To access an OData web service that exposes data from a Core Data Service (CDS) in SAP R/3, a user needs has to have an authorization role assigned that contains the authorization object S_SERVICE.
The authorization object S_SERVICE requires two parameters:
the service type (SRV_TYPE) which is set to HT = "TADIR Object" in my case
the service hash (SRV_NAME).
Using the debugger I found out, that the function module AUTHORITY_CHECK_TADIR_SERVICE compares the hash from the S_SERVICE authorization object with the hash stored in a record of table usobhash:
I also found out, that function module AUTH_TRACE_CALC_HASH uses the data from the columns PGMID, OBJECT and OBJ_NAME in table usobhash as input to generate the hash which is then stored in column NAME.
So far, whenever I wanted to grant a user/role permission to access a OData service I needed to know this hash. To get the hash, I either checked the usobhash table or manually executed AUTH_TRACE_CALC_HASH and then entered the hash when I assigned the authorization object to an authorization role in transaction pfcg. I guess there has to be an easier, more "official" way to do this. My approach feels like a dirty workaround but I was unable to find any documentation about how to do it right.
tl;dr How do I set the S_SERVICE authorization object without either debugging AUTH_TRACE_CALC_HASH or searching for the relevant entry in usobhash?
Create a role with the Service in it. Therefore please create a new or choose an existing role in the transaction PFCG → (+ pushbutton).
Choose the object type "Authorization Default".
Choose "TADIR Service"; Choose object type IWSV or IWSG.
Use the F4 help to select your service.
Save the role.
Assign the role to user.
Related
How to get the role definitions by Azure management API which can only be assigned at "Resource" scope?
When executing following query, all the role definitions are returned by the API:
GET https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Compute/virtualMachines/<virtualMachineName>/providers/Microsoft.Authorization/roleDefinitions?api-version=2018-01-01-preview
The above return role definitions like AcrPull or AcrImageSigner which seems not be right role definitions for a virtual machine. In Azure portal, don't see these role definitions listed also.
As per this Microsoft documentation, it seems that $filter=atScopeAndBelow() can be applied as OData filter, but it throws the bad request exception stating
The filter 'atScopeAndBelow()' is not supported. Supported filters are either roleName eq '{value}' or type eq 'BuiltInRole|CustomRole'.
Any guidance to get only the role definitions which are validate at Resource scope level?
Note - there was a similar question asked 5 years back but it has no responses.
You can give below command to list all the roles and their description.
Get-AzRoleDefinition | FT Name, Description
For assigning the role for resource scope you can directly do it from azure portal itself. This is the procedure that you can follow.
Select the resource that you want to assign.
Under Manage, select Roles to see the list of roles for Azure resources.
Select a member or group you want to assign to the role and then click Select.
For more information you can refer it from HERE.
I want to know the application name that executes a specific stored procedure. We have many applications and all have application name property inside the connection string.
Here I don't exactly know which application calling that stored procedure. I think we can get this by calling APP_NAME() but I don't know the exact query to get the correct application name.
SELECT APP_NAME()
The APP_NAME() is a built-in function to return the 'Application Name' token from the connection string used to set up the current session.
Here is a good article on setting up your connection string appropriately:
http://www.sqlerudition.com/using-a-meaningful-application-name-in-the-oledb-connection-string/
If you don't have control over the connection string, then you will need to use a combination of other session variables such as SESSION_USER() or ##SPID and possibly refer to the dmv called sys.dm_exec_sessions for a full record of what the server 'knows' about the connection.
https://learn.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-exec-sessions-transact-sql?view=sql-server-2017
If you want detailed information, i would suggest to use Extended Events by selecting rpc_completed event. For detailed steps..
We need to configure the IdentityProvider from metadata stored in a database. It would seem though that the only way to specify the metadata to IdentityProvider is through metadataLocation property which supports a URL or file path.
Is there anyway, which I've missed, to pass a stream object that holds the metadata to the IdentityProvider?
Thanks
I'm not aware of any way using the standard code. The Load method that takes a stream is marked as internal, see here:
https://github.com/KentorIT/authservices/blob/master/Kentor.AuthServices/Metadata/MetadataLoader.cs
You could:
Write your database value to a temporary location and give this file path to load
Write an api route that serves up the metadata for a given Idp as a url
Make an open source contribution to add support for this
Don't use MetadataLocation but instead construct the IdentityProvider object and separately set signing key, entity id, binding etc.
etc.
I need to check how many invalid attempt a user taken at the time of log in.
This is becauase our requirement is to save the max attempt password value from db not config.
The default Membership API doesn't expose the invalid attempt counts, but they are indeed tracked in the database.
If you take a look at the documentation for the Sample Membership Provider Implementation you'll see the following in the Database schema section:
FailedPasswordAttemptCount Integer,
FailedPasswordAttemptWindowStart DateTime,
FailedPasswordAnswerAttemptCount Integer,
FailedPasswordAnswerAttemptWindowStart DateTime
These work in conjunction with the PasswordAttemptWindow setting to lock users out if they fail to supply the correct values, and the counts are updated by the default provider when the user fails to log in.
If you want to manage these through a database rather than the web.config you only really have one choice: Write a custom membership provider (based on the sample) that reads the required values from the DB rather than the config settings.
This is because the property on the provider is read-only so you can't modify it once the provider is loaded and instantiated.
How to create data base link in oracle 11 g to Access Tables.
You seem to have copied the example in the documentation without really understanding it.
The USING 'local' part of the statement is creating a link to 'the local database', where local is the service name of a database. (The example is a bit confusing, to be fair).
When the link is used it tries to interpret local as a service name, appending the current database's domain, as the docs say:
USING 'connect string'
Specify the service name of a remote database. If you specify only the
database name, then Oracle Database implicitly appends the database
domain to the connect string to create a complete service name.
Therefore, if the database domain of the remote database is different
from that of the current database, then you must specify the complete
service name.
If you're trying to create a link back into the same database - which would be a bit odd but I've seen it done in place of grant access across schemas, and that seems to be what the example is hinting at - then you can replace 'local' in the USING clause with the service name of your current database (e.g. USING 'orcl', or whatever).
You can also use a TNS alias; if your tnsnames.ora has an entry for SOME_DB which points to the SID or service name of another database, you can have USING'some_db'`. You should be able to use any connect string I think; certainly Easy Connect is allowed. There's more in the net services admin guide.