APO roles and auth objects

Hello all,
Can someone tell me the most commonly used Tcodes, roles and auth objects in SAP APO-DP and APO-SNP security?
Thanks

I was going to type them out, but luckily for me I found this link to the DP & SNP auth objects - the info there is as detailed as anything else I have seen
http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/content.htm
There is a list of useful APO transactions here
http://help.sap.com/bp_scmv241/documentation/SCM_AIO_BP_Function_List.xls
I can't help with the standard roles as I build my own.

Similar Messages

  • Job role design - transaction role and auth object role

    Hi all, please kindly comment following job role design:
    (1) transaction role:
    Keep transactions in a single job role to represent business processes in different application areas, e.g. MM: maintain PR, PO, OA. CO: maintain cost center, internal order. HR: maintain org structure, personnel management.
    The single job role will only keep the role menu and object S_TCODE, with all other application-related authorization objects inactivated.
    (2) authorization role
    Keep application component related authorization objects except S_TCODE in a single job role by application area, e.g. objects of MM_B, MM_E, MM_G in the MM role. Objects of K_CCA, K_CSKS_SET in the CO role. Objects of HR in the HR role.
    Then maintain the org levels of the MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role, ...
    User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
    with MM transaction role + company A MM role + company A CO role.
    Please let me know the pros and cons of above design.  Thanks.
    Regards,
    Donald
    * I can see the disadvantage of this design is that during an SAP upgrade (SU25), revisions of authorization objects will not be reflected in the authorization role

    Brent Van Dyck wrote:
    Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
    That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
    In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
    But splitting cube / characteristics / key figures or infotype / personnel group / auth code into different roles can only go wrong.
    Another mistake some "value role experts" sometimes make is that they don't want SU24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side effect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
    Cheers,
    Julius

  • Relation between Roles and Course/Object ID

    hi
    Please tell me the HR-infotype having roles/position/job in relation with Course/object Id.
    HRP1000 has only courses.
    Or please tell me how to make the relation between the two, i.e. roles and course/object ID.
    S@chin

    All these characteristics will be available in different infotypes. Check the tcode PP01
    and check with the help of the objects
    for Course ID

  • SoD Analysis , tables to relate roles, transactions and auth objects

    Hi everyone,
    I am analyzing my company's SAP roles in terms of segregation of duties, however I am having a problem.
    I need a table/report to give me, for each role, every transaction, and for each transaction in the role, every authorization object.
    For example, I want to know for Role B that has transaction C which has the following authorization object D with values X and Y.
    Therefore I want to know for each role and respective transactions which are only display or/and execute or/and editable. How can I do that?
    Thanks!

    Hi,
    There is no default report/table which gives you the required information. However, you can achieve this by using SQVI. Join the tables, and create a tcode for the same. Refer to the link below:
    Re: SAP Query in SQVI transaction
    Alternatively, you can download all the data into spreadsheet and create Pivots to plot the information.
    The other alternative is to have a custom program built which takes the information from AGR_DEFINE, AGR_AGRS, AGR_1251, AGR_1252, AGR_TCODE tables.
    Hope this helps!!
    Regards,
    Raghu

  • SAP APO roles and authorizations

    Hi,
    There is a brand new APO-DP, SNP system being configured at my client for SCM 5.0. I need information on the kinds of roles we need and the security objects involved.
    I have searched this forum and so far, the information I could get is the following:
    Generally there would be a Developer, Super User, end user, APO-ADMIN and a test user.
    The authorization in SCM is by either planning book or by selection profiles and not both.
    I found some information on Authorization in Supply Network and Demand Planning: http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/frameset.htm
    I would appreciate if anybody can give me more information or refer to any link/documents. My id is visu_venkat AT yahoo.com
    Thanks.

    You will need to create roles; see more details in the following link
    Users and Roles: http://help.sap.com/saphelp_scm50/helpdata/en/52/671126439b11d1896f0000e8322d00/frameset.htm
    As you have already mentioned
    http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/content.htm
    http://help.sap.com/saphelp_scm50/helpdata/en/0c/515bb287fe41829556fb4227820e52/content.htm

  • security-role and auth-constraint

    Hi Everybody,
    I want to know the relation between the <role-name> tags defined under <security-role> tag and the <auth-constraint> tag (defined for web-resource-collection).
    Assuming that tomcat is being used, should the <role-name> of <security-role> map to a role defined for tomcat and then the <role-name> of <auth-constraint> map to the <role-name> of <security-role>.
    Or how does it all work? How are these two <role-name> tags related?
    Thanks in advance for your time.
    Vikas

    In <security-role> you define the roles, in <auth-constraint> you tell which role is allowed to use the protected resource

  • Appraisals object type VA and auth object P_HAP_DOC

    The system is running 2005 version. While running
    APPCHANGE tcode the program ignores values in PD Profile
    for object type VA. Furthermore the program bypasses
    the check against the P_HAP_DOC object. Any hints why this happens? For example, the 2005 IDES system we have performs these checks OK.

    Hi Carlos,
    The Otype VA - Template, VB- Criteria group and VC - Criterion.
    The hierarchy is as follows
    VC is below VB, which is below VA.
    The objects as such will be created in HRP1000 as usual.
    In addition, there are tables which start with HRHAP* which hold the appraisal document related data.
    But the table contents cannot be seen from SE11 or SE16. Create a SQ01 Quick viewer query for the database tables.
    Hope this helps.
    Reward points if it helps you.
    Regards,
    Subbu.

  • Role and auth comparison

    Hey,
    How to compare roles of 16 users?
    By SUIM I can do it two by two, which is no good
    Regards
    sanchodur panzadurma

    Hello Sancho,
    Please see this document
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/12320898-0301-0010-1abb-91770fb41b24
    hope this helps
    Thanks
    Chandran

  • Can we control Work center group links using auth object UIU_COMP

    Hello All,
    We are running into an issue while doing our PFCG role configuration.
    I need to know if we can control Work center group links in a business role through auth object UIU_COMP.
    We can control work centers but not 'Work Center Group Links'.
    Here is what we did:
    - We have a business role Z_RA_DEFAULT.
    - The Nav Bar Profile SRV-PRO for this business role has some work center group links that are checked in menu and visible.
    - I'm trying to find the values in the auth object UIU_COMP to restrict Work center group links.
    - Even though the values Work center group links are in menu and visible,
    I want to remove these Work center group links from the screen using the auth object.
    - If we remove the check from in menu and visible in the business role, the Work center group links disappear from the screen.
    Right now this is the only way we are able to control Work center group links.
    Question:
    - Can I use UIU_COMP to restrict Work center group links?
    - Any other auth object that controls Work center group links?
    - Any document / website / info available which tells us what we can restrict with auth object UIU_COMP?
    - Or any other way of doing this... like code change, user exit, ...?
    Really appreciate your help.
    Thanks,
    Nasir

    I am not sure if I have understood the issue correctly, but still, what stops you from actually creating a clone business role of your existing business role and deactivating the in menu visible work center group links? Use this new business role for users who need to be prevented from viewing the work center group links in question.
    If you are going to use authorization objects to control the visibility, won't it impact all users (still defeating your original purpose)?
    Again apologies in case I have got the question wrong.

  • How to delimitate the authorization on BI based on HR auth. object P_ORGIN

    Hi all,
    I need to insert in my BI role one authorization object to delimitate the view of data in the report (data are extracted from an SAP HR system) based on Personnel Area. On the HR system I have the authorization object P_ORGIN that can be filled inside the roles for what concerns the value of Personnel Area.
    How can I apply the same limitation inside the BI role?
    Many Thanks,
    Valentina

    Hi,
    Are you using any other roles? If yes then open those roles and add object P_ORGIN. It should work.
    Regards
    Nilesh

  • Dump file and database objects

    Dear Team,
    I have a dump file created using the Oracle 9.2.0.8 exp tool.
    How to find what schemas, tablespaces, roles and other objects are contained in that dump file?
    Thanks in advance.
    Mallikarjun

    imp <username>/<password> show=y full=y file=<dump file> log=<any filename>
    doc question
    Sybrand Bakker
    Senior Oracle DBA

  • Maintaining the authorizations for parent role and derived role

    Hi Experts,
    Kindly advise me on the pros and cons of the parent role and derived role. Below is the scenario:
    Currently we have created 700 roles in our regional organization and we want to derive the roles for each country.
    1) We want to do the auth field (activity level) settings in the parent role and org levels in the derived role.
    2) But one of my colleagues says to do the default auth field (activity values) common to every country in the parent role and the different activity ones in the derived role.
    Please advise me what will be the best scenario for maintaining the authorization field values (like activity level).

    I will try to answer both your queries here:
    "my colleague says there are some NON ORG values different for each country ..suggest us to maintain all the default values in Parent role and auth with diff values needs to be maintained in derived role (child role).. "
    The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this field is NON_ORG you will not be able to maintain it directly inside the child roles... this is the basic principle of the derived role concept... that the only item you will directly maintain in a child role are the org levels (which will come as 'organisational levels' in the upper tab in the auth data of a role).
    All NON_ORG fields inside a child role are acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. These changes will get lost the next time you run the parent child inheritance from the "generate derived role" function in your parent role.
    Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc... figure out the name of the concerned field you have in hand)... execute... you will see that the field will now onwards appear as an org level value in all roles in the system and not just as a field inside the auth objects... I would suggest you take one field and try running it in your dev or sandbox... see how the field changes in your roles... the change can always be reverted by using PFCG_ORGFIELD_delete... you will understand it better...
    Soumya

  • Manually added auth objects and Derived roles

    If there are manually added auth objects in the parent role do they come across to the derived roles?
    Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?

    Yes, any auth objects will come across to derived roles when you click 'generate derived roles' from your parent role. Basically it's copying your parent role authorizations to derived roles except org. level data (if you had maintained them through the 'org. maintenance' button and not by adding them in individual objects).
    Yes, manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles' from your parent role.
    If you just derived the role menu and didn't copy the authorizations (generate derived roles) then there will not be any interlink between the parent and derived roles for authorizations.
    http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm

  • How can I limit/control the addition of auth. objects to security roles?

    Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certain type of auth. objects and it didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!
    Edited by: Armando Salas on Nov 29, 2011 7:41 PM

    Hi Armando,
    Try with auth. obj. S_USER_AUT. A suggestion: search for these objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
    I hope this helps you
    Regards
    Eduardo

  • GRC SPM 5.3: Auth. object GRCFF_0001 in the role /VIRSA/Z_VFAT_FIREFIGHTER

    Hi experts,
    According to latest version of "SAP GRC Access Control 5.3 Security Guide" available on SAP service marketplace:
    https://websmp105.sap-ag.de/~sapdownload/011000358700000406492008E/AC53_Sec_Guide_en.pdf
    I should assign the default role "/VIRSA/Z_VFAT_FIREFIGHTER" to FF users. (see page 18):
    Base user authorizations required to logon as a firefighter. The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC5.3 SP07.
    The authorization object GRCFF_0001 field ACTVT is * as per default, and as the Sec. Guide says, see page 22.
    What is this authorization for?
    The documentation of this field (PFCG-> press <F1> on object) states following:
    "Authorization Object is used to restrict maintaining and uploading data various tables such as Configuration,Reason Codes, Controllers, Owners and Firefighters"
    I've completely removed this authorization from the role "/VIRSA/Z_VFAT_FIREFIGHTER" and users can still use their FF without problems.
    The problem is in the case of a user having the following auth:
    GRCFF_0001 ACTV *
    S_TABU_DIS  ACTV 02  Table group: Z****
    This combination allows FF users to change all the configuration tables in tx. /n/virsa/vfat.
    What do you think? Is the security guide correct? Why should we give FF users this authorization? As I said, I've removed this auth from the role and all works fine anyway.
    Regards
    Diego.

    Hi sunny,
    I've removed the authorization from the users. It means no user has this authorization. I've checked it using SUIM. I've done a lot of tests already.
    If you have a look at the sec. guide, you'll understand what I'm saying. Note for example the role /VIRSA/Z_VFAT_ID_OWNER and compare it with /VIRSA/Z_VFAT_FIREFIGHTER.
    As per the security guide an owner should have ONLY ACTV 02 and 03, while I should give FF users *. This makes no sense at all. ACTV * should be granted only to admins.
    Again, note what this authorization is for:
    "Authorization Object is used to restrict maintaining and uploading data various tables such as Configuration,Reason Codes, Controllers, Owners and Firefighters"
    Do you think it is correct to give FF users ACTV * taking into account this definition from PFCG?
    Cheers,
    Diego.
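
The combination described in this thread can be looked for across role exports, and the same data yields the display/change view per role asked for in the SoD thread further up. This is an added example, not part of either post: the CSV headers follow the AGR_1251 table named above, AGR_USERS (role-to-user assignment) is assumed as a second export, and all role and user names are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed rows shaped like AGR_1251 (role values) and AGR_USERS (role
# assignment) exports. Headers, role names and user names are assumptions.
AGR_1251 = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_FF_BASE,GRCFF_0001,ACTVT,*,
Z_TABLE_MAINT,S_TABU_DIS,ACTVT,02,
Z_TABLE_MAINT,S_TABU_DIS,DICBERCLS,Z*,
Z_FF_OWNER,GRCFF_0001,ACTVT,02,03
Z_MM_DISPLAY,M_BEST_EKO,ACTVT,03,
"""
AGR_USERS = """AGR_NAME,UNAME
Z_FF_BASE,FF_USER1
Z_TABLE_MAINT,FF_USER1
Z_FF_BASE,FF_USER2
Z_FF_OWNER,OWNER1
"""

def load_roles(text):
    """Return {role: {(object, field): [(low, high), ...]}}."""
    roles = defaultdict(lambda: defaultdict(list))
    for r in csv.DictReader(io.StringIO(text)):
        roles[r["AGR_NAME"]][(r["OBJECT"], r["FIELD"])].append((r["LOW"], r["HIGH"]))
    return roles

def covers(values, wanted):
    """True if a LOW/HIGH entry grants `wanted`: '*', exact value, or range."""
    return any(lo == "*" or lo == wanted or (hi and lo <= wanted <= hi)
               for lo, hi in values)

def role_level(auths):
    """'change' if any ACTVT in the role grants 01 (create) or 02 (change), else 'display'."""
    actvt = [v for (_, field), vals in auths.items() if field == "ACTVT" for v in vals]
    return "change" if covers(actvt, "01") or covers(actvt, "02") else "display"

def user_auths(roles, users_text):
    """Merge the values of every role assigned to each user."""
    merged = defaultdict(lambda: defaultdict(list))
    for r in csv.DictReader(io.StringIO(users_text)):
        for key, vals in roles.get(r["AGR_NAME"], {}).items():
            merged[r["UNAME"]][key].extend(vals)
    return merged

def risky_users(merged):
    """Users with GRCFF_0001 ACTVT * combined with S_TABU_DIS ACTVT 02."""
    return sorted(u for u, a in merged.items()
                  if any(lo == "*" for lo, _ in a.get(("GRCFF_0001", "ACTVT"), []))
                  and covers(a.get(("S_TABU_DIS", "ACTVT"), []), "02"))

if __name__ == "__main__":
    roles = load_roles(AGR_1251)
    print(risky_users(user_auths(roles, AGR_USERS)))
```

The check is done per user rather than per role because the two authorizations can arrive through different roles, as with FF_USER1 in the sample.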
