Adding tcode to role in display access.

Hello,
Please can someone suggest how we can add transaction codes to a SAP role with only display access.
That means users should have only display access when they execute that transaction. Please suggest.
Thanks.

adnan shahid wrote:
> I would like to add the following tcodes in display access. In all the tcodes only auth object present is S_TCODE.
>
> OKY9
> OKYA
> OKY0
> OKKM 
> OKK6
> OKK5
> OKG6

> Please suggest.
I suggest that you run an authorisation trace to see what objects those transactions reference.
Create a role with those transactions and objects in display only mode. Then get a functional consultant to negative test those roles.
Don't assign with other roles which give change access to the auth objects you have restricted.
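
The reply above makes two checks: the role's activity values are display only, and no other role held by the same user widens them (authorizations from all of a user's roles add up). The following sketch is an added example, not part of the original thread. It assumes rows shaped like an export of role authorization values (for example from table AGR_1251); every role name, user and row in it is constructed.

```python
from collections import defaultdict

DISPLAY = "03"  # standard ACTVT value for display

# Constructed sample rows: (role, auth object, field, low, high)
ROLE_AUTHS = [
    ("Z_TCODE_ONLY", "S_TCODE",    "TCD",   "OKY9", ""),
    ("Z_CO_DISPLAY", "S_TCODE",    "TCD",   "OKY9", ""),
    ("Z_CO_DISPLAY", "S_TABU_DIS", "ACTVT", "03",   ""),
    ("Z_CO_CONFIG",  "S_TABU_DIS", "ACTVT", "02",   "03"),
    ("Z_AUDIT",      "S_TABU_DIS", "ACTVT", "03",   ""),
    ("Z_SUPPORT",    "S_TABU_DIS", "ACTVT", "*",    ""),
]
# Constructed user-to-role assignments
USER_ROLES = {
    "ALICE": ["Z_CO_DISPLAY", "Z_AUDIT"],
    "BOB":   ["Z_CO_DISPLAY", "Z_CO_CONFIG"],
    "CAROL": ["Z_CO_DISPLAY", "Z_SUPPORT"],
    "DAVE":  ["Z_CO_CONFIG"],
}

def grants_more_than_display(low, high):
    """True if an ACTVT value or range allows anything other than 03."""
    if low == "*":
        return True
    return not (low == DISPLAY and high in ("", DISPLAY))

def activity_objects(rows, role):
    """Map each object carrying ACTVT in the role to a more-than-display flag."""
    result = defaultdict(bool)
    for r, obj, field, low, high in rows:
        if r == role and field == "ACTVT":
            result[obj] |= grants_more_than_display(low, high)
    return dict(result)

def review_role(rows, role):
    """Classify a role; S_TCODE alone says nothing about display vs change."""
    objs = activity_objects(rows, role)
    if not objs:
        return "no ACTVT restriction: run a trace"
    return "more than display" if any(objs.values()) else "display only"

def find_conflicts(rows, user_roles, display_role):
    """Users whose other roles widen objects that display_role holds at 03."""
    restricted = {obj for obj, more in
                  activity_objects(rows, display_role).items() if not more}
    hits = []
    for user, roles in sorted(user_roles.items()):
        if display_role not in roles:
            continue
        for other in roles:
            if other == display_role:
                continue
            for obj, more in sorted(activity_objects(rows, other).items()):
                if more and obj in restricted:
                    hits.append((user, other, obj))
    return hits

if __name__ == "__main__":
    for role in ("Z_TCODE_ONLY", "Z_CO_DISPLAY", "Z_CO_CONFIG"):
        print(role, "->", review_role(ROLE_AUTHS, role))
    for hit in find_conflicts(ROLE_AUTHS, USER_ROLES, "Z_CO_DISPLAY"):
        print("conflict:", hit)
```

A static check like this does not replace the negative test: it only sees the values stored in the roles, not what the transaction actually checks at runtime.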

Similar Messages

  • Authorization roles for display access to PD transactions

    Hi all,
    There is a requirement to create a new security role to allow display access to PD transactions :
    > Organisational and Staffing Display PPOSE,
    > Display Position PO13D,
    > Display Organisational Unit P010D
    With this role, display access needs to be restricted to view organisation units and positions within the line of business where the position with this security role sits, eg position is within Direct Sales and Service 55001641 therefore they can only view organisational structures that report through to this top org unit.
    Any inputs regarding this would be appreciated.
    Regards,
    Manasee

    Try with object 'S_ENQUE' and ID 'S_ENQ_ACT'...
    Hope it helps!
    Bye,
    Roberto

  • Adding Tcodes in Role

    How to add multiple Tcodes while creating a role  using PFCG.
    I can only add 17 Tcodes each time. I have 250 Tcodes in a role which I am going to create, and just wanted to know if there is any way to do this at a time, apart from using the scripts. Is there any icon in the pfcg-menu-tcodes section to upload or paste all at a time? Please suggest.
    Thanks
    SR

    Hello Raj,
    Basically it is not possible...!!
    But try like this...copy and paste at a time in that transactional folder..!!
    Note: Points always encourage me to reply !!

  • Display access for the tcode SCC4

    Hi all,
    I want only the display access for the tcode SCC4. In which authorization object I can do this.
    Regards,
    R.Suganya

    Good afternoon. Yes, you can go to transaction SU24, insert transaction SCC4 and execute, click on display indicator, and you will see the object S_TABU_DIS. Assign activity value (03) to your role for this object which has that transaction SCC4 assigned to it. Also make sure that no other roles for that user have this object, otherwise the values will overwrite it.
    Make sure you have locked transaction code OY24 as it's a duplicate of SCC4.
    Hope this helps
    Edited by: nadim razaq on Sep 17, 2008 4:13 PM

  • SM59 Display Access

    Hello All,
    In our Audit Role the user needs Tcode SCU0 for Cross System Viewer. After assigning this Tcode to the role, this Tcode in turn calls SM59, which is a risk of giving this Tcode.
    Is there a way to give SM59 as display access for SCU0?
    Please help with your valuable experiences.
    Thanks,
    CB

    Hi,
    I agree that S_RFC_ADM can be used to restrict SM59 access to display only. But S_RFC_ADM is available only from ECC 6.0 versions, so how about pre ECC 6.0 versions?
    Currently I am on ECC 5.0 where I don't have S_RFC_ADM and  SM59 program has a authority check for S_ADMI_FCD=NADM hardcoded in it which makes it impossible to make SM59 just display.
    Someone suggested using tcode- RSRFCCHK for displaying the RFC destinations and Execute connection tests but unfortunately this tcode skips SM59 initial screen and calls SM59 internally. In addition to that once the destinations are displayed, and you double click any, it takes you to the SM59 screen with full access to create, change and delete!!!
    Am I missing something? Please advise.
    Thanks
    Sandipan

  • Can PID (Parameter ID) be set as a default by TCODE or Role Level

    Hi, Any one has any idea if PID (Parameter ID) and its value can be set as a default at TCODE or at Role Level?
    Thanks in advance.
    Syd.
    Addendum:
    Re: Can PID (Parameter ID) be set as a default by TCODE or Role Level
    Posted: Oct 17, 2006 9:38 AM
    Thanks for the reply, you have mentioned try creating a Transaction variant or a Transaction parameter.
    Here is my question?
    1. Can we set a default Parameter ID at TCODE level so, if any user execute a transaction who has access to execute it, he will have Parameter id and its value as a default?
    2. Can PID be set as a default for SAP TCODE or Custom TCODE, or can be done for both, if it can be done then, How?
    3. Can PID be set as a default for a particular Role or profile?
    Message was edited by: Syed Alam

    Hi JC,
    Yes, I agree.
    A small disclaimer, however, is that we don't know which transaction is being referred to.
    Creating a transaction variant with the parameter set for it could enable the user to navigate further and back again and in doing so "shed" the screen which the transaction (initially with variant parameter and skip screen) originally gave them.
    Using a user-exit to set the parameter can in some cases be closer to the functionality (irrespective of how the user gets there) and be more reliable. But in this case an adventurous user will be likely to trick it anyway if they want to.
    If the decision is made to use PIDs in the coding, then it is a decision that the user can influence the value (in my view). If coding makes insecure use of PIDs, then it is a design error in the coding.
    Cheers,
    Julius

  • Integrate IdM roles with Sun Access Manager roles

    Hi all,
    I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
    I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
    What are the important differences between static and dynamic roles in AM?
    Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
    Thanks.

    I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
    About directory server roles:
    http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
    Forum thread reference:
    http://forums.sun.com/thread.jspa?threadID=5208694
    Here are roughly the steps I followed to get this working.
    Access Manager roles setup:
    1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
    Identity Manager roles setup:
    1. Create a new role in Identity Manager: tab Roles, click New....
    2. Assign the LDAP resource to synchronize the role with.
    3. On the Assigned Resources line, click the Set Attributes Values button. This shows up the attributes listing allowing you to bind your IdM role to your LDAP repository.
    4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
    * In the column Value override, select Text.
    * In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
    * In the text box, enter the role DN text (ex: cn=test_role,dc=com).
    5. Save the role. You can now add the role to a user.

  • Database design for Role/User based access to the application..

    We want to implement Role/User based access to the application.
    Can anyone tell me what's the optimized way of storing the data {User, Role, Access_Type etc} in the database? The Roles might get added in the future so I don't want to maintain a single table to map User-Access_Type.
    Access_Type -->
           | AT_1 | AT_2 | AT_N |
    -------|------|------|------|
    User_1 |      |      |      |
    User_2 |      |      |      |
    I want to maintain a table which will map user with the Access_Type, which should be maintained in a different table.
    Any help would be highly appreciated.
    Thanks in Advance,
    Shridhar..

    You find your answer here:
    http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html

  • Display access in Netweaver 2004s

    Hi all
    How do I give display access to a user for Tcode SXMB_MONI and SXMB_IFR in Netweaver 2004s?
    Thanks

    Hi Jacko,
    For transaction SXMB_MONI you have:
    - S_XMB_ADM. The authorization object Integration Engine Administrator determines the global administrator for the monitoring and administration of the Integration Engine. The field can have the following contents:
       X (The user is the administrator and can access XML messages in all clients in the system)
       Empty (User is not the administrator and can only access XML messages in the current client)
    - S_XMB_AUTH. This provides authorization protection for all actions that affect configuration, administration, monitoring, runtime, the cache, and time-controlled and prioritized message processing.
       Activity (Activity executed in the area: change 02, display 03, execute 16, activate/deactivate 63, reorganize 65).
       Area for Integration Engine (CACHE, CONFIG, FILTER,...and so on).
    - S_XMB_MONI. The authorization object XI: Monitoring of XML Messages is used during monitoring of the XML messages that are processed by the Integration Engine and saved in the database. In particular, this includes the transaction Integration Engine Monitoring (Monitor for Processed XML Messages) and the message monitoring in the Runtime Workbench.
       Activity (you must fill with 03 - Display).
    You cannot give display access to transaction SXMB_IFR because this tcode lets the user open the folder X:\Documents and Settings\<current user>\SapWorkDir.
    I hope this helps you.
    Regards, Leandro

  • GRC BRM TCodes of Role cannot be updated

    Hi Expert,
    I am facing a problem in creating a role from BRM, while trying to generate the role from the Generate stage of Role Methodology. I am getting the error when I click on the Generate button under the Generate Roles tab.
    When I click on the Generate button it opens a new screen with stages: 1 Select system and roles, 2 Schedule, 3 Analyze Risk, 4 Confirmation.
    In the Analyze Risk stage, when I click on the Submit button post risk analysis, I get the error "TCodes of Role Z:ECC_Test cannot be updated (System)".
    Please let me know if anybody is facing issue and have reached to some solution.
    Thanking you in advance.
    Thanks & Regards,
    Jatin.

    Hi, Jatin.
    I am in SP6 and facing the same issue. SAP tell you something?
    In my case the transactions added in pfcg are maintained in SU24.
    Also, I am facing an issue when copy authorization from a function in RAR: "Authorization data cannot be updated".
    Please, tell me if you have news.
    Regards,

  • Display access to UCWB

    We are trying to create an authorization role that allows display access only to UCWB. The role we currently have is a "change" role. Our QA and production systems are closed, so by default a user can only display in these environments. However, we have business users who help develop test scripts and require display access to UCWB in our development environment. Because the development system is open, the current change role allows the users to change config. Has anyone created a pure display role for UCWB?

    Hi Deborah,
    You can ask your BW or BASIS consultants to create a Display role for UCWB, this is a simple job.
    Technically you can first create a role with UCWB display access and then assign it to the respective users.
    While giving display access, you can even restrict only the Master data and others if required. Again, better to give restricted display access to UCWB, as it involves many things which users are not aware of.
    Hope this resolves your problem.
    All the best,
    Sunil M

  • SAP Role to limit access to few ledger accounts

    Hi
    I have created a SAP role which has Display access to FAGLB03 using pfcg.
    I want to restrict this role only to a certain number of Ledger accounts.
    Say like XXXX5, XXXX17, XXXX23, XXXX45 etc.
    Can we restrict using any Authorization object?
    Thanks
    Hari.

    Hi Duggineni,
    I would suggest you to make a use of Authorization Group in GL Master
    F_BKPF_BES
    I have created one role ZFAGLBO3, in which T.Code FAGLBO3 is authorized, and users are assigned to this role ZFAGLBO3. Now all these users can access all the GLs by t.code FAGLBO3, except for a few GLs, in which I have entered Authorization Object "OTHG". So your requirement was to restrict a few GLs in roles, which can be met by using Authorization Object F_BKPF_BES.
    In above role you can see highlighted object F_BKPF_BES, have NIL value against BRGRU.
    Now I have created one test user, who have this role ZFAGLBO3.
    See the results:
    All GL master don't have authorization objects, so this user can display the balances.
    He can
    Note: These users can't display balances in FAGLB03 for a few GLs, which is your requirement, as I understand it. Just add any authorization groups in the GL master; in this case I have entered "OTHG" in one GL, see below snapshot:
    When these users of profile "ZFAGLBO3" try to display balances of few GLs who have Authorization Group field filled in master data, system will give below error:
    I hope this will clear your understanding, and give you an idea, how you can use this to meet your requirement.
    Regards
    Javed

  • PE51- Display Access only??

    Dear all
    How do we restrict PE51 SAPMPE51 HR form editor for only display access? As soon as I gave it, it doesn't give any objects for me to maintain the display authorization. Can someone tell me if there is any object that goes with this T-code where I can maintain only the display access for the user?

    Hi,
    Go to SU24 > enter the T.code in which you want the user to have only display. Execute it (button on Appl. Toolbar), it gives 2 objects, and on the Appl. toolbar it's a button as check indicator > click on this button.
    It displays a list of objects; select the objects with CHECK AND MAINTAIN priority.
    Now go to the role of that user in which you assigned that particular authorization, double click on that role, it takes you to the PFCG screen, click on the Authorization tab. Check that it should be in change mode. Now check that particular object which we searched in SU24 with check and maintain (Ctrl+F), find that object, and after getting the object, in activity remove all the selected fields and just select 03, which is for display. Repeat the same for all objects and generate.
    Now the user has only Display access.
    Regards
    Syed.

  • How to implement Oracle user/role security with Access front end?

    Hi,
    We have successfully migrated our Access database tables to Oracle 10g using SQL developer. We've recreated all the users and roles(i.e., access groups) in Oracle and granted rights to tables.
    In the Access front end database, in the Database window we have saved linked Oracle tables which replaced the Access tables. The forms, reports, queries run fine with the linked Oracle tables. All the linked table use one ODBC DSN to the Oracle database with the same Oracle user id.
    We need to be able to authenticate users into the Oracle database and RE-link the tables based on their own unique user id. By doing so we can allow users to use the Oracle standard user id/role and system privileges to control select, update, etc. rights to the database.
    I've been able to use the VB code within Access to logon into the database with a unique id, but I have not been able to find out how to RE-link the tables to the unique user id using VB. There should be some way to relink tables dynamically, based on users login into the Access front end.
    I don't know a great deal about Access projects, but I do know with SQL server allows login into your Access project and link tables dynamically.
    Can someone give me some assistance or point me in the right direction?
    Thanks in advance,
    Larry

    We had one of our programmers here come up with a VB code solution for re-linking table within Access. However the relinking takes 3-4 minutes for 100+ tables.
    In an effort to help you understand the situation better, I will attempt to elaborate on the problem:
    We have an Access 2003 application which currently has a front end using Access(forms, reports, queries, & VB code) and a MS Access 2003 backend.
    We have migrated the backend tables to Oracle. However, we still have a need to maintain the front end in Access, since we have over 60 forms, 40 reports, 200+ queries in Access. It's easy to understand, we have a significant investment in the front end (obviously, the plan is to migrate the front end also at some future date).
    In order to utilize the existing front end, we have to validate and modify the current front end connections to the new Oracle backend. One of the features of Access is that you can "link" tables and save the link for runtime. Each Access table can have its own link which is a separate ODBC/JET connection. As such, each separate link has its own userid/database information.
    The other issue with using the Access front-end is that Access utilizes a workgroup file to implement user and group security. The workgroup file contains all the users and which groups the users belong to in Access. Then within Access, you allow users access to objects (tables, queries, etc.) by their userid and/or group. When users open an Access database with Access security enabled, they are required to log into Access. The login is authenticated by the workgroup file. Once logged into Access, users have rights to Access objects based on the rights granted to their userid and the groups they belong to. The problem here is that when you remove the linked Access tables and replace them with linked Oracle tables, Access has knowledge about Oracle table rights granted to users; nor would you expect it to.
    The dilemma is the disconnect between Access and the fact Oracle utilizes a similar but much more sophisticated security model. It creates users and roles (which are similar to Access groups), and again this is independent of Access security.
    Our solution was to still use the Access workgroup file security along with the Oracle security model. By using the Access userid and then creating a similar Oracle userid with similar table rights granted in Access, you could apply security within Access and also with the Oracle database.
    For example, a user BOB logs into Access via the workgroup file; using VB code, Access then establishes an Oracle connection, logging into Oracle using the same unique userid BOB.
    After connecting and validating user BOB into Oracle, then the Access tables are relinked to Oracle using the user BOB userid and table rights.
    This Oracle userid has been granted table rights specific for this userid. This allows the user BOB to use the Access application and still be authenticated into the Oracle database.
    The problem with this solution is that the relinking of the saved Access tables takes 3-7 minutes for about 100+ tables. This is not acceptable for users each time they log into the application.
    Our current alternative is to use one Oracle userid to login each user, and use Access form restrictions/security to allow/prevent users from updating/viewing data. Obviously, this is not the optimal solution in respect to security, but it at least allows us to control access to the data(via the forms) by using one logon required for each user, and quick startup time for the application.
    I understand SQL server does a better job in integration, but we use Oracle which is what I am trying to work with.
    Larry

  • Adding New BP Role In CRM 5.0

    Hi,
    When I create a new BP role using BUSD, it is not displayed in the roles of BP using Trans.code BP, and I am not able to add this BP Role in Field Group BP Role (IMG-> cross-app-> BP->Basic Settings->Field Groups->cong. field groups by BP Role). When I try to add this role, it displays a message that it is not in the TB0003 table. Can anyone give a solution for this problem?
    thanks in advance,

    Hi BPX Partners,
    It is not necessary to have the same key for Business Partner mapping between CRM and ECC.
    But it would be advisable to create the Z role instead of using the standard role, as you can make any changes to the Z role.
    In order to map the BPs, you need to maintain settings in T codes "PIDE" & "PIDV", wherein you can maintain the mapping of CRM role to ECC Account group.
    Please let me know for any help you need on this.
    Regards,
    Rahul
