J2EE roles vs Portal roles vs ABAP roles

(I also posted this on portal implementation, but I hope I receive more reactions here)
Dear all,
I have a question about the information on the following link:
http://help.sap.com/saphelp_nw2004s/helpdata/en/4c/6c0f40763f1e07e10000000a1550b0/content.htm
It says the following:
"These functions are intended to assign users and their assigned portal roles a corresponding role in the SAP System. This corresponding role (authorization role) contains the authorizations needed to execute certain functions from the portal."
1. These "...certain functions..." they talk about, can someone give an example of these functions?
2. Is it possible for example to create a role in the portal that gives a user authorisation for starting transaction SE80 in the backend system? Without making the role in the backend first and uploading it to the portal.
3. It's also possible to upload ABAP roles to the portal. Is the main reason for this that users can see their SAP menu (or part of it) in the portal? Or does this have other advantages too?
4. I'm very confused about the relation between J2EE roles, portal roles and ABAP roles. Is it possible to manage the roles for a user in one place, without having to do certain actions in the portal AND the backend system?
From what I've read on help.sap.com, you always need to do certain actions in both places.
A possible approach is the following (from what I know): Creation of roles in the R/3 system, without assigning to users. From a webdynpro application, a user can then be created and roles can be assigned: portal roles (via some API) and R/3 roles (via BAPIs).
I hope someone can give a bit of information on this issue. I've done a lot of reading on help.sap.com, but it's still an abstract issue for me.
Kind regards,
Joren

Hi Joren
Re: point 3. I don't build portal roles through this mechanism as I don't believe in replicating the SAP easy access menu inside the portal. If there are some specific functions (transactions) that I want to run inside the portal, then I might use this mechanism to build the iViews once. I would rather start an iView that runs transaction SMEN and let the user see their regular easy access menu.
Please note that the speed of executing transactions in the portal isn't a function of the portal, but the fact that you are using ITS, for example, to web enable the transaction...
Re: point 4. Groups are a UME concept. They have nothing to do with ABAP groups. They can be created directly in UME through user administration functions, or they can be created in the LDAP and then they are visible in the portal. If the UME points to an ABAP system, then the ABAP roles are automatically visible as UME groups. Groups created in the UME need to have the members assigned through user admin functions of the Java engine. Groups stored in LDAP are maintained using LDAP admin tools. There are upload utilities that allow you to maintain LDAP users and groups through text files. Google LDIF for more details.
Roles on the portal need to be built in the portal content directory. As Michael mentioned, this can be automated by the use of the role upload function built into the portal.

Similar Messages

  • Role Mapping For Portal Role Assignment and ABAP Role Assignment

    Summary:
    - Under the GRC configuration of Roles > Role Mapping we are trying to utilize the role mapping feature in GRC for associating a dependent role to a main role.
    - We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
    - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
    Problem Description:
    Our Scenarios we tested:
    Scenario 1:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator B & workflow B (routes to auto approval or no approval)
    *Problem with the Scenario 1 setup above, the dependent role will always get approved & provisioned regardless of the approval or denial of the main role.
    Scenario 2:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator A & workflow A(routes to single approver (same as main approver) based on role)
    *Problem with the Scenario 2 setup above, the dependent role will always also need to get approved by the same approver as main role and it opens the possibility that the approver may accidentally approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
    Questions:
    1. Does the dependent role need to be defined in an initiator at all since it will never be requested directly?
    2. If the dependent role does need to be in the initiator file, please describe how to properly set up the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency? (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC and if the role owner rejects/denies the main role, then neither the main role or dependent role will be provisioned by GRC)
    Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

    I tested this set up.
    1.  Defined ABAP role as Main role
    2.  Defined Non-ABAP role as dependent role
    3. ABAP role  is set up in initiator requiring business approval.
    4.  Non-ABAP role is set up in initiator with no approval required.
    Results Where Business Approver approves the ABAP Role
    1. Only the ABAP role is displayed in approver view which is desirable.
    2.  ABAP role is approved and Non-ABAP role and ABAP role are provisioned.
    Results Where Business Approver rejects the ABAP Role
    1. Only the ABAP role is displayed in approver view which is desirable.
    2.  ABAP role is rejected but  Non-ABAP role is provisioned which is not what we want.  We want the Non-ABAP role not to provision if the ABAP role is rejected by the business approval.
    Thanks again for your help.

  • Abap role in the enterprise portal?

    Can anyone give me a clear picture about the enterprise portal and ABAP role in that?

    Hi, when there is an integration between EP and R/3 and you click on the User Administration of the Portal you will find two types of users available there.
    1. UME Database - this is nothing but the Portal Roles. Here you will find all the roles related to portal administration, such as eu_role, eu_corerole etc.
    We assign portal developer roles to the user from here like Content Admin, System Admin, etc.
    2. ABAP Role: whatever roles are defined for the user in the backend will appear here ...
    for instance if you implement ESS, hence the user must be able to apply for Travel so a backend r/3 travel role will be attached in SU01 for that user. This is visible on portal.
    Hope this clarifies!
    Cheers!
    SJ.

  • How to upload ABAP roles in Portal 6.0 N/W ABAP + Java

    Hi ,
    I have portal 6.0. How can I see the ABAP roles in portal? I know there is some backend system that needs to be configured. Please write step by step. I can create users in portal which are replicated in ABAP.
    I have gone through some forums but did not get the answer.
    Regards
    Atul-

    Thanks for your reply... I am new to Portal. From the document you sent me I did not understand where to configure the backend system. Please let me know where I configure the below information in portal.
    When you create a system with a connection to an ABAP-based backend system, you must maintain at least the following property categories and properties:
    Property Category: Connector
    Properties: Group; Logical System Name, e.g. QWACLNT100; Message Server; SAP Client; Message Server; SAP System ID
    Property Category: User Management
    Properties: Logon method; User mapping type (if you want to take advantage of user mapping)
    Property Category: Internet Transaction Server (ITS)
    Properties: ITS Description, e.g. qwa_its; ITS Host Name; ITS Path; ITS Protocol
    Appreciate for your reply...
    Regards
    Atul

  • R/3 Transaction Iviews vs Imported ABAP Roles on Portal

    Hi,
    In one of our requirements, Business needs to set up such that client should be able to have web based access to R/3 Transaction through Portal.
    We can achieve that by creating a system in portal and creating a Transaction iView with the required T-code of R/3.
    What's wrong if we define roles in the ABAP system for a user with full hierarchy and import those ABAP roles into the portal, and through the portal give unified web based access to the imported roles?
    Do both the possibilities accomplish our need? What are the main gaps between these two methods?
    I want to go by the Import method. Any suggestions please?
    Cheers
    Rani

    Hi Michael,
    I agree with you that the ABAP role has a complicated menu structure and uploading has to be done on a regular basis.
    Is there any mechanism through which any change in ABAP role structure in R/3 reflects in portal exactly so that there is no need of regular uploading?
    If not, in which business scenario is uploading of ABAP roles into portals helpful? What's the use?
    Coming back to your second solution
    It is much easier to have one transaction iView that starts transaction SMEN, which presents the user's full SAP menu in a single screen
    But what about a user if he wants to navigate from this transaction SMEN to other transactions to which he is authorised (R/3 back-end) through this single Transaction iView?
    In other words, if we want to have access to 5 transaction iViews in R/3, do we need to create 5 corresponding transaction iViews in portals? How to achieve this requirement in a better way?
    Waiting for your reply
    Bye and have a Nice Day
    Rani

  • ABAP roles v/s Portal Roles

    Hi All,
    Currently I was going through EP security docs where I came across this
    "An important difference between ABAP roles and Portal roles is that in the portal, no authorizations are defined for the backend application itself. This must still be done within the backend applications (for example, mySAP ERP)."
    Can somebody please explain this to me?
    Would also like to know more differences between ECC and EP security,
    Thanks,
    Ajit

    Hi Ajit,
    I have been looking into this for some time as well, but am still not sure of some things myself nor which scenarios fit best to which security aspects.
    My understanding is that it depends on how the portal is connecting to the backend.
    If the portal user is the backend user, then the portal role is just a permission to click on things in the portal. The portal roles are mapped to the backend roles in the ABAP system (so you can, and need to, define what that portal role can in fact do when the portal user "clicks" in the backend, using the backend roles of the same backend user context).
    If the portal user is not the backend user (i.e. it is a system service for generic access to the backend), then you should restrict the backend access to the bare minimum of that service and control the security in the portal application (the calling application) as the backend user context is not the same.
    So it is a "design" answer as well...
    There are a few good posts about this if you use the search. If you find a good one, then please link it here so that others who use the search and follow up on their questions can use it as well.
    At the top of the forum, there is a sticky thread on FAQs and other useful discussions. Sadly, portal security does not have any links yet, so if you find a good one then let me know.
    Cheers,
    Julius

  • Portal Roles link to ABAP Roles

    Hi,
    I want the user to get the roles that are assigned to him in the ABAP system. We have roles for specific functional areas like MM, Sales & Finance. I know if I create a portal role and link the role to the ABAP role and set the property of the role to be entry point I can get the roles as in the ABAP.
    What I want to achieve is something like this. Every user core role will have a BW Home and BW Reports tab by default in level one. When the user selects BW Reports, level 2 should be filled with the ABAP roles assigned to him. Can anyone help me if this can be achieved and if so the steps to be followed.
    Thank you,
    Ravi.

    Hi ,
    check the below document to get roles from erp into portal
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/f1cbe7ee-0901-0010-12b9-e6c74d94e132
    After bringing  roles into portal , do necessary settings in portal to appear in second level navigation ( do not set entry point =yes)
    Koti Reddy

  • Portal Groups vs. ABAP Roles

    Hi,
    We have the following scenario:
    SAP EP (6.0 SP19) with content from BW and HR (ESS&MSS).
    The backend systems and the portal use CUA.
    The problem is that for example when a new user(employee) is created in HR, we would like that the user automatically gets a certain role in the portal (employee or manager, depending on the role given to him in the backend system).
    At the moment we first have to give the user a role in the backend system + assign the user to a group in the portal. Is there a better solution for this?
    Regards,
    Kristian Rantakoski

    You can import backend roles in portal. After importing these backend roles in portal, these roles appear as Groups in portal. As users are automatically part of these groups in portal, you can assign manager roles of portal to Manager group (which is actually a role in the backend) in Portal.
    The above approach worked for me in case when I configured Portal UME to ECC6.0 user database. I am not sure if the same approach will work in case of CUA.
    You can give it a try.
    Best Wishes
    Prabhakar

  • Roles In SAP Web AS ABAP would not appear automatically in J2EE Engine

    I have an ABAP+Java Addin Instance Installed.
    When I create a user, it shows up in the Java Engine when I go to Services->Security Provider.
    But the ABAP roles would not show up in the Java Engine.
    Please advise..

    Hi,
    It depends on the UME chosen,
    You need to ensure your ume config allows groups to be created. check the xml you have chosen,
    also permission for sapjsf.
    Cheers,
    Chetan

  • ABAP Role Assignments stored in MSAD

    Hi all,
    unfortunately I have only found contradicting information in relation to the possibility to manage ABAP role assignments using a MS Active Directory.
    We plan to implement a WAS (ABAP) 6.40 SP14, synchronise data between the WAS and the corporate MSAD. While WAS (ABAP) is not capable of MSAD based authentication I suspect it is possible to manage the user/role assignments in MSAD. Am I right in my assumptions (see list below) that the following data entities can/cannot be managed and synchronised/stored with the WAS (ABAP) out of the box?
    WAS ABAP
    1. possible - user master data (e.g. userName, address, etc.)
    2. possible - user/role assignments
    3. not possible - user passwords (however, can be bypassed through SSO based on NTLM)
    Portal UME
    1. possible  - user master data
    2. possible - user password
    3. possible - role/group assignments
    4. possible - group/user assignments
    5. possible - user/group assignments
    6. possible - user/role assignments
    Thanks for the help!!
    Cheers Stefan

    Hi,
    Thanks for the suggestion. But ours was a different problem.
    The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
    During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
    Best regards,
    Ashok

  • Mapping ABAP roles and assignments to EP UserGroups and EP Roles

    Hello.
    I have set up my EP7 UME to upload ABAP roles as Portal Groups. I'm expecting the ABAP role to user assignment to also reflect as EP Group to User assignment.
    All my roles that 'exist' in the ABAP source system are created in EP7 correctly as expected. However, only "direct" user to role assignments are uploaded. NONE of my "indirect" user to role assignments (ie: Via HR Org in ABAP system) are reflected in EP.
    Question: Is there a way I can incorporate indirect user-role assignments into the upload into EP as well?
    Thanks
    Andrew
    ps: I have played with HR org active switch in vain in ABAP syst

    Hi Kumar,
    Have you tested the connection of your R3 system?
    Do you want to connect to the ABAP UME?  If so do the following:
    1.     Logon to the portal as administrator
    2.     Go to:
    1.     System Administrator
    2.     System Configuration
    3.     UME Configuration
    4.     Click Modify Configuration
    5.     From the drop down select ABAP system
    Fill in the details for your system. 
    Click on the User Mapping tab
    Click on the reference system combo box and select the relevant system
    (in this case R3)
    Click on the ‘Test Connection button’. If the test has been successful you should get a ‘Connection test successful’. It is important to test the connection before saving otherwise this could cause you lots of problems!
    Thanks,
    Nick

  • Documentation for PI ABAP roles

    Hi all,
    is there a general documentation for the PI ABAP roles? I assume something like that:
    - User should access J2EE Adapter Engines / SOAP Adapter (used for sending a Webservice to PI from a 3rd Party Application) --> necessary role abc
    - User should be able to process Alerts in Alert Inbox --> necessary role def
    - User should be able to create repository objects --> necessary role ghi
    - User should be able to create scenario objects in integration directory --> necessary role jkl
    What I still don't know which ABAP role is used for which purpose. We'd like to assign minimal roles to the users.
    BR
    Holger

    Hi,
    Check in this link:
    http://www.erpgenie.com/sap/netweaver/xi/xiauthorizations.htm
    For alerts refer this:
    The following predefined user roles are available for customizing and administration:
    • SAP_BC_ALM_CUST for customizing authorization.
    • SAP_BC_ALM_ADMIN for administration authorization. The administrator has the authorization for all activities. He or she can also read and confirm alerts for other users. In addition, the administrator can execute report RSALRTPROC to delete, escalate, and deliver alerts as well as to delete logs.
    • For the sending of alerts via external communication methods (e-mail, sms, fax) and for inbound processing, an RFC user has to be created on the central alert server with the role SAP_BC_ALM_ALERT_USER. The authorization objects contained in this role are S_OC_SEND and S_RFC.
    • Accessing alert inbox the userid has to have the role SAP_XI_MONITOR.
    • SAP_ALM_ADMINISTRATOR - Alert Management Administrator Give this rights
    Refer the SAP_XI_ADMI topic and see the roles.
    http://www.erpgenie.com/sap/netweaver/xi/xiauthorizations.htm
    Refer link for user roles: http://help.sap.com/saphelp_nw2004s/helpdata/en/74/03b140ade49c2ae10000000a155106/content.htm
    Roles needed for IR and ID:
    Role: SAP_XI_Developer
    SAP_XI_DEVELOPER (Composite)
    SAP_SLD_DEVELOPER
    SAP_XI_DEMOAPP
    SAP_XI_DEVELOPER_ABAP
    SAP_XI_DEVELOPER_J2EE
    Role: SAP_XI_Configurator
    SAP_XI_CONFIGURATOR (Composite)
    SAP_SLD_CONFIGURATOR
    SAP_XI_BPE_CONFIGURATOR_ABAP
    SAP_XI_CONFIGURATOR_ABAP
    SAP_XI_CONFIGURATOR_J2EE
    SAP_XI_DEMOAPP
    Regards,
    Nithiyanandam
    Edited by: Nithiyanandam A.U. on Feb 18, 2008 2:31 PM

  • How to programmatically upload roles to Portals.

    How can we programmatically upload roles from CUA to Portal? Are there any BAPIs or any other methods that we can use to accomplish this? We currently have a program that runs as a job every night to create users and assign them roles in R/3, EBP and WP systems and we would like it to do the same thing for portals.
    Any ideas/suggestions will be greatly appreciated.
    Thanks.

    Marek,
    Thank you very much for your guidance. We are still stuck, we checked the configuration and it's set to SAP system but we don't see any R/3 roles in portals. Can you give us a little more details on:
    1). Are there any specific entries in dataSourceConfiguration_r3_roles_db.xml file that would need to be changed?
    2). Do we have to create roles in R/3 any differently in order for them to appear as groups in portal? Should these roles be created in ABAP side of Portal client or in R/3 client. Also, Where do these roles appear as groups in portal(path to get to those groups).
    Any ideas/suggestions will be greatly appreciated.
    Regards
    Aurang

  • Link ECC roles to Portal roles (Portal is using LDAP source for UME)

    Hi all,
    If a user is assigned a certain ECC ABAP role, they should also receive a related portal role.  Our portal is using LDAP.
    If our portal ume source was an ABAP system, I think it would be easy to achieve the ECC to ABAP role linkage.
    We were thinking of developing a UME java webservice and have an ABAP proxy class consume it to allow our abap system to assign the correct portal role, and delete the portal role.
    Any other ideas?

    Rajendra,
    Thanks for your reply. Can you provide any more details as to the design of your solution with the web service? We are thinking of running a batch job nightly with some mapping table in ECC to determine what ABAP role should link to the portal group then call the webservice to add the user to the portal group or delete the user from the portal group.
    A second question is...does SAP Identity Manager offer any solution for this type of requirement?
    Thanks
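
The reconciliation step of the nightly job discussed in this thread, as an added example that is not code from any poster or from SAP. It assumes portal roles are assigned to LDAP groups and that membership is held in a `member` attribute; every role name, DN and user ID is constructed, and the output is an LDIF modify file for the LDAP admin tools mentioned earlier on the page.

```python
"""Added example: plan LDAP group changes from ABAP role assignments."""
import re
from collections import defaultdict

# All names below are constructed for illustration (roles, DNs, users).
BASE_PEOPLE = "ou=people,dc=example,dc=com"
EMPLOYEE_GROUP = "cn=portal_employee,ou=groups,dc=example,dc=com"
MANAGER_GROUP = "cn=portal_manager,ou=groups,dc=example,dc=com"
# Mapping table: ABAP role -> LDAP group that carries the portal role.
ROLE_TO_GROUP = {"Z_ESS_EMPLOYEE": EMPLOYEE_GROUP, "Z_MSS_MANAGER": MANAGER_GROUP}
SAFE_UID = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def user_dn(uid):
    """Build a user DN; reject input that could break out of the DN or an LDIF line."""
    if not SAFE_UID.fullmatch(uid):
        raise ValueError(f"unsafe user id: {uid!r}")
    return f"uid={uid},{BASE_PEOPLE}"


def plan_changes(abap_assignments, current_members, role_to_group=ROLE_TO_GROUP):
    """Return {group_dn: {"add": [...], "delete": [...]}} for mapped groups only.

    abap_assignments: {user id: set of ABAP roles}
    current_members:  {group DN: set of member DNs}, compared as exact strings.
    """
    desired = defaultdict(set)
    for uid, roles in abap_assignments.items():
        for role in roles:
            group = role_to_group.get(role)
            if group is not None:  # unmapped ABAP roles grant nothing in the portal
                desired[group].add(user_dn(uid))
    plan = {}
    # Only groups named in the mapping are managed; others are never touched.
    for group in sorted(set(role_to_group.values())):
        have = current_members.get(group, set())
        add = sorted(desired[group] - have)
        delete = sorted(have - desired[group])  # role gone in ABAP: revoke here too
        if add or delete:
            plan[group] = {"add": add, "delete": delete}
    return plan


def to_ldif(plan, member_attr="member"):
    """Render the plan as LDIF modify records (RFC 2849)."""
    records = []
    for group, ops in plan.items():
        lines = [f"dn: {group}", "changetype: modify"]
        for op in ("add", "delete"):
            if ops[op]:
                lines.append(f"{op}: {member_attr}")
                lines.extend(f"{member_attr}: {dn}" for dn in ops[op])
                lines.append("-")  # terminates one modification
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n" if records else ""


# Constructed sample: "bold" lost the employee role in ABAP, "asmith" gained two.
SAMPLE_ABAP = {
    "jdoe": {"Z_ESS_EMPLOYEE"},
    "asmith": {"Z_ESS_EMPLOYEE", "Z_MSS_MANAGER", "Z_UNMAPPED"},
    "bold": set(),
}
SAMPLE_CURRENT = {EMPLOYEE_GROUP: {user_dn("jdoe"), user_dn("bold")}}

if __name__ == "__main__":
    print(to_ldif(plan_changes(SAMPLE_ABAP, SAMPLE_CURRENT)))
```

Reviewing the generated file before import keeps the delete records, which are the deprovisioning half of the job, visible to whoever owns the LDAP groups.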

  • Federation, remote role assignment based on ABAP roles on producer

    Hi all,
    We have implemented the federated portal solution for our ESS users. We use the ABAP stack of the producer portal as user store for consumer and have no problems in assigning portal roles on our consumer based on ABAP roles in the backend (displayed as groups in the portal).
    Now we want to add some extra functionality (eg SRM and eRec) and we encounter some problems. These systems all have their own ABAP stack as user store. We have maintained the functional authorization model in the ABAP roles for instance in SRM. So an example:
    System I: ABAP + JAVA --> ECC 6.0
    Here we have the standard R/3 functionality and the producer portal (A) installed. Roles created on producer portal and assigned based on ABAP roles.
    System II: JAVA --> NW 7.0 Portal
    Our consumer portal (B) where we use roles created on the producer portal (A) on System I.
    System III: ABAP + JAVA --> SRM
    Our SRM system with SRM producer portal (C). In the ABAP stack of this system the functional SRM roles have been assigned to the users. We have created functional SRM Portal roles in order to use remote role assignment on consumer portal (B).
    PROBLEM
    We want to remotely assign portal roles created on the SRM Producer (C) to users on the consumer portal (B), based on the ABAP role assignment in the backend of system III. How can we achieve this in a fast and efficient way?
    Looking forward to your ideas. Anything helpful will be gladly awarded with SDN points.
    Best regards,
    Jan Laros

    Jan,
    Interesting question. Let me share my experience and hope that's of some use to you.
    We started off federating corporate NetWeaver Portal (lets say B, parallel to your convention) as consumers to BI Portals (Lets say A).
    - B's UME points to Active Directory
    - A's UME points to BI ABAP user store
    - User ids are identical in both systems
    We ran into the problem of dual administration ((de)assigning portal role on both portals instead of just one) for a long time. The issue was because of different reasons at different times as we patched B's and A's. At one point we were on SP15 on both portals and we were told by SAP that RRA can be done on B for remote roles and the assignment propagates to A automatically if the following configuration is set up on both A and B.
    - A's permissions are relaxed allowing "Everyone" group checked for "End User" access as per http://help.sap.com/saphelp_nw04s/helpdata/en/43/2236fc0b413fe1e10000000a11466f/content.htm
    However, we chose not to do the permission relaxation as enabling "Everyone" group with "End User" access can allow anyone to launch an iView (if the URL is known somehow) and the user would be able to see the layout of the iView, which can include text, etc. The user won't be able to access any data though, however, there is certain compromise on security which we decided that it's not okay. So, we digressed in SAP's suggested practice because of security reasons.
    Today we manage security on B using Active Directory groups and on A using Java groups (ABAP roles).
    In your case, I suggest investigating the option of relaxing the security on producer portal like in the above link. If you think it's okay, all you have to do is provision users on B by assigning remote roles from C and A.
    Either my story is applicable or I must have got you totally wrong,
    Kiran
