Abaper roles or duties in a company.

Similar Messages

• Can we rename ABAP roles in GRC Process Control to adhere to naming convntn

  Hello,
  We are working on a new implementation of the GRC Process Control 2.5 product. It comes with 11 standard roles. I wanted to change the names to adhere to our company's role naming conventions. Will this adversely affect any functionality. I know that in PC, there is a additional level of security that is maintained thru the NWBC. How will that be affected? And is it typical to have a non-sap security team maintain the roles/user thru the NWBC and have SAP Security maintain the ABAP users/roles?
  Thanks in advance.

  Hi Arvind:
  We copied the standard delivered ABAP roles to our namespace, made a few additional changes and are using them no problem.  We also copied the NWBC roles to our namespace.  We have the default roles as reference.  We did this for consistency, but also because ABAP roles and App roles can change as the App roles did in SP04.  This way we compare the app roles before and after a SP to make sure we agree with any role changes introduced to default roles.  This way, we don't unknowingly introduce changes to our roles based on the changes SAP introduces to their roles at any given point.
  As far as the tester role goes, it is at the Process level.  If you aren't sure go into the app under User Access => Roles and their tasks like you will assign it and restrict the selection to "proces".  You will see it is at the Process level.  As far as the rest goes, you seem pretty well versed in the security guide so I'm sure you know this, but as long as the level of the role is equal to or greater than the task you can assign it.  Ex:  You can assign a control level task to a Corporate level role but not a Corporate level task to a control level role.
  I hope this helps.
  Matt

• Abap role in the enterprise portal?

  Can anyone give me a clear picture abt the enterprise protal and abap role in that?

  Hi when there is an integration between EP and R/3 and you click on the User Adinistration of the Portal you will find two types od users available there.
  1. UME Database - this is nothing but the Portal Roles here you will find all the roles related to portal administration, such as eu_role, eu_corerole etc etc .
  We assign portal developer roles to the user form here like Content Admin, System Admin, etc etc.
  2. ABAP Role : whatever role are defined for the user in the backened will appear here ...
  for instance if you implement ESS, hence the user must be able to apply for Travel so a backend r/3 travel role will be attached in SU01 for that user. This is visible on portal.
  Hope this clarifies!
  Cheers!
  SJ.

• J2EE roles vs Portal roles vs ABAP roles

  (I also posted this on portal implementation, but i hope i receive more reactions here )
  Dear all,
  I have a question about the information on the following link:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/4c/6c0f40763f1e07e10000000a1550b0/content.htm
  It says the following:
  "These functions are intended to assign users and their assigned portal roles a corresponding role in the SAP System. This corresponding role (authorization role) contains the authorizations needed to execute certain functions from the portal."
  1. These "...certain functions..." they talk about, can someome give an example of these functions?
  2. Is it possible for example to create a role in the portal that gives a user authorisation for starting transaction SE80 in the backend system? Without making the role in the backend first and uploading it to the portal.
  3. It's also possible to upload ABAP roles to the portal. Is the main reason for this that users can see their SAP menu (or part of it) in the portal? Or does this have other advantages too?
  4. I'm very confused about the relation between J2EE roles, portal roles and ABAP roles. Is it possible to manage the roles for a user in one place, without having to do certain actions in the portal AND the backend system?
  From what I've read on help.sap.com, you always need to do certain actions in both places.
  A possible approach is the following (from what i know): Creation of roles in the R/3 system, without assigning to users. From a webdynpro application, a user can then be created and roles can be assigned: portal roles (via some API) and R/3 roles (via BAPIs).
  I hope someone can give a bit information on this issue. I've done alot of reading on help.sap.com, but it's still an abstract issue for me.
  Kind regards,
  Joren

  Hi Jorem
  Re: point 3. I don't build portal roles through this mechanism as I don't believe in replicating the SAP easy access menu inside the portal. If there are some specific functions (transactions) that I want to run inside the portal, then I might use this mechanism to build the iViews once. I would rather start an iView that runs transaction SMEN and let the user see their regular easy access menu.
  Please note that the speed of executing transactions in the portal isn't a function of the portal, but the fact that you are using ITS, for example, to web enable the transaction...
  Re: point 4. Groups are a UME concept. They have nothign to do with ABAP groups. They can be created directly in UME through user administration functions, or they can be created in the LDAP and then they are visible in the portal. If the UME points to an ABAP system, then the ABAP roles are autoamtcially visible as UME groups. Groups created in the UME need to have the members assigned through user admin functions of the Java engine. Groups stored in LDAP are maintained using LDAP admin tools. There are upload utilities that allow you to maintain LDAP users and groups through text files. Google LDIF for more details.
  Roles on the portal need to be built in the portal contetn directory. As Michael mentioned, this can be automated by the use of the role upload function built into the portal.

• ABAP Role Assignments stored in MSAD

  Hi all,
  unfortunately I have only found contradicting information in relation to the possibility to manage ABAP role assignments using a MS Active Directory.
  We plan to implement a WAS (ABAP) 6.40 SP14, synchronise data between the WAS and the corporate MSAD. While WAS (ABAP) is not capable of MSAD based authentication I suspect it is possible to manage the user/role assignments in MSAD. Am I right in my assumptions (see list below) that the following data entities can/cannot be managed and synchronised/stored with the WAS (ABAP) out of the box?
  WAS ABAP
  1. possible - user master data (e.g. userName, address, etc.)
  2. possible - user/role assignments
  3. not possible - user passwords (however, can be bypassed through SSO based on NTLM)
  Portal UME
  1. possible  - user master data
  2. possible - user password
  3. possible - role/group assignments
  4. possible - group/user assignments
  5. possible - user/group assignments
  6. possible - user/role assignments
  Thanks for the help!!
  Cheers Stefan

  Hi,
  Thanks for the suggestion. But ours was a different problem.
  The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
  During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
  Best regards,
  Ashok

• Mapping ABAP roles and assignments to EP UserGroups and EP Roles

  Hello.
  I have set up my EP7 UME to upload ABAP roles as Portal Groups . Im expecting the ABAP role to user assignment to also reflect as EP Group to User assignment.
  All my roles that 'exist' in the ABAP source system are created in EP7 correctly as expected. However, only "direct" user to role assignments are uploaded. NONE of my "indirect" user to role assignments (ie: Via HR Org in ABAP system) are reflected in EP.
  Qtn: Is there a way I can encorporate indirect user-role assignments into the upload into EP as well ??
  Thanks
  Andrew
  ps: I have played with HR org active switch in vain in ABAP syst

  Hi Kumar,
  Have you tested the connection of your R3 system?
  Do you want to connect to the ABAP UME?  If so do the following:
  1.     Logon to the portal as administrator
  2.     Go to:
  1.     System Administrator
  2.     System Configuration
  3.     UME Configuration
  4.     Click Modify Configuration
  5.     From the drop down select ABAP system
  Fill in the details for your system. 
  Click on the User Mapping tab
  Click on the reference system combo box and select the relevant system
  (in this case R3)
  Click on the ‘Test Connection button’.  If the test has been successful you should get a ‘Connection test successful’. ~<b>It is important to test the connection before saving otherwise this could cause you lots of problems!</b>
  Thanks,
  Nick

• How to upload ABAP roles in Portal 6.0 N/W ABAP + Java

  Hi ,
  I have portal 6.0. How can i see the ABAP roles in portal. I know there is some backend system need to configured. please write step by step. I can create users in portal which is replicated in ABAP.
  i have gone thru some forums but did not get the answer.
  Regards
  Atul-

  Thanks for your reply... I am new to Portal. the document you sent me I did not understand where to configured backend system. please let me know where do I configured below information in portal
  When you create a system with a connection to an ABAP-based backend system, you must maintain at least the following property categories and properties:
  Property Category
  Property
  Connector
  Group;
  Logical System Name, e.g. QWACLNT100;
  Message Server;
  SAP Client;
  Message Server;
  SAP System ID
  User Management
  Logon method
  User mapping type (if you want to take advantage of user mapping)
  Internet Transaction Server (ITS)
  ITS Description, e.g. qwa_its
  ITS Host Name
  ITS Path
  ITS Protocol  
  Appreciate for your reply...
  Regards
  Atul

• UME problem - ABAP roles not showing up in UME

  Hello,
  I'm having a problem where the ABAP roles (UME groups)  for my PI system are not showing up as assigned to a user in the UME.  The roles assigned to the user are not reflecting the roles (UME groups) that are in the ABAP side.  But, other users are showing up fine.    The user is shown to have only the standard basic roles.
  This works fine on my development and AS system.  Any help would be greatly appreciated. Thanks.

  Hi George,
  There is a 30 minute delay before these roles/groups show up in the Java system. Could that be the problem in your case?
  See the [documentation|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/45/af3ac012d32e78e10000000a155369/frameset.htm].
  -Michael

• Documentation for PI ABAP roles

  Hi all,
  is there a general documentation for the PI ABAP roles? I assume something like that:
  - User should access J2EE Adapter Engines / SOAP Adapter (used for sending a Webservice to PI from a 3rd Party Application) --> necessary role abc
  - User should be able to process Alerts in Alert Inbox --> necessary role def
  - User should be able to create repository objects --> necessary role ghi
  - User should be able to create scenario objects in intergration directory --> necessary role jkl
  What I still don't know which ABAP role is used for which purpose. We'd like to assign minimal roles to the users.
  BR
  Holger

  Hi,
  Check in this link:
  http://www.erpgenie.com/sap/netweaver/xi/xiauthorizations.htm
  For alerts refer this:
  The following predefined user roles are available for customizing and administration:
  • SAP_BC_ALM_CUST for customizing authorization.
  • SAP_BC_ALM_ADMIN for administration authorization. The administrator has the authorization for all activities. He or she can also read and confirm alerts for other users. In addition, the administrator can execute report RSALRTPROC to delete, escalate, and deliver alerts as well as to delete logs.
  • For the sending of alerts via external communication methods (e-mail, sms, fax) and for inbound processing, an RFC user has to be created on the central alert server with the role SAP_BC_ALM_ALERT_USER. The authorization objects contained in this role are S_OC_SEND and S_RFC.
  • Accessing alert inbox the userid has to have the role SAP_XI_MONITOR.
  • SAP_ALM_ADMINISTRATOR - Alert Management Administrator Give this rights
  Refer the SAP_XI_ADMI topic and see the roles.
  http://www.erpgenie.com/sap/netweaver/xi/xiauthorizations.htm
  Refer link for user roles: http://help.sap.com/saphelp_nw2004s/helpdata/en/74/03b140ade49c2ae10000000a155106/content.htm
  Roles needed for IR and ID:
  Role: SAP_XI_Developer
  SAP_XI_DEVELOPER (Composite)
  SAP_SLD_DEVELOPER
  SAP_XI_DEMOAPP
  SAP_XI_DEVELOPER_ABAP
  SAP_XI_DEVELOPER_J2EE
  Role: SAP_XI_Configurator
  SAP_XI_CONFIGURATOR (Composite)
  SAP_SLD_CONFIGURATOR
  SAP_XI_BPE_CONFIGURATOR_ABAP
  SAP_XI_CONFIGURATOR_ABAP
  SAP_XI_CONFIGURATOR_J2EE
  SAP_XI_DEMOAPP
  Regards,
  Nithiyanandam
  Edited by: Nithiyanandam A.U. on Feb 18, 2008 2:31 PM

• R/3 Transaction Iviews vs Imported ABAP Roles on Portal

  Hi,
  In one of our requirement, Business needs to set up such that client should be able to have web based access to R/3 Transaction through Portal.
  We can achieve that by creating system in portal and create Transaction iview with required T-code of R/3.
  Whats wrong if we can define roles in ABAP system for a user with full hierirachy and import those ABAP roles into portals.and through portal we can give unified web based access to imported roles?
  Does both the possibilities accomplish our need?what are main gaps between these two methods?
  I want to go by Import method,Any suggestions please?
  Cheers
  Rani

  Hi Michael,
    I agree with you that the ABAP role has a complicated menu structure and uploading has to be done at regular basis.
  Is there any mechanism through which any change in ABAP role structure in R/3 reflects in portal exactly so that there is no need of regular uploading?
  If not?So in which business scenario uploading of ABAP roles into portals are helpful?whats the use?
  Coming back to your second solution
  It is much easier to have one transaction iView that starts transaction SMEN, which presents the user's full SAP menu in a single screen
  But about about a user if he wants to navigate from this transaction SMEN to another transactions to which he is authorised to(R/3 Back-end)through this single Transaction iview.
  In other words if we want to have access to 5 transaction iviews in R/3,do we need to create 5 corresponding transaction iviews in portals?How to achieve this requirement in a better way?
  Waiting for you Reply
  Bye and have a Nice Day
  Rani

• Role Mapping For Portal Role Assignment and ABAP Role Assignment

  Summary:
  - Under the GRC configuration of Roles> Role Mapping we are trying to utilize the  role mapping feature in GRC for associating a dependent role to a main role.
  - We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
  - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
  Problem Description:
  Our Scenarios we tested:
  Scenario 1:
  Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
  Dependent Role:  Attached to Initiator B & workflow B (routes to auto approval or no approval)
  *Problem with the Scenario 1setup above, the dependent role will always get approved & provisioned regardless of the approval or denial of the main role. 
  Scenario 2:
  Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
  Dependent Role:  Attached to Initiator A & workflow A(routes to single approver (same as main approver) based on role)
  *Problem with the Scenario 2 setup above, the dependent role will always also need to get approved by the same approver as main role and it opens the possibility that the approver may accidently approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
  Questions:
  1. Does the dependent role need to be defined in an initiator at all since it will never directly be requested directly?
  2.  If the dependent role does need to be in the initiator file, please describe how to properly setup the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency? (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC and if the role owner rejects/denies the main role, then neither the main role or depedent role will be provisioned by GRC
  Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

  I tested this set up.
  1.  Defined ABAP role as Manin role
  2.  Defined Non-ABAP role as dependednt role
  3. ABAP role  is set up in initiator requiring business approval.
  4.  Non-ABAP role is set up in initiator with no approval required.
  Results Where Business Approver approves the ABAP Role
  1. Only the ABAP role is displayed in approver view which is desirable.
  2.  ABAP role is approved and Non-ABAP role and ABAP role is provisioned.
  Results Where Business Approver rejects the ABAP Role
  1. Only the ABAP role is displayed in approver view which is desirable.
  2.  ABAP role is rejected but  Non-ABAP role is provisioned which is not what we want.  We want the Non-ABAP role not to provision if the ABAP role is rejected by the business approval.
  Thanks again for your help.

• ABAP roles v/s Portal Roles

  Hi All,
  Currently I was going through  EP security docs where I came across this
  "An important difference between ABAP roles and Portal roles is that in the portal,no authorizations are defined for the backend application itself. This must still be
  done within the backend applications (for example, mySAP ERP)."
  Can somebody plz explain me this..
  Would also like to know more difference  between ECC and EP security,
  Thanks,
  Ajit

  Hi Ajit,
  I have been looking into this for some time as well, but am still not sure of some things myself nor which scenarios fit best to which security aspects.
  My understanding is that it depends on how the portal is connecting to the backend.
  If the portal user is the backend user, then the portal role is just a permission to click on things in the portal. The portal roles are mapped to the backend roles in the ABAP system (so you can, and need to, define what that portal role can infact do when the portal user "clicks" in the backend, using the backend roles of the same backend user context).
  If the portal user is not the backend user (i.e. it is a system service for generic access to the backend), then you should restrict the backend access to the bare minimum of that service and control the security in the portal application (the calling application) as the backend user context is not the same.
  So it is a "design" answer as well...
  There are a few good posts about this if you use the search. If you find a good one, then please link it here so that others who use the search and follow up on their questions can use it as well.
  At the top of the forum, there is a sticky thread on FAQs and other usefull discussions. Sadly, portal security does not have any links yet, so if you find a good one then let me know.
  Cheers,
  Julius

• Federation, remote role assignment based on ABAP roles on producer

  Hi all,
  We have implemented the federated portal solution for our ESS users. We use the ABAP stack of the producer portal as user store for consumer and have no problems in assigning portal roles on our consumer based on ABAP roles in the backend (displayed as groups in the portal).
  Now we want to add some extra functionality (eg SRM and eRec) and we encounter some problems. These systems all have their own ABAP stack as user store. We have maintained the functional authorization model in the ABAP roles for instance in SRM. So an example:
  System I: ABAP + JAVA --> ECC 6.0
  Here we have the standard R/3 functionality and the producer portal (A) installed. Roles created on producer portal and assigned based on ABAP roles.
  System II: JAVA --> NW 7.0 Portal
  Our consumer portal (B) where we use roles created on the producer portal (A) on System I.
  System III: ABAP + JAVA --> SRM
  Our SRM system with SRM producer portal (C). In the ABAP stack of this sytem the functional SRM roles have been assigned to the users. We have created functional SRM Portal roles in order to use remote role assignment on consumer portal (B).
  +PROBLEM+
  We want to remotely assign portal roles created on the SRM Producer (C) to users on the consumer portal (B), based on the ABAP role assignment in the backend of system III. How can we achieve this in a fast and efficient way?
  Looking forward to your ideas. Anything helpfull will be gladly awarded with SDN points.
  Best regards,
  Jan Laros

  Jan,
  Interesting question. Let me share my experience and hope that's of some use to you.
  We started off federating corporate NetWeaver Portal (lets say B, parallel to your convention) as consumers to BI Portals (Lets say A).
  - B's UME points to Active Directory
  - A's UME points to BI ABAP user store
  - User ids are identical in both systems
  We ran into the problem of dual administration ((de)assigning portal role on both portals instead of just one) for a long time. The issue was because of different reasons at different times as we patched B's and A's. At one point we were on SP15 on both portals and we were told by SAP that RRA can be done on B for remote roles and the assignment propagates to A automatically if the following configuration is set up on both A and B.
  - A's permissions are relaxed allowing "Everyone" group checked for "End User" access as per ([http://help.sap.com/saphelp_nw04s/helpdata/en/43/2236fc0b413fe1e10000000a11466f/content.htm|http://help.sap.com/saphelp_nw04s/helpdata/en/43/2236fc0b413fe1e10000000a11466f/content.htm]
  However, we chose not to do the permission relaxation as enabling "Everyone" group with "End User" access can allow anyone to launch an iView (if the URL is known somehow) and the user would be able to see the layout of the iView, which can include text, etc. The user won't be able to access any data though, however, there is certain compromise on security which we decided that its not okay. So, we digressed in SAP's suggested practice because of security reasons.
  Today we, manage security on B using Active Directory groups and on A using Java groups (ABAP roles).
  In your case, I suggest investigating the option of relaxing the security on producer portal like in the above link. If you think its okay, all you have to do is, provision users on B by assigning remote roles from C and A.
  Either my story is applicable or I must have got you totally wrong,
  Kiran

• ABAPer role in upgrade project

  Hi,
  Please let me know the ABAPer role with upgrade project. When Std programs updated by support packs what are the responsibility of ABAPers?
  Thanks,
  Praneeth

  Hi,
  Automatic- It means that there will be a green icon. You will have to just click it and it is done.
  This is because the changes to the SAP Object have been done either via SNOTE for some note application or you have used the modification assistant. So SAP does not have any problem in determining the changes. So the adjustment is automatic.
  Semi-Automatic - In this case there will be a yellow icon. This means that you have to make some manual adjustments. This is because SAP considers that the adjustments are proper but still there is some discrepancy.Probably this is because you have made some note changes and additionally inserted some comments like begin of changes by xxxx on yyyyy for note zzzzz.
  So in this case SAP will give you a split screen editor in whihc your existing code and the one coming from support pack will come. So you have to adjust accordingly.
  Manual Adjustment - In this case there will be a red icon. This means that you have to make the chnages manually. This is because SAP finds a lot of discrepancy in your program and the one coming via support pack. The reason can be either the earlier note was incorrectly applied or you have added your own code for some custom requirment. So again SAP gives you the split screen editor to make the adjustments.
  Your assumptions about Reset to Original and Adopt Modifications are correct.
  I hope it solves your queries.
  Regards,
  Ankur Parab

• Abaper role in RFID project

  hi all,
        can anybody tell me role of abaper in RFID project?? by next month i have to engage in RFID implementation project, i dont have any details of project right now..can any body tell me what they will expecting from my side in project ... what will be my responsiblitites in this type of projects...

  Hi,
  Abaper role is to write some Custom Function module to query from SAP OER, which later going to be exposed as web service.
  That webservice can be used by some middleware or for some interfacing. Probably some FM's for reporting purpose in BI.
  Regards
  Aashish Sinha