Assigning different authorizations inside a role to different users

Hello,
Could someone please guide me on how we can assign different authorizations (authorization field values) for an authorization object inside a role to different users? I.e., in the role maintenance transaction (pfcg), after we create a new role and add an authorization object to it, if this authorization object has several authorizations (authorization field values), and if I need to add two users to that role, how can I assign to one user an authorization different from that assigned to the other user?
Thank you in advance.
Best regards.
Reda Khalifa
IT Department - Almansour Automotive Group - Egypt

Hi Reda,
That documentation complicates the subject slightly as it is talking about principles that are at a lower level than the usual role level.
We have 1 authorisation object - S_TRVL_BKS
Authorisations have been created for this object, called S_TRVL_CUS1 and S_TRVL_CUS2
In this context, an authorisation is an instance of an authorisation object that has been populated with data.
Before the profile generator you used to create authorisations (auth objects populated with data) and assign them to profiles which are then assigned to users.
In this example 2 profiles would be needed
Profile1: S_TRVL_CUS1 and S_TRVL_CUS2
Profile2: S_TRVL_CUS2
Miller would be assigned profile1, Meyers would be assigned profile2
The profile generator allows us to easily build authorisations and profiles and packages them up in a role.  This way, we can assign transactions and authorisation objects into a role, populate the authorisations (which is what we do in the authorisations tab in the role) and automatically create the profile.
The example in the documentation is still valid because it requires 2 separate authorisations (and therefore profiles and roles) to be assigned to different people. Unfortunately this is not explained very well in the documentation.
I hope that makes sense, roles are static and the permissions that they give do not vary dynamically. In BW we can use variables to do something similar and to some extent structural authorisations in HR work dynamically, however this doesn't apply to R/3 or ECC. (It can be done in some cases but costs many, many £££/$$$'s)
Please let me know if you want me to elaborate further on this
Cheers
Alex

Similar Messages

  • Different authorizations for a Dashboard in a SAP NW BW Portal

    Hi everybody,
    we would like to use BO Dashboards / Xcelsius in our company. Everything is fine and the dashboards are looking fantastic. Since we would like to publish them on our SAP BW portal I have a question. Given a dashboard with a SAP NW BW connection that is published as an iView in the portal. And we have users with different authorizations. For example there is user A with the authorization to see data from a BW query for departments ABC and there is a second user X with the permission for dept. XYZ.
    Is it possible to configure the connection / dashboard in a way that only the data is used for the dashboard in dependence of the authorization at the SAP portal?
    Thanks for your help!

    Hi,
    The person who creates the dashboard should have a BW ID which should have access to all the data required for the dashboard and as well access to EP portal. Else he won't be able to test and validate the dashboard once the development is done.
    The BW IDs belonging to the users with which they will access the dashboard, if already created or need to be created, then you can ask the authorization team to extend these IDs to EP System as well as provide the necessary BW Roles, i.e. access to the related queries and info providers. Once this is done they will have access to EP portal as well as the dashboard and the data displayed will be based on the roles provided to the ID.
    For example, User A will only see departments A-D and the User X will see Departments X-Z. You need not write logic for Dynamic Visibility as such for this. Once the roles are assigned to the users they won't be able to see any other data apart from the ones assigned to their IDs.
    Thanks & Regards,
    Arjun.C.T

  • Assigning different authorization to same user based on Query

    Hi experts,
    I am redefining my issue,
    Is there any way I can assign different authorizations to the same user but based on either Query/Workbook?
    Let's say I have two Analysis authorizations A & B and two Queries X and Y.
    If the Query/Workbook is X then add Authorization A to user ABC.
    Else if the Query/Workbook is Y then add Authorization B to user ABC.
    This is because I have two sets of workbooks the same user can access, and the authorization for these two sets is different based on the workbook.
    I tried using the auth objects 0TCTWORKBK, 0TCTQUERID or 0TCTQUERY but no success so far.
    Thanks in advance.
    Edited by: youmenbi on Feb 12, 2008 1:20 AM
    Edited by: youmenbi on Feb 12, 2008 1:31 AM

    Hi
    We have set the same kind of authorizations based on the users. The Cost Center Manager is assigned a role and the authorizations for each of the Report/Layout/Workbook is based on his/her profile... some are Read only, some are Read & Write... etc.
    If you go through that route......and assign each of the Reports/Layouts/Workbooks to Users....you may succeed.
    I know it is a bit time consuming but that is one alternative we could think of as it addressed seamlessly any changes in CC Managers.
    Regards
    Srinivas

  • Assigning roles to different users in GP

    Hello,
    We have developed a small application using CAF. The UI part is done using a Webdynpro module which is a part of the CAF project. Now we have to apply Guided Procedures to this application.
    I have followed the steps in this link to create a process (My First Process), and got the result.
    http://help.sap.com/saphelp_nw04s/helpdata/en/4a/d78041a17e060de10000000a1550b0/content.htm
    Now I have to do the same for our application. For example, in "My First Process", the role of Applicant is assigned to one user, and the role of HR Manager is assigned to another user.
    In our application, many people have done modules. I want to create different roles (like Applicant, HR Manager in My Process) and assign each role to the user who has developed that module.
    Actually we are not using NWDI. But we integrated all modules into one application manually. Is it possible to achieve the above mentioned goals?
    Please, can anyone give me a suggestion or link.
    With Thanks,
    Vivek

    Hi Ashutosh,
    Thanks for the response and for providing the link.
    I have followed the documents provided by you.
    Now I have to do the same for our application as in "My First Process", where the role of Applicant is assigned to one user, and the role of HR Manager is assigned to another user.
    Do I need to follow these steps?
    Step 1: In GP design time, choose Create Callable Object Type – Process Control, and select Visual Approval.
    Step 2: For the purposes of the process that you create, define the same input parameters as the output parameters that you have defined for the data input form.
    In our application, views (Webdynpro views) have already been created. Do we still need to create a data input form and define input and output parameters?
    In our application, many people have done modules. I want to create different roles (like Applicant, HR Manager in My Process) and assign each role to the user who has developed that module.
    Please any one give me a suggestion or link.
    With Thanks,
    Vivek

  • Can not assign ONE PFCG ROLE TO DIFFERENT ROLES

    Hi
    First I created a new Conf Key, then I created a new NAV BAR by copying the standard Marketing and Sales PRO Nav Bar.
    Then I am trying to create a new business role (let's say ZMARKETING PRO) by copying the standard Marketing role and assigned my own created NAV BAR and Con KEY.
    I am facing an error
    " YOU CAN NOT ASSIGN ONE PFCG ROLE TO DIFFERENT ROLES"
    Just want to know the background of this error. Any help would be appreciated and points would be rewarded

    Hello Sajjid,
    Sorry we are not aware of the terminology used in your organization.
    Can you be more specific:
    are you doing Role Release,
    Org Filter changes or creating CHILD (derived) role
    Please generalise your problem.
    Regards,
    Surpreet

  • Programmatically assigning Authorization Objects to roles

    Hi there,
    I have created an authorisation object with eight fields. The fields control which parts of my application are accessible to the user. (Each field is one category, each category has several subcategories).
    What I want to do is the following:
    There shall be a custom authorization dialog, wherein the system administrator can configure the access of the application for a specific user.
    In plain text: I want to develop an interface which makes it possible to assign authorisation objects with specific values to a user or to an already existing role.
    Is there any functionality, that allows me to perform this assignment and regenerate the users profile?
    I already discovered that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just writing new values to that table has no effect on the authorization when calling "authority-check object" in an ABAP report.
    Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?
    Thank you very much,
    Gregor
    Edited by: Gregor Bender on Mar 11, 2008 8:41 AM

    > Gregor Bender wrote:
    > I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values.
    Nope, sorry, it's not the connection but only one of the many.... Roles and profiles are stored in quite a lot of different tables so manipulating one table directly will hardly ever get you the desired situation. It may even lead to problems due to inconsistencies.
    For mass regenerating profiles there's transaction SUPC.
    For manipulating the contents of roles/profiles have a look at scripting with SECATT or LSMW in combination with PFCG.
    If you want to write code to add objects to roles you have to look at least in tables AGR_1250, AGR_1251 and AGR_1252. The UST* tables are updated when generating profiles and/or comparing users.

  • Same user different roles within different organizations

    Hello All,
    We have a requirement where the same user has to have different roles within different organizations.
    What will be the solution to handle this situation using SUN IDM ?
    Any inputs are greatly appreciated.
    Thanks,
    Akeel

    Let me simplify this,
    We have a requirement where a user can work for different organizations, which can be achieved in SIM using membership rules.
    Say a user works for two organizations Say Org1 and Org2.
    The user can have different roles in these 2 different organizations. For example user can have Role1 in Org1 and Role2 in Org2.
    Role1 and Role2 both are available for assignment for respective admins of both Org1 and Org2.
    Suppose Admin of Org1 assigns the user Role1; and admin of Org2 assigns the user Role2.
    Now waveset.roles will have Role1 and Role2, but it cannot tell which role the user has in which organization.
    How do I specify the relationship between the role and organization? The number of organizations is very large, 70000+, and the number of identified roles is around 51.
    I don't think this can be implemented in Sun Identity Manager. Has anybody done this? Any inputs are highly appreciated.
    Regards,
    Akeel

  • Account assignment cannot be carried out because of different origin no

    Hi Gurus,
    While saving an excise invoice (J1iiN) I am getting the below error
    Detailed Error Diagnosis :-
    Account assignment cannot be carried out because of different origin no.
    Message no. V1134
    Diagnosis
    The sales document to which you want to refer is based on sales document 10000003 and item 000010. Therefore, the settlement and possibly inventory management are carried out using the number of the preceding document.
    System Response
    This entry is not allowed.
    Procedure
    Enter the document and the item number of the preceding sales document.
    NOTE :- IT'S MTO SCENARIO. WITH REQ CLASS 040 (Consumption :- E)
    Thanks in advance,
    Denish

    Hie JP,
    This is not related to project at all. The stock is purely reserved for my sales order (and since my sales order is created with reference to a quotation, the stock is reserved for my quotation). While debugging I found the root cause for this, if we see the function module "SD_DOCUMENT_ACCOUNT_ASSIGNMENT" (this FM is called at the time of quotation, sales order, stock taking, billing and excise invoice). Now in this FM :-
      CALL FUNCTION 'SD_VBAK_SELECT'
        EXPORTING
          i_document_number  = i_document_number 
      IF ( vbap-vbeln NE vbap-vbelv OR
           vbap-posnr NE vbap-posnv ) AND
           NOT vbap-vbelv IS INITIAL.
    The i_document_number found in my excise invoice is the sales order number. Thus the vbap-vbeln NE vbap-vbelv condition in my IF statement gets satisfied (because vbap-vbeln = sales order number & vbap-vbelv = quotation number) and it goes further. THIS SHOULD NOT GO FURTHER.
    Like I said, this FM is called at the time of billing also, so at that time the i_document_number is the quotation number, thus
    the vbap-vbeln NE vbap-vbelv condition is not satisfied (because vbap-vbeln = quotation number & vbap-vbelv = quotation number) and it doesn't go further.
    I hope I am able to convey my message. Please do let me know if you find something regarding the same because this is a Std. FM which will be the same for everybody.
    Regards,
    Denish Patel
    Edited by: denish__01 on Oct 12, 2011 9:59 AM
    Edited by: denish__01 on Oct 12, 2011 10:01 AM

  • Different authorizations on different cubes for the same characteristic

    Hello,
    Is it possible to implement different authorizations on different groups for the cubes characteristic?
    For example a user should be authorized to see just the data of company code 101 on Cube A but he should see the data of all company codes on Cube B (Cube B also contains the company code. ":"-Authorization is not an option)?
    In transaction RSECADMIN it is possible to insert the "special characteristics" Activity, InfoProvider and Validity into an authorization. But the standard setting for InfoProvider is * and I get an error message if I want to modify it for just 1 Cube because the characteristic "InfoProvider" (SAP Content) isn't marked as authorization relevant.
    Can you please answer:
    1) If it is possible to implement different authorizations on different cubes for the same characteristic?
    2) What is the function of the special characteristics if I can't maintain the values?
    Thank you
    Johannes

    Hi there,
    Yes it is possible.
    The new authorization concept created union also based on InfoProvider Characteristic.
    You have to change in rsd1 transaction the characteristics 0TCAACTVT, 0TCAKYFNM, 0TCAIPROV and 0TCAVALID to be authorization relevant.
    So you can do this:
    Create two authorizations in rsecadmin like this:
    Aut_1:
    0comp_code: 101
    0TCAACTVT: 03 (activity of display)
    0TCAKYFNM: * (all key figures)
    0TCAIPROV: Cube A
    0TCAVALID: * (authorization valid for ever)
    Aut_2:
    0comp_code: *
    0TCAACTVT: 03 (activity of display)
    0TCAKYFNM: * (all key figures)
    0TCAIPROV: Cube B
    0TCAVALID: * (authorization valid for ever)
    Now in rsecadmin give both authorizations aut_1 and aut_2 for the user.
    If the user opens a query built on Cube A he will have authorization only for company code 101. If the user opens a query for Cube B he will have authorization for all the company codes.
    Diogo.
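
The combination described in the reply above, as an added example that is not part of the original thread: a simplified Python model (not SAP code) of how Aut_1 and Aut_2 evaluate together, and of what changes if 0TCAIPROV stays at the standard `*` mentioned in the question. The names `CUBE_A`/`CUBE_B`, the company codes 102 and 200, and the matching logic are assumptions that mirror the behaviour the reply describes.

```python
# Added illustration: simplified model of the two analysis authorizations
# from the reply. Field values are copied from the post; cube names and the
# extra company codes are constructed sample data.

AUT_1 = {
    "0COMP_CODE": {"101"},
    "0TCAACTVT": {"03"},      # display
    "0TCAKYFNM": {"*"},       # all key figures
    "0TCAIPROV": {"CUBE_A"},
    "0TCAVALID": {"*"},
}
AUT_2 = {
    "0COMP_CODE": {"*"},
    "0TCAACTVT": {"03"},
    "0TCAKYFNM": {"*"},
    "0TCAIPROV": {"CUBE_B"},
    "0TCAVALID": {"*"},
}
# Variant where InfoProvider is left at "*", the standard setting the
# question mentions for 0TCAIPROV.
AUT_2_WILDCARD_PROVIDER = {**AUT_2, "0TCAIPROV": {"*"}}

SAMPLE_CODES = ["101", "102", "200"]  # constructed


def covers(auth, request):
    """One authorization covers a request only if every requested field
    matches a value (or '*') in that same authorization."""
    for field, wanted in request.items():
        allowed = auth.get(field, set())
        if "*" not in allowed and wanted not in allowed:
            return False
    return True


def is_authorized(auths, request):
    """The user's authorizations are a union: any single one may cover."""
    return any(covers(a, request) for a in auths)


def visible_company_codes(auths, cube, candidate_codes):
    """Company codes the user can display on the given InfoProvider."""
    return [
        code for code in candidate_codes
        if is_authorized(auths, {"0COMP_CODE": code,
                                 "0TCAACTVT": "03",
                                 "0TCAIPROV": cube})
    ]


def over_broad(auths, cube, expected, candidate_codes):
    """Review check: codes visible on a cube beyond what was intended."""
    seen = set(visible_company_codes(auths, cube, candidate_codes))
    return sorted(seen - set(expected))


if __name__ == "__main__":
    user = [AUT_1, AUT_2]
    print("Cube A:", visible_company_codes(user, "CUBE_A", SAMPLE_CODES))
    print("Cube B:", visible_company_codes(user, "CUBE_B", SAMPLE_CODES))
    leaky = [AUT_1, AUT_2_WILDCARD_PROVIDER]
    print("Unintended on Cube A:",
          over_broad(leaky, "CUBE_A", ["101"], SAMPLE_CODES))
```

The last call shows why the InfoProvider restriction matters in this model: with `0TCAIPROV` left at `*`, the broad company-code authorization also applies to Cube A.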

  • Which authorizations are required for assigning a query to a role?

    Hi everybody,
    we are trying to set up some roles for "reporting power users". These guys should be able to define new queries using BEx (works fine) and also should be able to assign these newly defined queries to a role, so other users can use these roles.
    The idea is simple, but we're searching for the right authorization object (or - as I suppose - set of authorization objects) that enables the user to assign a query to a role (using that "enter to a role" button in the open / save dialog).
    At the moment, the user can use that button, and the role he should assign the query to is shown. After selecting the role and clicking the button "create" it takes some seconds and a message "error when saving. entry has not been created" is shown.
    Obviously, there is a problem with writing the role (or adding the new information to that role).
    So, could anyone help me and provide me with a list of authorization objects that are required.
    Thanks in advance,
      Alfred

    S_RFC
    S_TCODE
    S_USER_GRP
    S_BDS_D
    S_OD_SEND
    S_RS_AUTH
    S_RS_BCS
    S_RS_COMP
    S_RS_COMP1
    S_RS_FOLD
    S_RS_ICUBE
    S_RS_MPRO
    The above mentioned authorization objects are enough to add in the role and required for the accessing a query.
    Particularly, S_RS_COMP, S_RS_COMP1, S_RS_MPRO, S_RS_ICUBE are the most important auth objects which are directly involved in the authorization of a query in a role.
    So, you have to assign the respective info area, info cube and info provider names in these auth objects.
    I am using the same scenario in my project to give access to the queries in all the areas for my end users.
    The values and access/authorizations restrictions is up to your project requirement.
    Hope this would help you.

  • Different behaviour inside a Thread

    Hello ,
    I am developing software to help in automating certain tasks related to a certain voice switch. I connect to the switch using ssh. I send commands generally using a button that prints the content of a textbox into the output stream. Everything works fine as long as I print the command into the output stream from the code of the button press event. This hangs the interface because I have to wait for a specific output format. So I used a Thread to execute the same code so that the interface doesn't hang. The strange thing is that after the thread finishes I am not able to receive anything from the switch (although the printing into the output stream doesn't produce any exceptions, and this is not the same if I execute the same code without the thread). The question is: why does the program have different behaviour inside a thread and outside it?
    Best Regards ,

    Sounds like this actually is more related to Swing than concurrency (if I'm correct). I think that everything is working, but you are failing to update the UI with the result. You are only allowed to update the UI from the AWT thread, so you probably need to publish the result using invokeLater or use a SwingWorker.

  • Common technical roles in different business roles in BRM & ARM

    Hi Gurus ,
    Some help please .
    We have the following situation with BRM & ARM role provisioning .
    In BRM we have, for example, two business roles set up (B1 & B2). We have in these two business roles a common technical role.
    E.g. B1 (has roles T1, T2), while B2 (has roles T1 & T3).
    In our example a user already has role B1 (with T1 & T2) assigned. The user then needs access to role B2 as well.
    Since role T1 is common in both business roles, when a user does a request, ARM then sends them a notification saying that a duplicate role exists within the request (which they have to remove before continuing). This is confusing some users.
    My question is as follows. Is there a way for the user to process the request without having the warning displayed & without having the duplicate technical role assigned?
    So essentially, they will get access to business roles B1 & B2 (but technical role T1 will not be assigned twice)?
    Your help is greatly appreciated .
    Regards,
    AJ

    Hi AJ,
    Could you share the notification message that ARM generates? And what about role T1 assignment?
    Is it assigned two times in the user profile?
    Thanks,
    Mamoon

  • CUP 5.3 - request with different roles and different approvers

    Hello,
    Here is a scenario we are experiencing in CUP 5.3:
    A Request was created to add 2 roles to a user.
    Role 1 has Role Approver A and Role Approver B
    Role 2 has Role Approver X and Approver X
    In my final approval level when Role Approver A logs into CUP to approve Role 1, he still sees Role 2 listed in the screen, even though he does not have authority to approve it. Same thing happens for Role Approver X.
    My issue is if any one of the role approvers approves the request, both roles (Role 1 and Role 2) are assigned to the user master. (Here the system should have said request pending approval from other approvers, but it didn't)
    The additional configuration on my final stage of approval says approval type = any one approver.
    I figured that if I change this setting to "All Approvers" it would work (and it did), but now the request wants to be approved by Role Approver A and Role Approver B for Role 1 and the same goes for Role Approver X and Approver X for Role 2
    When I do the above change the system tells me that the request is pending approval from other approvers
    Do you have any ideas on how I can solve my issue?  Please let me know if I need to clarify further.
    Thank you
    Jacklyn

    Jacklyn,
    I guess you want to use the second approver on each role as the secondary approvers (when escalated the request will go to these approvers), but instead you defined both of them as primary approvers, so you need to add both the second approvers on the roles as secondary approvers instead of primary approvers and reroute the request for the role owner stage. This should fix your issue.
    Naveen

  • Difference in Objects maintained in SU24 and inside the role.

    Hi Experts,
    I noticed that for t.code F-67, the default objects maintained in SU24 are different from the objects associated with the same t.code in a role.
    In SU24 only three objects are associated (F_BKPF_BUK, F_BKPF_KOA and S_TCODE), whereas in a role there are eight objects maintained (F_BKPF_BED, F_BKPF_BEK, F_BKPF_BES, F_BKPF_BLA, F_BKPF_BUK, F_BKPF_GSB, F_BKPF_KOA and F_FAGL_SEG).
    Please clarify! What is the reason for this difference?
    Regards,
    Mukesh

    Hi,
    1. What is the purpose behind the calling of multiple Tcodes thru a single T.code? I mean to say, suppose I require a C.Code object to be associated with a T.code; for doing that, why am I connecting it to the C.Code object of some other T.codes?
    Many tcodes are customized to limit the access / risk. The best example is with SM30. If a user wants to maintain a table, you can create a custom transaction which skips the initial screen (the user doesn't need to enter the table name) and allows the user to edit the right or only one table rather than many.
    You can connect your custom authorization object to F-67, it will not affect FBV1. The settings from FBV1 can be overwritten with the entries in F-67. Use transaction SE93 to see more details and customization in transaction F-67.
    2. If I assign a C.Code (let's say 1000) thru object F_BKPF_BUKRS to a user, does it mean that I don't need to assign that C.code to the user again for access related to C.code 1000 in the accounting document area? Or is there anything like that, the C.Code access will be coded globally for that user for all C.code related access for FI, MM and SD?
    Once you assign the authorization to company code 1000 it means the user has access to this company code across modules. This is subject to the transactions and the authorization objects attached to them in other modules. Note that all the transactions don't perform an authorization check for Company code.
    3.Is there any T.code,from where i can associate a authorization object with a T.code.
    You can use SU24 itself.
    Hope it clarifies your queries.
    Regards,
    Gowrinadh

  • Maintaining the authorizations for parent role and derived role

    Hi Experts,
    Kindly advise me of the pros and cons of the parent role and derived role. Below is the scenario.
    Currently we have created 700 roles in our regional organization and we want to derive the roles for each country.
    1) We want to do the Auth field (activity level) settings in the parent role and the Org levels in the derived role.
    2) But one of my colleagues says to do the default Auth field (activity values) common to every country in the parent role and the differing activity ones in the derived role.
    Please advise me what will be the best scenario for maintaining the authorization field values like (activity level one).

    I will try to answer both your queries here:
    "my colleague says there are some NON ORG values different for each country.. suggests us to maintain all the default values in the Parent role, and auth with different values needs to be maintained in the derived role (child role).."
    The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this field is NON_ORG you will not be able to maintain it directly inside the child roles... this is the basic principle of the derived role concept... that the only item you will directly maintain in a child role are the org levels (which will come as 'organisational levels' in the upper tab in the auth data of a role).
    All NON_ORG fields inside a child role are acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. These changes will get lost the next time you run the parent child inheritance from the "generate derived role" function in your parent role.
    Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc... figure out the name of the concerned field you have in hand)... execute... you will see that the field will from now onwards appear as an org level value in all roles in the system and not just as a field inside the auth objects... I would suggest you take one field and try running it in your dev or sandbox.. see how the field changes in your roles.... the change can always be reverted by using PFCG_ORGFIELD_delete. ... you will understand it better....
    Soumya
