SAP roles and BW

Similar Messages

• SAP Roles and Access for SAP Implementation team members

  Hi,
  Is it correct practice to give SAP_ALL role access for all SAP Implementation team members in Dev and QA?
  If not, what is the correct practice?
  Kindly let me know

  Madhu,
  It is NOT correct practice to give anyone SAP_ALL in any of the systems; not DEV, not QAS, and certainly not PRD. However, many implementation teams (and particularly consultants from SIs) insist that they cannot possibly do their jobs without it. This is completely incorrect as there are specific roles for them to use for that purpose. The only circumstance where it could be justified is if you require a special "firefighter" role - and even then, I would still be a bit doubtful.
  You should also consider that once you have given someone SAP_ALL, they will fight tooth and nail to keep it. It also means that they probably are not testing the user roles correctly. Most of those that insist they need it simply do not understand the security issues and probably don't care.
  Just think; if they have access to do soemthing that they shouldn't and then cause a big problem, are they the ones that will have to fix it or are they going to expect you to do it? If they expect you to clear up after them, then you have the right to insist on restricting their access to cause issues in the first place.
  But I know just how demanding they can be....
  Best of luck
  Tony

• SAP Roles and Profiles provisioning

  Hi all,
  I am trying to provision SAP CUA using the SAP UM Connector.
  User gets provisioned, but its role and profile do not get assigned.
  The tasks "Add Role" and "Add Profile" are seen as completed.
  But the roles and profiles are not seen in SAP.
  Thanks in advance

  Any inputs from anyone ???

• SAP, AGR_NAME and AGR_TEXT

  Hi all,
  If you give a look at idm\sample\forms\SapUserform.xml you'll find line 525 (in the code below "name" is the name of the SAP resource):
  <Field name='agObjs[$(colName)].AGR_NAME'>
                      <Display class='Select'>
                        <Property name='required' value='true'/>
                        <Property name='allowedValues'>
                          <invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
                            <ref>display.session</ref>
                            <s>activityGroups</s>
                            <ref>name</ref>
                            <map>
                              <s>templateParameters</s>
                              <ref>accounts[$(name)].templateParameters</ref>
                            </map>
                            <s>true</s>
                          </invoke>
                        </Property>
                      </Display>
                    </Field>AGR_NAME is the technical name of a SAP Role. If you look more carefully at the object agObjs[$(colName)] you can see that there is also an AGR_TEXT element which is the description of the SAP Role.
  If you need to get the AGR_TEXT value you'll have to do:
  <Field name='AGList-$(name)'>
    <Default>
      <invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
        <ref>display.session</ref>
        <s>activityGroups</s>
        <ref>name</ref>
        <map>
          <s>templateParameters</s>
          <ref>accounts[$(name)].templateParameters</ref>
        </map>
        <s>true</s>
      </invoke>
    </Default>
  </Field>
  Problem: AGR_TEXT is only present for an already existing SAP role and if you add a role using "addAGRowButton", AGR_NAME doesn't have any value (it will only if you checkin and checkout the addition of the role in the SAP resource).
  My need: replacing "allowedValues" of the "AGR_NAME" Select code given above by a "valueMap" which would have "AGR_NAME" as a key and "AGR_TEXT" as a value, so that it is more understandable for the user.
  Question: How can I get the "AGR_TEXT" value that is associated with an "AGR_NAME" value without doing a checkin/checkout ?
  Thanks a lot for your help,
  Ben

  hello Michael,
  I could fix the transport system, was a network issue, but the DB13 error continue, now when I test the DB connection the following error is show by the PRD system.
  Connect. test with "dbmcli db_state"                         Unsuccessful
  I decided to close this message and open another in MaxDB forum.
  Thanks
  HEPC
  Edited by: Hernando Polanía C on Oct 18, 2011 6:32 PM

• Roles and Authorization strategy for SAP BIBO

  Hello All,
  We are doing an implementation where Source is a Oracle, SAP BI warehouse and BO XI3.1 as reporting solution.
  Our customer has asked for the authorization strategy that will be implemented in SAP BI. Currently the users belong to different companies or plants or countries
  Current structure is like,
  User 1 belongs to Plant1 of Country1
  User 2 belongs to Plant2 of Country2
  user 3 belongs to Plant3 of Country1 etc..     
  We have more than 500 users who will use the reports. The user belonging to a particular plant should only see the plant data/Country data he belongs to.
  As I understand, we need to create the roles in BW and these roles to be imported into BO to use for the row and column level security.
  The options we considered are,
  1. Use Bex queries in BW to with ABAP code in CMOD to identify the user belongs to Plant  1, 2 or 3 and provide necessary authorizations.
  2. Create user groups based on the country or company they belong to and create as many roles as required. This will however impact the maintenance of so many roles in the BI system.
  We are also forced to avoid Bex queries in BW and hence,  trying to connect Multiproviders directly in BO universe.
  How should we go forward in designing the authorization concept? Any better ideas?
  Thanks and Regards,
  Srinivas

  There are two ways which we can implement this kind of authorization based on my knowledge.
  1. Data Security purely at BW
  If the data is secured based on roles and users, there is no  need of additional authorization from BO side except at report and folder level if you go for SAP Authentication.
  Once you use SAP authenication and enable single sign on option in universe connection, the SAP users can access data based on their profile set at BW.
  2. Data Security from BO
  Let's assume that, if nothing is set at BW and every thing to be take care from BO.
  Then you could create one multiple provider for each plant / country. Create one connection for each multiprovider
  Create restrictions (Tools--> Manage Access Restrictions) for each plant/country. There you can change connection names.
  So you would need to create many restrictions for different permutations and combinations.
  I never tries this option with Multiprovider. But It worked well with NON-SAP data.
  Hope this helps!
  Regards
  Gowtham

• SAP Technical roles and IDM Business roles mapping

  Hi Guys
  Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM and the SAP technical roles that are related to that corresponding position into privledges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your sap technical roles from the sap system and assigning them to business roles in IDM. Any help on this is much appreciated?
  Cheers
  Leo

  Thanks Matt,
  I think get I the picture now
  One thing that I am still not sure about is how the sap abap technical roles or profiles are provisioned through workflow
  Here is what Ive done so far
  1. HCM data loaded into productive identity store via vds
  2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
  3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
  4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from sap provisioning framework folder and set it as the add/mod/del  event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each abap privilege that gets loaded.
  But it should be obvious now that there is a flaw with this kind of setup, because all non abap privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway because the privileges use the same attribute i.e.MXREF_MX_PRIVILEGE. So it brings me to the question how do you provision abap technical roles or profiles through workflow without setting a provisioning task for each abap related privilege.
  Thanks again for all your help!
  Leo

• Announcing General Availability of PowerShell Connector and Release Candidate of Generic SQL and SAP Roles/Users

  The FIM team is pleased to announce the availability of some additional Connectors for FIM2010R2.
  General Availability of PowerShell Connector
  The PowerShell Connector can be used to communicate with a system through PowerShell scripts. This allows an easy and flexible way to communicate with other systems but also to pre-/post-process data and files before handed over to the FIM Synchronization
  Service. We believe the community will help providing scripts for this Connector for various systems and will open a place where scripts can be published for reuse.
  TechNet docs:  
  http://go.microsoft.com/fwlink/?LinkID=393057
  Download:         
  http://go.microsoft.com/fwlink/?LinkID=393056
  Release Candidate of Generic SQL Connector
  The Generic SQL Connector will allow you to connect to any database where you have an ODBC driver available. It enables new features compared to the built-in MA such as support for Stored Procedures, running SQL scripts, built-in delta import support, import
  multiple object types, connect to multiple tables, and much more. This Connector is built on ECMA2.3 which allows schema discoverability to be customized in the Sync Engine UI. A pre-release of the next Sync Engine hotfix is included with the Connector download
  and is required for the Connector to work.
  Download:         
  https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52652
  Release Candidate of SAP Users and Roles/Groups
  The updated SAP templates for Users and Roles/Groups allows you to manage Users, Roles, and Groups in SAP. This also include password sync for Users to SAP. The Connector will make sure roles are represented as groups to make it possible to manage these
  with bhold. This template will require the previously published WebService Connector:
  http://go.microsoft.com/fwlink/?LinkID=235883.
  Download:         
  https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52651
  If you have participated in any other Connector preview program you will have access to the Release Candidate downloads. If you have not participated before then to get access to the preview programs on Connect either join the program “Identity and Access
  Management”, “FIM Synchronization Service Connectors Pre-release” on
  http://connect.microsoft.com/directory or follow this link
  http://connect.microsoft.com/site433/SelfNomination.aspx?ProgramID=6709&pageType=1
  We have also published an update to the Generic LDAP Connector adding support for some additional LDAP directories, see
  http://support.microsoft.com/kb/2936070/. If you have additional LDAP directories you think we should support, please feel free to contact me.
                  On behalf of the FIM Sync team,
                  /Andreas Kjellman

  On Tue, 18 Mar 2014 08:09:43 +0000, David Burghgraeve wrote:
  We've been using the OpenLDAPXMA to be able to connect to ACF2 CA-LDAP (from Computer Associates) running on a IBM Z-OS Mainframe System. We've been using it for password synchronization since 2004 on MIIS. Today it's still used via the
  OpenLDAPXMA (64bit) on FIM 2010 R2.
  We had to tweak the password management component in the OpenLDAPXMA to support the error messages we get from the ACF2 System, as we support a multi-master password setup between Mainframe and Active Directory (one can change the password on
  MF and/or on Windows). by example  "LDP0406E ACF2 error modifying lid(ACF00155 NEW PASSWORD CANNOT BE THE SAME AS CURRENT PASSWORD)".
  Additionally, we cannot get the delta import to work with the CA-LDAP, there's no capability in it and we tried to use the time attribute to use in the query for recent changes, but it does not work. (I think we need it in a large integer format
  or unix time integer).
  Would be great to have Microsofts' support in this :)
  In a case like this where your follow-up has nothing to do with the
  original post you should create a new thread.
  Having said that, neither of the MAs to which you refer are official
  Microsoft MAs and as such there is no support from Microsoft available.
  Also, keep in mind that the ECMA1/XMA extensibility framework has been
  deprecated and replaced by the ECMA 2.0. You should plan on replacing
  existing ECMA1 management agents with ECMA2.0 connectors.
  Paul Adare - FIM CM MVP
  "It's 106 light-years to Chicago, we've got a full chamber of anti-matter,
  a half a pack of cigarettes, it's dark, and we're wearing visors."
  "Hotsync." -- Paul Tomblin & Peter da Silva

• Sap-abap Technical Team Leader Roles and Responsibilities

  Can u give  me Sap-abap Technical Team Leader Roles and Responsibilities.

  Yes I can, but I don't think I'll share my experience with you.
  Here's a tip for you though, how about only applying for jobs you are skilled at and not try to lie yourself into a job.
  Warm regards, Rob Dielemans

• Sap b1 roles and responsibilities

  Hi can anyone give me roles and responsibilities of SAP BUSINESS ONE Co-ordinator.
  cheers,
  srikanth.

  Hi Paul,
  I just wanted to know what are SAP CO-ORDITATOR Roles and Resposibilities. what he does in a corporate company. He is responsible for what.
  In a company where SAP is implemented by their Client Company, and now supporting by the same client.
  Cheers,
  Srikanth.

• SAP instance dies when I try to make a change to the role and save

  Hello Friends
  I am an ABAP and XI guy, but am working on Enterprise Portal.
  I have created an IVIEW (URL) and am trying to associate it with a user and role.  I have created user and then when I try to assign role by clicking on AssignROles and then select a role and try to save, it consistently kills the SAP instance (dm36939 0) and this instance turns to yellow (instead of staying green). I have to restart this again. I have installed ECC and EP on this server and ECC (ABAP programs tables etc.,) works without any problem. EP also works most of the time, but consistently fails at this point as explained above.
  I am not sure if there is any specific settings I should be looking at. Any feedback will be highly appreciated.
  Thanks
  Ram

  NOone responded and so closing here to open it again in a relevant area.

• Please tell me sap bw consultant roles and responsiblities in immp project?

  this is shyam plz inform

  Hi,
  Please go through the below link.
  http://mysap.wordpress.com/2006/09/18/sap-bw-consultant-roles-and-responsibilities/
  Assign point if this is useful.

• Role and responsibilities of SAP BW support consultant

  Hi Guru's,
  What is the Role and responsibilities of SAP BW support consultant?
  Regards,
  Sabari kannan.S

  XI Architect:
  He plays the role in the analyzing the landscape for which XI will be used...will take the special not on the number for legacy systems involved...type of system...how much amount of data will flow what has to be taken care for better performance etc........
  1. Design the XI for the currentl lanscape for high performance...
  2. Idebtiy the bottle necks which can appear.
  3. understanding the busnies requirement withrespective to XI
  4. Configure the XI according to the standrds
  5. Lays ground rules on the developemtnenv till golive.
  6. what's the good appproach of design when systems like CRM,BW etc are invloved.
  7 tranports methods till  production and so on

• What are the Roles and Responsibilities of SAP Testing Consultant?

  Hello,
             i want to know about The Roles and Responsibility of SAP Testing Consultant,,pls anybody guide me Real time scenarios.
  regards,
  Balaram

  Understanding the business scenarios
  Organization Structure to incorporate the tune of the script.
  Preparation of test scripts
  Execute and record results to see if it is fine before going to approval.
  Make changes to your test script if required.
  What is Test Script (Scenario Testing)
  Header Data
  Step in Process
  Transaction Code / Program (FB60)
  Menu Path
  Description
  Field Data and actions to complete
  Expected Results
  Actual Results
  TPR
  Closing Period
  F.19 Clearing GR/IR Account
  F.13 Adjustments GR/IR Account
  Using of these above two accounts will help us in clearing the balances and adjustments to those respective clearing accounts so that the GR/IR account will be zero balance and the balances will appear in respective reconciliation accounts accordingly the balances will be carried forwarded to next fiscal year.
  GR/IR Clears the following Documents
  GL Document
  Customer Documents
  Vendor Documents
  Assignment Field is important in any document (ZUONR), Amount (DMBTR)
  Foreign Currency Valuation
  Lowest Value Method, If we are in loss then only we will account for it.
  GL Accounts which are important in Testing
  Enjoy Transaction   - FB50
  Normal Transaction - FB01
  Document Parking   - FV50
  Post with Clearing   - F-04
  Incoming Payment   - F-06
  Outgoing Payment   - F-07
  Document Related
  Reset Cleared Items   - FBRA
  Parking Document Posting  - FBVO
  Reversal Documents   - F-14
  Company Code Clearing A/C
  (Trial Balance purposes) reversal  -  (FBUB)
  Clearing Account
  Partial clearing Invoice  - 100 - Open Item
                             Paid  -   70 - Open Item
                         Balance -   30
  In Partial Clearing you can see 100 and 70 are cleared line items and 30 as balance and if it is in Residual you can only 30 as balance as it creates new line item and you canu2019t see the other cleared line items.
  As no company will use residual clearing as it affects on ageing reports.
  Open Items in Foreign Currency in all Modules GL/AP/AR  - F.05
  Master Data
  Company Code
  Currency
  Only Balances in local currencies
  Reconciliation Account Type
  Year End Scripts
  Re Grouping Receivables / Payables  - (F101)
  Bad Debts Provisions u2013 Scripts
  We assume that the customer has not paid at the end of the year you doubt whether this receivable will ever be paid. So you make a transfer posting for the receivables to an account for individual value adjustments using special GL Indicator E and Transaction Code F-21
  Carry forward Balances
  Sub Ledgers and General Ledger balances to be forwarded to next Fiscal Year
  Accounts Payables
  Vendor Down Payments
  Invoice
  Parking
  Reversal
  Outgoing Payments
  Automatic Clearing
  Manual Clearing
  Advance (Down Payment)
  Post with Clearing
  Post without Clearing
  Reset Clearing
  Carry forward
  Regrouping
  Foreign Currency Valuations
  Accounts Receivables
  Customer Down Payments
  Invoice
  Parking
  Reversal
  Incoming Payments
  Manual Clearing
  Advance (Down Payment)
  Post with Clearing
  Post without Clearing
  Reset Clearing
  Carry forward
  Regrouping
  Foreign Currency Valuations
  Other than that, it is important to know the following:
  Unit Testing
  When you test every single document is called unit testing.
  String Testing
  One transaction full activity is called string testing . For example Vendor invoice, goods received and vendor payment.
  Integration Testing
  It is purely with other modules and we have to check whether the FI testing is working with other related modules or not.
  Regression Testing
  Testing for whole database. Bring all the data into another server and do the testing is called regression.
  UAT
  When we test any particular document with the user and if it is ok immediately we have to take the signature on the document, which is signed off and can be forwarded to the immediate boss. There are some steps to be followed when we go for user acceptance testing.
  Transaction u2013 Script Writing u2013 Expected Results u2013 Compare with Actual Results
  TPR (Transaction Problem Reporting)
  While doing the user acceptance testing if we get any problems then there are some methodologies to be followed according to the companyu2019s policy and normally as a tester we always need to write on Test Script itself.
  Hope this helps you.
  Regards,
  Rakesh

• Roles and responsebilities of sap sd implementation consultant?

  what are the roles and responsebilities of sap sd implementation consultant?

  Hi,
  Refer to this website for  roles and responsebilities of sap sd implementation consultant.
  http://www.sap-img.com/general/role-of-a-sap-functional-consultant.htm
  Simple - he is responsbile for implementation of SAP SD Module.
  Regarding Implemenation
  http://en.wikipedia.org/wiki/SAP_Implementation
  Please let me know if you need more information.
  Assign points if useful.
  Regards
  Sridhar M

• Roles and authorisations in SAP BI...

  CAN ANY ONE EXPLAIN ME THE ROLES AND AUTHORISATIONS IN SAP BI /BW...???
  THANKS IN ADVANCE...

  Hi Anand,
  Refer these links from help.sap.
  BI Authorisations
  http://help.sap.com/saphelp_nw2004s/helpdata/en/be/076f3b6c980c3be10000000a11402f/frameset.htm
  BI Analysis Authorisation
  http://help.sap.com/saphelp_nw2004s/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm
  Regards,
  Hari