Assigning authorization role to position in PP02 (SRM 5.0) not working

Similar Messages

• Not able to assign Composite Role to Position

  Hello All,
             I am facing following problems.
  1) The user is Not able to see Create Report Links, when i checked the Composite Role in PFCG i found that the in USER Tab Organizational Tab was yellow, i did Indirect Reconcillatin in Organizational Tab and then it went GREEN, then i did User Comparision.
  I got this Message
  "You do not need to perform Prfile Comparision for role " Role Name".
  and the Position was removed.
  2) Now i am Trying to assing the Role to Position, i am not even able to assign it and the User id is not coming under User id  list.
  Please suggest.
  Thanks,
  CB

  @Point#1: It could be that user master is already compared for your composite role and no further comparison is required. To double check you might just run the comparison again via tcode PFUD or report RHAUTUPD_NEW
  @Point#2: For indirect assigment to position make sure organization management is active in your system (the switch HR_ORG_ACTIVE is set in the table PRGN_CUST to YES).
  Thanks
  Sandipan

• External Catalogs of SRM 5.0 not working in SRM 7.0

  Hi all,
  Iu2019m in the process of converting all SRM 5.0 punchout catalogs to SRM 7.0.
  All catalogs are working fine in SRM 5.0 but not in SRM 7.0.
  For one I got a problem autologgin into the vendor catalog page.
  In SRM 5.0 we are using ITS (no portal). For SRM 7.0 we are using SAP-Portal.
  Iu2019ve traced SRM 5.0 punchout and SRM 7.0 punchout:
  SRM50:
  strUserName=XXXXX&strUserPwd=XXXXX&strLiefNr=XXXXX&HOOK_URL=https%3A%2F%2FXXXXX.XXX.ads%3A8002%2Fsap%28cz1TSUQlM2FBTk9OJTNhYWJhaGFjaGlfU1JEXzAwJTNhZjF2UUpGTlZWa1FFUFZrcDRXcDk5eDEwdDBBSUNnSE01V3pXQkY5Sy1BVFQ%3D%29%2Fbc%2Fgui%2Fsap%2Fits%2Fbbpsc03%2F%3F%7EOkCode%3DADDI%26%7Etarget%3D_top%26%7Ecaller%3DCTLG%26%7Eclient%3D100%26%7Elanguage%3DDE%26%7EHTTP_CONTENT_CHARSET%3Dutf-8&OCI_VERSION=4.0&OPI_VERSION=1.0&returntarget=_top
  SRM70:
  sap-client=100&sap-language=D&strUserName=XXXXX&strUserPwd=XXXXX&strLiefNr=XXXXX&OCI_VERSION=4.0&OPI_VERSION=1.0&returntarget=_top&HOOK_URL=http%3A%2F%2FXXXXX.XXX.ads%3A8000%2Fsap%2Fsapsrm%2Finbound_hdlr%3FTARGET_URL%3Dhttp%253a%252f%252fvangogh%252eafg%252eads%253a50000%252firj%252fportal%253fNavigationTarget%253dpcd%253aportal_content%252fcom%252esap%252epct%252fspecialist%252fcom%252esap%252epct%252esrm%252esrm70%252fcom%252esap%252epct%252esrm%252ecore%252efl_core%252fcom%252esap%252epct%252esrm%252ecore%252efl_roles%252fcom%252esap%252epct%252esrm%252ecore%252ero_employeeselfservice%252ffl_goshopping%252fcom%252esap%252epct%252esrm%252ecore%252eiv_shop%2526NavMode%253d3%2526UsePost%253dTrue%2526SAPSRM_RESUME_ID%253dSAPSRM_OCI&CATALOG_URL=http%3A%2F%2Fshop.xxxdaten.de%2Fcommerceportal%2Focisrm_autologin.asp
  I guess the differences in the punchout call is the reason for the failure in the autologin.
  I thought OCI u2013 interface is standardized. Both punchouts are with OCI-Version 4.0, but the call is different!
  Have I missed some settings? Is it possible to customize the punchout call e.g. to exclude the system added parameter "sap-client=100" because this is not used ins SRM50 punchout?
  Or is it the task of the vendor to customize his system to the SRM 7.0 punchout logic?
  Thanks for all of your inputs
  Regards
  Stefan

  All,
  We seem into run into similar issues once we upgraded from SRM 5.0 to SRM 7.0 Our catalog punchouts to ARIBA On-deman catalogs are not working. We have opened an OSS message with SAP so far none of the suggested options are working for us. ARIBA is also unable to help us.
  We suspect our issue is failing within SAP and OCI is not writing any application logs (SLG1) etc, So it has been difficult to troubleshoot.
  From the SRM Portal side, when we try to launch CATALOGS page in SRM 7.0, it fails right away with the following error
  "Error connecting to Catalog; contact your System Administrator "
  There are no errors anywhere on SRM box to investigate.
  We are on SRM 7.0 Support pack level 6.  So Note 1429685 - Empty importing parameter in BADI BBP_CAT_CALL_ENRICH is part of support pack 6.
  We have also applied the note 1405908 - Issues with 3rd Party catalog integration with SRM 7.0 as per SAP, still no resolution.
  Any suggestions !

• SRM-MDM searchs not working

  Hi,
  Whem doing a search in our SRM-MDM by the item description (for example "pencil") some items are not shown. If we search them from the "MDM Data Manager" searchs work OK. The data of the items that are not shown (language etc.) seems to be OK.
  Could it be any cache issue? Must something be done in order to refresh the searchs?
  Thanks in advance,
  Jon

  First a basic check ...
  In MDM Search UI check User-Specific Configuration -> Customize Search -> operators  , this is possible that you might have different set of parameter in MDM Data manager for search and different set of parameter here.
  Next you can check the SRM web service if you are using any specific "Mask" .
  Thanks
  Padhi

• CUA: Previously Assigned Job roles disappeared

  Hello Dear!
  Recently I have implemented CUA in our SAP System landscape.
  I have one issue with it that  I am unable to see the previously assigned Job roles to the users .
  Can some one advice me how to resolve it?
  Regards
  Saqib

  >
  M.Saqib Ayub wrote:
  > I have selected DEV Server as a CUA and others as Childs.
  that is exactly what i would have avoided, if possbile. you say, you have a solution manager hanging around ... i strongly recommend you use this as the CUA master. the reasons being: if you have developers on your DEV and you are doing some development on roles etc, you will always disturb the others, since you have to run PFUD and whatnot jobs while develping roles, maybe ALE scenarios, IDOCs. your SolMan, on the other hand ... is independent. you would disturb no-one, downtimes for maintenance, developments etc. are fewer (in which time you would have no control over the users in your landscape). you could setup a totally different backup strategy, you could synchronize naming conventions/proceedings from the very beginning instead of having to re-design it some day in the future (and that day will come, it always does). since you are at the very beginning of your project, you might want to reconsider ...
  but i am off-topic.
  >
  M.Saqib Ayub wrote:
  > Now when I am going to see existing users assigned job role in CUA (DEV) thru SU01. Its not showing already maintained Job roles. The users are  not complaining about any authorizations issue,  it means  the authorizations are intact in the system.
  how did you set that up? are you adding single roles per system in DEV or do you have a composite in DEV the singles of which point to the other systems or do you attach them to PPOME? or something totally different?

• Incorrect authorization when assigning a role to 2 positions

  I am assigning a role in role manager (/isdfps/role_manager) to 2 different positions in the org structure. Position 1 has plant 1000 and position 2 has plant 2000. User A is assigned to position 1 and user B is assigned position 2. When user A signs on he gets access to plant 2000 instead of plant 1000. It appears that whatever the last position the role was assigned to is what the user has access to when he signs on. The user should get access to whatever org values he has in the org structure. Appreciate any help.
  Bob

  Kiran,
  Thanks for the response. This problem is in ECC 6.0. We are using the organization structure to populate the org levels. A role is assigned to a position in the org structure and the corresponding org values are populated. You are supposed to be able to assign the same role to many positions in the org structure. The problem is that the org values of the last position that you assign the role to are what is populated. If user A has plant 2000 and user B has plant 3000 in the org structure that is what they should have in their user buffer at sign on. The problem is that both user A and user B have plant 3000. Any help would be greatly appreciated.
  Bob

• Replicating authorization roles via HR replication from ECC 6 to SRM 5.0

  Hi,
  I'm interested in knowing whether anyone has used the distribution model to copy roles (AG objects) between ECC 6 and SRM 5.0.
  Someone said that it's possible so I would like to validate that statement as I don't know whether it is possible and practical.
  If you have any knowledge or experience could you please share it?
  Regards,
  Jerry

  Hello Yann,
  I was told that it can be done but I don't know enough about the HR replication process to acknowledge or challenge, hence the question.
  Are you implying that it's not possible or simply that it's not done?
  I had an earlier post regarding assigning roles to positions in SRM Replicating authorization roles via HR replication from ECC 6 to SRM 5.0 that you replied to but never replied to my subsequent question. It can be done because one of my other clients is doing it. We're however unable to get it work at my current client's site. Do you have any experience with this subject?
  Regards,
  Jerry

• Report on Positions directly linked to Authorization roles

  Hello All,
  Is there a report in SAP which can tell us which positions are assigned to Authorization roles or which Users are directly assigned to Authorization roles rather than through their Positions?
  If not a report is there way we can find it out?
  Regards,
  Ahmad

  No Standard report available to show Positions directly linked to Authorization roles

• How to assign roles to positions?

  Hello everyone,
  I am new in SAP HR field and my question could be very basic but would really appreciate your reply:
  " I am configuring Indirect Role assignment model and want to use it to assign positions to users.
  Now, I want to know how are these positions linked to actual roles and from where can I assign some roles to my positions? "
  Thanks
  Harleen

  Hi Harleen
  As you know, we have both Standard and Structural authorizations in SAP HR
  1. Standard Authorization
  If you want to assign Standard Authorizations to a Position, you need to create Relationship b/w Object type S and AG (You need to have authorization to PFCG T code in this case)
  I am not very sure if SAP has provided any standard program to assign the Standard Authorizations which are avaialble against a position to a User.
  2. If you want to assign Structural Authorizations to a Position and in turn to a User
  Create Structural authorization profiles in OOSP, assign the same to position by creating Infotype 1017 for a Position and run RHPROFL0 program to update the same to the USER (T77UA) who is occupying the position (A008 Relationship b/w S & P and IT 0105 against P)
  Hope this helps
  Best Regards
  Reddy

• Assign queries to authorization role via PFCG maintenace

  Hi,
  I would like to assign several queries to existing authorization roles.
  Therefore I am using the transaction PFCG > maintain the menu > add "other" SAP BW Query URL and fill in the name as well as object description.
  However, the new query will not be shown in the BEx Analyzer in the role folder.
  What do I have to administrate that the query will be shown in the role menu (BEx Analyzer)?
  Thanks!

  Dear Arvind,
  thanks for your reply.
  As an authorization administrator for SAP BI I do have the authorization for S_USER_AGR already.
  I am just testing in our development system.
  However, the query will not appear in the BEx Analyzer while selecting "Open Query" and search in "Roles".
  As far as I know queries could provided to authorization roles via BEx Analyzer.
  But does no possibility exists to maintain the authorization role via PFCG?
  Regards, Christian

• Assigning authorization group to users or roles.

  Hi
  How do I assign authorization group I created for ECM digital signature approval to users

  Hi,
  Provide the authorization group and the role details to which it needs to be linked to your basis team and they should be able to do this for you.
  Regards
  Sreekanth

• Assign roles to positions

  Hi,
  How can i assign roles to position.
  Kind regards,
  Shruti

  Check this might help...
  http://help.sap.com/saphelp_erp2005vp/helpdata/en/92/e7623c28695c63e10000000a11405a/frameset.htm

• Analysis Authorization (Role, Profile and Direct Assignments)

  <b>Analysis Authorization Question:</b>
  1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
  2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
  3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
  <b>
  Migration Options:</b>
  1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
  2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
  3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
  <b>Questions</b>
  a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
  b)     Does any one use direct assignment to Users? It is good business practice?
  c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
  d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
  Just want to check how other folks have done migration that can be supported going forward.
  Pankaj Gupta

  Hey Pankaj,
  In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
  Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
  RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

• GRC 10 EAM - Unable to assign Firefighter roles to owners

  Greetings SAP gurus,
  I am currently on a new GRC 10 installation and having issues with the Emergency Access Management (EAM) component previously known as FireFighter or SPM.  Note: We are trying to implement the Firefighter ''Role-Based" Approach.
  Issue: We are unable to assign EAM roles to owners within NWBC. Click on 'Assign owners to Firefigher ID's and provision Firefighter ID's to firefighters' via the Access Management Tab within NWBC, option Superuser Assignment. Click on Assign.  We are able to find the owners, but when I search for roles to assign, I get the error, 'No records found for the search criteria entered''.
  We are on SP7.
  Items completed:
  1) All post installation tasks were completed correctly, i.e. BC sets activated, connector groups created and working.
  2) EAM roles created on target system and imported via BRM.
  3) EAM role properties edited for "Firefighting' usage in BRM, role owners defined, functional areas defined, business process and sub process areas defined.
  4) Access control owners (i.e. role owners and controllers) defined.
  5) The ID being used for configuration is currently assigned all GRC_NWBC roles available.
  6) The connector groups are working fine and we are using for the Access risk Analysis component which is working fine.
  7) The post EAM configuration steps has been completed.
  Has anyone else experienced a similar issue?  I look forward to your responses.
  Rgds,
  Prevlin Moodley

  Hello Prevlin,
  Are you using a FF role owner for the assignment. This might be helpful:
  [Note 1289579 - Firefighter Owner additional authorization for Role based FF|https://service.sap.com/sap/support/notes/1289579]
  Cheers,
  Diego.

• Role assignment not working

  Hi everyone,
  I am trying to assign different roles to different users for GRC - Risk Management 10.0; however it seems like standard roles don't have any affect on type of activity. I have maintained various levels of roles (e.g. risk owner, risk expert, risk manager, etc) using PFCG and assigned almost every role to the users; but it doesn't give them the authorization to create or edit anything, they can only display.
  The only workaround for this was assigning a role with the authorization object GRFN_USER (with 02 Change value enabled) or assigning SAP_GRC_FN_ALL (Power user role which also contains object GRFN_USER). However this would allow users to do "anything" they want which obviously isn't what I seek.
  I have tried changing customization options such as Maintain Custom Agent Determination Rules and Maintain Entity Role Assignment, it hasn't solved anything so far.
  I urgently require your assistance on this issue. Thank you.
  Regards,
  Seckin

  Hi,
  I 'm facing same kind of problem.
  Case 1:
  I tried with:
                    Assigning users to group (abap role) which didn't worked.
                    Assigning UME Role to group (abap role) which worked. Then i assigned the user to the UME Role, but the user is not getting the backend authorizations.
                    Assigning the portal role to the group (abap role), then when i assiged a user to the abap role from R/3 automatically the user is getting the portal role.
  How can i do the same from portal?
  Case2:     
  While distributing the portal roles to the ABAP system (System Administrator -> Permissions -> SAP Authorizations), the status is showing as "Role transfer compleated". but when i checked from the R/3 transaction WP3R, there are no portal roles.
  Why are the portal roles not getting transfered even though the status is green?
  Mr.Chowdary