Security roles and profiles

Hello,
Could you please provide information on "security roles and profiles "
I would appreciate.
Regards,
Alex

Roles give you authorization to specific area of the system. Use TC pfcg and you will see different setting for a role.
In specific Role -> Authorization -> click on Display Authorization Data.
Here all specific InfoArea, Cube, ODS, Reporting componets: display, execute and other security rules are defined.
User Section: defines who has access to this role.
Multiple authorization are combined to create an Authorization Profile. You defined a profile at TC su01 and under profile section.
Hope that helps.
thanks.
Wond

Similar Messages

  • Developing security Roles and profiles

    Hi Team,
    Can you guys let me know how to develop security roles and profiles. We are rolling out for a company in Japan, and the congif is completed. We are in the process of developing test cases ans also security roles and profiles for users? Can somebody guide and help me on this?
    Regards,

    Hi,
    Use Tcode = PFCG -->then create any customized roles and profiles for any users on module based.
    user masters: USR01 to 09, UST04,
    profiles: USR10, USR11, UST10S, UST10C,
    authorisations: USR12, USR13, UST12.
    password exceptions USR40.
    History tables(may not be applicable but FYI): users: USH02, USH04,
    profiles: USH10, auths USH12.
    R/3 Security Tcodes
    End User Transaction Code  Menu Path   Purpose
    SU3  System > User Profile> Own Data  Set address/defaults/parameters
    SU53  System > Utilities > Display Authorization Check  Display last authority check that failed
    SU56  Tools --> Administration --> Monitor --> User Buffer  Display user buffer
    Role Administration Transaction Code  Menu Path   Purpose
    PFCG
    Tools --> Administration --> User Maintenance --> Roles  Maintain roles using the Profile Generator
    PFUD   Work on SAP check indicators and field values
    Select: Copy SAP check IDu2019s and field values
    Installation
    1. Initial Customer Tables Fill
    Upgrade
    2a. Preparation: Compare with SAP values
    2b. Reconcile affected transactions
    2c. Roles to be checked
    2d. Display changed transaction codes
    SU24
    Same as for SU25:
    Select: Change Check Indicators > Maintain Check Indicators>Maintain 
    Regards,
    Srini Nookala

  • Security-role and security-role-assignment not working in WL7.0

    Hello all..
    Some EJB components that worked fine in WebLogic 6.1 no longer work in
    WL7.0. It has to do with the security-role and security-role-assignment
    descriptor elements no longer allowing anonymous users to be included in the
    authorization for a bean.
    For example, in WL6.1 placing these items in ejb-jar.xml:
    <assembly-descriptor>
    <security-role>
    <role-name>Employees</role-name>
    </security-role>
    <method-permission>
    <role-name>Employees</role-name>
    <method>
    <ejb-name>CustomerEJB</ejb-name>
    <method-name>*</method-name>
    </method>
    </method-permission>
    and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
    <security-role-assignment>
    <role-name>Employees</role-name>
    <principal-name>guest</principal-name>
    <principal-name>system</principal-name>
    </security-role-assignment>
    worked fine for clients creating their context using a simple
    InitialContext() constructor without specifying SECURITY_PRINCIPAL or
    SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
    the security-role-assignment element above told WebLogic that "guest" was in
    the Employees role for purposes of this EJB archive.
    Worked in WL6.1, no longer works in WL7.0. Client receives typical
    permission exception:
    java.rmi.AccessException: Security violation: insufficient permission to
    access method 'create'
    If I explicity connect as "system" things are fine, or I can create a new
    user in the default realm in WebLogic, put a matching <principal-name>
    element in the section above, and connect as that user. Note that if I leave
    off the <security-role> section completely, or set the required role name to
    "everyone", the anonymous access works fine. Apparently the anonymous user
    is a member of "everyone" behind the scenes even though "everyone" does not
    appear in the realm list of groups or roles.
    So, my question boils down to this: Is there a "magic" username in WL7 like
    "guest" was in WL6.1 that can be mapped to the required role name, or must
    every client connection use a true weblogic-created user with appropriate
    role assignments used to map it to the required role name.
    -Greg
    P.S. Note that none of the EJB examples provided with WL used
    <security-role>..
    Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
    www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

    Below are the screen shots for PFCG:

  • Configure security-role and method permission for EJB 3.0 using Jdev 11g

    The EJB 3.0 session bean created by Jdev 11g EJB wizard does not have ejb-jar.xml. Where and how can security-role and method permission for the EJB be configured?
    For example,
    <assembly-descriptor>
    <security-role>
    <role-name>managers</role-name>
    </security-role>
    <method-permission>
    <role-name>managers</role-name>
    <method>
    <ejb-name>Employees</ejb-name>
    <method-name>setSalary</method-name>
    <method-params>
    <method-param>java.lang.Long</method-param>
    </method-params>
    </method>
    </method-permission>
    </assembly-descriptor>

    user516954,
    By default annotations are used. However, you can create a new descriptor and that will take presidence over any declared annotation.
    --Ric                                                                                                                                                                                                                                                                                                                               

  • Compliance Calibrator Design - Roles and Profiles

    Hi guys,as you know SAP's authorization concept involves generation of Roles into Profile before it can be assigned to a User. In CC, i wonder why is there a need to segregate Roles and Profiles into 2 seperate functions. Isnt it already sufficient to analyse roles instead of profiles? Profile are names which is too technical which i feel should be omitted unless really necessary.
    Well, unless it is to cater for indirect assignment where profiles are granted to position/org unit etc... I will also be trying out whether there is a difference when you only batch analyse a Role and intentionally excluding the 'profile' whenever a new role is created. Will the system work fine when i do a role analysis?
    Cheers!

    I agree that profiles are old fashioned and should be phased out.  The system has to stop people from being able to maintain profiles directly and assign them directly before they do this though.  SAP_ALL etc can be converted and assigned as a role.  It would make the whole authorisation concept just that little bit easier.  We are talking about a German company though!
    Also, you don't need profiles for indirect assignment.  You can relate roles to the position using PFCG!  Click on the organisational management button on the user-tab, next to the user comparison button.
    Using profiles (ie, maintaining directly and assignment) is highly recommended against.

  • Active a role and profile

    Hi Experts,
    Could you guide me on how to activate a role and profile? Kindly suggest to me the proper procedure of doing this.
    One more thing experts do you have any idea on what tcode used to change a password for multiple user's? Could you give to me as well the proper procedure of doing this.
    Regards,

    To activate a profile, choose Profile Activate on the Profile List screen. If an active version of the profile exists, you will see the active and maintenance versions of the profile so that you can verify the changes.
    New or modified profiles must be activated before they can be assigned to users or become effective in the system.Activation copies the maintenance version of a profile to the active version. If the activated profile already exists in a user master record, the changes to it become effective as each affected user logs onto the system. Changes are not effective for users who are already logged on when the profile is activated.
    For it to take effect, you must hand over your role to the User Management Engine. You do so by activating the user role.
    To activate a user role, choose Activate User Role ( ). To undo, choose Deactivate User Role.
    If u want to change password number of user at a time .For my kind of information its not possible need to change password indivisualy.
    Reg.
    Deepak

  • After BI 7.0 Upgrade, Authorization Roles and profiles are not visible

    Hi Gurus,
    We have an issue with authorization roles and profiles are not visible for all end users with new Bex Analyzer (BI 7.0) tool. But still they can see these roles with old Bex Analyzer ( Bex 3.5) tool.
    As a developer I have SAP_ALL acces and I can see all authorization roles in new BEx Analyzer (BI 7.0).
    I verified in SU01 for user access and every are assigned there roles and they are green.
    Do we need to add any new authorization object to fix this issue, please let me know
    Thanks and appreciate your help.
    Thanks
    Ganesh Reddy.
    Edited by: Ganesh Reddy on Oct 26, 2009 4:41 PM

    Hi Ganesh,
    check the behaviour, if you assign
    S_USER_AGR                          
       ACT_GROUP = "..name of the assigned role.."
       ACTVT = 03 (for "display")    
    b.rgds,
    Bernhard

  • After BI 7.0 Upgrade, Roles and profiles are not visible

    Hi Gurus,
                                  We have issue with the roles and profiles, all our users doesnt see any roles or profiles in Bex Analyzer, under there user access after BI 7.0 Upgrade. 
                                   When I go and check there profile in SU01 and I can see all roles are assigned but not able to see in the Bex Analyzer reporting tool.
                                   Do we need to do any configuration settings after BI 7.0 upgrade to visible roles. This problem with every user.
                                   Your help will be really appreciated.
    Thanks
    Ganesh Reddy.
    Edited by: Ganesh Reddy on Oct 22, 2009 5:19 PM

    Hi Mohan/Vijay,
                            Sorry for little bit late. I have all authorization roles access, and users dont have that access. Difference between our roles is I have SAP_ALL and SAP_NEW.
                            But when they login with old bex analyzer they can see all roles, but not with new bex analyzer.
                            Please some suggest me still I need to run SU25.
    Thanks
    Dayaker Reddy.
    Edited by: Ganesh Reddy on Oct 26, 2009 10:19 AM

  • Authorization : roles and profiles

    Hi,
    I have two questions that I need answers
    - How do I check roles that are assigned to reports and
    - roles and profiles needed to execute reports
    thanks in advance

    Hi,
    Roles or profiles are assigned to user not specific reports or queries, if u need u can check what roles are assigned to u in SU01, provide the user name and go to display mode there u will find profiles tab, u can check .
    Hope this helps u a lot.........
    Assigning points is the way of saying Thanks in SDN
    Regards
    Ramakrishna Kamurthy

  • VIRSA tables for users, roles and profiles sync?

    Hello,
    I am in a customer, implementing CC 5.2. At the first time, we tried CC 5.2 in DEV environment, and when everything was OK, we redirect RFC connectors to QA environment.
    After doing user, roles and profiles sync in DEV and in QA environment too, I have 4.500 user (1.100 from DEV + 3.400 from QA) when I recover all users "*" with "user level - risk analysis" from the "Informer" tab.
    It seems that "users, roles, profiles, sync" works like and "APPEND", but I did a COMPLETE syncronization not an INCREMENTAL.
    If I start an analysis for QA environment, CC works properly and only analyse QA users (3.400). But I would like to clean CC tables (users, roles and profiles) in order to have a clean copy of QA in CC.
    Which VIRSA tables (users, roles and profiles) I need to clean?
    It is necessary to do the same with authorization and text objects? Which would be these tables?
    Thanks in advance,
    Victor

    Hi all,
    SAP GRC Support provides a script which allows you to remove a connector since it does delete all data link to it. Anyway, I would recommend a deep analysis of it and find out if it does what you really want to do.
    Víctor, if what you want to do it is just to remove all user, role and profile master data (stored in tables VIRSA_CC_SYSUSR and VIRSA_CC_GENOBJ) you could upload a text file using data extractor functionality with the delete field set to X. Doing so user, role and profile master data will be removed from CC database.
    In order to use data extraction functionlaity you connector must be of type "File Local".
    Be careful about removing data directly from DB since, as Prem states, you might loose the DB consistency.
    Hope it helps. Best regards,
       Imanol

  • Webservices roles and profiles r/3

    Hi gurus i have a little problem i guess
    i develop a web service and i want that an extern client use this webservice.
    the basis consultan has created an user and he has assigned the sapall and sap new profile and the role.
    the client executes the webservice without problem, but i dont want that the user has this profiles, i need to restric the prmissions of the user created by the basis consultant
    and when the basis consultant take out the sap all and sap new profile and assing other profile an role the webservice cant be executed, the error is that the user has not permission to execute the function group zsd001.
    Does any one knows which roles and profiles does the basis consultant has to assign to the user?
    thanks.

    thanks gurus

  • Su01 recreate old user - lost roles and profiles

    Situation: a person's sap account was deleted, but now that person needs it again with the same sap access as before
    when you recreate an old sap user account in su01,
    sap gives a message "found old user information, do you want to reacreate this".
    Press yess, then all is copied except roles and profiles (empty)....
    You can find them back via the menu : information<change dcuments for users.
    Is there a way to make sure that roles (and/or profiles) are instantly copied from the old records of the sap account (like
    the name, email user group, user parameters, etcetera)?
    Regards,
    ABC

    No. There is no such feature.
    The solution is not to delete the user but rather lock the ID and move it to a "retired" user group where it is protected. From there you can restore it again easily.
    Cheers,
    Julius

  • BW Roles and profiles Tables

    I would like to download a list of all users and what roles and profiles each has.  I did it once before but now I can't remember the table names.  Can anyone help?

    Hi,
    Roles:
    SAP_BW_DEVELOPER
    Profile:
    SAP_ALL
    S_BW_D____
    S_BW_D____1
    Authorizations are
    S_Rs_Admwb_a
    S_rs_adw_a
    S_rs_exp_a
    S_rs_wb_all
    Links for user roles:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/52/6714b6439b11d1896f0000e8322d00/content.htm
    http://help.sap.com/saphelp_nw2004s/helpdata/en/42/271d24d86211d2961a0000e82de14a/content.htm
    http://help.sap.com/saphelp_nw2004s/helpdata/en/e4/15e48efd6c11d296430000e82de14a/frameset.htm
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/d3/559a4271c80a31e10000000a1550b0/frameset.htm
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/4e/52b74065448431e10000000a1550b0/frameset.htm
    For profiles and authorisations:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/52/67151e439b11d1896f0000e8322d00/frameset.htm
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/20/efcbfed8a511d397110000e82de14a/frameset.htm
    Also chk this link..
    http://www.bwexpertonline.com/archive/Volume_04_(2006)/Issue_10_(Nov_and_Dec)/V4I10A2.cfm?session=
    screenshots..
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
    Hope this helps,
    regards
    CSM reddy

  • SAP Roles and Profiles provisioning

    Hi all,
    I am trying to provision SAP CUA using the SAP UM Connector.
    User gets provisioned, but its role and profile do not get assigned.
    The tasks "Add Role" and "Add Profile" are seen as completed.
    But the roles and profiles are not seen in SAP.
    Thanks in advance

    Any inputs from anyone ???

  • Roles and profile in SAP

    what is role and profile in SAP?
    how we can diffferentiate both?

    Hi Swati,
    Role refers to the collection of associated activities (privilages) such as transactions, reports and so on. There are 2 types of Roles, Standard Role and Derived Role. While profile is a set of authorizations that are valid for the transactions defined in that role. Roles contain no actual access. They contain a role menu composed of transaction codes. These transaction codes are then mapped into the profile automatically by profile generator. When a role is generated (once created) the profiles are created automatically by profile generator. Every transaction code is different and may require different numbers of accompanying authorization objects to execute. A single profile can only contain 150 authorizations.  Once that number is exceeded the profile generator will automatically create a second profile, sorted alphabetically by object name.
    Please refer the below links:
    The specified item was not found.
    Re: difference between profile and role
    Difference between Role & Profile
    Regards,
    Sreedhar

Maybe you are looking for

  • I paid for a yearly subscription and now it says I'm on a trial version of adobe creative cloud?????

    It was working fine from march onward when I bought it but when I tried to sign in today it's saying all my products are just trial version and when i go to activate it, it asks for a serial code which wasn't give to me in my emails or anything? I ha

  • How do i get the app store to search for apps again

    in the app store i set it to recommend apps now i cant get it to go back to normal so i can search for apps how do i fix this?

  • MIGO G/L Accounts

    1. Can you please tell me When I am Doing the MIGO with a standard Item category W/o Account Assignment. It is Hitting the EIN & EKG transactions Why is this difference but in my development server it is Hitting the WRX : GR/IR Clearing account and t

  • Incremental backups taking waaaaaaaaay too long!

    Recently, my TC backups using Time Machine have been taking much longer than normal. Even when nothing on my Mac has changed since the previous hour's backup, it normally takes 45 minutes or more, when it used to take just a few minutes. Nothing in m

  • Nokia Lumia 520 battery death ?

    Hello, I've received my phone 2 weeks ago from a shop until then it worked good, Today i tried to charge my phone at school cause my battery was at 0% but after it my phone doesnt go on more i've used normal electricity power 230V for The Netherlands