ABAP roles v/s Portal Roles

Hi All,
Currently I was going through the EP security docs, where I came across this:
"An important difference between ABAP roles and Portal roles is that in the portal, no authorizations are defined for the backend application itself. This must still be done within the backend applications (for example, mySAP ERP)."
Can somebody please explain this to me?
I would also like to know more about the differences between ECC and EP security.
Thanks,
Ajit

Hi Ajit,
I have been looking into this for some time as well, but am still not sure of some things myself nor which scenarios fit best to which security aspects.
My understanding is that it depends on how the portal is connecting to the backend.
If the portal user is the backend user, then the portal role is just a permission to click on things in the portal. The portal roles are mapped to the backend roles in the ABAP system (so you can, and need to, define what that portal role can in fact do when the portal user "clicks" in the backend, using the backend roles of the same backend user context).
If the portal user is not the backend user (i.e. it is a system service for generic access to the backend), then you should restrict the backend access to the bare minimum of that service and control the security in the portal application (the calling application) as the backend user context is not the same.
So it is a "design" answer as well...
There are a few good posts about this if you use the search. If you find a good one, then please link it here so that others who use the search and follow up on their questions can use it as well.
At the top of the forum, there is a sticky thread on FAQs and other useful discussions. Sadly, portal security does not have any links yet, so if you find a good one then let me know.
Cheers,
Julius
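
The two designs described in the reply above, as a simplified model (an added example, not part of the original thread and not SAP code; the classes, users, roles and action names are all hypothetical). It shows which layer ends up making the access decision in each case:

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Backend:
    """ABAP-side check: authorizations belong to the backend user context."""
    authorizations: Dict[str, Set[str]]  # backend user -> permitted actions

    def execute(self, backend_user: str, action: str) -> bool:
        return action in self.authorizations.get(backend_user, set())


@dataclass
class Portal:
    backend: Backend
    role_content: Dict[str, Set[str]]    # portal role -> actions it exposes
    user_roles: Dict[str, Set[str]]      # portal user -> portal roles
    service_user: Optional[str] = None   # set => shared technical backend user
    check_in_portal: bool = False        # portal application enforces the role

    def exposed(self, user: str) -> Set[str]:
        """Actions the user's portal roles make visible (navigation only)."""
        actions: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            actions |= self.role_content.get(role, set())
        return actions

    def call(self, user: str, action: str) -> str:
        """Request an action, visible in the portal or not; report who decided."""
        if self.check_in_portal and action not in self.exposed(user):
            return "denied by portal"
        backend_user = self.service_user or user
        if not self.backend.execute(backend_user, action):
            return "denied by backend"
        return "executed as " + backend_user


def demo() -> Dict[str, str]:
    # Constructed sample data; all user, role and action names are made up.
    backend = Backend({"ALICE": {"DISPLAY_PO"},
                       "SVC_PORTAL": {"DISPLAY_PO", "CREATE_PO"}})
    roles = {"Buyer": {"DISPLAY_PO", "CREATE_PO"}, "Viewer": {"DISPLAY_PO"}}
    users = {"ALICE": {"Buyer"}, "BOB": {"Viewer"}}

    same_user = Portal(backend, roles, users)
    svc_unchecked = Portal(backend, roles, users, service_user="SVC_PORTAL")
    svc_checked = Portal(backend, roles, users, service_user="SVC_PORTAL",
                         check_in_portal=True)
    return {
        # Portal role exposes CREATE_PO, but ALICE's backend roles do not allow it.
        "same_user": same_user.call("ALICE", "CREATE_PO"),
        # Backend only sees SVC_PORTAL, so it cannot tell BOB from anyone else.
        "service_unchecked": svc_unchecked.call("BOB", "CREATE_PO"),
        # The calling application has to enforce the portal role itself.
        "service_checked": svc_checked.call("BOB", "CREATE_PO"),
        "service_allowed": svc_checked.call("BOB", "DISPLAY_PO"),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

With the same user on both sides the backend roles have the last word; with a shared service user the backend check only bounds what the service can do, so per-user enforcement has to happen in the calling application.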

Similar Messages

  • Role Mapping For Portal Role Assignment and ABAP Role Assignment

    Summary:
    - Under the GRC configuration of Roles> Role Mapping we are trying to utilize the  role mapping feature in GRC for associating a dependent role to a main role.
    - We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
    - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
    Problem Description:
    Our Scenarios we tested:
    Scenario 1:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator B & workflow B (routes to auto approval or no approval)
    *Problem with the Scenario 1 setup above: the dependent role will always get approved & provisioned regardless of the approval or denial of the main role.
    Scenario 2:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator A & workflow A(routes to single approver (same as main approver) based on role)
    *Problem with the Scenario 2 setup above: the dependent role will always also need to get approved by the same approver as the main role, and it opens the possibility that the approver may accidentally approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
    Questions:
    1. Does the dependent role need to be defined in an initiator at all, since it will never be requested directly?
    2. If the dependent role does need to be in the initiator file, please describe how to properly set up the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC, and if the role owner rejects/denies the main role, then neither the main role nor the dependent role will be provisioned by GRC).
    Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

    I tested this set up.
    1. Defined ABAP role as Main role
    2. Defined Non-ABAP role as dependent role
    3. ABAP role  is set up in initiator requiring business approval.
    4.  Non-ABAP role is set up in initiator with no approval required.
    Results Where Business Approver approves the ABAP Role
    1. Only the ABAP role is displayed in approver view which is desirable.
    2.  ABAP role is approved and Non-ABAP role and ABAP role is provisioned.
    Results Where Business Approver rejects the ABAP Role
    1. Only the ABAP role is displayed in approver view which is desirable.
    2.  ABAP role is rejected but  Non-ABAP role is provisioned which is not what we want.  We want the Non-ABAP role not to provision if the ABAP role is rejected by the business approval.
    Thanks again for your help.

  • Mapping SRM Portal roles with SRM backend roles

    Using ABAP as UME when we create a user in SRM backend and assign backend roles, then corresponding portal roles should also get assigned to the
    user so that portal roles are not to be assigned separately by portal admin.
    Currently for the requirement I followed the following steps:
    1. To the SAPJSF user in the SRM backend, assigned roles SAP_BC_JSF_COMMUNICATION and SAP_BC_JSF_COMMUNICATION_RO.
    2. Created a RFC SPML of type 'G'.
    3. Activated UME-SPML connection in SPRO.
    4. Then in PFCG for the role personalization assigned PCD path of portal role.
    But I am not able to achieve the requirement through the aforesaid steps.
    Please Guide.
    Regards,
    Gagandeep.

    If you are using ABAP persistency for UME your ABAP roles should appear in the UME as groups. Just assign the portal roles you need to your ABAP roles/groups. That's it,
    cheers

  • How to fetch Portal Roles ??

    Hi,
    I am using the UME API for handling users, but I am unable to fetch the portal roles. Using the UME APIs we can fetch UME roles but not portal roles.
    I am able to manage the users using the same UME APIs.
    The current version I am using at my end is EP 6.0 SPS02.
    The program is running outside the EP: I am trying to fetch the portal roles in a standalone Java program (not a servlet, but a simple Java program using the UME APIs) and I am unable to fetch any roles.
    If someone has faced a similar problem, then please let me know how I can fix this issue, since it is a little urgent and I have been stuck with this problem for quite some time. If you can give sample code, that would be great.

    Hi,
    Refer to these threads:
    Re: Extracting information from PCD through java program
    Re: How to retrieve role Info

  • Assign Security Zone Permissions to Portal Role

    Hi all
    I have created a portal role, say 'ABC', in my folder and assigned some users to this role. Now I want to assign security zone permissions for this role, ABC. When I try to do so, I am not able to find this role under 'Assign New Permissions' of permissions editor.
    What more do I need to do to get this role for assigning permissions?
    I am using Netweaver 2004s.
    I appreciate your answers with good points.
    Thanks in advance
    Tejo

    HI Fabien
    Thanks for the reply. I tried with wildcard search. I am not able to find that role. When I search for all roles in permissions editor I see some 32 roles. When I searched the number of roles in User Administration tab, there are 55 roles (40 in Portal Role datasource and 15 in UME database datasource).
    I can see my role in User Administration window, but not in Permission editor.
    Thanks
    Tejo

  • J2EE roles vs Portal roles vs ABAP roles

    (I also posted this on portal implementation, but i hope i receive more reactions here )
    Dear all,
    I have a question about the information on the following link:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/4c/6c0f40763f1e07e10000000a1550b0/content.htm
    It says the following:
    "These functions are intended to assign users and their assigned portal roles a corresponding role in the SAP System. This corresponding role (authorization role) contains the authorizations needed to execute certain functions from the portal."
    1. These "...certain functions..." they talk about, can someone give an example of these functions?
    2. Is it possible for example to create a role in the portal that gives a user authorisation for starting transaction SE80 in the backend system? Without making the role in the backend first and uploading it to the portal.
    3. It's also possible to upload ABAP roles to the portal. Is the main reason for this that users can see their SAP menu (or part of it) in the portal? Or does this have other advantages too?
    4. I'm very confused about the relation between J2EE roles, portal roles and ABAP roles. Is it possible to manage the roles for a user in one place, without having to do certain actions in the portal AND the backend system?
    From what I've read on help.sap.com, you always need to do certain actions in both places.
    A possible approach is the following (from what i know): Creation of roles in the R/3 system, without assigning to users. From a webdynpro application, a user can then be created and roles can be assigned: portal roles (via some API) and R/3 roles (via BAPIs).
    I hope someone can give a bit of information on this issue. I've done a lot of reading on help.sap.com, but it's still an abstract issue for me.
    Kind regards,
    Joren

    Hi Joren
    Re: point 3. I don't build portal roles through this mechanism as I don't believe in replicating the SAP easy access menu inside the portal. If there are some specific functions (transactions) that I want to run inside the portal, then I might use this mechanism to build the iViews once. I would rather start an iView that runs transaction SMEN and let the user see their regular easy access menu.
    Please note that the speed of executing transactions in the portal isn't a function of the portal, but the fact that you are using ITS, for example, to web enable the transaction...
    Re: point 4. Groups are a UME concept. They have nothing to do with ABAP groups. They can be created directly in UME through user administration functions, or they can be created in the LDAP and then they are visible in the portal. If the UME points to an ABAP system, then the ABAP roles are automatically visible as UME groups. Groups created in the UME need to have the members assigned through user admin functions of the Java engine. Groups stored in LDAP are maintained using LDAP admin tools. There are upload utilities that allow you to maintain LDAP users and groups through text files. Google LDIF for more details.
    Roles on the portal need to be built in the portal content directory. As Michael mentioned, this can be automated by the use of the role upload function built into the portal.

  • Abap+java stack, users not mapping to portal role.

    We have the ABAP+Java add-on installed.
    The UME is by default the ABAP engine.
    From Portal:
    1. I create a portal user; it ALWAYS creates an ABAP user in the ABAP stack of WAS.
    2. I create a portal role; it creates a role in the Portal.
    3. When I assign the user this portal role, which has worksets and pages, I get no pages or worksets shown in the portal page as soon as the user logs in.
    Can you help configure this so that I could see the pages and iViews inside this workset when the user logs in?
    Thanks a lot.
    PS: posted this in webdynpro-ABAP. No reply came. Sorry to double post.

    Hi Mike,
    can you check in your workset (or pages) whether you have set the Entry Point flag?
    PS: Award points for good answers.
    Best regards,
    Gianluca Barile

  • Abap+java abap-user and portal-role PROBLEM?? help

    We have the ABAP+Java add-on installed.
    The UME is by default the ABAP engine.
    From Portal:
    1. I create a portal user; it ALWAYS creates an ABAP user in the ABAP engine.
    2. I create a portal role; it creates a role in the Portal.
    3. When I assign the user this portal role, which has worksets and pages, I get no pages or worksets shown in the portal page as soon as the user logs in.
    Can you help configure this so that I could see the pages and iViews inside this workset when the user logs in?
    Thanks a lot.

    Hi Mike,
    You did right,
    Just set the Entry Point property of your iView, page and workset to Yes.
    There are two radio buttons, Yes and No; select Yes.
    You can see your pages after login with the new user.
    Regards
    Abhimanyu L

  • Find user SAP Portal role in an abap program

    Dear all,
    We would like to check the SAP Portal role of a Portal user in a R/3 abap program.
    do you know if there is a bapi or a RFC module function to do that ?
    For example : the user CCDEMO (exists in EP and in R/3 backend) has a Buyer Portal role. In an abap program, I would like to have this information.
    Thanks
    kind regards
    Véronique

  • Portal Roles (ABAP & JAVA)

    Hi,
    We are planning to go for a portal implementation for our BW reports..
    I had a few questions with regards to the roles (BW & Portal) or (ABAP & JAVA)
    Question 1:
    I want a single place (BW) where I can assign all the roles (BI & Portal) to users, so whenever a user account has to be created… the support team will create it in the BW system and assign all the relevant roles in the BI system.
    If YES… then how can I move the navigational role (the role in which we publish iViews) that I created in the portal to BW?
    And also:
    How can I create a Java role in BW so that the role can be assigned to a user and his portal options will be updated?
    Thanks

    Hi
    Thanks for all the updates.
    Few questions
    How can I know which user repository my portal system is connected to (LDAP or ABAP data source)?
    and
    If you have configured your BW system as the ume datasource for your portal - then your backend roles in BW will show up in portal as Groups. You may choose to assign your portal roles to these groups.
    In BW, if I assign a composite role to a user, will it show as a group in the portal?
    As my requirement is a single place to create users, either in the portal or BW, if BW user roles are available in the portal as groups:
    Can I instead create a user account in BW and then go to the portal and assign portal roles to the user or user group to get portal privileges?
    Can I create a user account in the portal and assign the user to the corresponding groups in the portal? Will this action create a user account in BW as well?
    Thanks

  • Portal Roles link to ABAP Roles

    Hi,
    I want the user to get the roles that are assigned to him in the ABAP system. We have roles for specific functional areas like MM, Sales & Finance. I know that if I create a portal role, link the role to the ABAP role and set the property of the role to be an entry point, I can get the roles as in ABAP.
    What I want to achieve is something like this: every user's core role will have a BW Home and a BW Reports tab by default in level one. When the user selects BW Reports, level 2 should be filled with the ABAP roles assigned to him. Can anyone help me with whether this can be achieved and, if so, the steps to follow?
    Thank you,
    Ravi.

    Hi,
    Check the document below to get roles from ERP into the portal:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/f1cbe7ee-0901-0010-12b9-e6c74d94e132
    After bringing the roles into the portal, do the necessary settings in the portal for them to appear in second-level navigation (do not set entry point = yes).
    Koti Reddy

  • Can I get the portal role through Web Dynpro ABAP?

    I am working with Web Dynpro ABAP and I need to get the portal role.
    Can I get the portal role through Web Dynpro ABAP?
    Thanks and best regards.
    Maria Elena

  • No portal roles are assigned for this user.If this problem persists, contac

    I am trying to access portal first time using j2ee_admin user. It is saying "No portal roles are assigned for this user.If this problem persists, contact your system administrator."
    I am using an ABAP+Java engine. How do I configure this in the ABAP engine? I want to know which role to assign to the j2ee_admin user.
    I already assigned sap_j2ee_admin, SAP_BC_JSF_COMMUNICATION and SAP_BC_JSF_COMMUNICATION_RO, but it shows the same problem.
    Please help me.
    Edited by: Mugala Balu on Aug 7, 2010 5:53 PM
    Edited by: Mugala Balu on Aug 8, 2010 7:48 AM

    Balu,
    Well this issue has been discussed many a times in forums. You would have to point your data source to ABAP system.
    Check the thread "J2EE Failed to start, after changing UME datasource".
    Good Luck!
    Sandeep Tudumu

  • Pass parameter to all iViews in a portal role

    Hi,
    we have a portal role containing several iViews for ABAP Web Dynpro applications. Now we want to assign the parameter sap-wd-lightspeed=X to all these applications. Is it possible to do this in the portal application and can the customer set it off if they want to?
    One idea is to define a dummy iView with this parameter set in property Application Parameters, and define all iViews as delta-links of this dummy iView. But we have some iViews which need their own Application Parameters.
    Thanks & regards,
    Carlo

    Hi Bies,
    I hope you are calling the Webdynpro ABAP applications using AppIntegrator iview (com.sap.portal.appintegrator.sap.WebDynpro).
    Application Name : ABAP application
    Application Parameters:sap-wd-lightspeed=X
    Thanks
    Srikanth M

  • Report or ways to find who removed portal roles for an user id ?

    Hi Experts,
    Scenario: if an admin removes the super admin role or any other portal role for my ID, is there any possibility to see who exactly deleted the roles for my ID?
    Many Thanks
    Sekhar

    HI,
    as Anja wrote, this is not possible with a default installation of the SAP Portal.
    What you can do is to provide role provisioning with IIDM, GRC or ABAP user store solution instead of giving the portal admin the permission to change role <-> user attribution.
    br,
    Tobias
