Authorization for Role Assignment

Dear Experts,
I have a scenario whereby a user is able to assign a set of roles to end-users but should not be allowed to do so for himself. I could only think of assigning user groups to the person's authorization which restrict him to assign roles to end-users from specific user groups. However, this is not desirable in our scenario as this means we need to maintain user groups for the entire organization (which is a huge organization). I would like to enquire if anybody has implemented similar requirements via standard/alternative means. Any suggestion and advice is appreciated. Thanks.

Louis,
I think this is a standard security and authorizations question, and not really HR specific.  You are correct in that the standard way to achieve this is with user groups.  However, it doesn't have to be as onerous as you are thinking.  The usual way of achieving this, of having an authorizations administrator or user administrator who can manage standard end-users but not him- or herself is to assign just that user to a group, typically called SUPER, and not worry about assigning groups to all the other end-users (or at least, not for this purpose).  You might also put all other high-power basis users, like the system administrator and any other security administrators, into this SUPER group, since you don't want anyone other than the super-superuser to manage them.  Then, you assign the user administrator role the S_USER_GRP authorization with the usual activities for user group ranges 0-SUPEQ and SUPES-Z.  This allows the role to manage users in all user groups except SUPER.
I would also only allow this role to work with authorization profiles starting with the standard T, and role names in the pattern Z.  Then make sure that this role itself is not in the Z* customer namespace, but instead in the Y* customer namespace, and this way you prevent the user administrator from getting through a loophole and being able to create or modify non-SUPER users and simply assign them to the User Administrator role as a way of bypassing the above restriction.
You should also not allow the User Administrator role to directly modify roles or profiles, only to create users and assign them to existing roles in the Z namespace.
I trust that this helps.
--Matt

Similar Messages

  • OIM 11gR1 : Parallel approval for role assignment.

    Hi,
    I'd like to add custom attributes to a role : "District security officer" and "Department security officer" (Can those be used for searching users? -- i.e. users lookup)
    When the role is to be assigned to a user, I'd like the workflow engine to open tasks for the members entered on those custom attributes.
    Also, Is it possible to assign a Role instead of the users in the custom attributes ?
    Meaning, Approving user assignment of a role named "Role A" will be done by users that belong to "Role_A_Approvers".
    Will appreciate pointers to the online docs, I've search and didn't find information related to the usecase I've described.
    Thanks,
    Meni,

    Bikash Bagaria wrote:
    Meni wrote:
    Hi,
    I'd like to add custom attributes to a role : "District security officer" and "Department security officer" (Can those be used for searching users? -- i.e. users lookup)
    When the role is to be assigned to a user, I'd like the workflow engine to open tasks for the members entered on those custom attributes.Try modifying the dataset. But I think there was an issue which someone reported here which said that you cannot add additional attributes to the role dataset. Logically it makes sense because there is no custom attribute for role in OIM so dataset should not allow it either.
    I've noticed that the design console allows adding custom attributes to roles.
    This can be done via Administration --> User Defined Field Definitions --> UGP (Table name).
    Once a field is added, you'll need to choose "Properties" and add a "Visible Field = true" prop to the attribute chosen.
    This will add a custom attributes section where your attributes will be shown.
    Question is how you can add a "search users" lookup instead of plain string for this custom attribute,
    and how those attributes will find their ways into the BPEL composite where business decisions based on those attributes may be taken (assign task per this attribute for an example).
    Also, Is it possible to assign a Role instead of the users in the custom attributes ?
    Meaning, Approving user assignment of a role named "Role A" will be done by users that belong to "Role_A_Approvers".You can create request for multiple roles in a single request and in your approval process you need to dynamically set the human task assignee based on the role selected. You also need to attach the approval process to orchestration level so that it generates a separate child request for each role selected.
    I'm not sure I understand how the proposed approach helps avoid the decoupling of users to role admins attribute.
    The intention was to have two roles, "Role_A" and "Role_A_Approver" where people that belong to "Role_A_Approver" will be assigned workflow tasks whenever Role_A is to be granted to end-users.
    Currently, each role has a "Role Admin" attribute, this attribute however holds a user and not a container of users (role)..
    Will appreciate pointers to the online docs, I've search and didn't find information related to the usecase I've described.
    All about requests
    Thanks,
    Meni,-Bikash

  • Approval Task for role assignment

    Hello again,
    is there any manual for approval tasks with the SAP Provisioning Framework? There is a task group called Request new business role, but if I use this, the approver approves the request, but the status of the role assignment is "in process"and never changed to "OK".
    I only found these manuals:
    - How To... Create Approval Tasks in SAP NetWeaver Identity Management
    - Implementing role approvals
    But both documents didn't show an end-to-end role-request-and-approval workflow.
    Thanks in advance.

    Hello Matt, hello Peter,
    the web-enabled task "Request New Business Role" and the including approval task are only examples.
    To create own approval processes for your projects you have to understand how approval tasks and pending values work.
    The following document shows the basics of PVOs (pending value objects).
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0d6b459-3456-2b10-209e-9e78ec9fd97b?quicklink=index&overridelayout=true
    This is documentation of the release 7.0, which is not updated to 7.1. But basics of PVOs are still the same.
    There is also a document which describes approval task for Release 7.1:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/20b67ad5-c69a-2c10-9da2-9721b1cf749c?quicklink=index&overridelayout=true
    Also a "How-To Guide" is available:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/904deabf-73b9-2c10-e8bb-8514dc3757f2?quicklink=index&overridelayout=true
    I think this is enough to learn to create workflows in SAP IdM.
    There is also a nice book available with detailed information:
    EN: http://www.sap-press.com/products/Understanding-SAP-NetWeaver-Identity-Management-.html
    DE: http://www.sap-press.de/2007
    I think this will help you.
    Best regrads,
    Christoph Reckers

  • Authorization or roles assign?

    Hi All,
    I have installed Xi 3.0 on windows server 2003.but my users are getting this error not able to create a product. Its says "You
    are not authorized to view the requested resource 403 forbidden".
    What all the authorizations and roles i need to set for every user.
    Regards,
    Rohit

    Error: HTTP 403 Forbidden
    Description: The server understood the request, but is refusing to fulfill it
    Possible Tips:
    Path sap/xi/engine not active
    • HTTP 403 during cache refresh of the adapter framework - Refer SAP Note -751856
    • Because of Inactive Services in ICF –Go to SICF transaction and activate the services. Refer SAP Note -517484
    • Error in RWB/Message Monitoring- because of J2EE roles – Refer SAP Note -796726
    • Error in SOAP Adapter - "403 Forbidden" from the adapter's servlet. –Because of the URL is incorrect or the adapter is not correctly deployed.
    <i>From
    /people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
    Regards,
    Prateek

  • Role assignment to users (Change documents)

    Hi
    I was looking through the change documents for users and here i came across  "START_REPORT" under the Transaction column along with SU01 and PFCG. I was not quite sure about what this "STATUS_REPORT" was all about. I was wondering if this is a program. It certainly is not a batch coz we dont run batches here. I am trying to track down this change to the user but STATUS_REPORT is leading me nowhere....
    Any ideas?
    ravi

    Hi ravi
    Could you please explain the problem once more ?
    If you want to see the changes in the profiles of the user(which i take as one example of change documents) then you can use the transaction SUIM and there it'll give you options for change documents as below:
    1) For users
    2) For role assignment
    3) For Roles
    4) For profiles
    5) For authorizations
    and then you can choose the option you want.
    If I can help in some other way then kindly let me know.
    Cheers

  • Authorization for a particular Query

    Hi,
    I have a query say "X".I want that query to be executed by an user say "Y".Now I want to restrict user "Y" to that particular query only.User Y should not be able to access/execute any othr queries except query "Y".
    Could you provide me the detailed approch for this.
    Thanks,
    Neetu

    Hi neetu,
    are you using which system BW 3.5 or BI 7.0?
    first create the role for with required authorization object then same to user.
    RSD1 - maintain the authorization
    PFCG- to create  and maintain roles
    RSECADMIN -To maintain analysis authorization and role assignment to user.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c0b7acf2-6121-2e10-5591-eaec182d9315?quicklink=index&…
    Authorization in BI 7 - Part 1
    Thanks,
    Phani.

  • Auth Group for Accounting Doc and Account authorization for  Vendors

    Hi guys,
    I have question regarding Accounting Doc for Vendor and G/l Account.  I have a security client whree I build my business roles for end user but we we configuration client where all the functional focus wokring and doing configuration.  My questiion when I start creating business roles  and start going  into these authorization objects and filling up the field values (F_BKPF_BEK, F_BKPF_BES,  F_BKPF_BLA).
    I won't  see auth group that will be c reated by functional  cocus because they are working on configuration Client and they probably create auth group for above authorization objects in Config lcient and I'm building Roles in my security client. 
    If it is true what would be the best way to create business role.  I'm in realization face of the project  Should I build my roles in Config client?   Please advise.
    Thanks in advance
    Faisal

    What is the benefit of a "security client" in DEV? I don't get it...
    You anyway need to protect the namespace... and the authorizations for role development (SU24) and admin (PFCG).
    Anyway, you have closed your question so we can only lick our wounds now
    Cheers and good luck on your project (let is know how it goes if you stick around for long enough to experience a release upgrade...
    Julius

  • Authorization check for caller assignment to J2EE security role

    Dears experts, in the default.trc logs in, my Enterprise Portal NW2004s, appear this error:
    #1.#0018714E4A14005E000027E1000057B8000441BB7EF2FC03#1198173451524#com.sap.engine.services.security.roles.SecurityRoleReference#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleReference#Guest#2126####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ : ] referencing J2EE security role [ : ].#5#ACCESS.ERROR#service.jms.default.authorization#administrators#SAP-J2EE-Engine#administrators#
    #1.#0018714E4A14005E000027E5000057B8000441BB7F8BDC21#1198173461543#com.sap.engine.services.security.roles.SecurityRoleImpl#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#2127####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ :
    Any idea about it?
    Thanks friends

    Hi Holger,
    Thanks for the tip, it could be the case, I just checked and we are on Patch 0 for JEECOR as you can see here below:
    sap.com/SAP-JEECOR   7.00 SP13 (1000.7.00.13.0.20070907082334)  20071028144036 
    sap.com/SAP-JEE          7.00 SP13 (1000.7.00.13.2.20071026143730)  20071203150628 
    Will inform some people internally to patch to atleast 3 to check if it still occures.
    Anyway, Thanks again..
    Benjamin Houttuin

  • Error :Authorization check for caller assignment to J2EE security role whil

    Hi Experts,
                 i m working as a portal resource .
    after the deployment of standered Sap e-rec package .
    i m getting some error. i have assigned the recruiter role to one test user.
    Now i m getting two issue:
    1)All the services are appearing in Detailed Navigation Pannel but not in Portal content area..
    2) I m able to see few iview for the test user but those are also in detailed navigation view.
       And few ivews are giving following error :
      i)Internal error
    ii)error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
    /System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
    Full Message Text
    ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
    please suggest what can be  done or what is pending from my side.

    Prajakta2602 wrote:
    Hi Experts,
    >
    > the previous issue got solved..
    > it was due to servies pack miss match and applying notes
    > the Basis guy  checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required paching as per
    > notes 1445294 and 1175239 were applied.
    > now the issue is:
    >
    >
    >  After implemetation and  i assigning the standerd sap roles
    > 1)Recruiter Administrator
    > 2)Recruiter
    > to the test user .
    > but for few iview it is showing error as in
    > 1) you are not a authorized user
    > 2) internal error
    >
    > please help experts.
    >
    >  i m working on portal side have i to assign any role to that test user..
    >
    >
    > Thnaks & Regards,
    > Prajakta
    You can run a quick check using the below steps:
    1. Check in backend whether there is any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
    2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
    Regards,
    Mahesh

  • Background job fails for BDC profile creation and role assignment

    Hi Experts,
    I have created a BDC Function module for Tcode 'PFCG' for profile creation and role assignment, and called this FM in my zprogram. the problem is that when i run this program in foreground it executes succesfully, but if i schedule it in background it fails throwing error in job log 'Role 'Z...' does not contain any active authorizations'. But i have created one more program to create authorization objects which runs before this zprogram.I have also checked the authorization object in 'RSECADMIN', it reflects active. I dont understand whats happening exactly when it runs background.
    Below is the process of job
       1. ZMIS_AUTH_OBJECT_CREATE
           Variant : auth-create
       2. ZMIS_AUTH_ASSIGN_TO_ROLE
           Variant : auth-assign
    The problem is in second program, runs in foreground but fails in background.
    Code which i have written in my second program
    ***BDC for Profile creation and assignment to Roles
        CALL FUNCTION 'ZROLE'
          EXPORTING
           ctu                     = 'X'
           mode                    = p_mode
           UPDATE                  = 'L'
    *   GROUP                   =
    *   USER                    =
    *   KEEP                    =
    *   HOLDDATE                =
           nodata                  = '/'
            agr_name_neu_001        = wa_role-role_name
            text_002                = wa_role-desc
            text_003                = wa_role-desc
            text_004                = wa_role-desc
           value_01_005            = 'T-ML330881'
            h_fval_low_01_006       = wa_role-auth
            profn_007               = lv_profile
            ptext_008               = lv_text1
    * IMPORTING
    *   SUBRC                   =
         TABLES
           messtab                 = temp_message.
    ***Generation of Profile created
    CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
         EXPORTING
           activity_group                      = wa_role-role_name
    *     PROFILE_NAME                        =
    *     PROFILE_TEXT                        =
          no_dialog                           = ' '
          rebuild_auth_data                   = ''
          org_levels_with_star                = ' '
          fill_empty_fields_with_star         = 'X'
          template                            = ' '
          check_profgen_tables                = 'X'
          generate_profile                    = 'X'
          authority_check_pfcg                = 'X'
       EXCEPTIONS
         activity_group_does_not_exist       = 1
         activity_group_enqueued             = 2
         profile_name_exists                 = 3
         profile_not_in_namespace            = 4
         no_auth_for_prof_creation           = 5
         no_auth_for_role_change             = 6
         no_auth_for_auth_maint              = 7
         no_auth_for_gen                     = 8
         no_auths                            = 9
         open_auths                          = 10
         too_many_auths                      = 11
         profgen_tables_not_updated          = 12
         error_when_generating_profile       = 13
         OTHERS                              = 14  .
    Experts please help me out its very urgent. your help is appreciated and rewarded. Thanking you in advance.
    Regards,
    Chetan

    Hi Praveen,
    Yeah definately, my requirement is that I have to access of some BI reports to certain users, so contract data will be downlaoded from ECC on application server, need to read that file from application server and for the each contract i ahould create a authorization object, role creation and assigning of role to the user and profile generation and activation.
    To achieve this i have written two programs
    1) ZMIS_AUTH_OBJECT_CREATE- This program will create the Authorization Object using BDC and Role creation Using the BAPI
    "" Creation of Authorization Object
    CALL FUNCTION 'ZAUTHOBJ'
            EXPORTING
             ctu                    = 'X'
             mode                   = p_mode
             UPDATE                 = 'L'
    *   GROUP                  =
    *   USER                   =
    *   KEEP                   =
    *   HOLDDATE               =
             nodata                 = '/'
             g_authname_001         = 'ZDUMMY_MIS'
              g_targetauth_002       = wa_tab-auth
              g_authtxt_003          = wa_tab-short_desc
              g_authtxtmd_004        = wa_tab-med_desc
             marked_04_005          = 'X'
              g_authtxt_006          = wa_tab-short_desc
              g_authtxtmd_007        = wa_tab-med_desc
             tctiobjnm_04_008       = 'ZBUS_UNIT'
              g_authtxt_009          = wa_tab-short_desc
              g_authtxtmd_010        = wa_tab-med_desc
             marked_05_011          = ''
             opt_01_012             = 'EQ'
              low_01_013             = wa_tab-bu
              g_authtxt_014          = wa_tab-short_desc
              g_authtxtmd_015        = wa_tab-med_desc
             marked_04_016          = 'X'
              g_authtxt_017          = wa_tab-short_desc
              g_authtxtmd_018        = wa_tab-med_desc
             tctiobjnm_04_019       = 'ZCONTRCT'
              g_authtxt_020          = wa_tab-short_desc
              g_authtxtmd_021        = wa_tab-med_desc
             marked_05_022          = ''
             opt_01_023             = 'EQ'
              low_01_024             = lv_contract
              g_authtxt_025          = wa_tab-short_desc
              g_authtxtmd_026        = wa_tab-med_desc
              g_authtxt_027          = wa_tab-short_desc
              g_authtxtmd_028        = wa_tab-med_desc
              g_authname_029         = wa_tab-auth
    * IMPORTING
    *   SUBRC                  =
           TABLES
             messtab                = temp_message.
    "" Creation of role
    LOOP AT it_role INTO wa_role.
          CLEAR wa_text.
          wa_text-text = wa_role-desc.
          wa_text-langu = 'E'.
          APPEND wa_text TO it_text.
          wa_jobrole-agr_name = wa_role-role_name.
          wa_parentrole-agr_name = 'ZM_CT_DUMMY_MIS'.
          wa_method-usmethod = 'CHANGE'.
          CALL FUNCTION 'ZBAPI_JOBROLE_CLONE'
            EXPORTING
              jobrole          = wa_jobrole
             parent           = wa_parentrole
             method           = wa_method
           TABLES
    *   RETURN           =
             shorttext     = it_text
    *   LONGTEXT         =
    *   MENU_NODES       =
    *   MENU_TEXTS       =.
        ENDLOOP.
    2) ZMIS_AUTH_ASSIGN_TO_ROLE - This program will generate the profile created assign it to the role.
      ""*BDC for Profile creation and assignment to Roles
        CALL FUNCTION 'ZROLE'
          EXPORTING
           ctu                     = 'X'
           mode                    = p_mode
           UPDATE                  = 'L'
    *   GROUP                   =
    *   USER                    =
    *   KEEP                    =
    *   HOLDDATE                =
           nodata                  = '/'
            agr_name_neu_001        = wa_role-role_name
            text_002                = wa_role-desc
            text_003                = wa_role-desc
            text_004                = wa_role-desc
           value_01_005            = 'T-ML330881'
            h_fval_low_01_006       = wa_role-auth
            profn_007               = lv_profile
            ptext_008               = lv_text1
    * IMPORTING
    *   SUBRC                   =
         TABLES
           messtab                 = temp_message .
       COMMIT WORK AND WAIT.
    ""*Generation of Profile created
      LOOP AT it_role INTO wa_role.
        CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
         EXPORTING
           activity_group                      = wa_role-role_name
    *     PROFILE_NAME                        =
    *     PROFILE_TEXT                        =
          no_dialog                           = ' '
          rebuild_auth_data                   = ''
          org_levels_with_star                = ' '
          fill_empty_fields_with_star         = 'X'
          template                            = ' '
          check_profgen_tables                = 'X'
          generate_profile                    = 'X'
          authority_check_pfcg                = 'X'
       EXCEPTIONS
         activity_group_does_not_exist       = 1
         activity_group_enqueued             = 2
         profile_name_exists                 = 3
         profile_not_in_namespace            = 4
         no_auth_for_prof_creation           = 5
         no_auth_for_role_change             = 6
         no_auth_for_auth_maint              = 7
         no_auth_for_gen                     = 8
         no_auths                            = 9
         open_auths                          = 10
         too_many_auths                      = 11
         profgen_tables_not_updated          = 12
         error_when_generating_profile       = 13
         OTHERS                              = 14
        IF sy-subrc <> 0.
          MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                  WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
        ENDIF.
      ENDLOOP.
    For creating authorization objects, role & profile i have created one dummy auth, dummy role & dummy profile respectively.
    i have created dummy objects to copy the roles from dummy object and assign the same to new Auth obj, role & profile.
    Let me know what needs to be done. because these both the programs run perfectly in foreground, but fails in background.
    Regards,
    Chetan

  • BW authorizations based on assigned PPM users/roles + inherited roles

    Dear experts,
    We using PPM 5.0 SP7, and we are having trouble defining authorizations for BW reports.
    We would like to use the same authorizations as in PPM business client, so that BI would use/check the authorization from business client.
    This check would include:
    - users or roles gain access from direct assignment to an item
    - users or roles gain access that is inherited in the bucket structure, both structure and classification buckets.
    Users would have access to BW reports, but they could see data only from the same structures/classifications or direct assignments that are given to them in PPM business client.
    Can we utilize the same authorization methods, or do we need to create and maintain this in another place (BW)?
    If needed, how to create similar authorization model to BW?
    Kind regards,
    Antti Forsell

    Hello,
    Please see these docs,
    [Field Based Authorizations in BW BEx Queries|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4753ed83-0e01-0010-e186-f98413f868cb]
    [An Expert Guide to new SAP BI Security Features|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea]
    [Advanced Features of SAP BW Reporting Authorizations|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06]
    Thanks
    Chandran

  • Transport roles and analysis authorization with user assigned

    Hi expert,
    I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
    Thanks for your time,
    Luis

    Hi,
    In role administration, you have the following options for transporting roles:
    You can download the roles from one system and upload them into another  
    You can import the role from a remote system using RFC  
    You can transport the roles with the transport function.
    Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
    Transporting Roles with the Role Transport Function
           1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
           2.      Enter the role to be transported and choose Transport Role.
    The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
    You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
    For more information go thrpugh the below link
    http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
    Regards,
    Marasa.

  • Roles & Authorizations for Web Reports...

    Hello Experts,
    We are newly implementing Web Reports in our organization. I need your great thoughts regarding implementing Authorizations for users to access the reports.
    We are using a report menu page that contain links to all the reports. The page opens by clicking on a link on the portal. The individual reports are basically accessed from this page by clicking on the corresponding button (links a URL ).
    I wonder if there is any way to look into the menu page (XHTML code of that web page/application) when ever the users click on the reports link and disable those buttons that the users are not allowed to access depending on the roles users are assigned to. Otherwise is there any better way to do it.
    And also how to call a function from web applications.
    This is a kind of urgent issue any quick ideas would be greatly appreciated.

    I apologize for the difficulty in reading this  I will repost.
    We have had no training or received any documenation on WAD.  The below was created from internet research.  Hence there may be WAD functionality that would allow easier maintenance, however; this is what we use.
    With our dashboard, I have a web template that contains hyperlinks for our reports.  I will call this HeaderTemplate1.  For each web page I have report templates.  These report templates have the HeaderTemplate1 mentioned above as well as the report tables, charts, text elements, tabs, etc.
    The JavaScript logic for accessing the urls of the specific report templates is contained within our HeaderTemplate1.
    Below is how our setup was tested.  Keep in mind, this was only for testing basic functionality.  If this is something we use I will most likely create a master data table that houses the user ID and an attribute for the header type.  Thus, any report menu changes can be altered quickly without changing the javascript of each report template.  Also this will accomodate the few thousand users we have.
    To add the functionality of different 'menus', I created another header template with the same hyperlinks of HeadertTemplate1 with the exception of one or two hyperlinks.  This, HeaderTemplate2, was added to each report template just below HeaderTemplate1.  Note that both HeaderTemplate1 and HeaderTemplate2 were set as visible on each report template.
    Also, on each report template I added a text element.  The 'List of Text Elements'property was set as such; Element Type = General Text Sympol,  Element ID = SYUSER.  This Text Element was linked to a query  or view from BEx via the dataprovider.  On the HTML side, I surrounded this Text Element with
    <Font ID="UserID",,,textelement....</Font>
    Each Report template has this javascript function, fnRepOnLoad, which is triggered at the OnLoad event.
    [<SCRIPT language = "JAVASCRIPT">                       
      function fnRepOnLoad()
        var user_ID=document.getElementById("UserID").innerHTML;
        if (user_ID=='USER123')
          document.all["HEADTMPLT1"].style.visibility = 'hidden';
          document.all["HEADTMPLT1"].style.position = 'absolute';
        else         
          document.all["HEADTMPLT2"].style.visibility = 'hidden';
          document.all["HEADTMPLT2"].style.position = 'absolute';
    </script>
    The function results as this.  If the user is USER123, HeaderTemplate1 is hidden, leaving only HeaderTemplate2 visible.  Otherwise HeaderTemplate2 is invisible leaving on HeaderTemplate1 visible.
    We do not use buttons as our global leaders prefer hyperlinks but buttons can be enabled or disabled similarly.
    As mentioned before, if this method is implemented, I will create a reportable master data table.  Create a customer exit variable to retrieve the header template required for the user.  This header template variable value will then be pulled by a text element on each report template.  The script function will act as follows.  If many report headers are necessary I may use a case statement.
    Var User_template=document.getElementById("UserTmplt").innerHTML;
    If UserTmplt = HeaderTemplate1
    -->  make all header templates other than HeaderTemplate1 invisible
    else
    -->  make all header templates other than HeaderTemplate2 invisible
    etc...
    I hope this helps.  Please keep me posted with your solution.  I am very interested to learn what others are doing.
    Best Regards,
    Larry

  • "Low-level" authorizations for accessing BW reports - add users to role

    Using the advice in Topic "Low-level" authorizations for accessing BW reports, I have been able to publish a query to a role that has 3 test users and each user gets the same query but with different data, as determined in the tables.
    Is there a way to look up the users and e-mail addresses from a table and associate them to the role? We have several hundred e-mail recipients that will not need BW access, but only need an e-mail with a static report that contains data on their own territories.

    Hi!
    i think programatically it might be complex. You got to maintain a seperate variant of report per user and use this variant to send mail. that means you need to maintain a variant and a Broadcast setting per user. once maintained you can use it any number of times the values will be recalculated everytime.
    with regards
    ashwin
    <i>PS n: Assigning point to the helpful answers is the way of saying thanks in SDN.  you can assign points by clicking on the appropriate radio button displayed next to the answers for your question. yellow for 2, green for 6 points(2)and blue for 10 points and to close the question and marked as problem solved. closing the threads which has a solution will help the members to deal with open issues with out wasting time on problems which has a solution and also to the people who encounter the same porblem in future. This is just to give you information as you are a new user.</i>

  • ACCESS.ERROR: Authorization check for caller assignment to J2EESecurityRole

    Hi
    After updating our portal (NW04 SP20) this new error occurs in the default.trc log.
    <i>ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [service.jms.default.authorization : administrators] referencing J2EE security role [SAP-J2EE-Engine : administrators].</i>
    I have not found anything helpfull thusfar.
    Thank you for your help in advance

    Hi,
    We had the same problem after upgrading to 2004s sp13.
    We applied all available patches and it went away.
    Check out this thread:
    <a href="https://www.sdn.sap.com/irj/sdn/thread?threadID=614693&tstart=0">https://www.sdn.sap.com/irj/sdn/thread?threadID=614693&tstart=0</a>
    Best regards,
    Avisahi Zamir

Maybe you are looking for

  • Getting row count

    is there any other way than select count(*) from tableName to get the number of rows in a table or to know if the table has any records or not ? Thanks !

  • Vendors PAN Number field Mandatory in Vendor Master Data

    HI, I am working in 4.7 EE version. I want to make Vendors Pan Number field mandatory while creating Vendor Master Data. As per my knowledge we cannot use Validation for this purpose. Regards Sudhakar

  • Exit in CNEX0009 not getting triggered from CJ20n

    Dear All, I am trying to use the exit ( EXIT_SAPLCOMK_001) present in enhancement package CNEX0009. This exit description says that we can modify Material Components in Networks'. But when we create a new material component in CJ20n, this exit is not

  • IPhone 4 - Ghost songs (brrrrr)

    Hello, I'm having a real strange problem... When I copy/sync my playlists (from iTunes 9.2) to my "cool-brand-new-iphone-4", the songs are copied correctly (I can find them by searching them) but playlists are empty or almost (I can find 10 songs ins

  • Get info crashing itunes

    When I try to change the location for a file in get info from music to audiobooks, itunes crashes. my itunes has all updates as does my macbook.  i am on lion os.