am trying (and failing) to do now is add new pages to the PDF via a Java library (BFO) on a server. When a user eventually brings up the PDF in Reader, they receive a warning about how the extended rights have been revoked since the PDF has been modified. Is there any way to maintain the rights while building the PDFs? Or is the only way to dynamically build a PDF with a digital signature that can be user-signed in Reader through the LiveCycle/ADEP services?

You have to prepare the PDF BEFORE you add the extended Rights. Once it's been rights enabled, you can't modify it w/o breaking the rights.
From: Adobe Forums <[email protected]<mailto:[email protected]>>
Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>>
Date: Mon, 14 Nov 2011 14:32:38 -0800
To: Leonard Rosenthol <[email protected]<mailto:[email protected]>>
Subject: Dynamically adding to PDF after applying Extended Reader Rights
Dynamically adding to PDF after applying Extended Reader Rights
created by j.ross.e<http://forums.adobe.com/people/j.ross.e> in Acrobat SDK - View the full discussion<http://forums.adobe.com/message/4025497#4025497

User Rights Delegation via Powershell (Server 2012)

Hi
In the Exam Ref 70-414 book the author refers the the following powershell cmdlets in server 2012 to assign /delegate user rights by using the constant names.
The cmdlets;
Get-privilege
Grant-privilege
Revoke-privilege
Test-privilege
I am not sure if i'm missing something blatantly, but i seem not to find any information or syntax on this, even after updating powershell help, it doesn't recognize the cmdlets.
Any help will be appreciated.

Here this will tide you over:
PS C:\scripts> function Get-Privileges{whoami /priv /fo csv|Out-String|convertFrom-Csv}
PS C:\scripts> Get-Privileges
Privilege Name Description State
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
¯\_(ツ)_/¯

Oracle recommends that you revoke EXECUTE privileges on powerful packages f

Oracle recommends that you revoke EXECUTE privileges on powerful packages from PUBLIC
Got on error on the home page of Enterprise Manager and read that I should run the code below to correct the problem, but when I click on the link at the bottom of EM to go to iSQL*Plus and choose to connect as sysdba I get a popup asking for me to input a password for my computer so I tried my local computer username and password, my network username and password and even my database username and password and neither lets me in. I can login under Normal but then I do not have rights to execute the command.
revoke execute on utl_file from public;
I know I have my computer username and password correct because I had to enter it to shutdown the database yesterday.
And I had a problem with my listener not knowing the SID, but the error has since went away, but I do have an error on my listener saying
Disk Utilization for 0 C: is 151.45%
Edited by: jamesH2 on Aug 29, 2008 9:20 AM

Hi James,
Where you saw that Oracle recommend that? If you are refering to the Db console recomendations please take a look on this note also: Note:343620.1
If you revoke any privilege from PUBLIC it becomes your own responsibility
to ascertain that all your applications will keep working. The same goal can often be accomplished
by replacing the privileges formerly granted to PUBLIC to some individual users or
roles.
Please take a look on this Metalink Note: 247093.1 Be Cautious When Revoking Privileges Granted to PUBLIC
Regards,
Francisco Munoz Alvarez
www.oraclenz.com
Edited by: F. Munoz Alvarez on Aug 30, 2008 1:31 AM

Code sign...revoking certificate... problem

Hi,
I am having a breake down. I had the folowing problem:
Code Sign error: The identity 'iPhone Developer' doesn't match any valid, non-expired certificate/private key pair in your keychains
So i folowd the steps to solve this problem:
1) Open up Keychain Access app within /Applications/Utilities and click "All Items" under the Category sidebar. Type "iPhone" into the top-right search bar.
If you are replacing your Developer Certificate, delete your "iPhone Developer: <your_name>" Certificate by right-clicking and choosing "Delete"; if you have multiple "iPhone Developer: <your_name>" certificates, delete them all.
If you are replacing your Distribution Certificate, delete your "iPhone Distribution: <your_name>" Certificate by right-clicking and choosing "Delete"; if you have multiple "iPhone Distribution: <your_name>" certificates, delete them all.
2) Clean out your profile library according to the steps in section: Keep Your Profile Library Clean.
3) Log into the iOS Provisioning Portal. Click the Certificates sidebar. Click the DEVELOPMENT tab if you are replacing your Developer Certificate, and pick the the DISTRIBUTION tab if you are replacing your Distribution Certificate. Click Revoke in the Action column.
4) Perform the steps in section Provisioning Profile Refresh. Xcode will prompt to create the new certificates; choose "Submit Request" to allow Xcode to create the certificates.
After step 4:
I folowd this steps:
"To invoke Provisioning Profile Refresh, open Xcode's "Window" menu > Organizer > Devices tab > "Provisioning Profile" sidebar under Library and click the Refresh button. The first time refresh is pressed, a prompt appears requesting your team member credentials. It is important to answer positively when asked to create your signing certificates if they are needed. To do that, click "Submit Request" when you are prompted and Xcode will create, download and install the certificate(s)."
I had no button "Refresh" so i clickt "add device to Profsioning Portal" and get a device with this muber already exists. When i login to Portal, i dont see my developer Certificate>Development anymore. Before revoke i downloaded the certificate!!!.
How do i get it back? How do i solve this problem?
alix

Crap, TN2250 seems to be gone.
You may have used an outdated link or typed the address (URL) incorrectly. If you came to this page via a bookmark, please update it accordingly.
The page you requested: http://developer.apple.com/library/ios/technotes/tn2250/_index.html
The page to which you will be redirected: http://developer.apple.com/library/ios/index.html
Has it been replaced? I'm having a code signing issue and this seems to be the doc i need.

Bug: Grant/Revoke Privileges (11.1.0.5.10 Beta)

Started getting this when attempting to change Privileges on a proc:
"Could not launch the Grant/Revoke Privileges dialog:
Value was either too large or too small for an Int32."
This is happening consistently on one database but not on another.
John

I am also seeing this bug. When I right click on anything in the Server Explorer under my ODP based connection, I get this same message. It happens when I right click on any table icon and select "Privileges..."
-Valkyrie-MT

Useradmin rights revoked

Similar Messages

Maybe you are looking for