Users with direct access to tables

Similar Messages

• Security batch job to evaluate users with SAP_ALL access:

  Hello,
  I need to run some kind of batch report or program that runs for users that have SAP_ALL access.
  Basically we need to run a report or program that shows what these users that currently have SAP_ALL are executing on a daily basis.
  Do you have or know of a report/program that we can schedule nightly to find this information out ?
  Thanks,
  Steve

  Hi Steve,
  I don't think any SAP standard report or query is available for this. You probably have to design your own Z report/query to achive this.
  However since SAP_ALL is a restricted access and you will have very few users with this access, if you want to find it out programs/transation being executed by these users, it can be done manually from ST03, through "Memory Use Statistics", probably this may help to identify the tables using which you can design your own report.
  Regards,
  Sanujit
  Edited by: Sanujit Purohit on Jul 20, 2010 2:25 AM

• List of users with authorised reports and tables.

  hi all
  i have another requirement, that is List of users with authorised reports and tables in SAP.
  that means user wise which reports and tables have authorisations to execute.  for that what is the tcode or table name?.  please help me in this..
  Thank you.

  Hi,
  In SUIM tcode expand transactions node der ull have for users..........
  Cheers,
  jose.

• Set Single user with reviewer access to multiple conference room calendars

  Want to add a single user with reviewer access to multiple conference room calendars, used the below but it given a below error , Single user i am able to add but single user for multiple confernce room calendars hot happening.
  Import-csv C:\smtp1.csv | foreach-object {Add-MailboxFolderPermission -identity $_mail":\Calendar" -User "Mike" -AccessRights "Reviewer"}
  Smtp1.csv
  mail
  [email protected]
  [email protected]
  Error:--
  [PS] C:\>Import-csv "C:\smtp1.csv" | foreach-object {Add-MailboxFolderPermission -identity "$_mail:\Calendar" -User "Mike" -AccessRights "Reviewer"}
  The specified mailbox "\Calendar" doesn't exist.
      + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
      + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
  The specified mailbox "\Calendar" doesn't exist.
      + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
      + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
  The specified mailbox "\Calendar" doesn't exist.
      + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
      + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
  The specified mailbox "\Calendar" doesn't exist.
      + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
      + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

  i tried with that as well but getting the below
  A positional parameter cannot be found that accepts argument ':\Calendar'.
      + CategoryInfo          : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
      + FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
  A positional parameter cannot be found that accepts argument ':\Calendar'.
      + CategoryInfo          : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
      + FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
  A positional parameter cannot be found that accepts argument ':\Calendar'.
      + CategoryInfo          : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
      + FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
  Cannot process argument transformation on parameter 'Identity'. Cannot convert value "" to type "Microsoft.Exchange.Configuration.Tasks.MailboxFolderIdParameter". Error: "Valu
  e cannot be null.
  Parameter name: mailboxFolderId"
      + CategoryInfo          : InvalidData: (:) [Add-MailboxFolderPermission], ParameterBindin...mationException
      + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-MailboxFolderPermission

• Auto deploying branch office printers with Direct Access

  Hello there
  I am implementing my first Direct Access topology and have a question. We will have branch offices with workstations deployed using Direct Access for administrative purposes. We have staff moving around from branch to branch with the goal to
  make logging on to the network and accessing resources for users as automated as possible. One of the questions I have regards auto configuring branch printers for users using Group Policy. The branch offices have workstations, printers and NAT modem/routers
  with DHCP - but no servers.
  If we have a stand alone network printer, how do we list that printer in Active Directory allowing the user to auto-configure it using group policy? If we install it on a server at Head Office, would the print job travel there first and then back to
  the branch? Obviously this is not ideal. Or can it be directed straight to the printer using a script or something?
  Alternatively we can install and share it on a branch workstation and list it in the directory, but would this not be same the problem as above? This is not ideal either as it would depend on the workstation being always on and available.
  Any input Direct Access gurus?
  Thanks in advance
  MIS5000

  Hi,
  Thanks for your post.
  We could have 2 possible solutions for natively deploy printers using Group Policy without the need for any scripting:
  1) Group Policy Preferences – available in Windows Server 2008 and later
  2) Print Management – available in Windows Server 2003 R2 and later
  http://blog.powershell.no/2009/11/08/deploying-printers-using-group-policy/
  Did you try to use the Print Management? You can share printers on a network and centralize print server and network printer management tasks using the Print Management Microsoft Management Console (MMC) snap-in. Print Management helps you to monitor print
  queues and receive notifications when print queues stop processing print jobs. It also enables you to migrate print servers and deploy printer connections using Group Policy.
  https://technet.microsoft.com/en-us/library/cc731857.aspx
  Meanwhile, if you have any Direct Access related issue, I think you may ask in network forums:
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNIS
  Regards.
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Users with read access to the site unable to view Managed Metadata Navigation

  Hi everyone,
  I created a Managed Metadata service and created group, term-set and terms
  I gave read access to users
  I set up navigation to use Managed Navigation
  I am logged in as farm admin and able to view the navigation when i browse site. But user are not seeing navigation.
  One thing i noticed is when i give users full access or designer access to site they will be able to see the navigation. but i don't want to give users full access or designer access to the site.
  How can users with read only access to site can view Managed Metadata Navigation...Please help?

  Hi Sunil,
  Have you given your users permissions to actually read the MMS data from the service application?
  http://technet.microsoft.com/en-us/library/ff625176.aspx covers permissions on the MMS.
  Regards
  Paul.
  <<edit>> On reflection you might be hitting the issue in this Stackexchange post..
  http://sharepoint.stackexchange.com/questions/75636/permissions-and-managed-metadata-in-navigation Is yours behaving the same way?
  Please ensure that you mark a question as Answered once you receive a satisfactory response. This helps people in future when searching and helps prevent the same questions being asked multiple times.

• Enterprise DNS servers are not responding when using Windows NLB with Direct Access 2012

  Hi
  We have installed Direct Access 2012 as one server installation:
  - Two network cards. First one in DMZ and second one in internal network
  - Two consecutive IP addresses configured in DMZ because of Teredo
  - PKI because of Win7 Clients IPSec
  - Our corporate network is native IPv4 so we use DNS64/NAT64 and DA-server is configured as DNS
  - DA-servers are VMWare virtual machines 
  One server installation works fine and now we want to use Windows NLB as load balancing. NLB installation goes fine too,
  but problem is DNS. If we still try to use DA-server as DNS there comes error message below
  None of the enterprise DNS servers 2002:xxxx:xxxx:3333::1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.
  When trying to configure DNS using Infrastructure access setup, DNS cannot be validated when using DA-servers DIP or cluster VIP. Only domain local DNS looks to be ok but those have no IPv6 addressess. So how DNS should be configured when using multicast
  NLB? 
  Tried to remove name suffix then adding again => Detect DNS server => DA-server IPv6 address found => validate => The specified DNS server is not responding...
  Then tried to ping detected address => General failure
  NLB clusters are configured as multicast and static ARPs are configured too. Both clusters can be connected from those subnets as they should be. 
  Any clues how to fix this?
  ~ Jukka ~

  Hi,
  Your question falls into the paid support category which requires a more in-depth level of support.  Please visit the below link to see the various
  paid support options that are available to better meet your needs.
  http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
  Regards,
  Mike
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• User with Full Access to mailbox cannot view calendar

  I have a user who one of several users that manages the schedules for several conference rooms using regular mailboxes on Exchange Server 2007.  She (and she alone), has lost the right to manage the mailbox calendar.  When she tries to access the
  calendar she gets the error message, "You do not have permission to view this calendar".
  I verified her rights as Full Access and even ran the cmdlet below which says, "Appropriate ACE is already present on object ".
  [PS] C:\Windows\system32>Add-MailboxPermission -Identity "mailbox" -User user -AccessRights FullAccess -InheritanceType All
  WARNING: Appropriate ACE is already present on object "CN=mailbox
  49,OU=Service Accounts,OU=  xxx,OU=xxxxx),OU=xxx,DC=xxx,DC=xx,DC=xxx" for
   account "user".
  Identity             User                 AccessRights        IsInherited Deny
  Domaim      domain\user       {FullAccess}        False       False
  When I get the permissions on the mailbox she has the following:
  AccessRights    : {FullAccess}
  Deny            : False
  InheritanceType : All
  User            : domain\user
  Identity        : domain/OU/OU/OU/mailbox
  IsInherited     : False
  IsValid         : True
  ObjectState     : Unchanged
  Any help out there?
  [email protected]

  Hi,
  According to your post, the permission seems to be configured properly in your Exchange server. This user has full access permission to Domaim’s mailbox.
  Please try to open shared mailbox in OWA to check whether she can access the calendar. In Outlook, we can open shared calendar in Calendar panel by clicking Open Calendar > Open shared calendar. If it fails, please try the following steps:
  1. Click File > Account Settings > Change > More Settings > Advanced.
  2. Add the Shared mailbox that you want to open and click OK.
  If there is any updates, please feel free to let us know.
  Best Regards,
  Winnie Liang
  TechNet Community Support

• Created a user with permissions to one table, but unable to access the table

  I've tried to create a Login that will have access to a single table from a few different databases.
  When I try and query the table, using the created Login I get the following error:
  "The server principal "log_Reader" is not able to access the database "MyDB" under the current security context."
  Here's the SQL I used to create the Login/User:
  USE MASTER
  GO
  CREATE LOGIN log_Reader
  WITH PASSWORD = '<password>'
  GO
  USE DB1
  GO
  CREATE USER log_Reader FOR LOGIN log_Reader
  GRANT SELECT ON dbo.logtable TO log_Reader
  USE DB2
  GO
  CREATE USER log_Reader FOR LOGIN log_Reader
  GRANT SELECT ON dbo.logtable TO log_Reader
  USE DB3
  GO
  CREATE USER log_Reader FOR LOGIN log_Reader
  GRANT SELECT ON dbo.logtable TO log_Reader
  USE DB4
  GO
  CREATE USER log_Reader FOR LOGIN log_Reader
  GRANT SELECT ON dbo.logtable TO log_Reader
  Does anyone have any ideas what I've missed ?
  Thanks, Jason
  MCITP BI Developer - MCTS SQL Server (http://bichopsuey.wordpress.com/)

  I cannot reproduce the error, can you run my script?
  USE [master]
  GO
  CREATE LOGIN [test1] WITH PASSWORD=N'test',
   DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
  GO
  USE [B]
  GO
  CREATE TABLE [dbo].[t1](
  [c] [int] NULL,
  [c2] [char](1) NULL
  ) ON [PRIMARY]
  CREATE USER [test1] FOR LOGIN [test1] WITH DEFAULT_SCHEMA=[dbo]
  GO
  GRANT SELECT ON [t1] TO [test1]
  EXECUTE AS USER = 'test1';
  --Use B database
  SELECT * FROM [t1] ---works
  REVERT
  USE master
  GO
  EXECUTE AS USER = 'test1';
  SELECT * FROM B.dbo.[t1] ---works
  REVERT
  Best Regards,Uri Dimant SQL Server MVP,
  http://sqlblog.com/blogs/uri_dimant/
  MS SQL optimization: MS SQL Development and Optimization
  MS SQL Consulting:
  Large scale of database and data cleansing
  Remote DBA Services:
  Improves MS SQL Database Performance
  SQL Server Integration Services:
  Business Intelligence

• Create user with read access for all tables SAP SID .*

  Hello all,
  could you please help me ? I would like to grant select privilege on all tables SAP<SID>.* for newly created user.
  I have created standard database user (not exclusive).
  I`m able to grant select for individual tables, but I would like to grant select for this user on all SAP<SID>
  schema in simplier way
  But as far as I know, the schema`s owner name must be different then schema name.
  Any idea please ?
  Thank you.
  Pavol

  create user <user_name> identified by <password> <options>;
  grant read on all tables:-
  CREATE OR REPLACE PROCEDURE GRANT_SELECT AS
  CURSOR ut_cur IS
  SELECT table_name
  FROM user_tables;
  RetVal NUMBER;
  sCursor INT;
  sqlstr VARCHAR2(250);
  BEGIN
  FOR ut_rec IN user_tabs_cur;
  LOOP
  sqlstr := 'GRANT SELECT ON '|| ut_rec.table_name
  || ' TO <user_name>';
  sCursor := dbms_sql.open_cursor;
  dbms_sql.parse(sCursor,sqlstr, dbms_sql.native);
  RetVal := dbms_sql.execute(sCursor);
  dbms_sql.close_cursor(sCursor);
  END LOOP;
  END grant_select;
  Edited by: varun4dba on Jan 18, 2011 4:13 PM

• SecurityAgent seems to be thrashing when ParentalControls logs out a user with limited access time.

  I have a 2007 iMac running OS X Lion, all latest updates and patches applied.
  My daughter has an account on the system, which I have limited to only being able to be used for a few hours a day.
  The problem arises when she leaves herself logged in, but walks away, and the time runs out.  When I sit down at the console, the first thing that happens is that the cursor disappears, and the systems starts to go into a logout.  Makes sesne so far, I guess.  However, the system then goes into what I can only presume is some sort of loop.  The cube animation starts, and rotates back and forth several times between two screens, both equally hessian wrapped, with no distinguising features.
  I can log into the system via ssh, and I can confirm that the system is spiking out on SecurityAgent:
  Processes: 661 total, 5 running, 29 stuck, 627 sleeping, 2082 threads                                                     
  19:59:08 Load Avg: 1.68, 3.07, 5.24  CPU usage: 43.38% user, 23.52% sys, 33.8% idle  SharedLibs: 3620K resident, 1948K data, 0B linkedit.
  MemRegions: 104350 total, 1295M resident, 189M private, 2974M shared.
  PhysMem: 1166M wired, 3312M active, 1655M inactive, 6133M used, 9560K free.
  VM: 1611G vsize, 1118M framework vsize, 34169473(356) pageins, 5796949(92) pageouts.
  Networks: packets: 100372238/47G in, 162918821/146G out.  Disks: 23914908/3252G read, 27697160/2570G written. 
  PID    COMMAND      %CPU      TIME     #TH  #WQ  #PORT #MREG RPRVT  RSHRD  RSIZE  VPRVT  VSIZE  PGRP  PPID  STATE    UID  FAULTS
  27013  SecurityAgen 98.0      37:41.27 2/1  1    88    84    508K   3904K  2664K  31M    2410M  27013 1     running  92   3028
  28561  top          25.9      02:27.05 1/1  0    32    43    3752K  216K   4176K  20M    2381M  28561 28505 running  0    1924014+
  1      launchd      4.6       50:43.63 3    0    3159- 343   2804K+ 2836K  2128K+ 15M+   2405M  1     0     stuck    0    553252+
  0      kernel_task  1.5       08:01:03 71/2 0    2     976   14M    0B     595M-  15M    5487M- 0     0     running  0    23008
  197    WindowServer 0.7       01:57:50 5    1    6653  6448  22M+   885M   486M+  137M   40G    197   1     sleeping 88   25934192+
  18548  Transmission 0.5       01:59:18 7    1    175   372   10M    7352K  16M-   47M    2550M  18548 282   sleeping 501  10297632
  14     opendirector 0.4       02:27.27 13   13   617+  108+  6072K+ 1872K  6860K+ 32M+   2417M+ 14    1     stuck    0    407028+
  25117  mcxalr       0.2       00:40.33 4/1  3    43    41    200K   252K   1780K  30M    2391M  25117 1     running  54   1580
  26441  SecurityAgen 0.2       00:01.55 2    1    121   245   2856K  19M    6820K  35M    2503M  26441 1     stuck    92   27427
  28001  ManagedClien 0.1       00:00.11 4    3    98+   86    1196K+ 4900K  3748K+ 31M    2413M  28001 27998 sleeping 0    3718+
  294    UserEventAge 0.1       00:20.22 3    1    212   140   976K+  3964K  2632K+ 34M    2422M  294   282   sleeping 501  294201+
  28006  ManagedClien 0.0       00:00.11 4    3    97    86    1184K+ 4904K  3700K+ 32M    2414M  28006 28003 sleeping 0    3725+
  28573  mdworker     0.0       00:00.41 4/1  2    55    101   8648K  6052K  13M    38M    2422M  28573 28443 running  89   4766+
  27831  loginwindow  0.0       00:00.50 4    2    153+  108+  1692K+ 4804K  3252K+ 35M+   2425M+ 27831 197   sleeping 0    4875+
  15     configd      0.0       00:33.57 6    1    2316  230   2392K  1788K  3524K+ 27M    2420M  15    1     sleeping 0    320735+
  28318  loginwindow  0.0       00:00.54 3    1    151   101   924K+  4712K  3120K+ 33M+   2423M  28318 197   sleeping 0    4778+
  Now, obviously, because I can ssh in, I can start a clean shutdown and restart, but I'd like a way to do this that doesn't involve me bringing down the system, when the whole point of multiple users and parental controls is that a system can be shared cleanly.
  Thoughts?
  Thanks,
  Will

  See if this blog post that our support team created helps you with the connection information. This can create the desktop Access application linked up to the Access 2013 web app tables you have.
  http://blogs.technet.com/b/the_microsoft_access_support_team_blog/archive/2014/03/24/how-to-make-external-connections-to-an-access-web-app-new.aspx
  Also, you might just try clicking the Create Reports button in the Access web app client interface and Access will create the reporting database for you with links to the web app tables. On the File menu (when using the Access web app in client) make sure
  to click the option to Allow Any Location under the Manage button. After that, just click the Create Reports button on the File menu (right above the Manage button) and wait a few seconds. Access will create a new desktop database linked up to all of the Access
  web app tables. You can then create as many reports or other desktop objects as you like.
  Hope that helps,
  Jeff Conrad - Access Junkie - MVP Alumnus
  Senior Content Developer - Office Content Development Team - Microsoft Corporation
  Author - Microsoft Access 2013 Inside Out
  Author - Microsoft Access 2010 Inside Out
  Co-author - Microsoft Office Access 2007 Inside Out
  Access 2007/2010/2013 Info: http://www.AccessJunkie.com
  This posting is provided "AS IS" with no warranties, and confers no rights.
  Use of included script samples are subject to the terms specified at
  http://www.microsoft.com/en-us/legal/Copyright/Default.aspx

• Roles with Change Access to Table Maintenance

  Hello,
  We have many roles that have S_TABU_DIS-Table Maintenance, 02-Change access, *-Auth. Group. Many of these roles have very few transactions and are not Basis\Development related. My questions are what transactions do I need to make sure these roles don't have to so they can't change data in Tables? I know SM30 and SE16, any others? Also second question, should I be worried if these roles do not have the access to start these transactions but do have the access given in the S_TABU_DIS object?
  Thank You,
  Alex

  1. Asides from SM30 and SE16 you already mentioned, 'SE16N' and 'N' come to mind. Maybe there are others.
  2. Yes. You should be worried. Users could get authorizations for any of the aforementioned transactions from another role and get authorization to change all the tables from this role. Bad Stuff.
  I suggest that you figure out why exactly these roles includes S_TABU_DIS object with change authorizations for all table groups. Once you have that figured out - you can take appropriate actions. In my mind, it would be very hard to justify having S_TABU_DIS with 02/* in any role.

• Same user with different access rights depending on internet or intranet

  Hi gurus,
  I'm faced with the following situation. Users are able to access our portal (EP7.0) via Intranet as well as via Internet. But via Internet the users shouldn't be able to access security critical content (sitting in an internet cafe and checking accurate BI reports wouldn't be a nice thing).
  So, how can we achvieve this?.
  - Dynamic role assignment? So after login we should determine internet/intranet (eg http header set by our reverse proxy).
  - PCD filtering? In this case we need to set custom attributes on iViews for restricting internet access and then write an PCD filter.
  Any other suggestions?
  Thanks a lot

  Hi,
  R u using SAP Web Despatcher?
  Then use URL Filtering and block the URL'S accessing from the internet in Web despatcher.
  If the user is in intranet any way he can access because he will access the server directly without web-despatcher.
  Thanks,
  gopal

• How do I create admin console users with full access to configuration and the directory in every instance?

  I want to be able to create directory user ID for the iPlanet administrators. They should be able to access the admin console and all the instances created. They should be able to configure each instance and directory. I was able tocreate Admin Server Administrators but they were only able to modify the directory(tab) and not the configurations(tab). Any help would be greatly appreciated!
  Thanks.
  Keith

  Hi Keith,
  In o=netscaperoot, edit the static group called cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot - this group contains the admins peer to your config admin. Since the console is quirky and doesn't let you add in users not in netscaperoot, just click advanced and put in the full dn of whoever you want in by hand, e.g., uid=scarter, ou=people, dc=mydomain,dc=com as a static member. then rebind to the console with the full dn and passwd, and away you go :)
  james

• Giving List Permission to users with no access to the main site

  On my sub site I have a list (where users from a specific store can report errors). This list I want to share with another group of users, those who will do something about the errors (entrepreneurs). I want them to be able to Edit in this list: they don't
  need delete and create items, just being able to change an item is fine. 
  The problem is, I don't want them to have access to the sub site itself, because there is  information on the sub site that they don't need to know about, they should only see this list. So they don't have any access at all to the sub site, but I'm giving
  them permission to the list. 
  However, it seems like since they can't access the sub site, no matter what permission I give them to the list (Edit, Contribute, Full Control), in the end they only have Reading-access to the list and can't even update an item. 
  This error message turns up whenever they try:
  "Unable to communicate with server".
  The entrepreneur group is external users, but that shouldn't matter, should it? I've added them to SharePoint groups with the right permissions.
  Is there any possible way to solve this problem?

  Hi  ,
  Here is the steps you can refer to:
  Go to your site ->Site Settings ->Site permissions ->Permission Levels ->Click “Add a Permission Level” and create a custom permission level with following permissions : 
  Edit Items, View Items, Open Items, View Pages , Open.
  Go to your list ->Shared With -> INVITE PEOPLE : 
  input your group, click  “SHOW OPTIONS” 
  and select the new custom permission level.
  Best Regards,
  Eric
  Eric Tao
  TechNet Community Support