Authorization in Basis Roles

The scenario is: there is a single client but two different companies.
We are planning to develop separate Basis Administration roles for each company.
To restrict organizational levels (company code, controlling area, ...) I use the "S_USER_VAL" authorization object. It works fine with org. levels, but I have to define all possible field names along with their authorization values, and it seems very difficult.
Is it possible for "S_USER_VAL" to work according to the values I maintained, while the rest of the values go to *? In other words, it should not bypass the maintained values.

Jurjen Heeck wrote:
> ... something else to make a part of SAP_ALL not work?
2 ideas:
- If the regeneration of SAP_ALL could check that the user running it does not have any SAP_ALL authorizations? Meaning, they would need to know exactly which non-SAP role authorizations (their technical names) have that authority in it. Many folks who only work with SAP_ALL don't know how to do that.
- If there were some way to isolate the program parts which are required to change SCC4 such that they can only be run with root privileges, then you do not need to give your SAP system (with SAP_ALL) root access...?
Disclaimer: Just ideas! Complete overkill!!
=> Does restricting the user's access sound like a much easier idea now?
Cheers,
Julius

Similar Messages

  • Security Issue: How to create a derived role from the Base role

    Hi All,
    Kindly let me know how I can create a derived role from the base role?
    Please respond at the earliest.
    Thanks in advance.
    Ramesh.

    Go to PFCG and Create a role with desired Name.
    In the Description Tab, on the Left Side there is a text box for "Derive From "
    enter the Base role.
    Now your newly created role is derived from the Base role.
    Save the newly created role and again run PFCG, enter the Base role name and execute. Select Edit role. Go to Authorization tab.
    Edit Authorization.
    In the Menu Adjust Derived -> Generate and Adjust derive
    This will Generate the derived role.
    Now you may go and check the authorization in the derived role.

  • Regarding Authorization policy and Roles in OIM 11g

    Hi,
    In the OIM 11g Admin interface, is there a way to find out which authorization policies a role has been assigned to?
    I am asking this because, if you search for a user, you will know which roles he is a member of, and similarly if you search for a role, you will know which users are members of that role.
    Similarly, if you search for an authorization policy, you will know which roles are assigned to this policy. But if I search for a role, I am not able to find which authorization policies have been assigned to this role.
    Looking forward to hearing from you,
    Many thanks in advance

    I understand your concern. But, this feature has not been available
    --nayan

  • Authorization on BP Role ???

    Hello Experts,
    We are running on CRM 5.0. We have created 3 roles: "Prospect", "Customer", "Employe".
    In our case we want the "Customer" and "Employe" roles to be display only; the user should not edit the details. Prospect can be created or edited.
    What we did: we put the authorization "DISPLAY" on the roles Customer and Employe.
    This authorization is working in the GUI, but in PCUI the user is still able to edit the details of Customer and Employe.
    Please guide me how I can achieve this authorization check on roles???
    Regards!!!
    Amit Saini

    Hi Amit,
    How is that done? We tried using Authorization and the SPRO table, but when we make the address Display Only it only applies to SAP GUI and doesn't carry over to the portal.
    Is there a way to add PCUI field groups to the BP role dataset and then make it a Display only?  If you could please give me details on how you accomplish it I would really appreciate it.
    Thank you,
    Arpan

  • ABAP/4 & BASIS role in SRM

    hi experts,
    What is the role of ABAP/4 people in SRM, and how much is their involvement with BASIS people in SRM?
    Could anyone please resolve this question for good points?
    bye bye
    Regards
    rakhi

    Hi Rakhi,
    I have done a full end-to-end implementation in SRM 5.5.
    SRM is 60% technical.
    ABAP Role:
    If needed, adding new fields in different documents of SRM
    IDOC extension
    BADI enhancement
    Resolving IDOC issues
    BAPI-related issues for documents posted through SRM
    User/Field exits
    You need to know XML and HTML to resolve certain issues in SRM
    Basis Role:
    RFC Destination / SICF configuration
    ALE/IDOC setup
    Roles and Authorisation
    A lot of patches need to be applied in SRM
    We had lots of Basis issues, so expect issues during implementation.
    Thanks,
    Anil Rajpal

  • Need FM which create authorization for a Role

    Hi,
    I need to create authorizations for roles. Can anybody tell me if there is any FM to create authorizations for a role?
    It is done through the PFCG transaction.
    I need an FM which creates authorizations for a role.
    Thanks in advance

    Hi Sami
    Try this link.
    Re: Programatically create Security Profiles via BAPI/FM in R/3?
    Regards
    Neha

  • 3rd party tools to migrate Authorization profiles to roles

    Experts,
    Are there any 3rd party tools to migrate Authorization profiles to roles while upgrading to ECC 6.0?
    NW

    Hi,
    Thanks so much for replying. I posted the errors here (no answers though):
    XML to Forms conversion gives error for menus
    Error when converting form to XML

  • Authorization Object And Roles For  Functional Consultant

    Dear Expert,
    What kind of Authorization Objects and Roles would be provided to a Functional Consultant (FI, MM, SD, PM, PS, CO, HR) at the time of implementation?
    Thanks in advance
    Pavel

    Thanks Juan,
    We now already have it here and in the NW IDM forum a few times as well...
    Cheers,
    Julius

  • Client certificate authentication with custom authorization for J2EE roles?

    We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If our web.xml includes:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>
    that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
    On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password; we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., through a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>
    or:
    <login-config>
        <auth-method>MyRealm</auth-method>
    </login-config>
    Anybody done anything like this before?
    --Thanks

    We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suit our needs:
    $cat JDBCRealm.java
    /**
     * JDBCRealm for supporting RDBMS authentication.
     * <P>This login module provides a sample implementation of a custom realm.
     * You may use this sample as a template for creating alternate custom
     * authentication realm implementations to suit your applications needs.
     * <P>In order to plug in a realm into the server you need to
     * implement both a login module (see JDBCLoginModule for an example)
     * which performs the authentication and a realm (as shown by this
     * class) which is used to manage other realm operations.
     * <P>A custom realm should implement the following methods:
     * <ul>
     *  <li>init(props)
     *  <li>getAuthType()
     *  <li>getGroupNames(username)
     * </ul>
     * <P>IASRealm and other classes and fields referenced in the sample
     * code should be treated as opaque undocumented interfaces.
     */
    final public class JDBCRealm extends IASRealm
    {
        protected void init(Properties props)
            throws BadRealmException, NoSuchRealmException
        public java.util.Enumeration getGroupNames (String username)
            throws InvalidOperationException, NoSuchUserException
        public void setGroupNames(String username, String[] groups)
    }
    and
    $cat JDBCLoginModule.java
    /**
     * JDBCRealm login module.
     * <P>This login module provides a sample implementation of a custom realm.
     * You may use this sample as a template for creating alternate custom
     * authentication realm implementations to suit your applications needs.
     * <P>In order to plug in a realm into the server you need to implement
     * both a login module (as shown by this class) which performs the
     * authentication and a realm (see JDBCRealm for an example) which is used
     * to manage other realm operations.
     * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
     * extended by this class. PasswordLoginModule provides internal
     * implementations for all the LoginModule methods (such as login(),
     * commit()). This class should not override these methods.
     * <P>This class is only required to implement the authenticate() method as
     * shown below. The following rules need to be followed in the implementation
     * of this method:
     * <ul>
     *  <li>Your code should obtain the user and password to authenticate from
     *       _username and _password fields, respectively.
     *  <li>The authenticate method must finish with this call:
     *      return commitAuthentication(_username, _password, _currentRealm,
     *      grpList);
     *  <li>The grpList parameter is a String[] which can optionally be
     *      populated to contain the list of groups this user belongs to
     * </ul>
     * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
     * fields referenced in the sample code should be treated as opaque
     * undocumented interfaces.
     * <P>Sample setting in server.xml for JDBCLoginModule
     * <pre>
     *    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
     *      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
     *       <property name="jaas-context"  value="jdbcRealm"/>
     *    </auth-realm>
     * </pre>
     */
    public class JDBCLoginModule extends PasswordLoginModule
    {
        protected AuthenticationStatus authenticate()
            throws LoginException
        private String[] authenticate(String username,String passwd)
        private Connection getConnection() throws SQLException
    }
    One more article: [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
    You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
    [http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
    $cat CertificateRealm.java
    package com.iplanet.ias.security.auth.realm.certificate;
    /**
     * Realm wrapper for supporting certificate authentication.
     * <P>The certificate realm provides the security-service functionality
     * needed to process a client-cert authentication. Since the SSL processing,
     * and client certificate verification is done by NSS, no authentication
     * is actually done by this realm. It only serves the purpose of being
     * registered as the certificate handler realm and to service group
     * membership requests during web container role checks.
     * <P>There is no JAAS LoginModule corresponding to the certificate
     * realm. The purpose of a JAAS LoginModule is to implement the actual
     * authentication processing, which for the case of this certificate
     * realm is already done by the time execution gets to Java.
     * <P>The certificate realm needs the following properties in its
     * configuration: None.
     * <P>The following optional attributes can also be specified:
     * <ul>
     *   <li>assign-groups - A comma-separated list of group names which
     *       will be assigned to all users who present a cryptographically
     *       valid certificate. Since groups are otherwise not supported
     *       by the cert realm, this allows grouping cert users
     *       for convenience.
     * </ul>
     */
    public class CertificateRealm extends IASRealm
    {
        protected void init(Properties props)
        /**
         * Returns the name of all the groups that this user belongs to.
         * @param username Name of the user in this realm whose group listing
         *     is needed.
         * @return Enumeration of group names (strings).
         * @exception InvalidOperationException thrown if the realm does not
         *     support this operation - e.g. Certificate realm does not support
         *     this operation.
         */
        public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException
        /**
         * Complete authentication of certificate user.
         * <P>As noted, the certificate realm does not do the actual
         * authentication (signature and cert chain validation) for
         * the user certificate, this is done earlier in NSS. This default
         * implementation does nothing. The call has been preserved from S1AS
         * as a placeholder for potential subclasses which may take some
         * action.
         * @param certs The array of certificates provided in the request.
         */
        public void authenticate(X509Certificate certs[])
            throws LoginException
        {
            // Set up SecurityContext, but that is not applicable to S1WS..
        }
    }
    Edited by: mv on Apr 24, 2009 7:04 AM

  • Regarding full authorization except basis and abap

    Hello Gurus,
    I want to provide full authorization to my super users excluding Basis and ABAP transactions such as PFCG, SU01, STMS, SCXX, SEXX. Is it possible by providing some standard profile? If yes, then which profiles are those? And if no, then how to solve this problem?
    Please reply if you can.
    Thanks and Regards,
    Jayendra

    Hi Jayendra,
    You copy SAP_ALL to some ZSAP_ALL role and remove whatever transactions you want to remove from ZSAP_ALL. Then you assign this role to all your super users.
    Regards,
    Hari.

  • Authorization without BASIS help

    Dear all,
    Kindly let me know which authorizations we can give without BASIS help.
    Let me know the t-codes and what's possible (blocking someone from accessing something, hiding something for some group, etc.) for a functional consultant without a BASIS person.
    Regards
    ET

    Hi,
    You can start in tcode SU01. If you put in your user name and click on modify, you get the tabs "Roles" and "Profiles". In Roles you should have some roles. If you double click next to any role you have, it will take you to tcode PFCG, which is where the role is built. In there you have some tabs; the most important would be "Menu" and "Authorizations".
    In the Menu tab you can assign transactions to the role. In the Authorizations tab, at the bottom, you have an icon called "Change authorization data". That is where the most complex work is done, because it is where you assign what kind of things the profile will be able to do and what kind of data the user will be able to modify or see.
    As I mentioned there are a lot of details and from a basis point of view there would be even more.
    Hope it helps.
    Kind Regards,
    Edoardo

  • S_TCode Full Authorization in all Roles

    Hello,
    We have created roles as per the role matrix given by the client. All are absolutely working fine, but when I see the report at user level of the transaction codes assigned to the user, we can see authorization for almost 100000 T-codes. I analyzed and found that the S_TCODE authorization object contains the value " * ", so that is the reason I am finding all the T-code authorizations.
    How has this happened? We have not given this value in any of the roles.
    Regards,
    Narasimha Kumar

    > How has this happened? We have not given this value in any of the roles.
    If you didn't do it manually then it must have been a (very strange) proposal value coming from SU24. Have a look in table USOBT_C, filtered on object S_TCODE. If there's a star in the low or high column, the 'name' column tells you which transactions' proposal you need to fix in SU24. After that re-read the authorizations for roles containing this transaction.
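The check described in the reply above, written out as an added example (not code from the thread): scan an extract of SU24 proposal data in the USOBT_C layout for S_TCODE proposals that carry a '*', and show why a single such proposal makes every transaction pass once PFCG reads it into a role. The rows are constructed sample data, not a real system's USOBT_C contents; the column names NAME, TYPE, OBJECT, FIELD, LOW and HIGH follow the real table layout, and the SAP-style wildcard matching is a simplified model of the ABAP AUTHORITY-CHECK.

```python
# Constructed USOBT_C-style rows: (NAME, TYPE, OBJECT, FIELD, LOW, HIGH).
# TYPE "TR" means the proposal belongs to a transaction. ZREP1 carries the
# kind of bad proposal the reply talks about; ZREP2 carries a range.
USOBT_C_ROWS = [
    ("FB01",  "TR", "S_TCODE",    "TCD",   "FB01", ""),
    ("FB01",  "TR", "F_BKPF_BUK", "ACTVT", "01",   ""),
    ("ZREP1", "TR", "S_TCODE",    "TCD",   "*",    ""),    # the bad proposal
    ("SE16",  "TR", "S_TCODE",    "TCD",   "SE16", ""),
    ("SE16",  "TR", "S_TABU_DIS", "ACTVT", "03",   ""),
    ("ZREP2", "TR", "S_TCODE",    "TCD",   "ZR",   "ZZ"),  # a range proposal
]


def star_proposals(rows, obj="S_TCODE"):
    """Transactions whose SU24 proposal for `obj` has a '*' in LOW or HIGH.

    This is the filter the reply describes: USOBT_C restricted to OBJECT,
    then the NAME column of every row with a star. These are the entries
    to correct in SU24 before re-reading the affected roles."""
    return sorted({name for name, _typ, o, _field, low, high in rows
                   if o == obj and ("*" in low or "*" in high)})


def value_matches(low, high, value):
    """Simplified SAP field matching: '*' alone matches anything, a non-empty
    HIGH makes LOW..HIGH an inclusive range, a trailing '*' is a prefix,
    otherwise the value must match exactly."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low


def role_allows_tcode(rows, transactions, tcode):
    """Merge the S_TCODE proposals of the transactions in a role's menu (what
    PFCG does when it pulls SU24 proposals) and check whether `tcode` passes.

    One '*' proposal anywhere in the merged values lets every transaction
    through, which is how a role built from an innocent-looking menu ends up
    authorizing ~100000 T-codes."""
    values = [(low, high) for name, _typ, o, _field, low, high in rows
              if name in transactions and o == "S_TCODE"]
    return any(value_matches(low, high, tcode) for low, high in values)


if __name__ == "__main__":
    print("proposals to fix in SU24:", star_proposals(USOBT_C_ROWS))
    clean_menu = {"FB01", "SE16"}
    bad_menu = clean_menu | {"ZREP1"}
    for menu in (clean_menu, bad_menu):
        print(sorted(menu), "allows SU01:", role_allows_tcode(USOBT_C_ROWS, menu, "SU01"))
```

Run it and the clean menu denies SU01 while the menu containing ZREP1 allows it; fixing the ZREP1 proposal in SU24 and re-reading the role removes the star from the generated S_TCODE authorization.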

  • How to Add a single Transaction to Base role of a User in GRC AC 10

    Hello Gurus,
    I would like to know if it is possible to assign a single transaction to a user in his default roles.
    E.g., we have some users who have been assigned some default roles, and in some cases a user requires authorization only for one transaction, e.g. FB08 or for that matter any transaction; instead of adding a role containing many other transactions, we would like to assign only this transaction to the user.
    OR
    In another example, if a user sends a missing authorization request, i.e. an SU53 screenshot, and only one transaction needs to be assigned, how can it be provisioned to that specific user?
    Is it possible in GRC AC 10, by using CUP or BRM?
    Looking forward to your opinion.
    Regards,
    Victor

    Hello Victor,
    In this case, why don't you create a role including only FB08? You cannot assign a user a transaction, you have to assign a role. This is the authorization concept in SAP.
    Cheers,
    Diego.

  • HR ABAP authorizations for Nakisa roles

    Hi there,
    We have just started to plan for OrgChart and Talent planning systems by Nakisa. Wondering if there are any standard HR authorizations that the standard Nakisa roles use, and if anyone can elaborate whether IT 008 (Basic Pay) really comes into play with this, as it is very sensitive. The project team has presented these user types:
    Everyone, Executive, Assistant, HR (Human Resources), Manager
    We are not using structural auths, but auth by PLOG, P_ORGIN.
    Any direction appreciated. Thanks!

    Hi Dan,
    For OrgChart are you using Live or Staged?
    There are no special auths required for OrgChart. An SAP role needs to be mapped to an OrgChart role in order for users to see certain data. No PA0008 data is shown by default in OrgChart, although obviously if you want to show it you'll need to make configuration changes to restrict display, depending on whether you are using Live or Staged. The roles you mention are standard OrgChart roles that come pre-defined out of the box.
    For SuccessionPlanning (assuming you are on ECC6 EhP4) you need to have the Talent Management Specialist role (SAP_TMC_TALENT_MANA_SPECIALIST) assigned to each user and an Area of Responsibility assigned in HRTMC_PPOM. This is between the Position of the user and the OrgUnit of each area they are responsible for. No configuration is required in the application because, for SuccessionPlanning, it is really just an interface between the user and ECC data and leverages ECC security etc.
    I hope that helps!
    Luke

  • Assigning different authorizations inside a role to different users

    Hello,
    Could someone please guide me on how we can assign different authorizations (authorization field values) for an authorization object inside a role to different users? I.e., in the role maintenance transaction (PFCG), after we create a new role and add an authorization object to it, if this authorization object has several authorizations (authorization field values) and I need to add two users to that role, how can I assign to one user an authorization different from that assigned to the other user?
    Thank you in advance.
    Best regards.
    Reda Khalifa
    IT Department - Almansour Automotive Group - Egypt

    Hi Reda,
    That documentation complicates the subject slightly as it is talking about principles that are at a lower level than the usual role level.
    We have 1 authorisation object - S_TRVL_BKS
    Authorisations have been created for this object, called S_TRVL_CUS1 and S_TRVL_CUS2
    In this context, an authorisation is an instance of an authorisation object that has been populated with data.
    Before the profile generator you used to create authorisations (auth objects populated with data) and assign them to profiles which are then assigned to users.
    In this example 2 profiles would be needed
    Profile1: S_TRVL_CUS1 and S_TRVL_CUS2
    Profile2: S_TRVL_CUS2
    Miller would be assigned profile1, Meyers would be assigned profile2
    The profile generator allows us to easily build authorisations and profiles and packages them up in a role.  This way, we can assign transactions and authorisation objects into a role, populate the authorisations (which is what we do in the authorisations tab in the role) and automatically create the profile.
    The example in the documentation is still valid because it requires 2 separate authorisations (and therefore profiles and roles) to be assigned to different people. Unfortunately this is not explained very well in the documentation.
    I hope that makes sense. Roles are static and the permissions that they give do not vary dynamically. In BW we can use variables to do something similar, and to some extent structural authorisations in HR work dynamically; however this doesn't apply to R/3 or ECC. (It can be done in some cases but costs many, many £££/$$$'s.)
    Please let me know if you want me to elaborate further on this
    Cheers
    Alex
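Alex's explanation above (authorization object, authorizations as populated instances of it, profiles, users), written out as an added example that is not part of the thread: a small model of how an SAP AUTHORITY-CHECK resolves. The object S_TRVL_BKS, the authorizations S_TRVL_CUS1 and S_TRVL_CUS2, Profile1/Profile2 and the users Miller and Meyers are taken from the reply; the field names ACTVT and CUSTTYPE and the values filled into each authorization are constructed assumptions, and the matching rules are a simplified model of the real check.

```python
# Authorizations: name -> (authorization object, {field: [maintained values]}).
# Names from the reply; field values are constructed: CUS1 may display (03)
# customer type B, CUS2 may change and display (02, 03) customer type A.
AUTHORIZATIONS = {
    "S_TRVL_CUS1": ("S_TRVL_BKS", {"ACTVT": ["03"], "CUSTTYPE": ["B"]}),
    "S_TRVL_CUS2": ("S_TRVL_BKS", {"ACTVT": ["02", "03"], "CUSTTYPE": ["A"]}),
}

# Profiles bundle authorizations, users are assigned profiles (as in the reply).
PROFILES = {
    "Profile1": ["S_TRVL_CUS1", "S_TRVL_CUS2"],
    "Profile2": ["S_TRVL_CUS2"],
}
USERS = {"MILLER": ["Profile1"], "MEYERS": ["Profile2"]}


def field_ok(allowed, wanted):
    """One field passes if any maintained value covers the wanted value:
    '*' covers everything, a trailing '*' is a prefix, otherwise exact match."""
    for v in allowed:
        if v == "*" or v == wanted or (v.endswith("*") and wanted.startswith(v[:-1])):
            return True
    return False


def authority_check(user, obj, **fields):
    """True if ONE authorization in the user's profiles satisfies every checked
    field at the same time.

    Values from different authorizations are never combined: Miller holds
    ACTVT 02 (via CUS2) and CUSTTYPE B (via CUS1), yet ACTVT=02/CUSTTYPE=B
    fails because no single authorization contains both. That is why the
    reply needs two distinct authorizations, profiles and roles to give
    Miller and Meyers different permissions, and why a role cannot hand out
    different field values to different members."""
    for profile in USERS.get(user, []):
        for auth_name in PROFILES[profile]:
            auth_obj, auth_fields = AUTHORIZATIONS[auth_name]
            if auth_obj != obj:
                continue
            if all(field_ok(auth_fields.get(f, []), v) for f, v in fields.items()):
                return True
    return False


def compare_users(users, obj, checks):
    """Evaluate the same list of (field dict) checks for several users and
    return {user: [True/False per check]} so the difference is visible."""
    return {u: [authority_check(u, obj, **c) for c in checks] for u in users}


if __name__ == "__main__":
    checks = [
        {"ACTVT": "03", "CUSTTYPE": "B"},
        {"ACTVT": "02", "CUSTTYPE": "A"},
        {"ACTVT": "02", "CUSTTYPE": "B"},
    ]
    for user, results in compare_users(["MILLER", "MEYERS"], "S_TRVL_BKS", checks).items():
        print(user, results)
```

The `compare_users` table makes the static nature of the assignment visible: whatever Miller or Meyers can do is fixed by which authorizations their profiles contain, and changing it means changing the profile (or role), not the check.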
