4016: User/Role relationship for user

Similar Messages

• Roles autorized for this users

  Hi,
  I could not logon from R3 to XI in SM59 though I have given the right parameters in technical settings and right user ID, password,client etc......
  Is this anyway related to roles authorized for the users(SAPUSER for SAP R3 and XISUPER for XI) ?
  How do I check the roles autorized for this users ?
  Thanks
  dhusanth

  Hi,
  >>user: XISUPER
  I checked the Roles Tab
  In Profile Compar.Status
  SAP_BC_AI_LANDSCAPE_DB_RFC
  SAP_SLD_ADMINISTRATOR
  The mentioned roles are not sufficient.... The following roles are needed
  ROLES
  SAP_ALM_ADMINISTRATOR
  SAP_ALM_CUSTOMIZER
  SAP_BC_AI_LANDSCAPE_DB_RFC
  SAP_SLD_ADMINISTRATOR
  SAP_SLD_CONFIGURATOR
  SAP_SLD_DEVELOPER
  SAP_SLD_GUEST
  SAP_SLD_ORGANIZER
  SAP_XI_ADMINISTRATOR
  SAP_XI_ADMINISTRATOR_ABAP
  SAP_XI_ADMINISTRATOR_J2EE
  SAP_XI_BPE_ADMINISTRATOR_ABAP
  SAP_XI_BPE_CONFIGURATOR_ABAP
  SAP_XI_BPE_MONITOR_ABAP
  SAP_XI_CONFIGURATOR
  SAP_XI_CONFIGURATOR_ABAP
  SAP_XI_CONFIGURATOR_J2EE
  SAP_XI_CONTENT_ORGANIZER
  SAP_XI_CONTENT_ORGANIZER_ABAP
  SAP_XI_CONTENT_ORGANIZER_J2EE
  SAP_XI_DEMOAPP
  SAP_XI_DEVELOPER
  SAP_XI_DEVELOPER_ABAP
  SAP_XI_DEVELOPER_J2EE
  SAP_XI_MONITOR
  SAP_XI_MONITOR_ABAP
  SAP_XI_MONITOR_J2EE
  Regards
  Agasthuri Doss

• Can we set User roles/permissions for a content that is stored in Contentspace at the end of Process

  Friends,
  I have a requirment where a set of approvers approve a form and at the end of the process i store the form as a pdf in the contentspace.
  My requirment is that, can we set roles/permission for the file that i store in the contentspace and allow only the people who have approved the form to view/edit the content the the contentspace.
  If possible what is the workbench activity should i use and how should i use it in the process?
  Thanks for your support
  -Ashok Deivasigamani

  There is  a read/write permissions service in the Content Services category in workbench that will allow you to control the access to the space or th efile that you write intp CS.
  Paul

• Could not establish trust relationship for the SSL/TLS secure channel with authority

  Hello everyone, I need to establish a connection between my HTTPS WCF hosted in Windows Azure Web Role and my Windows Store App Client. The service is actually exposed for testing purposes using a self-signed certificate.
  I have installed the certificate in Personal and Trusted Root Certification Authorities in Current User and Local Manchine.
  In the Windows Store App, I create the service reference pointing to the cloud https service, then edit the manifest and create a new declaration to Add a New Certificate, I checked Exclusive Trust and Auto select, pointing to Root storage name and
  my self-signed certificate.cer.
  The result is the following exception in the IntelliTrace stack:
  Exception:Caught: "The remote certificate is invalid according to the validation procedure." (System.Security.Authentication.AuthenticationException)
  A System.Security.Authentication.AuthenticationException was caught: "The remote certificate is invalid according to the validation procedure."
  Time: 19/01/2015 04:42:33 p. m.
  Thread:Worker Thread[17080]
  Exception:Thrown: "Could not establish trust relationship for the SSL/TLS secure channel with authority 'appchallengewhi.cloudapp.net'." (System.ServiceModel.Security.SecurityNegotiationException)
  A System.ServiceModel.Security.SecurityNegotiationException was thrown: "Could not establish trust relationship for the SSL/TLS secure channel with authority 'appchallengewhi.cloudapp.net'."
  Time: 19/01/2015 04:42:34 p. m.
  Thread:Worker Thread[17080]
  Appreciate any help, to solve this with the approach of WCF Service Reference in Windows Store App.
  Note:
  If I call the HTTPS service using a Console App it works very good using the following the code:
  ChannelFactory<IAgentService> factory = new ChannelFactory<IAgentService>("basicHttpBinding_IAgentService");
  ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, error) => true;
  IAgentService wcfProxy = factory.CreateChannel();
  Thanks in advance,
  RC

  Maybe not implemented.
  https://social.msdn.microsoft.com/Forums/windowsapps/en-US/2dab2818-8f4c-4474-a7a1-db2cbfb40d40/accepting-client-certificate-for-https-connections?forum=winappswithcsharp

• Role Mapping For Portal Role Assignment and ABAP Role Assignment

  Summary:
  - Under the GRC configuration of Roles> Role Mapping we are trying to utilize the  role mapping feature in GRC for associating a dependent role to a main role.
  - We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
  - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
  Problem Description:
  Our Scenarios we tested:
  Scenario 1:
  Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
  Dependent Role:  Attached to Initiator B & workflow B (routes to auto approval or no approval)
  *Problem with the Scenario 1setup above, the dependent role will always get approved & provisioned regardless of the approval or denial of the main role. 
  Scenario 2:
  Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
  Dependent Role:  Attached to Initiator A & workflow A(routes to single approver (same as main approver) based on role)
  *Problem with the Scenario 2 setup above, the dependent role will always also need to get approved by the same approver as main role and it opens the possibility that the approver may accidently approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
  Questions:
  1. Does the dependent role need to be defined in an initiator at all since it will never directly be requested directly?
  2.  If the dependent role does need to be in the initiator file, please describe how to properly setup the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency? (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC and if the role owner rejects/denies the main role, then neither the main role or depedent role will be provisioned by GRC
  Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

  I tested this set up.
  1.  Defined ABAP role as Manin role
  2.  Defined Non-ABAP role as dependednt role
  3. ABAP role  is set up in initiator requiring business approval.
  4.  Non-ABAP role is set up in initiator with no approval required.
  Results Where Business Approver approves the ABAP Role
  1. Only the ABAP role is displayed in approver view which is desirable.
  2.  ABAP role is approved and Non-ABAP role and ABAP role is provisioned.
  Results Where Business Approver rejects the ABAP Role
  1. Only the ABAP role is displayed in approver view which is desirable.
  2.  ABAP role is rejected but  Non-ABAP role is provisioned which is not what we want.  We want the Non-ABAP role not to provision if the ABAP role is rejected by the business approval.
  Thanks again for your help.

• Is there any way to create admin role only for one resource.

  Hi all,
  I am trying to create an admin role with 'update user' capability. But I want to restrict the user(with the admin role) to be able to update a user's attribute only for one resource, The user(with the admin role) should not be able to update the attributes of the other resources which a user have.
  Is there any way to create admin role only for one resource?
  I customized the tabbed user form to show only one resource attribute (deleting the missing fields and adding my tab for the resource) and then assigned this new User Form to the user(with the admin role) in security tab.
  It works fine. But the problem is that if any user(with the admin role) is also admin of some other resource then he/she will not be able to view the other resource attributes.
  Please suggest,
  thanks

  The loop function always repeats the same region so of course the fade is also copied. So option+drag the original region to make a (non clone) copy, fade the first region and loop the second one (which you just copied).

• What are the roles required for MSS

  What are the roles required for MSS in R/3.
  I have created ESS roles. But need to find for MSS.
  I am able to see the PERNR in ESS on portal which created in R/3.
  I need to get my staff on portal.
  What config is required for this.
  MSS User.

  HI
  you will  have to create manager as portal role and assigned to them  necessary worksets containing necessary worksets  look into the PCD in migrated content and line *?? folder you will have necessary ESS and Mss packages. and all configs is related to iviews system properties and transactions  and applications you need to do it .please do not forget to give points
  with regards
  subrato kundu

• Making existing roles watertight for HR data

  Hello,
  I hope to get nudged in the right direction in here. I already descended pretty much to the end of my rope and ... well ... I need some more rope
  The situation is like this - I inherited everything that has to do with maintenance of authorizations on our system half a year ago, the guy that did that before me is no longer in the company (so there's no use in asking what he was thinking (if anything) when he was putting the roles together). Documentation is scarce/non-existing. When it exists it's usually not up to date. I'm not exactly a newbie in authorizations field, but at the same time I'm not really that far away from being a newbie yet, so I'm not beyond listening to basics being pointed out to me.
  <u>The Utopia</u>:
  There are five single roles built for all users of our system (say R1, R2, ... , R5). They're supposed to build on one another, R1 being the basic role, R2 having a couple more authorizations than R1, and so on until R5 which is the role that also has all HR authorizations.
  <u>The Reality</u>:
  The roles have been designed in a hurry and from the top down starting with the sap_all profile and removing some (or most of the) CA, BC and HR authorizations. They were not properly tested. They do not derive from one another in any way ... R2 for example is a complete copy of R1 with some additional objects and values, same for all the others. Every problem needed to be fixed five times, once for every role. That of course resulted in chaos, things got changed just in one place and the basic role suddenly got more powerful than all the rest. These roles are in use in the production system and there are no plans to substitute them with something better in the very near future.
  <u>The Problem</u>:
  Suddenly (yeah, right ) the need arose to have these roles watertight with regard to HR data. I did some rudimentary testing and sure enough they're nowhere near watertight even for the most common HR transactions. There are ranges defined in S_TCODE for which I have no idea why they are as they are, there was access to SA38 given where SAP HR programs with no authorization group (and no transaction code) assigned could be run by everyone ... there's god knows how many other security holes. The only help I got from the HR consultants was the list of all 2000 or so HR transactions (taken from the SAP menu tree) which shouldn't be accessible to a normal user. I suspect I might be in need of a typing monkey to check them all five times
  <u>Question</u>:
  How do I close as many security holes in these roles as possible? What's the strategy when dealing with such tasks? I've made it clear to the management that we probably won't have watertight roles if we don't create new ones, but making a set of new roles created properly from the bottom up is out of the question at this moment.
  I'd be extremely grateful for any advice or if anyone could point me to any kind of documentation about making roles like ours more secure for protecting HR data (and also keeping the users away from any BC stuff).
  In the meantime, I'm off to searching through the archives of the forum.
  ursa

  Mopping the floor with the water running is a spot on description
  Actually we're in the process of setting up new and improved authorizations but (of course!) the testing phase turned out to be much more time consuming than anticipated. No surprise to me, however someone obviously thought authorizations are a matter of defining roles and their menus and the system does everything else by itself. Riiight.
  What I did so far - first I educated myself on the specifics of HR authorizations. I never had to deal with those before, so (for example) it was a surprise to me that there's actually a separate SAP course dealing with HR authorizations Then I compared the existing roles to each other like you suggested and figured out a way that allowed me to do all the modifications with least amount of work. I cleaned most of the infotypes out of P_ORGIN and (to cover my behind), adjusted the ranges in S_TCODE to exclude the 2000 HR transactions our HR consultant listed for me.
  Most importantly - I made it clear to the guys above me, that with the roles we use I can't guarantee HR data to be inaccessible for people who should stay away from it. So ... back to the testing of the new authorizations
  Thanks for your help! It always makes a huge difference to get something like a second opinion when one can't decide if left is better than right or if it's the other way around.
  ursa

• Roles required for BPM operation

  Hi Everyone,
  Any idea what roles are required for the user used in receiver SOAP channel for accessing NWBPMs deployed on Java AS(Marked in Red)?
  I have already tried below :
  http://scn.sap.com/community/process-orchestration/blog/2012/06/12/ume-role-required-for-netweaver-bpm-development-and-testing
  https://help.sap.com/saphelp_nwce72/helpdata/en/45/d7d0e08a164c5e87e4604ba89c632a/frameset.htm
  With these roles it doesn’t work. I consistently get 403 forbidden error i.e. not sufficient authorization.
  Even tried roles like : SAP_BPM_SuperAdmin, SAP_BPM_TRIGGER_EVENT but same result.
  Only with full admin rights it works. Appreciate some inputs incase anybody has worked on this?
  Thanks,
  Sharanya

  Hi Sharanya,
  Have you checked the point 3 in this wiki PI Messages are not delivered to SAP NetWeaver BPM - Technology Troubleshooting Guide - SCN Wiki?
  Regards.

• Role Creation for CMS

  Hi Steve,
  We use ant scripts to create domain and assign roles. But some how the scripts for role is incomplete.
  Can you let me know, where the roles like 'Anonymous' and others should be specified in newly created domain. I mean where do we assign roles and privileges inside domain folders?
  Cheers,
  Lakshmi

  Hi
  > i need to create a ROLE only for  Plant Maintenence (only Plant maintenence  authorization).......
  Search the roles for this module & make copy of this roles to zroles.After the zrole was created assign this new roles to that user.
  Search the role by writing plant,maint & check which are related to plant maintenence & copy that role.
  Again check all the transaction which are going to use in the module PM.Create a new role & assign this transaction in this role.this is another way to create the user with authorization only for PM.
  For more details about PM modules transaction check the following link
  http://www.sap-img.com/sap-pm.htm

• Role creation for Plant maintenence

  Hi Folks ,
  i need to create a ROLE only for  Plant Maintenence (only Plant maintenence  authorization).......
  regards
  sathish

  Hi
  > i need to create a ROLE only for  Plant Maintenence (only Plant maintenence  authorization).......
  Search the roles for this module & make copy of this roles to zroles.After the zrole was created assign this new roles to that user.
  Search the role by writing plant,maint & check which are related to plant maintenence & copy that role.
  Again check all the transaction which are going to use in the module PM.Create a new role & assign this transaction in this role.this is another way to create the user with authorization only for PM.
  For more details about PM modules transaction check the following link
  http://www.sap-img.com/sap-pm.htm

• Which are the required roles/privs for viewing all scheduler jobs in OEM?

  Platform: Oracle 11.1.0.6 Enterprise Edition (64) Windows 2008 R2 Server
  - I've created a new Admin user in "OEM>Setup>Adminstrators>Create"
  - I checked the user in "OEM>Server>Users":
  CREATE USER "SA_ADMIN"
  PROFILE "DEFAULT"
  INDENTIFIED BY "saadminsa"
  DEFAULT TABLESPACE "SYSAUX"
  TEMPORARY TABLESPACE "TEMP"
  ACCOUNT UNLOCK;
  GRANT SELECT ANY DICTIONARY TO "SA_ADMIN";
  GRANT "MGMT_USER" TO "SA_ADMIN"
  - "SA_ADMIN" was granted only the permissions above.
  - I can log in OEM as "SA_ADMIN"
  - I can see OEM backup jobs and the history
  - But I cannot see any "scheduler" jobs in "OEM>Server>Jobs"
  - I get a lists of the jobs in "OEM>Scheduler Central" but I cannot display any more information of "scheduler jobs"
  - I logged off from OEM
  - I granted SCHEDULER_ADMIN role to "SA_ADMIN"
  GRANT SCHEDULER_ADMIN TO "SA_ADMIN";
  - I logged back in OEM as "SA_ADMIN
  - I can now see some scheduler jobs, but not all of the jobs, I still cannot see any of the new jobs I created logged in OEM as SYS.
  Which are the required roles/privs for viewing all scheduler jobs in OEM?

  if you grant "SYSDBA" to the new Admin user then you can see the "scheduler" jobs.
  GRANT SYSDBA TO "SA_ADMIN";
  I wanted to grant "read" access in OEM for the new user.
  This behaviour is strange.
  Without the "SYSDBA" role the new user can see the OEM backup jobs that were create in as SYS, but it cannot see the "scheduler" jobs.

• Lineage relationship for HANA tables is not shown

  Hi,
  We are using Information Steward version 14.2.1.220 and we ran Metadata integrator for SAP HANA. We are able to see the impact relationship for the tables but not lineage realationship. Some tables are populated from other tables by calling the procedures. But we are not able to see this lineage relationship.
  Can anyone please tell the solution for it?
  Regards,
  Bhagyashri

  Bhagyashri,
  At this time SAP HANA Metadata Integrator does not parse SQL procedure and so it cannot automatically establish relationship among tables which are populated by those procedures. You can create a user defined relationship to capture the table relationships in this scenario.
  Thanks,
  Hemant

• Authorization Object for role creation for query display?

  Hi,
  Can Anybody here tell me what is the Authorization object that we use for role creation for query display?
  I want to assign a role to the newly designed query! that query does not have any role so far!
  Pls suggest me
  Thanks,
  Ravi

  Hi,
  I could make the authorization tab green by entering the authorization object!
  But user tab still remains red as it is not allowing me to enter my username in the user tab!
  in the user tab  i am unable to enter my user name?
  Any suggestions?
  Thanks,
  Ravi

• Roles & Responsibilities for Junior & Senior consultants(Technical)

  Hi Guru's,
  what are the Roles & Responsibilities for Junior & Senior consultants(Technical).
  what is the  Role in your project?
  How to answer for this question.
  what is the  size of  cubes in your project?
  Thanks,
  Madhu.

  Hi ,
  In general Functional means, derive the funtional specification from the business requirement document. This job normally is done either by the business analyst or system analyst who has a very good knowledge of the business. In some large organizations there will be a business analyst as well as system analyst.
  In any business requirement or need for new reports or queries originates with the business user. This requirement will be recorded after discussion by the business analyst. A system analyst analyses these requirements and generates functional specification document. In the case of BW it could be also called logical design in DATA MODELING.
  After review this logical desing will be translated to physical design . This process defines all the required dimensions, key figures, master data, etc.
  Once this process is approved and signed off by the requester(users), then conversion of this into practically usable tasks using the SAP BW software. This is called Technical. The whole process of creating an InfoProvider, InfoObjects, InforSources, Source system, etc falls under the Technical domain.
  you work on a specific Application area in BW like say FI, MM, PP , etc. you are a BW functional. BW functional would not do any development but they are rather in charge of overseeing whether the specific application functionality is implemented or not. They rather look for the functionality and not for the underlying code.
  Functional skills..Knowledge of taking user requirements,and designing the functional and technical specs according to the requirements,determine what customizations are required in the system.Such a person needs strong 'functional background' of the source system and the functional areas involved..example SD,Finance,MM,Utilities,Inventory Mgmt etc.
  Sort of skills required by person at design and blueprint phase.
  But if you are working across application areas then you are BW technical. They are the ones who do all the development like creating BW objects and activating them.
  developing BW objects according to the design specs(FS and TS),data modeling skills,ABAP coding skills for routines and exits.Sort of skills required by person working in development phase of work.
  Generally Technical people are expected to have some basic functional knowledge. But if they really have very good functional knowledge in 1 area then they are generally called "Techno-functional".
  An SAP BW functional consultant is responsible for the following:
  Key responsibilities include:
  Maintain project plans
  Manage all project activities, many of which are executed by resources not directly managed by the
  project leader (central BW development team, source system developer, business key users)
  Liase with key users to agree reporting requirements, report designs
  Translate requirements into design specifications(report specs, data mapping / translation, functional specs)
  Write and execute test plans and scripts
  Coordinate and manage business / user testing Deliver training to key users
  Coordinate and manage product ionization and rollout activities
  Track CIP (continuous improvement) requests, work with users to prioritize, plan and manage CIP
  An SAP BW technical consultant is responsible for:
  -SAP BW extraction using standard data extractor and available development tools for SAP and non-SAP data sources. -SAP ABAP programming with BW
  -Data modeling, star schema, master data, ODS and cube design in BW
  -Data loading process and procedures (performance tuning)
  -Query and report development using Bex Analyzer and Query Designer
  -Web report development using Web Application Designer
  Hope this helps,
  Regards
  CSM Reddy