Profiles , roles and authorisations
hello all sap greats,
i have a problem in understanding about the hierarchy of profiles roles and authorisations
PROFILES(as it constitutes of roles)
I
I
ROLES(as it contitues of authorisations
I
I
AUTHORISATIONS
Hi ashish,
Check this link
http://help.sap.com/erp2005_ehp_03/helpdata/EN/52/671285439b11d1896f0000e8322d00/content.htm
Regards
Ashok
Similar Messages
-
Roles and authorisations in SEM BW
Hi All,
Our SAP SEM lies in BW, Business Planning and Simulation. I have configured everything, but now i want to create roles and authorisations which point to specific planning folders. How do I do that? I understand we do not use the standard transaction PFCG to create roles in BW SEM, what transaction do I need to use? May I get a little bit of detail from the transaction to the point at which i specify a certain role for a specific planning function or planning folder.
I will really appreciate your help.
Regards,
Tatenda.Hi,
please use the search function and read the great number of threads regarding this topic.
The SEM-part of SAP has a lot of role-stuff for authorsation (via PFCG) but also BW-authorisation which is done via "rsecadmin". Actually, forget pfcg because you can click on pfcg in the rsecadmin, so you never have to go back to pfcg anyway.
The BW-authorisation is created via rsecadmin, as i said, and included to a role via pfcg in the object S_RS_AUTH.
For example someone needs the reporting-auth for one company. You create via rsecadmin a BW-auth-object, call it "comp_01". Include there the infoobject 0COMPANY (if you use that one) and include the special infoobjects (there is a button on the top). Then go in rsecadmin to the tab User and switch there to PFCG. Select/create a role, put the S_RS_AUTH in there (and maybe if needed the BEx-Query stuff) and then type in that BW-auth-object "comp_01". That's it.
btw: Roles are only for the application, the BW-Auth is for infocubes, infoareas, infoobjects and so on...
Best Regards -
Roles and authorisations in SAP BI...
CAN ANY ONE EXPLAIN ME THE ROLES AND AUTHORISATIONS IN SAP BI /BW...???
THANKS IN ADVANCE...Hi Anand,
Refer these links from help.sap.
BI Authorisations
http://help.sap.com/saphelp_nw2004s/helpdata/en/be/076f3b6c980c3be10000000a11402f/frameset.htm
BI Analysis Authorisation
http://help.sap.com/saphelp_nw2004s/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm
Regards,
Hari -
User Profiles, Roles and Permission folder empty
Hi,
We installed Peoplesoft 8.49 Apps 9.0, and 10G Oracle on Windows 2003, everything working perfectly except User profiles and Roles and Permission Folders
I have ran AE scripts well, even then we are not able to browse those sections
Any help much appreciated
Thanks>
We installed Peoplesoft 8.49 Apps 9.0, and 10G Oracle on Windows 2003, everything working perfectly except User profiles and Roles and Permission Folders
>
What do you mean by this? What is not working? What are you expecting and what is happening? -
Regarding Role And Authorisation
Hello Experts,
I have got a request today from my help desk asking for , they are having some problem when they use some SD t.codes, they don't ahve authorization, so basis team is asking me to give the objects they can access and they are allowed to change or delete like this, for exp when they want o modify material they want are not able to see for some pants.
how can i achive this, how can i make sure the roles of two peopel are same i mean able to access same objects.? pls help urgent
thanks
Sunduhi,
u can do this with the use of Tcode su53.
when the user uses any tcode n he gets an message tht he is not authorised then u go to tcode su 53 immediately after tht transaction, then an Authorisation object appears in tht screen just give the same to ur basis person n tell him to give authorisation of that object to tht user id with the necessary permissions.
Regds,
Laxmikant -
Hi Freinds,
I have a question
For example
A) I have company code with several company codes and under one company code several Profitc centers and under one profit center many Gl Accounts.
My question is...
I know that we can restrict users on company code , i want certain users to give company code and particular profit centere and further drill down particula Gl account.is it possible.
do we need create many roles for this...can any one give me an idea about this
Thanks in advance
Reg
RamHi,
You can do this...but will have to carefull design your reports later on for that so that this kind of authorization work can be supported.
For these you will have to define all these objects as authorization relevant.
Try to create different authorization objects in RSECADMIM with the values for each char which you want.
In the end you will have as many roles for every combination set which you want to create
Assign users accordingly to each role.
So 1 comany code -> 2 profit centers->10 GL accounts =1 authorization object.
asign it to one role.
Now if you want various combination to go together then you can assign the different authorization object to one role.
Thanks
Ajeet -
Compliance Calibrator Design - Roles and Profiles
Hi guys,as you know SAP's authorization concept involves generation of Roles into Profile before it can be assigned to a User. In CC, i wonder why is there a need to segregate Roles and Profiles into 2 seperate functions. Isnt it already sufficient to analyse roles instead of profiles? Profile are names which is too technical which i feel should be omitted unless really necessary.
Well, unless it is to cater for indirect assignment where profiles are granted to position/org unit etc... I will also be trying out whether there is a difference when you only batch analyse a Role and intentionally excluding the 'profile' whenever a new role is created. Will the system work fine when i do a role analysis?
Cheers!I agree that profiles are old fashioned and should be phased out. The system has to stop people from being able to maintain profiles directly and assign them directly before they do this though. SAP_ALL etc can be converted and assigned as a role. It would make the whole authorisation concept just that little bit easier. We are talking about a German company though!
Also, you don't need profiles for indirect assignment. You can relate roles to the position using PFCG! Click on the organisational management button on the user-tab, next to the user comparison button.
Using profiles (ie, maintaining directly and assignment) is highly recommended against. -
I would like to download a list of all users and what roles and profiles each has. I did it once before but now I can't remember the table names. Can anyone help?
Hi,
Roles:
SAP_BW_DEVELOPER
Profile:
SAP_ALL
S_BW_D____
S_BW_D____1
Authorizations are
S_Rs_Admwb_a
S_rs_adw_a
S_rs_exp_a
S_rs_wb_all
Links for user roles:
http://help.sap.com/saphelp_nw2004s/helpdata/en/52/6714b6439b11d1896f0000e8322d00/content.htm
http://help.sap.com/saphelp_nw2004s/helpdata/en/42/271d24d86211d2961a0000e82de14a/content.htm
http://help.sap.com/saphelp_nw2004s/helpdata/en/e4/15e48efd6c11d296430000e82de14a/frameset.htm
http://help.sap.com/saphelp_erp2005vp/helpdata/en/d3/559a4271c80a31e10000000a1550b0/frameset.htm
http://help.sap.com/saphelp_erp2005vp/helpdata/en/4e/52b74065448431e10000000a1550b0/frameset.htm
For profiles and authorisations:
http://help.sap.com/saphelp_nw2004s/helpdata/en/52/67151e439b11d1896f0000e8322d00/frameset.htm
http://help.sap.com/saphelp_erp2005vp/helpdata/en/20/efcbfed8a511d397110000e82de14a/frameset.htm
Also chk this link..
http://www.bwexpertonline.com/archive/Volume_04_(2006)/Issue_10_(Nov_and_Dec)/V4I10A2.cfm?session=
screenshots..
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
Hope this helps,
regards
CSM reddy -
Developing security Roles and profiles
Hi Team,
Can you guys let me know how to develop security roles and profiles. We are rolling out for a company in Japan, and the congif is completed. We are in the process of developing test cases ans also security roles and profiles for users? Can somebody guide and help me on this?
Regards,Hi,
Use Tcode = PFCG -->then create any customized roles and profiles for any users on module based.
user masters: USR01 to 09, UST04,
profiles: USR10, USR11, UST10S, UST10C,
authorisations: USR12, USR13, UST12.
password exceptions USR40.
History tables(may not be applicable but FYI): users: USH02, USH04,
profiles: USH10, auths USH12.
R/3 Security Tcodes
End User Transaction Code Menu Path Purpose
SU3 System > User Profile> Own Data Set address/defaults/parameters
SU53 System > Utilities > Display Authorization Check Display last authority check that failed
SU56 Tools --> Administration --> Monitor --> User Buffer Display user buffer
Role Administration Transaction Code Menu Path Purpose
PFCG
Tools --> Administration --> User Maintenance --> Roles Maintain roles using the Profile Generator
PFUD Work on SAP check indicators and field values
Select: Copy SAP check IDu2019s and field values
Installation
1. Initial Customer Tables Fill
Upgrade
2a. Preparation: Compare with SAP values
2b. Reconcile affected transactions
2c. Roles to be checked
2d. Display changed transaction codes
SU24
Same as for SU25:
Select: Change Check Indicators > Maintain Check Indicators>Maintain
Regards,
Srini Nookala -
Background job fails for BDC profile creation and role assignment
Hi Experts,
I have created a BDC Function module for Tcode 'PFCG' for profile creation and role assignment, and called this FM in my zprogram. the problem is that when i run this program in foreground it executes succesfully, but if i schedule it in background it fails throwing error in job log 'Role 'Z...' does not contain any active authorizations'. But i have created one more program to create authorization objects which runs before this zprogram.I have also checked the authorization object in 'RSECADMIN', it reflects active. I dont understand whats happening exactly when it runs background.
Below is the process of job
1. ZMIS_AUTH_OBJECT_CREATE
Variant : auth-create
2. ZMIS_AUTH_ASSIGN_TO_ROLE
Variant : auth-assign
The problem is in second program, runs in foreground but fails in background.
Code which i have written in my second program
***BDC for Profile creation and assignment to Roles
CALL FUNCTION 'ZROLE'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
agr_name_neu_001 = wa_role-role_name
text_002 = wa_role-desc
text_003 = wa_role-desc
text_004 = wa_role-desc
value_01_005 = 'T-ML330881'
h_fval_low_01_006 = wa_role-auth
profn_007 = lv_profile
ptext_008 = lv_text1
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message.
***Generation of Profile created
CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
EXPORTING
activity_group = wa_role-role_name
* PROFILE_NAME =
* PROFILE_TEXT =
no_dialog = ' '
rebuild_auth_data = ''
org_levels_with_star = ' '
fill_empty_fields_with_star = 'X'
template = ' '
check_profgen_tables = 'X'
generate_profile = 'X'
authority_check_pfcg = 'X'
EXCEPTIONS
activity_group_does_not_exist = 1
activity_group_enqueued = 2
profile_name_exists = 3
profile_not_in_namespace = 4
no_auth_for_prof_creation = 5
no_auth_for_role_change = 6
no_auth_for_auth_maint = 7
no_auth_for_gen = 8
no_auths = 9
open_auths = 10
too_many_auths = 11
profgen_tables_not_updated = 12
error_when_generating_profile = 13
OTHERS = 14 .
Experts please help me out its very urgent. your help is appreciated and rewarded. Thanking you in advance.
Regards,
ChetanHi Praveen,
Yeah definately, my requirement is that I have to access of some BI reports to certain users, so contract data will be downlaoded from ECC on application server, need to read that file from application server and for the each contract i ahould create a authorization object, role creation and assigning of role to the user and profile generation and activation.
To achieve this i have written two programs
1) ZMIS_AUTH_OBJECT_CREATE- This program will create the Authorization Object using BDC and Role creation Using the BAPI
"" Creation of Authorization Object
CALL FUNCTION 'ZAUTHOBJ'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
g_authname_001 = 'ZDUMMY_MIS'
g_targetauth_002 = wa_tab-auth
g_authtxt_003 = wa_tab-short_desc
g_authtxtmd_004 = wa_tab-med_desc
marked_04_005 = 'X'
g_authtxt_006 = wa_tab-short_desc
g_authtxtmd_007 = wa_tab-med_desc
tctiobjnm_04_008 = 'ZBUS_UNIT'
g_authtxt_009 = wa_tab-short_desc
g_authtxtmd_010 = wa_tab-med_desc
marked_05_011 = ''
opt_01_012 = 'EQ'
low_01_013 = wa_tab-bu
g_authtxt_014 = wa_tab-short_desc
g_authtxtmd_015 = wa_tab-med_desc
marked_04_016 = 'X'
g_authtxt_017 = wa_tab-short_desc
g_authtxtmd_018 = wa_tab-med_desc
tctiobjnm_04_019 = 'ZCONTRCT'
g_authtxt_020 = wa_tab-short_desc
g_authtxtmd_021 = wa_tab-med_desc
marked_05_022 = ''
opt_01_023 = 'EQ'
low_01_024 = lv_contract
g_authtxt_025 = wa_tab-short_desc
g_authtxtmd_026 = wa_tab-med_desc
g_authtxt_027 = wa_tab-short_desc
g_authtxtmd_028 = wa_tab-med_desc
g_authname_029 = wa_tab-auth
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message.
"" Creation of role
LOOP AT it_role INTO wa_role.
CLEAR wa_text.
wa_text-text = wa_role-desc.
wa_text-langu = 'E'.
APPEND wa_text TO it_text.
wa_jobrole-agr_name = wa_role-role_name.
wa_parentrole-agr_name = 'ZM_CT_DUMMY_MIS'.
wa_method-usmethod = 'CHANGE'.
CALL FUNCTION 'ZBAPI_JOBROLE_CLONE'
EXPORTING
jobrole = wa_jobrole
parent = wa_parentrole
method = wa_method
TABLES
* RETURN =
shorttext = it_text
* LONGTEXT =
* MENU_NODES =
* MENU_TEXTS =.
ENDLOOP.
2) ZMIS_AUTH_ASSIGN_TO_ROLE - This program will generate the profile created assign it to the role.
""*BDC for Profile creation and assignment to Roles
CALL FUNCTION 'ZROLE'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
agr_name_neu_001 = wa_role-role_name
text_002 = wa_role-desc
text_003 = wa_role-desc
text_004 = wa_role-desc
value_01_005 = 'T-ML330881'
h_fval_low_01_006 = wa_role-auth
profn_007 = lv_profile
ptext_008 = lv_text1
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message .
COMMIT WORK AND WAIT.
""*Generation of Profile created
LOOP AT it_role INTO wa_role.
CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
EXPORTING
activity_group = wa_role-role_name
* PROFILE_NAME =
* PROFILE_TEXT =
no_dialog = ' '
rebuild_auth_data = ''
org_levels_with_star = ' '
fill_empty_fields_with_star = 'X'
template = ' '
check_profgen_tables = 'X'
generate_profile = 'X'
authority_check_pfcg = 'X'
EXCEPTIONS
activity_group_does_not_exist = 1
activity_group_enqueued = 2
profile_name_exists = 3
profile_not_in_namespace = 4
no_auth_for_prof_creation = 5
no_auth_for_role_change = 6
no_auth_for_auth_maint = 7
no_auth_for_gen = 8
no_auths = 9
open_auths = 10
too_many_auths = 11
profgen_tables_not_updated = 12
error_when_generating_profile = 13
OTHERS = 14
IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ENDIF.
ENDLOOP.
For creating authorization objects, role & profile i have created one dummy auth, dummy role & dummy profile respectively.
i have created dummy objects to copy the roles from dummy object and assign the same to new Auth obj, role & profile.
Let me know what needs to be done. because these both the programs run perfectly in foreground, but fails in background.
Regards,
Chetan -
Trying to understand "User/Role/Profile Synchronization" and Batch Analysis
Hello,
Im trying to understand what exactly and from which tables these jobs are copying to which tables in CC. I have a understanding that these jobs are moving also deleted roles from backend. This is causing unnecessary delay to long lasting job.
I would appreasite if some one could explain the logic behind these jobs. What the fullsync and incremental is reading ? What kind of changes are causing a role/user/profile to be included to the full and incremental jobs?
How the incremental analysis logic is built ?
br JanneJanne,
In my current implementation we are going for an offline risk analysis due to the heteregoneus system landscape of our client (several SAP and non SAP systems and several SAP systems under 4.6C). Eventhough within our approach we don't perfrom the backend synchronization (we use CC data extractor to pull data from backend into CC) hope the following info could hel you:
The tables such jobs you mention access to, are all the SAP backend system tables related with users, roles, profiles, action and permissions. If you check the data mapping appendix of the "user and configuration guide for 5.2" you will see all the data that CC retrieves. For instance, in order to extract user info (UserID, FName, LName, Email, Phone, Email, Department) tables USR21, USR02, ADRP, ADR6 and ADCP must be accessed.
In terms of CC tables:
VIRSA_CC_SYSUSR >> UserIDs and Systems ID relationship
VIRSA_CC_GENOBJ >> User, Role and Profile master data
VIRSA_CC_GENACT >> User-action, role-action and profile-action data
VIRSA_CC_GENPRM >> User-permission, role-permission and profile-permission
VIRSA_CC_SAPOBJ >> Action-permission
VIRSA_CC_OBJTEXT >> Objects descripcions (ACT, PRM, FLD, VAL, ORG)
Hope this helps.
Regards,
Imanol -
Table whihc contains the roles and its authorisations
i have to view all the authorisations and the roles in which they are present .
Please let me know the table for the SameHi,
From table AGR_USERS , you can see the roles corresponding to any user.
From table AGR_TCODES, you will get the tcodes corresponding to any role.
Hope this solves your problem
Well this will tell you the roles with respect to the users.
Also you can into transaction PFCG and search the roles, go to change mode for that particular role and there under authorizations see the objects clicking on change authorization objects.
reward with points. -
Hello,
Could you please provide information on "security roles and profiles "
I would appreciate.
Regards,
AlexRoles give you authorization to specific area of the system. Use TC pfcg and you will see different setting for a role.
In specific Role -> Authorization -> click on Display Authorization Data.
Here all specific InfoArea, Cube, ODS, Reporting componets: display, execute and other security rules are defined.
User Section: defines who has access to this role.
Multiple authorization are combined to create an Authorization Profile. You defined a profile at TC su01 and under profile section.
Hope that helps.
thanks.
Wond -
Implementing roles and rules based authorisation with Azure AD
Hi all,
I would greatly appreciate some input on feasibility and patterns I should look at for a complex technical requirement that I am currently tasked with designing.
We have a system that comprises a web and mobile app. In the past we have implemented session based authentication through ADAM and authorisation through custom business rules contained within the applications. The authentication mechanism is in the process
of being migrated to Azure AD and authorisation is planned to be moved to Azure AD for our next release.
Existing authorisation within our web application is already complex. We have users that belong to different groups with a range of permissions such as read, write or admin. Additionally each user is granted access to N customers and also N locations within
each customer. We have a requirement that any number of combinations of customers and locations be supported. Users also need to have different permissions for each entity, i.e. read access to customer 1 location 2, write access to customer 4 and administer
customer 7. Currently these privileges are maintained within a relational database and enforced as part of each PageLoad(). Essentially this is a combination of roles and rules based authorisation.
We are struggling to represent this complex matrix structure within Azure AD and efficiently implement the authorisation decision in Azure AD. The driver for this technical requirement is to provide re-usability of the authorisation component to other (as
yet unidentified) applications.
Currently the best option we have come up with is implementing custom attributes for each class of permissions and storing within this 2048 bit field a bitmask that represents whether this permission is granted for a given location (which has a many to one
relationship with customer).
Any help or comment would be gratefully received,
PhilHi
When "Advance routing" is used for Task assignment; the task service asserts the folllowing fact types : Task, PreviousOutcome and TaskAction to the rules engine. These facts gives all the reqd info about the task (like outcome of the participant, task stage .. etc)
Now in the defined ruleset; we can have rules as per our requirement that can extract info from the asserted fact types and assign task to the required/next participant.
Also note that we write the advance rules for exception cases only.
For example; let's say all participants have 2 possible Outcomes [COMPLETE, RECHECK]. We have defined the ideal task routing flow as :
Participant A -> Participant B -> Participant C. This is the flow when all participant selects "COMPLETE"
Now suppose B selects outcome as "RECHECK" then the task shld move back to A. So for this case only we need to write a advance rule.
Pls refer to the code sample at : http://download.oracle.com/technology/sample_code/hwf/workflow-106-IterativeDesign.zip
Also dev guide : refer to section 28.3.7.2 http://download.oracle.com/docs/cd/E14571_01/integration.1111/e10224/bp_hwfmodel.htm#BABBFEJJ
Thanks
Edited by: Kania on May 19, 2010 2:41 AM -
Hi Experts,
Could you guide me on how to activate a role and profile? Kindly suggest to me the proper procedure of doing this.
One more thing experts do you have any idea on what tcode used to change a password for multiple user's? Could you give to me as well the proper procedure of doing this.
Regards,To activate a profile, choose Profile Activate on the Profile List screen. If an active version of the profile exists, you will see the active and maintenance versions of the profile so that you can verify the changes.
New or modified profiles must be activated before they can be assigned to users or become effective in the system.Activation copies the maintenance version of a profile to the active version. If the activated profile already exists in a user master record, the changes to it become effective as each affected user logs onto the system. Changes are not effective for users who are already logged on when the profile is activated.
For it to take effect, you must hand over your role to the User Management Engine. You do so by activating the user role.
To activate a user role, choose Activate User Role ( ). To undo, choose Deactivate User Role.
If u want to change password number of user at a time .For my kind of information its not possible need to change password indivisualy.
Reg.
Deepak
Maybe you are looking for
-
Can see thumbnails but photos won't open
We have our iphoto library loaded on the shared directory, so that all 4 users can see it (me, my wife, my 2 sons). We each have our own login profile, and all had sharing permissions turned on for iphoto. For whatever reason, Iphoto cannot seem t
-
I have the iCloud storage and use it, and pay the 20$ a year for it but I can't figure out how to back up my music an photos onto iCloud so that I can free up some space. And when I can do this how can I access the information on iCloud?
-
HT201210 how come my ipod touch doesnt have auto update?
how come my ipod touch doesnt give mr auto updates for the ios?
-
My website created with Iweb and hosted on mobileMe is not uploading well on all computers. What could be the problem ?
-
Triggers, Stored Procedures and Java
Hi all. I started developing some useful (at least for me) Java Package, and I'm wondering if I'm doing the right thing. Let's say that I have a trigger that calls a Stored Procedure that calls a Java Package. Let's say that the Java Package can be u