Assign single role to composite role with alternate logsys assignments

Dear gurus,
In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
Cheers,
Julius

Hi Martin and others,
I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
You also don't see this in the code of SU01, as the USERCLONE IDoc processing seems to be the guilty one to also send additional IDocs for these single roles with targets assigned to the roles and not the user.
There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
That is a bit of a bummer because it means that you also cannot ever test anything...
Did anyone ever try to actually use this?
Cheers,
Julius

Similar Messages

  • Assign remote roles with Federated portals

    Hello all,
    We're trying to implement a federated Portal network using the "Implementing a Federated Portal Network" in Detail document.
    The steps that we have followed successfully are:
    1. Connect to the user repository (Producer and Consumer).
    2. Configure system settings (Producer and Consumer).
    3. Define and Configure producers (consumer).
    4. Set permissions (producer).
    Now we want to assign remote roles to local users in User Administration -> Proxy-to-remote Roles option. But the Proxy-to-remote Roles tab doesn't appear in the second level navigation...
    We are working with EP7 SP10.
    Any idea?
    Thanks in advance

    Maybe a clue: According to the Remote Role assignment question, we have a similar problem using the Remote content copy option.
    In the consumer EP, Content Administration -> Portal Content, the Netweaver Content Producers contains the producer connection icon but it's empty. So, the content share can't be done...
    Now... Any idea?
    Thanks!
    Message was edited by:
            Marta Sánchez

  • Assigning admin role with bulk action

    Using IDM 6.0 SP1 on tomcat and oracle db
    Using a csv file, I can update users with an admin role only if there are more than one admin roles (pipe delimited)
    CSV Header Row:
    Command,user,accounts[Lighthouse].adminRoles
    CSV Line One:
    Update,cramert,Administrator - Second Level Help Desk|Administrator - Security Desk|Administrator - Registration Authority
    CSV Line Two:
    Update,morrisom,Administrator - Registration Authority
    The first update with multiple admin roles works - the second does not...
    Thanks,
    Mike K

    Seems we have documentation on this one:
    For a list with one value use:
    |List|Administrator - First Level Help Desk
    For Merging one value to a List:
    |List;Merge|Administrator - First Level Help Desk
    Thanks,
    Mike K

  • Add a single role to different composite roles in one step

    Hello everybody,
    I am working on SAP authorizations, and we often have the situation that a new Tcode is developed and a new role for this Tcode needs to be created.
    Then this new role needs to be added to many different composite roles (sometimes more than 100). At the moment I enter the single role to the composite role and regenerate the menu and this one by one. After that I add them with PFCG_MASS_TRANSPORT to my transport request.
    I don't want to believe that there is no easier way. Any ideas?
    Thank you
    Flo

    Hi Soma,
    great to find a place to be welcome. Thanks
    What you wrote definitely makes sense, but we agreed that every user only gets one composite role assigned and this composite role contains all single roles needed for his job. We do not assign single roles to users.
    The requirement is that every finance guy should get access to it (by the way, it is a report) unfortunately we have many different sites and many different composite roles for the different positions in the finance area.
    And I did not identify a role which is part of every composite role in the finance area, so I would either have to add it to the most common role present in these composite roles and additionally create a new role which gets assigned to the composite roles where I add the T-Code to is not present.
    -> In this example I would add one T-Code to two roles. Which our security manager disallowed me...
    or make this role available in all finance composite roles, which will give these employees access to other T-Codes which are part of the role but which they should not receive.
    -> Which again... our security manager disallowed me...
    So the only solution I imagined was to create a new role which contains this T-Code and to add this role one by one to every composite role.
    And at the end, your concept is also taken into account because the design of this role is open and if we get a new reporting T-Codes which again need to be added to all Finance guys, I definitely add it to this role
    Comments?
    Cheers
    Florian

  • Role with SPRO for FICO

    Hello SAP Experts,
    Can anyone tell me how to create a role with SPRO authorization for FICO transactions and roles only. I need to assign a role with which a FICO consultant can do all the customizing related tasks in the development server. Please give some solution.
    I invite your valuable inputs
    Thanks & Regards
    Vanitha
    Edited by: Vanitha badampudi on Oct 21, 2008 1:33 PM
    Edited by: Vanitha badampudi on Oct 21, 2008 1:36 PM

    Hi there,
    The easiest way to get all of the t-codes, is for a customising project to be created in the IMG with all of the relevant IMG activities assigned to it.  (Your FI CO consultant can assist here.)
    Once that has been done, you can go and create a role in PFCG.  Select the menu tab, then select Utilities - Customizing Auth. and it will then ask you to select a customising project.
    Once you've done that, all IMG activities and transactions for that customising project will automatically be entered into the menu.
    You then need to go and maintain and generate the authorisations.
    That's my suggestion.
    Hope you can use it.
    Regards
    Lucille

  • Assign Portal Roles from R/3

    Hi all,
    We've here an EP6 SP14 SR1 with R/3 as data source, this R/3 is used to ESS and MSS implementation on portal. The users are created at R/3 using SU01 and then log on to the portal with this same user. But we've to assign portal roles with portal administrator to have access to menus in portal. Is there a way, when we create a user in the backend, to automatically assign portal roles to the user?
    We have neither CUA nor LDAP.
    Thanks a lot for help.
    Best Regards,
    Pedro Rodrigues.

    Jörg,
    Thanks a lot, that's very helpful, now I can see the roles in portal groups. But, we need to use dataSourceConfiguration_r3_rw.xml because when user have to change his own password first time they enter in portal.
    How could we get this authorization?
    Could we assign to pfcg roles that we pretend to use this authorization? What authorization is it?
    Thanks,
    Best Regards,
    Pedro Rodrigues.

  • FM to assign Single PFCG Roles to Composite PFCG Roles?

    Hello everybody,
    Can you tell me a Function Module which assigns/removes a Single PFCG Role to a Composite PFCG Role.
    Regards Max

    Thank you very much for your quick answer. I am afraid the mentioned reports don't solve my problem.
    I am looking for an ordinary function Module, which adds and removes a PFCG Single Role to a PFCG Composite Role.
    Best Regards,
    Sebastian

  • Single role that belongs to composite role with user

    HI,
    Is there an option where a user belongs to a single role and also belongs to composite roles (that include the single role)?
    BR
    Nina

    Is there an option where a user belongs to a single role and also belongs to composite roles (that include the single role)?
    A single role is created in PFCG, where you assign the role name and save it as a single role, and then after t-codes have been provided the user is assigned accordingly.
    A composite role is the same, just that it contains many roles in one, and similarly the user is assigned.
    Thx
    Mysterious

  • FM Assigning of Single Roles to Composite Roles

    Hello everybody,
    I spent the whole day trying to find a solution using any source I know and I couldn't find a solution. So sorry if this question has been asked before.
    My Question is:
    Can you tell me a Function Module which assigns/removes a Single PFCG Role to a Composite PFCG Role.
    Regards Max

    Hi,
    You can add as many single roles but you cannot add the Composite Roles in Composite Role.

  • Composite menu regeneration from single roles

    Hello,
    When I have to maintain (add or remove tcodes) and transport a "single" role that is part of a composite role, the role menu for the composite is out of synch with the single role's transaction content.
    The manual fix for this is to go into the composite role via PFCG in the destination system and push the Read Menu button. This will read the latest menus of the single roles.
    I would like to know if there is a job that I can schedule that can synchronize the composite role to the single roles assigned to it, or basically a refresh of the composite menus.  Is there any function that can do a mass menu update for a selection of composite roles?
    The only other way I can think of doing this is writing an LSMW or CATT script to do this, but I would like to find a better way of doing this if available.
    Thanks,
    Ryan

    I don't think this is a feasible approach because 1 single role change can be linked to many composites (as designed) in our environment.  I would not want to change every composite and transport them together with the single role.  Also, it seems that composite transports take a lot of time to import, so I don't think our basis guys would be happy with us doing that. I have found that the menus can be re-imported in the production system w/o the need for transport, etc.  I just think that manually refreshing the menus is going to be a maintenance struggle, especially since we have around 200 designed composite roles in our production environment.
    Thanks,
    Ryan

  • How to find the T-codes that's in a Single Role & Composite Role??

    Hi all,
    Some of the users have authorization to particular t-codes. However single roles are not created for them.
    Now I need to assign authorization to that particular t-code to a new employee.
    Since the single role is not there, I do not know how to find if it is inside a composite role.
    Which table should I find all the t-codes that are assigned to a single role / composite role?
    pls help.
    Regards,
    Pri

    Rakesh Kulkarni wrote:
    > Table AGRS_TCODES give the roles with their tcode assignment.
    Beware of AGR_TCODES, it only reports transactions entered into the role menu. If you query table AGR_1251 filtered on object S_TCODE you get the actual transaction authorizations.
    Besides that, authorizations are always in single roles, so if you cannot find them there there's no point in searching through the composites.
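
The distinction drawn in the answer above, as an added example that is not part of the original thread: it contrasts role-menu entries (AGR_TCODES) with active S_TCODE values (AGR_1251), including ranges and wildcards, and then looks up composites through AGR_AGRS. The column names follow the standard tables; the role names and rows are constructed sample data, and the range check is a plain string comparison, which is a simplification.

```python
from fnmatch import fnmatchcase

# Constructed sample rows, shaped like SE16 exports of the standard tables.
AGR_TCODES = [  # role menu entries: (AGR_NAME, TCODE)
    ("Z_FI_DISPLAY", "FB03"),
    ("Z_FI_DISPLAY", "FBL3N"),
    ("Z_BASIS_HELP", "SU53"),
]
AGR_1251 = [  # authorization values: (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED)
    ("Z_FI_DISPLAY", "S_TCODE", "TCD", "FB03", "", ""),
    ("Z_FI_DISPLAY", "S_TCODE", "TCD", "FBL3N", "", "X"),  # deactivated value
    ("Z_FI_POST", "S_TCODE", "TCD", "FB01", "FB09", ""),   # range, no menu entry
    ("Z_BASIS_HELP", "S_TCODE", "TCD", "SU*", "", ""),     # wildcard
    ("Z_BASIS_HELP", "S_USER_GRP", "ACTVT", "03", "", ""),  # not a tcode value
]
AGR_AGRS = [  # composite membership: (AGR_NAME, CHILD_AGR)
    ("ZC_FI_CLERK", "Z_FI_DISPLAY"),
    ("ZC_FI_CLERK", "Z_FI_POST"),
]

def value_covers(low, high, tcode):
    """True if one S_TCODE value row (single value, pattern or range) covers tcode."""
    if high:
        return low <= tcode <= high  # simplification: plain string range
    return fnmatchcase(tcode, low)   # exact value or '*' pattern

def roles_in_menu(tcode):
    """Roles whose menu lists tcode (what AGR_TCODES reports)."""
    return sorted({role for role, t in AGR_TCODES if t == tcode})

def roles_authorizing(tcode):
    """Single roles with an active S_TCODE value covering tcode (AGR_1251)."""
    return sorted({
        role for role, obj, field, low, high, deleted in AGR_1251
        if obj == "S_TCODE" and field == "TCD" and deleted != "X"
        and value_covers(low, high, tcode)
    })

def menu_only(tcode):
    """Roles that show tcode in the menu but carry no active S_TCODE value for it."""
    return sorted(set(roles_in_menu(tcode)) - set(roles_authorizing(tcode)))

def composites_delivering(tcode):
    """Composite roles that contain a single role authorizing tcode."""
    singles = set(roles_authorizing(tcode))
    return sorted({comp for comp, child in AGR_AGRS if child in singles})

if __name__ == "__main__":
    for tc in ("FB03", "FB05", "FBL3N", "SU01"):
        print(tc, roles_in_menu(tc), roles_authorizing(tc), composites_delivering(tc))
```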

  • Role prefix for XI custom composite/single roles

    We have XI custom composite roles which start with TI_XI_* and contain single SAP roles (SAP_) and single custom roles (AAW:). Are we forced to use a certain XI role naming standard at the composite and single role levels due to Java authorizations?
    Thanks,
    Brad

    Just transport it rather than upload it.  The generated profiles will be carried through with their existing convention.
    If you need to have different profile names due to the naming constraints then LSMW or SECATT will let you do this easily.  If you are not familiar with the tools then 1. Take time to learn one of them (they are very useful) or 2. Do it manually.  60 profiles can be named in 30 minutes or less if you already have created the profile names in a spreadsheet, text file etc.

  • How to assign a single role to all the 700 bi users

    Hi all,
    I have created a new role, which needs to be assigned to all the users in the BI. I have the list of users but I need to copy all of them manually and assign that users with this role!!
    Is there any way in which I can use any ABAP programs/function module wherein I can assign this single role to all the list of users in the BI system!!
    Thanks
    Pooja

    Hi Pooja,
    I guess you are looking for a way to upload the list of 700 users into transaction SU10 instead of copying and pasting them manually (which will need many manual copy pastes since the number of users which can be pasted into SAP in one shot will be limited to 10-20).
    There is a way to upload all 700 into SU10 transaction in a few clicks. Please follow the below steps:
    1. Get the list of all 700 users in say excel or notepad. Copy all 700 user ids (copy entire column in excel using Ctrl+C)
    2. Login to system and go to SU10 tcode.
    3. Click on "Authorization data" tab in SU10
    4. In next page you will see a tab called "User" --> select the arrow exactly to the right side for multiple selection.
    5. In new window, there is an icon for "Upload from clipboard" (second last icon in bottom of window). Click on it and you will have the list of 700 users uploaded into SAP. In next window click on "select all" and "transfer"
    Now go into change mode in SU10 and paste the role to be added under tab "roles".
    Get back if you face any issues.
    Soumya

  • Role prefix for custom composite/single roles

    We have custom composite roles which start with TI_XI_* and contain single SAP roles (SAP_) and single custom roles (AAW:). Are we forced to use a certain role naming standard at the composite and single role levels due to Java authorizations?
    Thanks,
    Brad

    Just transport it rather than upload it.  The generated profiles will be carried through with their existing convention.
    If you need to have different profile names due to the naming constraints then LSMW or SECATT will let you do this easily.  If you are not familiar with the tools then 1. Take time to learn one of them (they are very useful) or 2. Do it manually.  60 profiles can be named in 30 minutes or less if you already have created the profile names in a spreadsheet, text file etc.

  • ECATT to mass delete single roles from a composite

    Hi,
    I am creating an eCATT to delete single roles from multiple composite roles. The eCATT takes the same position of the single role for each composite.  And of course the single role may differ per role.
    Could someone help?
    Thank you in advance,
    Yolanda

    HI Garcia,
    I did not quite get your example as I am not familiar with the roles tables or transactions.
    But, if I understood your requirement, you want to delete all those single roles (some specific role) from a list of roles.
    I am not sure how the transaction looks here, but a standard way of doing it is to record one execution of deleting the role using TCD or SAPGUI using the position button when available, entering the role name, selecting the delete button on the screen and then save.
    Now, when you check the database table for the number of occurrences that this type of role is present, collect the count of the table into a local parameter and execute the earlier script of deleting multiple times using DO command.
    Select count from <tabname> where <role field> is <value> into <Local parameter>.
    and use the earlier script within
    DO (<local parameter>).
            SCRIPT
    ENDDO.
    This ideally works. You can come back if you need any additional inputs.
    Best regards,
    Harsha
