Role prefix for XI custom composite/single roles

We have XI custom composite roles which start with TI_XI_* and contain single SAP roles (SAP_) and single custom roles (AAW:). Are we forced to use a certain XI role naming standard at the composite and single role levels due to Java authorizations?
Thanks,
Brad

Just transport it rather than upload it.  The generated profiles will be carried through with their existing convention.
If you need to have different profile names due to the naming constraints then LSMW or SECATT will let you do this easily.  If you are not familiar with the tools then 1. Take time to learn one of them (they are very useful) or 2. Do it manually.  60 profiles can be named in 30 minutes or less if you already have created the profile names in a spreadsheet, text file etc.

Similar Messages

  • Assign single role to composite role with alternate logsys assignments

    Dear gurus,
    In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
    Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
    But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
    Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
    Cheers,
    Julius

    Hi Martin and others,
    I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
    While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
    Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
    You also don't see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send additional Idocs for these single roles with targets assigned to the roles and not the user.
    There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
    That is a bit of a bummer because it means that you also cannot ever test anything...
    Did anyone ever try to actually use this?
    Cheers,
    Julius

  • GRC 10 ERM Not able to create Business/Single Role

    Hello Experts,
    In GRC 10, ERM, I have completed all the pre-requisites i.e. Maintaining Connectors, Configuration for Role Management, Maintained and generated the default MSMP workflow (methodology), maintaining role owners.
    Now when I am trying to create a business role or let's say a single role I am unable to do so as the edit button is disabled.
    I just can't get through this.
    Have I missed anything? And for the record, when I tried to import the role (under Role Mass Maintenance) from the backend system I was successfully able to do so, and only that way could I get my first role in GRC, via import.
    Now if I open this role and try to edit it, I can't again, because the edit button is disabled. But if I perform Role Update (under Role Mass Maintenance) I can successfully change the attributes and other information and am able to see the new values.
    Why is it like this? I am not able to create roles in GRC; I am only able to import and update from the backend.
    This is really frustrating. What am I missing here?
    Experts, please kindly help!

    Hi Triera,
    1) After opening BRM, the Create button is not greyed out. It's available, and if I click on it, then I see all the possible types of roles that I can create, i.e. Business Role, Composite Role, Group, PD Profile, Profile, Single Role, Template etc.
    2) When I try to edit a role by clicking on "Open", and the role opens, and I then click on the "Additional Details" link (you said "More Details"; I believe you meant that one), the Edit button is still not enabled. It's still greyed out.
    What else could this issue possibly be about?
    Configuration - Check.
    Authorizations - Check.
    Workflow - Check.
    Should I raise it with SAP?
    Thanks.

  • GRC 10 BRM - Approve Single Role assignment in Business Roles

    Hello,
    I want to set up a workflow where any Single Role assigned to a Business Role requires an approval of the Single Role Owner.
    The thing is that my customer doesn't have a Security Administrator, so what they want is that each Single Role Owner could be aware when their roles are assigned to a Business Role, especially when the Business Role Owner is another person.
    Once the Business Role is created, the provisioning would be in charge of Business Role Owners.
    Do you know any way to configure this?
    Thanks,
    Fernando

    Hi Claudio - thanks for breaking it down
    @ Fernando - for the Role Approval Methodology you need to split your approval out to be based on request type. Claudio has shown this up above already. In continuing his example, where the business role goes to path C - you would then have Path C do a line by line approval based on the single role owners
    By using this role approval methodology your single role approvers are indirectly allowing  any user who are approved the business role via an access request and that request is approved by business role owner (which is role owner).
    As mentioned - you are using two different workflow process ids
    Role Build - using BRM to approve the single roles being part of the business role
    Access Assignment - approving the user to receive the business role which includes the single roles
    Regards
    Colleen

  • Push single role to CUA

    Hi,
    Created the single role in child system and not able to find the same in CUA system so please let me know the process to push this role from child to CUA.
    Thanks,
    Lisa Pl

    Thanks for that Jurjen.
    I agree on your comment if you are assigning the role(child role) to the user in CUA directly then only text comparison will do!!!
    >This actually copies the whole role from the child.
    This only copies the description and role menu from the Child system not the entire role.
    >For CUA purposes the CUA master only needs to know about the existence of the role on a child system. In SU01 on the CUA master go to the tab where you assign roles to the user and look for the 'text comparison' button.
    But when composite roles exist in CUA and further single roles from the child system are mapped to the composites in CUA, in that case you need to perform an RFC read of the single role so as to refresh the menu of the composite role.
    Rakesh

  • Add a single role to different composite roles in one step

    Hello everybody,
    I am working on SAP authorizations, and we often have the situation that a new Tcode is developed and a new role for this Tcode needs to be created.
    Then this new role needs to be added to many different composite roles (sometimes more than 100). At the moment I enter the single role to the composite role and regenerate the menu and this one by one. After that I add them with PFCG_MASS_TRANSPORT to my transport request.
    I don't want to believe that there is no easier way. Any ideas?
    Thank you
    Flo

    Hi Soma,
    great to find a place to be welcome..Thanks
    What you wrote definitely makes sense, but we agreed that every user only gets one composite role assigned and this composite role contains all single roles needed for his job. We do not assign single roles to users.
    The requirement is that every finance guy should get access to it (by the way, it is a report). Unfortunately we have many different sites and many different composite roles for the different positions in the finance area.
    And I did not identify a role which is part of every composite role in the finance area, so I would either have to add it to the most common role present in these composite roles and additionally create a new role which gets assigned to the composite roles where I add the T-Code to is not present.
    -> In this example I would add one T-Code to two roles. Which our security manager disallowed me...
    or make this role available in all finance composite roles, which will give these employees access to other T-Codes which are part of the role but which they should not receive.
    -> Which again... our security manager disallowed me...
    So the only solution I imagined was to create a new role which contains this T-Code and to add this role one by one to every composite role.
    And at the end, your concept is also taken into account because the design of this role is open and if we get a new reporting T-Codes which again need to be added to all Finance guys, I definitely add it to this role
    Comments?
    Cheers
    Florian

  • Composite menu regeneration from single roles

    Hello,
    When I have to maintain (add or remove tcodes) and transport a "single" role that is part of a composite role, the role menu for the composite is out of synch with the single role's transaction content.
    The manual fix for this is to go into the composite role via PFCG in the destination system and push the Read Menu button. This will read the latest menus of the single roles.
    I would like to know if there is a job that I can schedule that can synchronize the composite role to the single roles assigned to it, or basically a refresh of the composite menus.  Is there any function that can do a mass menu update for a selection of composite roles?
    The only other way I can think of doing this is writing an LSMW or CATT script to do this, but I would like to find a better way of doing this if available.
    Thanks,
    Ryan

    I don't think this is a feasible approach because 1 single role change can be linked to many composites (as designed) in our environment.  I would not want to change every composite and transport them together with the single role.  Also, it seems that composite transports take a lot of time to import, so I don't think our basis guys would be happy with us doing that. I have found that the menus can be re-imported in the production system w/o the need for transport, etc.  I just think that manually refreshing the menus is going to be a maintenance struggle, especially since we have around 200 designed composite roles in our production environment.
    Thanks,
    Ryan

  • FM to assign Single PFCG Roles to Composite PFCG Roles?

    Hello everybody,
    Can you tell me a Function Module which assigns/removes a Single PFCG Role to a Composite PFCG Role.
    Regards Max

    Thank you very much for your quick answer. I am afraid the mentioned reports don't solve my problem.
    I am looking for an ordinary function module which adds and removes a PFCG Single Role to a PFCG Composite Role.
    Best Regards,
    Sebastian

  • Report to list the Single Roles contained in each Composite Role...

    Hi, 
    Can someone tell me how I can produce a report in a 4.6C system that shows the Single roles contained in all Composite roles?
    Thanks
    Sharon

    Hi Jurjen,
    Thank you for that.
    Can you also tell me what the difference is between a "Composite role, Indirect (HR)" and a "composite Role"?  (I see these two Activity Group Types when running a report in SUIM to list users and their activity groups).
    Thanks
    S

  • ECATT to mass delete singles roles from a composite

    Hi,
    I am creating an eCATT to delete singles roles from multiples Composites roles. The eCATT takes the same position of the single role for each composite.  And of course the single role may differ per role.
    Could someone help?
    Thank you in advance,
    Yolanda

    HI Garcia,
    I did not quite get your example as I am not familiar with the roles tables or transactions.
    But, if I understood your requirement, you want to delete all those single roles (some specific role) from a list of roles.
    I am not sure how the transaction looks here, but a standard way of doing it is to record one execution of deleting the role using TCD or SAPGUI using the position button when available, entering the role name, selecting the delete button on the screen and then save.
    Now, when you check the database table for the number of occurrences that this type of role is present, collect the count of the table into a local parameter and execute the earlier script of deleting multiple times using DO command.
    Select count from <tabname> where <role field> is <value> into <Local parameter>.
    and use the earlier script with in
    DO (<local parameter>).
            SCRIPT
    ENDDO.
    This ideally works. You can come back if you need any additional inputs.
    Best regards,
    Harsha

  • How to find the T-codes that's in a Single Role & Composite Role??

    Hi all,
    Some of the user have authorization to particular t-codes. However single roles are not created for them.
    Now I need to assign authorization to that particular t-code to a new employee.
    Since the single role is not there, I do not know how to find if it is inside a composite role.
    Which table should I find all the t-codes that are assigned to a single role / composite role?
    pls help.
    Regards,
    Pri

    Rakesh Kulkarni wrote:
    > Table AGRS_TCODES give the roles with their tcode assignment.
    Beware of AGR_TCODES, it only reports transactions entered into the role menu. If you query table AGR_1251 filtered on object S_TCODE you get the actual transaction authorizations.
    Besides that, authorizations are always in single roles, so if you cannot find them there there's no point in searching through the composites.
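
The difference the reply above draws between AGR_TCODES (role menu entries) and AGR_1251 filtered on S_TCODE (actual transaction authorizations), as an added example that is not part of the original thread. It assumes the tables were exported (for instance from SE16) into tuples; the AGR_AGRS composite mapping is an addition not mentioned in the thread, all role names are constructed, and the value matching is a simplification.

```python
# Constructed SE16-style extracts; role names and assignments are made up.
AGR_1251 = [  # (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED)
    ("ZS_FI_DISPLAY", "S_TCODE", "TCD", "FB03", "", ""),
    ("ZS_FI_DISPLAY", "S_TCODE", "TCD", "FBL1N", "FBL5N", ""),
    ("ZS_FI_POWER", "S_TCODE", "TCD", "FB*", "", ""),
    ("ZS_FI_OLD", "S_TCODE", "TCD", "FB03", "", "X"),  # flagged deleted
    ("ZS_FI_DISPLAY", "F_BKPF_BUK", "ACTVT", "03", "", ""),  # other object
]
AGR_TCODES = [  # (AGR_NAME, TCODE): role menu entries only
    ("ZS_FI_DISPLAY", "FB03"),
    ("ZS_FI_MENU", "FB03"),  # in the menu, but no S_TCODE value behind it
]
AGR_AGRS = [  # (AGR_NAME = composite role, CHILD_AGR = single role)
    ("ZC_FI_CLERK", "ZS_FI_DISPLAY"),
    ("ZC_FI_CLERK", "ZS_FI_MENU"),
    ("ZC_FI_LEAD", "ZS_FI_POWER"),
]

def value_matches(tcode, low, high):
    """Simplified S_TCODE check: trailing '*', LOW..HIGH range, or exact."""
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    if high:
        return low <= tcode <= high
    return tcode == low

def roles_authorizing(tcode, agr_1251=AGR_1251):
    """Single roles whose active S_TCODE values cover the transaction."""
    return {
        role for role, obj, field, low, high, deleted in agr_1251
        if obj == "S_TCODE" and field == "TCD" and deleted != "X"
        and value_matches(tcode, low, high)
    }

def roles_with_menu_entry(tcode, agr_tcodes=AGR_TCODES):
    """Roles that only list the transaction in their menu."""
    return {role for role, tc in agr_tcodes if tc == tcode}

def review(tcode):
    """Compare menu entries with real authorizations for one transaction."""
    auth = roles_authorizing(tcode)
    menu = roles_with_menu_entry(tcode)
    composites = {}
    for comp, child in AGR_AGRS:
        if child in auth:  # composites only inherit from their single roles
            composites.setdefault(comp, []).append(child)
    return {
        "authorized": sorted(auth),
        "menu_only": sorted(menu - auth),
        "authorized_not_in_menu": sorted(auth - menu),
        "composites": composites,
    }

if __name__ == "__main__":
    for tc in ("FB03", "FBL3N", "SE16"):
        print(tc, review(tc))
```

For an access review, the `authorized_not_in_menu` list is the part a menu-based query misses: wildcard and range values grant transactions that never appear in AGR_TCODES.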

  • SOX report containing only composite, without single roles.

    Hello SAP experts.
    I have a question regarding SOX report. Would it be possible to somehow set/filter the report to only display COMPOSITE roles but not the generated single roles?
    For example role ZHRFIC_EMPLOYEE has a generated role ZHRFIS_EMPLOYEE. When i run SOX, both of the roles are displayed, which is what i do not want. Only ZHRFIC_EMPLOYEE is what i want to be displayed and afterward to be put in the excel.
    Thanks for replies in advance.

    Hi,
    I am actually doing this through SUIM > USER > By complex selection criteria. Then I fill the User Group field with the needed user group and execute.
    A bunch of users comes out with all of their profiles / roles and if the user has any composite role then also the single roles appear in the report. Is there any option to disable displaying of generated single roles?
    Thanks in advance!

  • Error during create CR for MDGC "Enter a relevant role for creation of customer master data"

    Hello Experts,
    I am unable to create a Customer CR in 'MDG 6.1 Customer UI' , the UI throws an error saying "Enter a relevant role for creation of customer master data".It looks like it is expecting me to mention the BP role ( like FLCU01 Customer or FLCU00 FI Customer ) , but I don't see that BP role section in the Customer UI to mention .
    While creating the vendor CR  , I am able to enter the BP role ( like FLVN01 vendor or FLVN00 FI Vendor ) in the UI BP Role section.
    Following are the UI's for Customer and Vendor
    Customers BS_OVP_BP: BS_OVP_CU > OVP: BS_CU_OVP - I do not see BP role section here.
    Vendors BS_OVP_BP: BS_OVP_SP > OVP: BS_SP_OVP - This is working fine  , I see BP role section here.
    Please advise what I am missing here and what I should do for successful CR creation. Should I change the UI for Customers or do I need to do anything in CVI configuration?
    Thanks,

    Hi Abdullah,
    You were right in the first place the UIBB is missing  , the UIBB 'Role' was present in the 'Search Customer' page but not available in the 'Create Customer CR' page , so I created the 'Role' UIBB again and was able to create the CR now . Not sure how it got deleted in the first place , is there any options where we reset the UI screen to the default initial configuration
    But after approving the CR , only the Business Partner BP is getting created and the Customer is not getting created . Not sure what might be the issue now. Is there any config that tells to automatically create customer when BP is created. I was able to create Vendor using the create Vendor CR before.
    Thanks

  • How to set new role for new custom entity only

    I created a new custom entity, and I want to create a new role for it only.  So I created a new role and set the custom entity User role. But when I log in as the user with the created role, it shows no right to access CRM.
    Awen

    Are you trying to grant access so that users can use this custom entity but no other data at all?
    You will still have to include access to all sorts of bits of CRM just to make the user interface work - especially the things on the Business Management and Customization tabs of your security role. You also need to check these 6 settings:
    Special privileges in CRM Security Roles
    If this is the only security role you plan to give to your users, I would suggest you start from a standard role and remove access to other entities, rather than start from blank and work upwards.
    Hope this helps.
    Adam Vero, Microsoft Certified Trainer | Microsoft Community Contributor 2011
    UK CRM Guru Blog
