SAP roles and BW

I am new to SAP and BW.  A goal of mine, straight from my GEM form, is to "Increase my knowledge of the security in the SAP application by understanding SAP roles and how they apply to Business Warehousing".  Please point me to websites, books, white papers, etc.
[email protected]

Please check these links and hope it helps

Similar Messages

  • SAP Roles and Access for SAP Implementation team members

    Is it correct practice to give SAP_ALL role access for all SAP Implementation team members in Dev and QA?
    If not, what is the correct practice?
    Kindly let me know

    It is NOT correct practice to give anyone SAP_ALL in any of the systems; not DEV, not QAS, and certainly not PRD. However, many implementation teams (and particularly consultants from SIs) insist that they cannot possibly do their jobs without it. This is completely incorrect as there are specific roles for them to use for that purpose. The only circumstance where it could be justified is if you require a special "firefighter" role - and even then, I would still be a bit doubtful.
    You should also consider that once you have given someone SAP_ALL, they will fight tooth and nail to keep it. It also means that they probably are not testing the user roles correctly. Most of those that insist they need it simply do not understand the security issues and probably don't care.
    Just think; if they have access to do soemthing that they shouldn't and then cause a big problem, are they the ones that will have to fix it or are they going to expect you to do it? If they expect you to clear up after them, then you have the right to insist on restricting their access to cause issues in the first place.
    But I know just how demanding they can be....
    Best of luck

  • SAP Roles and Profiles provisioning

    Hi all,
    I am trying to provision SAP CUA using the SAP UM Connector.
    User gets provisioned, but its role and profile do not get assigned.
    The tasks "Add Role" and "Add Profile" are seen as completed.
    But the roles and profiles are not seen in SAP.
    Thanks in advance

    Any inputs from anyone ???


    Hi all,
    If you give a look at idm\sample\forms\SapUserform.xml you'll find line 525 (in the code below "name" is the name of the SAP resource):
    <Field name='agObjs[$(colName)].AGR_NAME'>
                        <Display class='Select'>
                          <Property name='required' value='true'/>
                          <Property name='allowedValues'>
                            <invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
                      </Field>AGR_NAME is the technical name of a SAP Role. If you look more carefully at the object agObjs[$(colName)] you can see that there is also an AGR_TEXT element which is the description of the SAP Role.
    If you need to get the AGR_TEXT value you'll have to do:
    <Field name='AGList-$(name)'>
        <invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
    Problem: AGR_TEXT is only present for an already existing SAP role and if you add a role using "addAGRowButton", AGR_NAME doesn't have any value (it will only if you checkin and checkout the addition of the role in the SAP resource).
    My need: replacing "allowedValues" of the "AGR_NAME" Select code given above by a "valueMap" which would have "AGR_NAME" as a key and "AGR_TEXT" as a value, so that it is more understandable for the user.
    Question: How can I get the "AGR_TEXT" value that is associated with an "AGR_NAME" value without doing a checkin/checkout ?
    Thanks a lot for your help,

    hello Michael,
    I could fix the transport system, was a network issue, but the DB13 error continue, now when I test the DB connection the following error is show by the PRD system.
    Connect. test with "dbmcli db_state"                         Unsuccessful
    I decided to close this message and open another in MaxDB forum.
    Edited by: Hernando Polanía C on Oct 18, 2011 6:32 PM

  • Roles and Authorization strategy for SAP BIBO

    Hello All,
    We are doing an implementation where Source is a Oracle, SAP BI warehouse and BO XI3.1 as reporting solution.
    Our customer has asked for the authorization strategy that will be implemented in SAP BI. Currently the users belong to different companies or plants or countries
    Current structure is like,
    User 1 belongs to Plant1 of Country1
    User 2 belongs to Plant2 of Country2
    user 3 belongs to Plant3 of Country1 etc..     
    We have more than 500 users who will use the reports. The user belonging to a particular plant should only see the plant data/Country data he belongs to.
    As I understand, we need to create the roles in BW and these roles to be imported into BO to use for the row and column level security.
    The options we considered are,
    1. Use Bex queries in BW to with ABAP code in CMOD to identify the user belongs to Plant  1, 2 or 3 and provide necessary authorizations.
    2. Create user groups based on the country or company they belong to and create as many roles as required. This will however impact the maintenance of so many roles in the BI system.
    We are also forced to avoid Bex queries in BW and hence,  trying to connect Multiproviders directly in BO universe.
    How should we go forward in designing the authorization concept? Any better ideas?
    Thanks and Regards,

    There are two ways which we can implement this kind of authorization based on my knowledge.
    1. Data Security purely at BW
    If the data is secured based on roles and users, there is no  need of additional authorization from BO side except at report and folder level if you go for SAP Authentication.
    Once you use SAP authenication and enable single sign on option in universe connection, the SAP users can access data based on their profile set at BW.
    2. Data Security from BO
    Let's assume that, if nothing is set at BW and every thing to be take care from BO.
    Then you could create one multiple provider for each plant / country. Create one connection for each multiprovider
    Create restrictions (Tools--> Manage Access Restrictions) for each plant/country. There you can change connection names.
    So you would need to create many restrictions for different permutations and combinations.
    I never tries this option with Multiprovider. But It worked well with NON-SAP data.
    Hope this helps!

  • SAP Technical roles and IDM Business roles mapping

    Hi Guys
    Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM and the SAP technical roles that are related to that corresponding position into privledges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your sap technical roles from the sap system and assigning them to business roles in IDM. Any help on this is much appreciated?

    Thanks Matt,
    I think get I the picture now
    One thing that I am still not sure about is how the sap abap technical roles or profiles are provisioned through workflow
    Here is what Ive done so far
    1. HCM data loaded into productive identity store via vds
    2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
    3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
    4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from sap provisioning framework folder and set it as the add/mod/del  event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each abap privilege that gets loaded.
    But it should be obvious now that there is a flaw with this kind of setup, because all non abap privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway because the privileges use the same attribute i.e.MXREF_MX_PRIVILEGE. So it brings me to the question how do you provision abap technical roles or profiles through workflow without setting a provisioning task for each abap related privilege.
    Thanks again for all your help!

  • Announcing General Availability of PowerShell Connector and Release Candidate of Generic SQL and SAP Roles/Users

    The FIM team is pleased to announce the availability of some additional Connectors for FIM2010R2.
    General Availability of PowerShell Connector
    The PowerShell Connector can be used to communicate with a system through PowerShell scripts. This allows an easy and flexible way to communicate with other systems but also to pre-/post-process data and files before handed over to the FIM Synchronization
    Service. We believe the community will help providing scripts for this Connector for various systems and will open a place where scripts can be published for reuse.
    TechNet docs:
    Release Candidate of Generic SQL Connector
    The Generic SQL Connector will allow you to connect to any database where you have an ODBC driver available. It enables new features compared to the built-in MA such as support for Stored Procedures, running SQL scripts, built-in delta import support, import
    multiple object types, connect to multiple tables, and much more. This Connector is built on ECMA2.3 which allows schema discoverability to be customized in the Sync Engine UI. A pre-release of the next Sync Engine hotfix is included with the Connector download
    and is required for the Connector to work.
    Release Candidate of SAP Users and Roles/Groups
    The updated SAP templates for Users and Roles/Groups allows you to manage Users, Roles, and Groups in SAP. This also include password sync for Users to SAP. The Connector will make sure roles are represented as groups to make it possible to manage these
    with bhold. This template will require the previously published WebService Connector:
    If you have participated in any other Connector preview program you will have access to the Release Candidate downloads. If you have not participated before then to get access to the preview programs on Connect either join the program “Identity and Access
    Management”, “FIM Synchronization Service Connectors Pre-release” on or follow this link
    We have also published an update to the Generic LDAP Connector adding support for some additional LDAP directories, see If you have additional LDAP directories you think we should support, please feel free to contact me.
                    On behalf of the FIM Sync team,
                    /Andreas Kjellman

    On Tue, 18 Mar 2014 08:09:43 +0000, David Burghgraeve wrote:
    We've been using the OpenLDAPXMA to be able to connect to ACF2 CA-LDAP (from Computer Associates) running on a IBM Z-OS Mainframe System. We've been using it for password synchronization since 2004 on MIIS. Today it's still used via the
    OpenLDAPXMA (64bit) on FIM 2010 R2.
    We had to tweak the password management component in the OpenLDAPXMA to support the error messages we get from the ACF2 System, as we support a multi-master password setup between Mainframe and Active Directory (one can change the password on
    MF and/or on Windows). by example  "LDP0406E ACF2 error modifying lid(ACF00155 NEW PASSWORD CANNOT BE THE SAME AS CURRENT PASSWORD)".
    Additionally, we cannot get the delta import to work with the CA-LDAP, there's no capability in it and we tried to use the time attribute to use in the query for recent changes, but it does not work. (I think we need it in a large integer format
    or unix time integer).
    Would be great to have Microsofts' support in this :)
    In a case like this where your follow-up has nothing to do with the
    original post you should create a new thread.
    Having said that, neither of the MAs to which you refer are official
    Microsoft MAs and as such there is no support from Microsoft available.
    Also, keep in mind that the ECMA1/XMA extensibility framework has been
    deprecated and replaced by the ECMA 2.0. You should plan on replacing
    existing ECMA1 management agents with ECMA2.0 connectors.
    Paul Adare - FIM CM MVP
    "It's 106 light-years to Chicago, we've got a full chamber of anti-matter,
    a half a pack of cigarettes, it's dark, and we're wearing visors."
    "Hotsync." -- Paul Tomblin & Peter da Silva

  • Sap-abap Technical Team Leader Roles and Responsibilities

    Can u give  me Sap-abap Technical Team Leader Roles and Responsibilities.

    Yes I can, but I don't think I'll share my experience with you.
    Here's a tip for you though, how about only applying for jobs you are skilled at and not try to lie yourself into a job.
    Warm regards, Rob Dielemans

  • Sap b1 roles and responsibilities

    Hi can anyone give me roles and responsibilities of SAP BUSINESS ONE Co-ordinator.

    Hi Paul,
    I just wanted to know what are SAP CO-ORDITATOR Roles and Resposibilities. what he does in a corporate company. He is responsible for what.
    In a company where SAP is implemented by their Client Company, and now supporting by the same client.

  • SAP instance dies when I try to make a change to the role and save

    Hello Friends
    I am an ABAP and XI guy, but am working on Enterprise Portal.
    I have created an IVIEW (URL) and am trying to associate it with a user and role.  I have created user and then when I try to assign role by clicking on AssignROles and then select a role and try to save, it consistently kills the SAP instance (dm36939 0) and this instance turns to yellow (instead of staying green). I have to restart this again. I have installed ECC and EP on this server and ECC (ABAP programs tables etc.,) works without any problem. EP also works most of the time, but consistently fails at this point as explained above.
    I am not sure if there is any specific settings I should be looking at. Any feedback will be highly appreciated.

    NOone responded and so closing here to open it again in a relevant area.

  • Please tell me sap bw consultant roles and responsiblities in immp project?

    this is shyam plz inform

    Please go through the below link.
    Assign point if this is useful.

  • Role and responsibilities of SAP BW support consultant

    Hi Guru's,
    What is the Role and responsibilities of SAP BW support consultant?
    Sabari kannan.S

    XI Architect:
    He plays the role in the analyzing the landscape for which XI will be used...will take the special not on the number for legacy systems involved...type of much amount of data will flow what has to be taken care for better performance etc........
    1. Design the XI for the currentl lanscape for high performance...
    2. Idebtiy the bottle necks which can appear.
    3. understanding the busnies requirement withrespective to XI
    4. Configure the XI according to the standrds
    5. Lays ground rules on the developemtnenv till golive.
    6. what's the good appproach of design when systems like CRM,BW etc are invloved.
    7 tranports methods till  production and so on

  • What are the Roles and Responsibilities of SAP Testing Consultant?

               i want to know about The Roles and Responsibility of SAP Testing Consultant,,pls anybody guide me Real time scenarios.

    Understanding the business scenarios
    Organization Structure to incorporate the tune of the script.
    Preparation of test scripts
    Execute and record results to see if it is fine before going to approval.
    Make changes to your test script if required.
    What is Test Script (Scenario Testing)
    Header Data
    Step in Process
    Transaction Code / Program (FB60)
    Menu Path
    Field Data and actions to complete
    Expected Results
    Actual Results
    Closing Period
    F.19 Clearing GR/IR Account
    F.13 Adjustments GR/IR Account
    Using of these above two accounts will help us in clearing the balances and adjustments to those respective clearing accounts so that the GR/IR account will be zero balance and the balances will appear in respective reconciliation accounts accordingly the balances will be carried forwarded to next fiscal year.
    GR/IR Clears the following Documents
    GL Document
    Customer Documents
    Vendor Documents
    Assignment Field is important in any document (ZUONR), Amount (DMBTR)
    Foreign Currency Valuation
    Lowest Value Method, If we are in loss then only we will account for it.
    GL Accounts which are important in Testing
    Enjoy Transaction   - FB50
    Normal Transaction - FB01
    Document Parking   - FV50
    Post with Clearing   - F-04
    Incoming Payment   - F-06
    Outgoing Payment   - F-07
    Document Related
    Reset Cleared Items   - FBRA
    Parking Document Posting  - FBVO
    Reversal Documents   - F-14
    Company Code Clearing A/C
    (Trial Balance purposes) reversal  -  (FBUB)
    Clearing Account
    Partial clearing Invoice  - 100 - Open Item
                               Paid  -   70 - Open Item
                           Balance -   30
    In Partial Clearing you can see 100 and 70 are cleared line items and 30 as balance and if it is in Residual you can only 30 as balance as it creates new line item and you canu2019t see the other cleared line items.
    As no company will use residual clearing as it affects on ageing reports.
    Open Items in Foreign Currency in all Modules GL/AP/AR  - F.05
    Master Data
    Company Code
    Only Balances in local currencies
    Reconciliation Account Type
    Year End Scripts
    Re Grouping Receivables / Payables  - (F101)
    Bad Debts Provisions u2013 Scripts
    We assume that the customer has not paid at the end of the year you doubt whether this receivable will ever be paid. So you make a transfer posting for the receivables to an account for individual value adjustments using special GL Indicator E and Transaction Code F-21
    Carry forward Balances
    Sub Ledgers and General Ledger balances to be forwarded to next Fiscal Year
    Accounts Payables
    Vendor Down Payments
    Outgoing Payments
    Automatic Clearing
    Manual Clearing
    Advance (Down Payment)
    Post with Clearing
    Post without Clearing
    Reset Clearing
    Carry forward
    Foreign Currency Valuations
    Accounts Receivables
    Customer Down Payments
    Incoming Payments
    Manual Clearing
    Advance (Down Payment)
    Post with Clearing
    Post without Clearing
    Reset Clearing
    Carry forward
    Foreign Currency Valuations
    Other than that, it is important to know the following:
    Unit Testing
    When you test every single document is called unit testing.
    String Testing
    One transaction full activity is called string testing . For example Vendor invoice, goods received and vendor payment.
    Integration Testing
    It is purely with other modules and we have to check whether the FI testing is working with other related modules or not.
    Regression Testing
    Testing for whole database. Bring all the data into another server and do the testing is called regression.
    When we test any particular document with the user and if it is ok immediately we have to take the signature on the document, which is signed off and can be forwarded to the immediate boss. There are some steps to be followed when we go for user acceptance testing.
    Transaction u2013 Script Writing u2013 Expected Results u2013 Compare with Actual Results
    TPR (Transaction Problem Reporting)
    While doing the user acceptance testing if we get any problems then there are some methodologies to be followed according to the companyu2019s policy and normally as a tester we always need to write on Test Script itself.
    Hope this helps you.

  • Roles and responsebilities of sap sd implementation consultant?

    what are the roles and responsebilities of sap sd implementation consultant?

    Refer to this website for  roles and responsebilities of sap sd implementation consultant.
    Simple - he is responsbile for implementation of SAP SD Module.
    Regarding Implemenation
    Please let me know if you need more information.
    Assign points if useful.
    Sridhar M

  • Roles and authorisations in SAP BI...


    Hi Anand,
    Refer these links from
    BI Authorisations
    BI Analysis Authorisation

Maybe you are looking for

  • Why do I have grey 'Mac' window bars when a document is floating, and how do I get rid of them?

    This is really annoying, as I'm used to working with the new black 'tabbed' look, but I find my PS now looks like this screen grab. How do I switch back to the black tabbed look for floating windows, rather than the Mac traffic lights?

  • IMovie upgrade to 10.6.3 problem

    Has anyone upgraded iMovie version to 10.6.3 and failed then on to get any audio ?? How to fix this please ?? Running on iMac (21.5 inch) Thanks. Jim

  • Change of state between ViewWillAppear and ViewDidAppear

    I'm making an iPhone app, and I'm having an issue in a custom UITableViewController subclass. I've programmatically created a UINavigationBar item to have as a view at the top of the screen with an edit button on the right hand side. That all works f

  • Outlook 2013 appcrash print preview

    We have several Windows 2008 R2 Terminal Server running with Xenapp 6.5 installed. Also the universal print Server from Citrix in Version 7.1.1 is being used. When we open the print preview Outlook (32 bit Version) sometimes crashes, mostly with foll

  • Shuffle songs in for alarm

    Is it possible to have the iPod Classic shuffle the songs in a playlist that I use for an alarm?