Authorization maintenance - Create Collective Roles

Similar Messages

• Error While creating Collection Management role

  Hi
  We did a client copy and Iam getting the error "Database error UDM_PR_HEAD UDM_COLL_BUPA 5" whenever I tried to create collection management roles.
  Database error UDM_PR_HEAD UDM_COLL_BUPA 5
  Message no. UDM_WORK_LIST010
  Diagnosis
  Database instruction UDM_PR_HEAD was not successful.
  Procedure
  If you can reproduce the error message, contact SAP Support.
  Anyone knows anything about this error?
  Thanks

  Hi Ram,
  sorry for the inconvenience, can you provide the collections management(ecc6.0) configuration document.
  i am trying to learn that but i could not find any related document .
  Thanks,
  Ravi

• Role for authorization to create sub element

  Hello All,
  When am trying to create a sub element in SICF it says no authorization.What is the role that i need to request to basis team?
  Thanks,
  Rakesh.

  Hello Rakesh,
  Run transaction SU53 after the authorization error to find the missing authorization objects.
  Edgar

• Creating standard roles transaction

  Hello,
  Please let me know transaction code of standard roles creation in SAP Business Workflow.
  Regards,
  Amey

  Create Roles 
  The role also contains the authorizations users need to access the transactions, reports, web-based applications and so on, contained in the menu.
  You can assign a role to an unlimited number of users.
  Procedure
  To create a single role:
  1.     Choose the pushbutton Create role or the transaction PFCG in the initial transaction SAP Easy Access. You go to the role maintenance.
  2.     Specify a name for the role.
  The roles delivered by SAP have the prefix 'SAP_'. Do not use the SAP namespace for your user roles.
  SAP does not distinguish between the names of simple and composite roles. You should adopt your own naming convention to distinguish between simple and composite roles.
  3.     Choose Basic maintenance (in the Profile, Other objects menu).
  4.     Choose Create.
  5.     Enter a meaningful role description text. You can describe the activities in the role in detail.
  You may use an existing role as a reference.
  6.     Assign transactions, programs and/or web addresses to the role in the Menu tab. The user menu which you create here is called automatically when the user to whom this role is assigned logs on to the SAP System. You can create the authorizations for the transactions in the role menu structure in the authorizations tab.
  If you want to call the transactions in a role in another system, enter the RFC destination of the other system in the Target system field.
  You should only use RFC destinations which were created using the Trusted System concept () to guarantee that the same user is used in the target system. This is only necessary if you want to navigate via the Easy Access Menu in the SAPgui.
  If you use the Workplace Web Browser, you can use any destination containing a logical system with the same name.
  If the Target system field is empty, the transactions are called in the system in which the user is logged on.
  You can also specify a variable which refers to an RFC destination. Variables are assigned to the RFC destinations in the transaction SM30_SSM_RFC.
  To distribute the role into a particular target system, specify the target system (its Release must be 4.6C) and choose Distribute. This function is most useful when you use the Workplace.
  You can create the user menu:
  o     from the SAP menu
  You can copy complete menu branches from the SAP menu by clicking on the cross in front of it in the user menu. Expand the menu branch if you want to put lower-level nodes or individual transactions/programs in the user menu.
  o     from a role
  this function copies a defined role menu structure in the same system into the current role. You can also copy the menu structure of a role delivered by SAP. Click on the menu branches and copy them.
  o     from an area menu
  You can copy area menus (SAP Standard and your own) into a role menu. Choose an area menu from the list of menus and copy the transactions you want.
  o     Import from file
  See Upload/Download roles.
  o     Transaction
  You can put a transaction code in the user menu directly.
  o     Program
  This function puts programs, transaction variants or queries in the user menu. They need not be given a transaction code.
  ABAP Report
  Choose a report and a variant. You can skip the selection screen.
  You can generate a transaction code automatically and copy the report description by setting checkboxes.
  SAP Query
  Enter a user group and query name. If the query has a variant, you can specify it. You can also specify a global query. See  Query work areas.
  Transactions with variants
  The system administrator can create transaction variants in the SAP System  Personalization. Transaction variants adjust complex SAP System transactions to customer business processes, by e.g. hiding superfluous information and adding other information such as pushbuttons, text or graphics. You can put a transaction variant call in a user menu by entering the transaction code and variant which you created in the transaction SHD0.
  BW report
  Include a Business Information Warehouse report. Enter the report ID.
  ReportWriter, Search, Report
  These function put other application-specific report types in the user menu.
  o     Others
  Enter other objects:
  Web address or file
  Enter internet/intranet links with a descriptive text and the web address. You can enter a file name if the browser can call an application.
  Drag and relate component
  Enter the component name.
  Knowledge Warehouse link
  Use the Document field possible entries help. Choose the information object type. You go to a selection screen in which you can search for the object in the Knowledge Warehouse.
  There are other pushbuttons for editing the user menu. Choose a menu entry with the cursor before you call one of the following functions.
  Function:     Meaning
    Create folder
  Group transactions, programs, etc. in a folder
    Change node text
  Change a menu entry text
    Move down
  Move a menu entry down one place
    Move up
  Move a menu entry up one place
    Delete nodes
  Delete a menu entry
  Any subnodes are also deleted.
    Delete all nodes
  Delete the complete role menu
    Translate node
  Translate a menu entry
    Documentation
  Display the documentation of transactions, programs, etc.
    Find doc.
  Find programs
  You can restructure the menu by Drag & Drop.
  The Menu tab status is red if no menu nodes are assigned. If at least one menu node is assigned, the status is green.
  You can assign Implementation Guide (IMG) projects or project views to a role under Utilities  Customizing auth. Do this to generate IMG activity authorization and assign users. The authorization to perform all activities in the assigned IMG projects/project views is generated in profile generation. You make the assignments in a dialog box. Choose Information to display more information on using this option.
  7.     Save your entries.
  You have created a role.

• Creating a role for t.code FBL1N

  Hi All,
  Creating a role (PFCG), I've to assign the t.code FBL1N only.
  In this role and for the t.code FBL1N, I've to exclude a certain Vendor Account Group.
  Could anyone help me?
  Thanks

  Hi ,
  For the task that you want to perform .
  First of all have a basic idea of how the authorization objects pertaining to a T code are checked , go to T code SU24 and give the input transaction as FBL1N and execute . there you will find the list of all the authorization objects that would be available for FBL1N.
  go through their documentation and understand the behaviour .
  Secondly , in case of FBL1n you cannot restrict based on account group at the granual level you can control on document type authorization group F_BKPF_BLA .
  For creating a role Go to t code PFCG create a role assing the t code , provide the auhtorization values , generate the role and assign the role to the user ID that you want to assign it to .
  Hope this helps .
  Regards ,
  Dewang T .

• CRM 7.0 How to create Business role & generate

  Hi Team,
  Can you please let me know some breif idea about CRM 7.0 security guide.
  How to created Business role is this part of functional activity?
  Whats the role of Technical colleagues BASIS guys in CRM 7.0 security .
  Please help me to get some document regarding business role creation , generation , assignment & authorization checks in CRM 7.0.
  Thanks & Regards,
  Vyash Mishra

  Hello Viyash
  I will add the most important information for generation of business roles and assignment of authorizations to users.
  You must first create the PFCG roles. PFCG role is built based on the Business Role.
  Please see documentation in : SPRO
  SAP Implementation Guide =>  Customer Relationship Management
  UI Framework  > Business roles > Define Authorization Role
  Then the PFCG role can be assigned to the business role in 
  SAP Implementation Guide =>  Customer Relationship Management
  UI Framework  > Business roles > Define Business role
  Finally you must assign business roles to Organizations or positions in organizations in
  SAP Implementation Guide =>  Customer Relationship Management
  UI Framework  > Business roles > Define Organizational Assignment
  The users that are assigned to such organizations / positions will be therefore linked to the business role.
  With the previous steps the users will have the authorizations that are assigned to the PFCG profile that is linked to their business role.
  Business roles are the main way to configure authorizations for users in CRM but you have more options that give you flexibility.Each business role has assigned one PFCG role, but the relationship between business role and PFCG role is not strict. You can even assign a dummy PFCG role to a certain business role in business role customizing and then go to transaction PFCG and assign other PFCG role(s) to the users that are assigned to that business role.
  I would say that the previous tasks must be performed by the basis team but in cooperation with the functional team
  Best Regards
  Luis Rivera

• HCM Authorization - Creation of separate Roles & Objects

  Hi All,
  We are developing authorisation matrix and have following doubt:
  The Scenarion is:
  - There are around 130 HR Users can be classified into 10 unique groups.
  - Each user handles from 4 - 8 locations, where locations are not part of PSA but are captured thru VDSK1 feature and stored the details in Organisation Keys
  - OM, PA, PE, PD modules along with ESS with few Custom trnsactions, workflows developed.
  My proposed solution is :
  1. Create 10 Roles only with tcodes (Trn_Roles_Grp_01 to Trn_Roles_Grp_10)
  2. Create 130 Roles without tcodes, but with objects authorisations (Obj_Roles_001 to Obj_Roles_130)
  3. For each user, assign relevant Trn_Role & Obj_Role
  Will this solution work ?  Or any better suggestions are welcome...
  Thanks & Regards,
  Vijay

  Hi,
  You solution will work, but you will have 140 roles. It is to many for 130 users.
  I can suggest you to use structural authorizations to drive scope of access by organization structure rather than enterprise structure. This will reduce number of PA role, but increase number of structural roles. However it will be more consistent approach as you will drive access to functionality by PA roles and organizational scope by OM roles.
  Cheers

• Trouble when adding / modifying authorization objects in a role through ERM

  Hi everyone!!!
  We're having some issues when configuring ERM, we followed the Post-Installation guides and we are done with the config part, but when we try to do an example creating a role, we're getting an error message when attempt to add the authorization data.
  When we look at the log, we find this message:  /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
  This is the last log...
  2010-11-05 17:03:42,515 [SAPEngine_Application_Thread[impl:3]_30] ERROR /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
  java.lang.Throwable: /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
       at com.virsa.re.service.sap.dao.SAPRoleTimestampDAO.getRoleChangedDetails(SAPRoleTimestampDAO.java:136)
       at com.virsa.re.bo.impl.ConcurrentAccessRoleBO.isRoleChangedInPFCG(ConcurrentAccessRoleBO.java:228)
       at com.virsa.re.role.actions.AuthAuthorizationDataAction.pageLoad(AuthAuthorizationDataAction.java:6865)
       at com.virsa.re.role.actions.AuthAuthorizationDataAction.execute(AuthAuthorizationDataAction.java:213)
       at com.virsa.framework.NavigationEngine.execute(NavigationEngine.java:273)
       at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:230)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)
       at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)
       at com.virsa.comp.history.filter.HistoryFilter.doFilter(HistoryFilter.java:43)
       at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:384)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Plz help us, we can't find any information about this error.
  Regards
  Connie

  Hi,
  Settings need to be checked-
  1. Connectors must be identical for all components for a particular system and test connection should be successful.
  2. Unicode should be checked for RAR connector.
  3. Patch Level should be same on GRC and Backend and all backend post-installation activites must be completed  - (BC set activation, Program etc)
  4. RAR Objects Import must be done.
  5. ERM Background jobs must be completed before doing Role Creation- Transaction/Object/Field sync, Org Value sync and activity sync.
  If above activities are done, no issues should occur in tcode/Object assignment in role.
  Regards,
  Sabita

• Authorization when creating contract account

  Dear gurus,
  I am now have a problem with authorization when creating Contract Account for Business Partner with the scenario: each user only have right to create Contract Account for some BP Number Range that I determine in their Role. Is that possible to do this scenario?
  Pls help me,
  Thanks a lot

  Hi,
  May be you can set the same in the User Authorization roles where in you can restrict the user to create Contract account for certain BP only. May be you can work along with your Basis consultant to solve this issue or you can also try for validation rules if it works for this scenario.
  regards,
  radhika

• Creating Global Roles in 9.1 using WLST

  Hi,
  Did anyone try creating Global Roles in Weblogic 9.1 ?
  Since in Weblogic 9.1, the Authorizer and Role Mapper providers are XACML based, I am not sure if we can use WLST offline to create global roles.
  Can someone please shed some light on this.
  Thanks -agreddy

  As far as i know you could never create roles via WLST offline, only via WLST online.
  Thanks,
  -satya
  BEA Blog: http://dev2dev.bea.com/blog/sghattu/

• How to create a role?

  Guys,
  I am trying to create a role in transaction SU01 and PFCG, but i have no authorizattioin for either of them is ther any other way ?????????? Please reply
  This role is to save my workbooks under this role

  Create the Role in PFCG; if you don't have authorization ask the security person to give you the autho. If you want to save a query under the role, then you do this in BEx designer..there is a small icon which has a pic of man..click on the that icon and attached your query with appropriate role.
  Regards:
  BK

• Steps to create Collective delivery

  Hi,
  Someone pl tell me steps to create collective delivery
  Thanks Munna

  hi,
  You can schedule delivery creation for whenever you like using automatic background processing.
  Procedure
  To plan background processing for delivery creation, proceed as follows:
  1.Either apply a user role for background processing or make a copy of a user role for shipment due processing for yourself.
  During the test phase, use a function code profile for shipment due list display within this user role.
  2.Test the shipment due processing with this user role until you only need to execute the Create delivery in background function after the shipment due list is first displayed in order to ship part of the delivery list. (Vary the rules for line selection or for quantity definition during item processing, for instance.)
  3.Change the function code profile in the user role from Display to Deliver.
  4.From Logistics ® Logistics Execution ® Outbound Process ® Goods Issue for Outbound Delivery, choose Outbound Delivery ® Create ® Collective Processing of Documents Due for Delivery ® Delivery scenario of your choice.
  5.Choose the user role that you want to use for background scheduling in the User role field on the User role tab page.
  6.Enter additional selection parameters on the selection screen.
  7.Save the selection screen as a variant.
  8.From shipping, choose Outbound delivery ® Create ® Collective Processing of Documents Due for Delivery ® Plan Background Processing and execute the delivery scenario for background planning.
  9.Choose the selection variant you want and then select Schedule job.
  10.Follow the basis dialog for scheduling a background job.
  regards
  sadhu kishore

• The bidder has no authorization to create responses

  Hi,my experts:
     The purchaser create RFx in SRM7.0 ,and publish it . The Bidder find the bid ,and  click the button"Create bid".The system dispalys"You have no authorization to create responses".I give the role"SAP_BBP_STAL_BIDDER" to this bidder .
     I do not konw y?
  Alex!
  BR!

  Hi
  http://help.sap.com/saphelp_srm70/helpdata/EN/2b/7c399f1f0b465f9e58f77c3bd2c38c/frameset.htm
  /SAPSRM/BIDDER (SAP SRM: Bidder)
  br
  muthu

• Authorization to create Query

  Hello Gurus,
  When I try to create a report and save it using query Analyzer it gives the following error: "You do not have authorization to create or add".
  I checked the authorization for that role for that user , it has * for all components of S_RS_COMP and S_RS_COMP1. Is there any other component which needs to be checked.
  Pls suggest,thanks in advance.

  Hi bw,
  did you also check if there is a special naming convention for the queries? May be you just have to name it differently.
  regards
  Siggi

• Authorization to create PO for certain specific materials

  Hello Experts,
  Is it technically possible to give authorization to create PO,change PO and display PO in a Purchasing Organization based on Material? The user should be authorized to create, display or change PO in a Purchasing organization XXXX only for certain materials. How to achieve this?
  Thanks & Regards
  Yoga

  The object concerned is M_MATE_MAR Material Master: Material Types. Although this object is only checked you may have to manually insert it in the role with the required values.Also, a pre requisite is that you may have to maintain the authorization groups for the material in the material master inorder to restrict such a change.
  Baiscally you can try doing this for one material first. If it works then you can go for a mass change in all materials and maintain user roles with this object.
  --- Discard my above suggestion.
  It is not possible to impose such an restriction based on material type. The above object is used for master data only.
  Edited by: Subramaniam Iyer on Dec 1, 2008 8:38 AM