Add a single role to different composite roles in one step

Hello everybody,
I am working on SAP authorizations, and we often have the situation that a new Tcode is developed and a new role for this Tcode needs to be created.
Then this new role needs to be added to many different composite roles (sometimes more than 100). At the moment I enter the single role into the composite role and regenerate the menu, and do this one by one. After that I add them with PFCG_MASS_TRANSPORT to my transport request.
I don't want to believe that there is no easier way. Any ideas?
Thank you
Flo

Hi Soma,
Great to find a place to be welcome. Thanks.
What you wrote definitely makes sense, but we agreed that every user only gets one composite role assigned and this composite role contains all single roles needed for his job. We do not assign single roles to users.
The requirement is that every finance guy should get access to it (by the way, it is a report). Unfortunately we have many different sites and many different composite roles for the different positions in the finance area.
And I did not identify a role which is part of every composite role in the finance area, so I would either have to add it to the most common role present in these composite roles and additionally create a new role which gets assigned to the composite roles where the role I add the T-Code to is not present.
-> In this example I would add one T-Code to two roles. Which our security manager disallowed me...
or make this role available in all finance composite roles, which will give these employees access to other T-Codes which are part of the role but which they should not receive.
-> Which again... our security manager disallowed me...
So the only solution I imagined was to create a new role which contains this T-Code and to add this role one by one to every composite role.
And in the end, your concept is also taken into account, because the design of this role is open and if we get new reporting T-Codes which again need to be added for all finance guys, I will definitely add them to this role.
Comments?
Cheers
Florian

Similar Messages

  • CUP 5.3, Risk test of all roles in a Composite Role - possible?

    We want to use a Function (Dummy) Role in CUP, that shall have Composite Roles connected in CUP.
    But when I do this - I only see the composite role when I make a SoD / Risk check in my CUP WF.
    Can I somehow also check the single roles in the composite roles?
    Thank you
    Kristian

    Hi Kristian,
    It should definitely be possible to analyse the composite role via GRC.
    Either through simulation of the assignment of the additional single role into the composite or by the assignment of the composite role into the user's authorisations.
    The composite role itself will not have any authorisations but it should read through the single roles contained within it as it is those authorisations which end up with the user.
    Have you tried analysing the composite role directly in RAR to isolate it away from the CUP functionality as a unit test? If that works, you should then be able to prove that the risk analysis is indeed working. Then you can concentrate on the configuration of the workflow processes through CUP without being distracted from the primary objective.
    Simon

  • Identifying Duplicate Roles and Tracking Composite Role Assigned to the Use

    Dear Friends,
    I am a novice on this website even after browsing for the past 3 months. This website is so useful and huge, with so many forums. I am lost many times about where to post these questions. There is not a single SAP Security forum or Basis/Security-related forum. Can anyone direct me to the right forum or, if there are no security forums, can anyone direct me how to start a new forum so that all security-related discussions and knowledge sharing take place? I am requesting the moderators of this website to direct me to the right forums.
    We have around 2000 users in Production. We assign composite roles and single roles to all users. Sometimes we use SECATT or LSMW to update user master data to assign some roles that are ALREADY assigned to the users. I have 2 questions. Is there any way to clean up this mess? I mean identifying all users who have these duplicate roles with different validity dates. I am sure SUIM cannot help me, as I researched a lot on this. I would appreciate it if anyone can direct me to some solution for this cleanup process. I mean some SQL or SAP Query will help me, I guess. Any suggestions are greatly appreciated.
    My second question is about tracking composite role/user assignment changes. We assigned some composite roles to the user 3 months ago and deleted them last week. When I check SUIM change documents, it does not show composite role history. It displays all single roles that were assigned and deleted later, BUT it never showed any information on composite role additions or deletions in user change documents. I hope SUIM is not going to help. I still need to go to many places or write some good SQL and execute it.
    Has anyone written such utility SQL programs for cleanup of roles/users in SAP? Is there any way to check or debug this issue, looking at any tables that monitor these changes? I would appreciate it if anyone can share this knowledge for resolving these issues.
    Any ideas and suggestions are welcome.
    Thanks
    Kumar

    Satish,
    Please post this in the SAP NetWeaver Administrator Forum and close this thread here.
    SAP NetWeaver Administrator
    Regards,
    Ravi

  • Reg derived roles combination into composite role

    Dear All,
    We have a role called GR Clerk. This will be available across all stores and DC for our retail customer. We have devised a strategy wherein we will create one global role with * in org level for site. Then we will
    create derived roles for individual DC and stores (from global role) and maintain site for each derived role.
    Now our customer wants following:
    Example: Store 1's GR clerk shall have required authorizations on transaction for Store 1, plus, one
    additional authorization/transaction for Store2.
    What we initially thought was that we will create two individual global roles: One for all authorizations and
    second for additional authorization.
    Global GR Clerk role: GRC
    Transactions: t1, t2, t3          
    Global GR Clerk role: GRC_additional
    Transactions: t4
    Derived Roles
    for GRCStore1:     
    1. GRCStore1 with org level Site= Store1     
    2. GRCStore1_additional with org level Site= Store2
    Now I will assign both derived roles to user who is GR Clerk on Store1.
    Is this approach correct?
    Also, customer wants that only one role should be assigned to user. So shall I create a composite role out of 2 derived roles?
    Will the respective site org levels be maintained after combining derived roles into composite one?
    Thanks for your time in advance.
    regards, Sean.

    Hi,
    Regarding the transaction roles and authorization roles, it is also a good approach; however, you would still have to consider the above point in case the authorization objects overlap and make sure that both are restricted to appropriate "stores".
    Whether it's a good approach or not, per me, depends on the overall scenario and the fact that how much maintenance would be required in long term.
    Like say, if it is a case that the transaction codes (t1,t2 and t3) are for specific stores and transaction t4 is like display activity of other store and not just store 2. Then creating a common role for transaction t4 and including it in the composite role apart with the store specific role with tcodes (t1,t2 and t4) would also be a good approach.
    ZZZ:STORE_CLERK_STORE1             (Composite Role)
    ZZS_STORE_CLERK_STORE1                      transaction code t1, t2 and t3
    ZZZ_STORE_CLERK_STANDARD                  transaction code t4 (Either no org level restriction or all store access)
    ZZZ_STORE_CLERK               (Parent Role)
    ZZS_STORE_CLERK_STORE1                  Org level Restricted to Store 1
    ZZS_STORE_CLERK_STORE2                  Org level restricted to Store 2
    and so on
    PS: Naming convention are for illustration only
    Cheers !!
    Zaheer

  • Common technical roles in different business roles in BRM & ARM

    Hi Gurus,
    Some help please.
    We have the following situation with BRM & ARM role provisioning.
    In BRM we have for example two business roles set up (B1 & B2). We have in these two business roles a common technical role.
    E.g. B1 (has roles T1, T2), while B2 (has roles T1 & T3).
    In our example a user already has role B1 (with T1 & T2) assigned. The user then needs access to role B2 as well.
    Since role T1 is common to both business roles, when a user makes a request, ARM then sends them a notification saying that a duplicate role exists within the request (which they have to remove before continuing). This is confusing some users.
    My question is as follows. Is there a way for the user to process the request without having the warning displayed & without having the duplicate technical role assigned?
    So essentially, they will get access to business roles B1 & B2 (but technical role T1 will not be assigned twice)?
    Your help is greatly appreciated.
    Regards,
    AJ

    Hi AJ,
    Could you share the notification message that ARM generates? And what about the role T1 assignment?
    Is it assigned two times in the user profile?
    Thanks,
    Mamoon

  • Assign single role to composite role with alternate logsys assignments

    Dear gurus,
    In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
    Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
    But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
    Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
    Cheers,
    Julius

    Hi Martin and others,
    I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
    While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
    Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
    You also don't see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send additional Idocs for these single roles with targets assigned to the roles and not the user.
    There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
    That is a bit of a bummer because it means that you also cannot ever test anything...
    Did anyone ever try to actually use this?
    Cheers,
    Julius

  • ECATT to mass delete singles roles from a composite

    Hi,
    I am creating an eCATT to delete single roles from multiple composite roles. The eCATT takes the same position of the single role for each composite. And of course the single role may differ per role.
    Could someone help?
    Thank you in advance,
    Yolanda

    Hi Garcia,
    I did not quite get your example as I am not familiar with the roles tables or transactions.
    But, if I understood your requirement, you want to delete all those single roles (some specific role) from a list of roles.
    I am not sure how the transaction looks here, but a standard way of doing it is to record one execution of deleting the role using TCD or SAPGUI using the position button when available, entering the role name, selecting the delete button on the screen and then saving.
    Now, when you check the database table for the number of occurrences of this type of role, collect the count from the table into a local parameter and execute the earlier deletion script multiple times using the DO command.
    Select count from <tabname> where <role field> is <value> into <Local parameter>.
    and use the earlier script with in
    DO (<local parameter>).
            SCRIPT
    ENDDO.
    This ideally works. You can come back if you need any additional inputs.
    Best regards,
    Harsha

  • Adding transactions in a composite role menu

    Hello All,
    I want to add transactions in the menu for a composite role, but I do not see the option to add it. Please guide me on how this would be possible. Do I need to create single roles and merge the menus for them, or can I create a separate menu for the composite role?
    Thanks in advance.
    Regards,
    Anju

    Hi There,
    No, first of all you can't add transactions to the menu of a composite role, as a composite role is a collection of several single roles.
    What you can do is create a single role, make additions/deletions of tcodes inside the single role, which will automatically be reflected in the menu tab of the single role, and then you can add this single role to the composite role.
    If you want to make changes to the tcodes from the menu tab, you need to go to the single role and make changes, which will be reflected automatically, but through the composite role it's not possible to make changes to the menu tab simply because the composite role takes all the tcodes from the single roles contained within it.
    Hope this answers your query
    Best ,
    Suchitra

  • Reg: Change date of Composite role

    Hi,
    I just need to find out if one of the composite roles in 2 different systems are the same.
    Please let me know how to do this.
    Regards,

    Hi,
    If you go to SUIMComparisons Roles and provide the roles (here you can have option of Single as well as Composite Roles) you will get a cumulative list of all the roles which these both roles consists of.
    If any role is available in both the composite roles, it will have u201CGreenu201D cube in both the columns and if not then a u201CRedu201D start will be shown.
    As logically composite roles are just group of single roles to understand the real comparison you need to compare the single roles which are part of these composite roles.
    Please let me know for any issues,
    <removed_by_moderator>
    Regards
    Suhas
    Edited by: Julius Bussche on Nov 10, 2009 3:03 PM

  • Composite role not showing in Access request screen. (BRM not used)

    Dear All
    I have created a composite role in the backend system with 2 single roles.
    a. I have imported the single roles using the NWBC screen.
    b. Ran the auth sync job.
    c. Imported the composite role as a technical role using the NWBC import screen.
    The import procedure was successfully completed.
    But when I try to search for the role in the Access request screen for a user, I can only see the single roles & not the composite roles.
    Please advise
    Raju

    Hi Raju,
    In addition to Alessandro's valuable inputs, you need to be sure whether or not you were able to generate the composite roles (in NWBC).
    The final stage of the composite role has to be in complete status.
    Regards,
    Ameet

  • SECATT to create a composite role

    hello,
    until now i was using secatt with success to create composite roles.
    but i now have to create composite roles with a lot of included simple roles.
    and i have this problem : when i try to add more than 11 simple roles to my composite roles, it doesn't work.
    i think it's a problem related to scrolling but i cannot see how to resolve it.
    thanks for your help
    best regards

    JEROME TOCANNE wrote:
    > hello,
    >
    > until now i was using secatt with success to create composite roles.
    >
    > but i now have to create composite roles with a lot of included simple roles.
    >
    > and i have this problem : when i try to add more than 11 simple roles to my composite roles, it doesn't work.
    >
    > i think it's a problem related to scrolling but i cannot see how to resolve it.
    >
    > thanks for your help
    >
    > best regards
    SECATT reads your source file sequentially, one line at a time.  Design your script to read each line with the name of the composite role then on the same line the simple role that needs to be added.  With this design you can add 1 or 20 simple roles on a composite role.  You might need two scripts to make it simpler, one to create the composite role and the other to add the simple role to the composite.
    Good luck!

  • Get child users of composite role

    Hello
    There is an FM (ESS_USERS_OF_ROLE_GET) which brings all users of a role, but what I want is more complicated.
    If there is a composite role, I want to get all the users that are in the roles under the composite role.
    Let's say I have a composite role with two roles inside (in the role tree).
    Composite role
    user1"this is the users of the composite role
    user2
    user3
    Role number  1
    user4
    user7
    user9
    Role number 2
    user 8
    user 5
    user7
    user6
    What I want is to get all the users of the composite role and the child role (which is parent),
    which is
    users 1 - 9.
    I read some previous posts on this issue in the forum, but what I need is to use just this FM without access to the DB
    table such as T_AGR_AGRS and COLL_ACTGROUPS_GET_ACTGROUPS.
    What I need to do is a recursive call on the FM ESS_USERS_OF_ROLE_GET.
    Regards
    Joy
    Edited by: Joy Stpr on Aug 23, 2009 8:50 AM

    Hello Joy,
    How is it possible to use just function module ESS_USERS_OF_ROLE_GET to get data without DB access?
    I mean this function module takes a simple/composite role as input, so you have to have some list maintained
    which will be the input for this function module.
    I think you can load composite and simple roles in a table and loop at it to make calls to function module ESS_USERS_OF_ROLE_GET to get users for composite/simple roles.
    Some input has to be there, that's what I feel.
    Check if this helps!
    Thanks,
    Augustin.

  • Stopping user compare when saving composite roles in 4.6c basis pack 25?

    One of the environments I look after is a 4.6c system with basis pack 25 – they can’t upgrade as it breaks a great deal of very heavy customisation in that system.
    We have encountered an issue with the saving of composite roles in that system - when a role is saved we must sit through a very long period of “user distribution in role XXX” while the system performs a user compare of every singular role in that composite role.  This is very painful as it can take nearly half an hour simply to save the composite role – we then need to rebuild the menu and compress it (we use the composite role’s menu structure).  The odd thing is that this behaviour wasn’t apparent for many years – it suddenly started happening about 2-3 years ago to a previous administrator but he wasn’t aware of any changes going through, it just began to force these lengthy compares on him when saving composites.
    I’ve tried in vain to disable this forced compare on every save – I’ve tried the PRGN_CUST modifications including adding the lines “AUTO_USERCOMPARE” with a value of “NO” and “USRCOMPARE_PFUD” with a value of “YES” to try and stop the profile generator from doing this but to no avail.  Unless these settings need a restart of the system to take effect (do they?) I’m at a loss to find any other options.
    The menu setting in the profile generator of “automatic user master adjustment when saving role” is switched off – though setting “auto_usercompare” seems to have broken the ability to bring up the “settings: role maintenance” dialogue box anyway.
    We have a very large number of roles to modify and would be grateful if anyone could offer any advice here.
    Thanks
    DT

    the problem with your issue is that none of us can reproduce that phenomenon, since none of us has that combination of primal release/support package level at hand any longer (at least i think so). so there's only two options left to you:
    first: update this special application until the problem goes away - do so by adding note after note on the very subject, like the one i mentioned plus [905924|https://websmp130.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=905924&nlang=EN&smpsrv=https%3a%2f%2fwebsmp107%2esap-ag%2ede] plus [662484|https://websmp130.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=662484&nlang=EN&smpsrv=https%3a%2f%2fwebsmp107%2esap-ag%2ede] and stop only when you hit one that is not implementable using SNOTE but only by implementing a support-package -> this will obviously be the point where you're stuck then.
    (and yes - for the sake of rob burbank: there are several other ways to implement corrections aside from SNOTE).
    second: open a call with SAP. mind you, this might become a lengthy one since they will also give you note after note ...
    as i said, i'm pretty sure no one in here can help you doing a proper analysis anymore (but maybe i'm wrong).
    anyone - any other (better) suggestions?

  • Single/Composite role

    Dear all,
    Do you know any table which should have composite roles, single role, authorisation object, etc.? I want to know a table other than AGR_AGRS.
    The idea is to pick the corresponding composite roles from the single role. I did this by reading from table AGR_AGRS but this is not working since it always picks the first composite role. So I am looking for a
    table which should have 2 unique fields to match table AGR_1251.
    Start routine code which is currently used:
    * Load all composite-to-single role assignments.
    SELECT * FROM agr_agrs INTO TABLE lt_s_role.
    IF ls_s_role-agr_name = <fs_data>-/bic/singlerole.
      " The record already names a composite role.
      <fs_data>-/bic/comprol = ls_s_role-agr_name.
    ELSE.
      " READ TABLE returns only the first row that matches the key.
      READ TABLE lt_s_role INTO ls_s_role
        WITH KEY child_agr = <fs_data>-/bic/singlerole.
      IF sy-subrc = 0.
        <fs_data>-/bic/comprol = ls_s_role-agr_name.
      ENDIF.
    ENDIF.
    But the above code will always pick the first composite role, which is wrong.

    Hi,
    you should use a LOOP instead of a READ.
    As you already mentioned, there can be more than 1 composite role.
    If you want to add all, you will need to accept that this will add lines to your data package in your start routine.
    Best,
    Ralf
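
The LOOP-based lookup described in the answer above, as an added example that is not part of the original thread: a stand-alone ABAP report that emits one output record per composite role containing the single role, instead of stopping at the first match. The local types, role names and sample rows (shaped like the AGR_NAME and CHILD_AGR columns of AGR_AGRS used in the question) are constructed for illustration.

```abap
REPORT z_demo_single_to_composite.

* Added illustration, not code from the thread. Types, role names and
* sample rows are constructed; lt_agrs mimics AGR_AGRS (AGR_NAME, CHILD_AGR).
TYPES: BEGIN OF ty_agrs,
         agr_name  TYPE c LENGTH 30,  " composite role
         child_agr TYPE c LENGTH 30,  " single role contained in it
       END OF ty_agrs,
       BEGIN OF ty_rec,
         singlerole TYPE c LENGTH 30, " role name arriving in the record
         comprol    TYPE c LENGTH 30, " composite role to be filled
       END OF ty_rec.

DATA: lt_agrs  TYPE STANDARD TABLE OF ty_agrs,
      ls_agrs  TYPE ty_agrs,
      lt_in    TYPE STANDARD TABLE OF ty_rec,
      lt_out   TYPE STANDARD TABLE OF ty_rec,
      ls_rec   TYPE ty_rec,
      lv_found TYPE c LENGTH 1.

START-OF-SELECTION.

* Constructed assignments: ZS_FIN_REPORT sits in two composite roles.
  ls_agrs-agr_name = 'ZC_FIN_SITE_A'. ls_agrs-child_agr = 'ZS_FIN_REPORT'.
  APPEND ls_agrs TO lt_agrs.
  ls_agrs-agr_name = 'ZC_FIN_SITE_B'. ls_agrs-child_agr = 'ZS_FIN_REPORT'.
  APPEND ls_agrs TO lt_agrs.
  ls_agrs-agr_name = 'ZC_FIN_SITE_A'. ls_agrs-child_agr = 'ZS_FIN_POSTING'.
  APPEND ls_agrs TO lt_agrs.

* Constructed input: two single roles, one composite role, one role
* that is not contained in any composite role.
  CLEAR ls_rec. ls_rec-singlerole = 'ZS_FIN_REPORT'.  APPEND ls_rec TO lt_in.
  CLEAR ls_rec. ls_rec-singlerole = 'ZS_FIN_POSTING'. APPEND ls_rec TO lt_in.
  CLEAR ls_rec. ls_rec-singlerole = 'ZC_FIN_SITE_A'.  APPEND ls_rec TO lt_in.
  CLEAR ls_rec. ls_rec-singlerole = 'ZS_ORPHAN'.      APPEND ls_rec TO lt_in.

  SORT lt_agrs BY child_agr agr_name.

  LOOP AT lt_in INTO ls_rec.
    CLEAR lv_found.

*   LOOP ... WHERE visits every parent; READ TABLE would stop at the first.
    LOOP AT lt_agrs INTO ls_agrs WHERE child_agr = ls_rec-singlerole.
      ls_rec-comprol = ls_agrs-agr_name.
      APPEND ls_rec TO lt_out.          " one output line per composite role
      lv_found = 'X'.
    ENDLOOP.

    IF lv_found IS INITIAL.
*     No parent found: the record may itself name a composite role.
      READ TABLE lt_agrs TRANSPORTING NO FIELDS
        WITH KEY agr_name = ls_rec-singlerole.
      IF sy-subrc = 0.
        ls_rec-comprol = ls_rec-singlerole.
      ENDIF.
*     Keep the record either way so unassigned roles stay visible.
      APPEND ls_rec TO lt_out.
    ENDIF.
  ENDLOOP.

  LOOP AT lt_out INTO ls_rec.
    WRITE: / ls_rec-singlerole, ls_rec-comprol.
  ENDLOOP.
```

The output table grows beyond the input whenever a single role belongs to several composite roles, which is the extra lines in the data package that the answer mentions.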

  • Multiple UWL for the single user with different Role

    Dear SAP Gurus,
    We have one critical requirement on the Universal Worklist: as a functional requirement, some approvers will play different roles as approver, and we need to track the approver inboxes separately for the same person.
    For example:
    Approver A - is a Purchase Executive (Role)
    Approver B - is a Purchase Manager (Role)
    Every time, Approver A has to access his approval requests separately (belonging to Approver A) and take action; as well, Approver A has to see Approver B's action items separately and take action.
    Currently we have 4 levels available and a single person has to take action based on the 4 different approvers (Role).
    Is there any workaround for the above requirement?
    Thanks in advance,
    Vinod
    Edited by: Vinod Malagi on Jul 20, 2010 3:33 PM

    Hi Karri,
    For the same requirement, I want to tweak it by adding one more column in the UWL by enhancing the BOR.
    I have tried the below; can you please suggest whether it can be done by virtual attributes?
    Once data is coming into the UWL I will put 3 custom filters.
    We need to add a new column in UWL, which is present in table SWWORGTASK; in this we have to pass WI_ID, get ORG_OBJ and populate it as a column in UWL.
    Please suggest how we can implement this. Do we need to create a virtual attribute in the BOR for the same?
    We have referred to the below link, but we are not able to implement the same. Kindly suggest.
    http://www.erpgenie.com/sap/abap/bor.htm
    Thanks in advance
    Vinod
