Authorization, roles, profiles
I want to know how authorizations, roles and profiles will be created...
and the hierarchy of the above 3 (authorization, roles, profiles).
Can anyone help me in getting the documents?
Hi,
The commonly used t-code for the above is
PFCG to create the role. Here we can assign the role to the user also.
You can see the same in SU01 t-code.
In PFCG we create the role and it will ask for a profile name.
Basically it contains the authorization object.
In BW we had RSSM t-code, now we have RSECADMIN in BI.
RSECADMIN is basically used to create the auth object.
For example: if you want to restrict the users to see their
company code data then you need to create an auth object for company code
and give access to users according to their requirement, i.e.
you need to add this auth object to their respective role.
Thanks,
Saveen Kumar
Edited by: saveen kumar on Jan 10, 2011 7:47 AM
Similar Messages
-
How to upload authorization role & profile to PFCG
I have downloaded the authorization role & profile from PFCG at client 100.
How to upload the authorization role & profile to SAP client 200?
Check with your Basis guys once.
Generally it will be done by them; check with them once. -
Structural authorization : role, profile, user group
Dear All,
I am working in OM in Structural authorization, can anyone tell me difference among Roles, profile, user group.
I am mainly concerned with roles and profiles, What exactly is role and what is profile.
Pl give me practical example....
Regards,
Kumar
Hi kumar,
Roles: It is divided in to single role and Composite Role. It is used to maintain your list of allowed transactions and reports as a menu. Once you assigned this role to the user, he / she can access only those transactions, what you maintained in the menu.
Profile: It is based on the authorization object. Unless and until you generate the profile, the system will not consider the authorization for the assigned menu. You can provide the authorization based on various objects like infotype, transaction code, master record, org key, ...
User Group: Used to set the unique set of rules for the specific user. How system should react in case of specific user group.
Good Luck
Om
Reward it, if u feel helpful. -
Analysis Authorization (Role, Profile and Direct Assignments)
Analysis Authorization Question:
1) In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
2) Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign Reporting Authorizations as per the process defined in BW 3.x system.
3) Customer sometime have 100 + Roles to have 3.X Reporting Authorizations. This is Managed, assigned, approved using role concept.
Migration Options:
1) New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned Like Company code 1100 not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
2) Analysis Migration Tool - RSEC_MIGRATION does not update ROLES. It creates or changes PROFILES.
3) Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
Questions
a) This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
b) Does any one use direct assignment to Users? It is good business practice?
c) Is Profiles recommended method of Authorization Maintenance?
d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
Just want to check how other folks have done migration that can be supported going forward.
Pankaj Gupta
Hey Pankaj,
In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce -
After BI 7.0 Upgrade, Authorization Roles and profiles are not visible
Hi Gurus,
We have an issue with authorization roles and profiles are not visible for all end users with new Bex Analyzer (BI 7.0) tool. But still they can see these roles with old Bex Analyzer ( Bex 3.5) tool.
As a developer I have SAP_ALL access and I can see all authorization roles in new BEx Analyzer (BI 7.0).
I verified in SU01 for user access and everyone is assigned their roles and they are green.
Do we need to add any new authorization object to fix this issue, please let me know
Thanks and appreciate your help.
Thanks
Ganesh Reddy.
Edited by: Ganesh Reddy on Oct 26, 2009 4:41 PM
Hi Ganesh,
check the behaviour, if you assign
S_USER_AGR
ACT_GROUP = "..name of the assigned role.."
ACTVT = 03 (for "display")
b.rgds,
Bernhard -
List roles/profiles/authorizations for end user
HI All
Can anyone please give the list roles/profiles/authorizations
that needs to be added to our end user id so as to view
(Only Display) all the BEx Reports.
Points assured
Thanks
Vijaya
Hi Vijaya,
Go through this link:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a07122ae-8216-2a10-c9a5-996717a0648b
Thanks,
Ajay -
BADI or User Exit for role/profile assignment SU01/PFCG
Hi ABAP gurus,
I need a way, BADI, UserExit to do some verifications over a role or a profile before it is assigned in the Tcode: SU01 and PFCG.
These verifications prevent the assignment of critical roles, transaction or access to tables.
Any information about this topic would be very helpful...
thanks...
Hi RAFAEL,
Only one exit is available for this Tcode SU01. No exits available for PFCG.
Enhancement SUSR0001 User exit after logon to SAP System
For SU01 we can check the profile assignment in program MS01CU10 and some AUTHORITY-CHECK:
AuthCheck MS01CC10 S_DEVELOP AUTHORITY-CHECK ABAP Workbench
AuthCheck MS01CU10 S_TCODE AUTHORITY-CHECK Transaction Code Check at Transaction Start
AuthCheck MS01CC10 S_USER_AUT AUTHORITY-CHECK User Master Maintenance: Authorizations
AuthCheck MS01CC10 S_USER_GRP AUTHORITY-CHECK User Master Maintenance: User Groups
AuthCheck MS01CC10 S_USER_PRO AUTHORITY-CHECK User Master Maintenance: Authorization Profile
AuthCheck MS01CC10 S_USER_SYS AUTHORITY-CHECK User Master Maintenance: System for Central User Maintenance
In the same way PFCG contains some AUTHORITY-CHECK:
AuthCheck LSUPRNU18 S_USER_TCD AUTHORITY-CHECK Authorizations: Transactions in Roles
AuthCheck LSUPRNU27 S_USER_PRO AUTHORITY-CHECK User Master Maintenance: Authorization Profile
AuthCheck LSUPRNU23 S_TCODE AUTHORITY-CHECK Transaction Code Check at Transaction Start
AuthCheck LPRGN_TREEI0O S_USER_AGR AUTHORITY-CHECK Authorizations: Role Check
I hope this may be helpful.
Thank you,
Thanks,
AMS -
Roles/Profiles for ALEREMOTE
hi all,
can anyone let me know all the Roles/Profiles required for the User ALEREMOTE in a production system.
I understand that the roles sap_all, sap_new, s_bi-wx_rfc and s_bi-whm_rfc can be used in the development and the Quality systems but am told that the roles SAP_ALL & SAP_NEW are not supposed to be used for ALEREMOTE in the Production systems as it would give all authorizations to all the users.
so, could anyone kindly let me know the various roles/profiles that need to be assigned to the user ALEREMOTE keeping in mind that SAP_ALL & SAP_NEW are not allowed and at the same time all the transactions w.r.t BW3.5 should go through successfully.
kindly revert back at the earliest as we are in the process of going to the BW Production.
Thanks & Regards
Manicks
hi Manicks,
check oss note 150315-BW-Authorizations for Remote-User in BW and OLTP. hope this helps.
Symptom
1) The ALE user fails security in the BW side
2) Missing authorizations when executing Customizing of extractors
3) No IDocs could be sent to the SAP-BW using RFC.
4) Automatic source system connection fails with error R3220: No RFC-Parameters in source system defined
5) When collecting content in BW, warning message RSAOLTP035 comes up
Other terms
Authorizations, SAP_ALL, S_BI-WX_RFC, S_BI-WHM_RFC, S_RS_ALL, ALEREMOTE, BWREMOTE, RSAOLTP 553, RSAOLTP553
Reason and Prerequisites
a) In the BW there exist two user:
i) a human administrator, using S_RS_ALL
ii) a user called BWREMOTE (or similar), used to receive the data from the OLTP, using S_BI-WHM_RFC
b) In the OLTP there exist also two user:
i) a human administrator, needing authorizations to create users and RFC-destinations.
ii) a user called ALEREMOTE (or similar), used to ...
1) ... connect the OLTP to the BW
2) ... extract the data
3) ... send the data to the BW
4) ... show monitoring dialogs
for tasks 1 to 4, the profile S_BI-WX_RFC is used (however does not suffice on some points since some authorizations are missing in the delivered profile)
5) ... make customizing of OLTP extractors
for this, additionally the authorizations to execute IMG-functionality, to execute Transaction SBIW and to maintain the applications, which shall be customized, must be given during the customizing functionality is used.
Solution
1) The profile S_RS_ALL resp. S_BI-WHM_RFC must contain (at least) the following authorizations:
Profile
2) The referred functionality is b) i) 5), thus
the authorizations to execute IMG-functionality,
to execute Transaction SBIW and to
maintain the applications, which shall be customized,
must be temporarily given to ALEREMOTE, if you want to execute the
functionality from BW-side. The permissions for executing the
customizing is not included in the profile S_BI-WX_RFC, since
this is a critical functionality.
However there is the possibility to execute the customizing
in the OLTP by a human administrator by hand, using Transaction
SBIW.
3), 4) For sending the Idocs and reading RFC-destinations
the profile S_BI-WX_RFC is incomplete.
Please check, if the following authorizations are included:
Profile
--- S_BI-WX_RFC <PRO> Business Information Warehouse, RFC User
-- B_ALE_ALL <PRO> All authorizations for ALE/EDI
-- S_APPL_LOG_A <PRO> Application log: All
-- S_BTCH_ADM <PRO> BC: Batch - Processing authorization
-- S_BW_RFC <PRO> BW: Authorization Profile: Other
-- See above, same sub-profile as in S_BI-WHM_RFC
--- S_IDOC_ALL <PRO> All authorizations for IDoc functions
- BW AddOn BW-BCT 1.2B:
These authorizations have been delivered with BW AddOn Patch 2 (see 158489 for the AddOn Patch information), except release 45B. For 45B, the authorizations are delivered with BW AddOn Patch 1.
- PI2000.1:
For 4.6B and 4.6C due to delivery errors, this profile also is incorrect. Please transport it from the BW into the Oltp (it is the same in any system and release).
- PI2000.2:
For 4.6C due to delivery errors, this profile also is incorrect.
Please transport it from the BW into the OLTP (it is the same
in any system and release).
- PI2001.2:
For 4.6C due to delivery errors, this profile also is incorrect.
Please transport it from the BW into the OLTP (it is the same in any system and release).
Alternatively, import the sapserv* transport BRSK002208 under the directory
general\R3server\abap\note.0150315 into your OLTP-System.
For help on the sapserv* transport refer to Note 13719.
5) If you have PI-Basis 2005.1 in your source system, you need to attach role SAP_RO_BCTRA to your user in the source system. Otherwise, the functionality mentioned in the message is not available. The system continues to function as before, you may ignore the warning. -
Standard authorization role for CRM implementation team member
Hello,
We are starting SAP CRM implementation project (7.0) and I would like to avoid giving sap_all authorizations to functional consultants in development environment. Unfortunately I can't find standard customizer profiles like the ones that exist in the ERP system.
So the objective is to have quite broad role or profile with no restrictions in customization and functional area. However it's important not to have Basis authorizations in this role/profile. Hope that someone can give me a hint in this direction.
Thank you,
Jahoo
Hi,
as soon as the implementation team member should also do developments my experience is that without SAP_ALL you will have much trouble. Therefore in our dev-system each consultant will have SAP_ALL authorization. Of course only in the DEV-System.
Kind regards
Manfred -
How to add profiles to critical roles & profiles table in GRC RAR
Hello,
As per Note# 1034117, it says Add "SAP_ALL" type security roles and the SAP profiles, see list below for profiles, to the Critical Roles and Critical Profiles table.
SAP_ALL All Authorizations For The SAP System
SAP_NEW All Authorizations For Newly Created Objects
S_A.ADMIN Basis Operator
How do we add the profiles, to the Critical Roles and Critical Profiles table in RAR.
Thanks,
Hi,
I configured the critical roles & profiles in rule architect.
But when I schedule the background job for batch risk analysis, it is taking all the users, roles & profiles.
Is there a way to exclude users, roles & profiles? (I have already configured the excluded users, roles and profiles in exclude option), but still when I schedule the background job and say show parameter, it shows the User Range as '*'. It is not showing the excluded users.
Can you please update how to exclude the list of users, from the batch risk analysis?
Thanks, -
Role/Profile required with full access but not HR/payroll
HI,
We are running SAP ECC 6.0 and HR/payroll is also live. A few members in our functional team need full access. But as per our policies HR and Payroll access should be there only with the HR team.
My query is: Is there any role/profile that I can assign to functional team members through which they will have access for all T codes/programs but NOT related to HR.
Hi,
BASIS needs to restrict authorizations.
Object Id : P.
...lakhan -
Authorizations analysis versus Authorizations roles
Hello All,
I try to understand how to manage BW authorizations in the best way. I'm confused with authorizations analysis we set up in transaction RSECADMIN and authorizations object available in authorizations roles.
I have got some questions :
1-Do we have to use both ? My tests shows that I have to declare a cube within analysis authorization using object 0TCAIPROV and I have also to update role with object S_RS_COMP for RSINFOCUBE.
2-What are the list of all existing analysis authorisation object ?
Thanks for your help
Regards
Catherine
Hi Catherine,
1)
S_RS_COMP gives you the option to only change the object and has nothing to do with reading the data from the InfoProvider. This is maintained by the Basis team for the users to create and do the developments in Business Explorer.
So if you want a user to work upon a particular InfoCube only, like using that InfoCube to create queries etc. in Business Explorer, then you should give the cube name here.
Generally it is kept as *.
You have to maintain the user profile to read the data from the respective cubes.
This has to be done by creating an authorization object (e.g. ZAUTH1) and providing the values for 0TCAIPROV there.
No need to add 0TCAIPROV to the cubes.
Once the authorization object is created you need to assign it to a role and then this role should be assigned to the user.
2)
Some are here
Authorization for Analysis Process RSANPR
Data Warehousing Workbench - Objects S_RS_ADMWB
BI Analysis Authorizations in Role S_RS_AUTH
Business Explorer - BEx Reusable web items (NW 7.0+) S_RS_BITM
Business Explorer - BEx Web Templates (NW 7.0+) S_RS_BTMP
Business Explorer - Components S_RS_COMP
Business Explorer - Components: Enhancements to the Owner S_RS_COMP1
Data Warehousing Workbench - DataSource (Release > BW 3.x) S_RS_DS
Data Warehousing Workbench - Data Transfer Process S_RS_DTP
Data Warehousing Workbench - Hierarchy S_RS_HIER
Data Warehousing Workbench - InfoCube S_RS_ICUBE
Data Warehousing Workbench - InfoObject Catalog S_RS_IOBC
Data Warehousing Workbench - InfoObject S_RS_IOBJ
Data Warehousing Workbench - Maintain Master Data S_RS_IOMAD
Data Warehousing Workbench - InfoSet S_RS_ISET
Data Warehousing Workbench - InfoSource (Release > BW 3.x) S_RS_ISNEW
Data Warehousing Workbench - InfoSource (Flexible Update) S_RS_ISOUR
Data Warehousing Workbench - InfoSource (Direct Update) S_RS_ISRCM
Data Warehousing Workbench - DataStore Object S_RS_ODSO
Data Warehousing Workbench - Open Hub Destination S_RS_OHDST
Data Warehousing Workbench - Process Chains S_RS_PC
Data Warehousing Workbench - Transformation S_RS_TR
You can find these values in the table
RSECVAL.
Thanks
Ajeet -
Roles/profiles for IDoc exchange between ECC & PI
Hi guys,
I'm using a IDoc->PI->File scenario and otherwise and I need to set up a communication user between ECC and PI for this IDoc exchange, but I don't want to use sap_all. Can you please tell which roles/profile to assign so the IDoc exchange would work?
Thank you,
Olian
http://help.sap.com/saphelp_nw04/helpdata/en/2b/a48f3c685bc358e10000000a11405a/content.htm
From Note: 837595
Authorization object S_RFC
Field name RFC_TYPE value FUGR
Field name RFC_NAME value EDIMEXT, SDTX
Field name ACTVT value 16
Authorization object S_IDOCDEFT
Field name ACTVT value 03
Field name EDI_CIM value ' '
Field name EDI_DOC value TXTRAW01
Field name EDI_TCD value WE30
Authorization object S_CTS_ADMI
Field name CTS_ADMFCT value TABL
Authorization object S_TABU_DIS
Field name ACTVT value 03
Field name DICBERCLS value -
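A simplified model of the user, role, profile and authorization object chain discussed in the threads above, using the S_RFC and S_IDOCDEFT values quoted from Note 837595; it is an added example, not SAP code or part of any post. The user, role and profile names, the SAP_ALL-style wildcard profile and the function group ZOTHER_FUGR are constructed; return codes follow the 0/4/12 convention of ABAP's AUTHORITY-CHECK, and value ranges are not modelled.

```python
# Constructed data. Field values for S_RFC and S_IDOCDEFT are the ones quoted
# from Note 837595 above; all user, role and profile names are hypothetical.
PROFILES = {
    "T-IDOC0001": [  # hypothetical generated profile of the restricted role
        ("S_RFC", {"RFC_TYPE": ["FUGR"], "RFC_NAME": ["EDIMEXT", "SDTX"],
                   "ACTVT": ["16"]}),
        ("S_IDOCDEFT", {"ACTVT": ["03"], "EDI_CIM": [" "],
                        "EDI_DOC": ["TXTRAW01"], "EDI_TCD": ["WE30"]}),
    ],
    "ALL_WILDCARD": [  # stand-in for an SAP_ALL-style profile: every field "*"
        ("S_RFC", {"RFC_TYPE": ["*"], "RFC_NAME": ["*"], "ACTVT": ["*"]}),
        ("S_IDOCDEFT", {"ACTVT": ["*"], "EDI_CIM": ["*"],
                        "EDI_DOC": ["*"], "EDI_TCD": ["*"]}),
        ("S_USER_AGR", {"ACT_GROUP": ["*"], "ACTVT": ["*"]}),
    ],
}
ROLES = {"Z_PI_IDOC_COMM": "T-IDOC0001", "Z_EVERYTHING": "ALL_WILDCARD"}
USERS = {"PI_COMM": ["Z_PI_IDOC_COMM"], "PI_COMM_BROAD": ["Z_EVERYTHING"]}


def user_authorizations(user):
    """Resolve user -> roles -> profiles -> list of (object, field values)."""
    auths = []
    for role in USERS.get(user, []):
        auths.extend(PROFILES[ROLES[role]])
    return auths


def value_allowed(granted, wanted):
    """True if a granted value (literal, 'ABC*' prefix or '*') covers wanted."""
    for pattern in granted:
        if pattern.endswith("*"):
            if wanted.startswith(pattern[:-1]):
                return True
        elif pattern == wanted:
            return True
    return False


def authority_check(user, obj, **fields):
    """0 = passed, 4 = object held but values not covered, 12 = object absent."""
    candidates = [vals for name, vals in user_authorizations(user) if name == obj]
    if not candidates:
        return 12
    for vals in candidates:
        # Every checked field must be covered by the SAME authorization.
        if all(value_allowed(vals.get(f, []), v) for f, v in fields.items()):
            return 0
    return 4


def compare_users():
    """Run the same three checks for the restricted and the wildcard user."""
    checks = [
        ("S_RFC", {"RFC_TYPE": "FUGR", "RFC_NAME": "EDIMEXT", "ACTVT": "16"}),
        # ZOTHER_FUGR is a hypothetical function group outside the note's list
        ("S_RFC", {"RFC_TYPE": "FUGR", "RFC_NAME": "ZOTHER_FUGR", "ACTVT": "16"}),
        # ACTVT 02 = change; role maintenance is not needed for IDoc exchange
        ("S_USER_AGR", {"ACT_GROUP": "Z_PI_IDOC_COMM", "ACTVT": "02"}),
    ]
    return {u: [authority_check(u, o, **f) for o, f in checks] for u in USERS}


if __name__ == "__main__":
    for user, codes in compare_users().items():
        print(user, codes)
```

The restricted communication user passes only the call the note's values cover, while the wildcard profile also passes the unrelated function group and the role-maintenance check.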
Comparison of analysis authorization roles ?
Hello Experts,
I am using BI7.0 new analysis authorization concept.
I know how to compare pfcg role across systems but does anybody know how we can compare analysis authorization roles across systems?
Thanks and Regards
Imran
Hi,
Easy comparison of roles (PFUD):
Many times the Role Comparison (Profile match up) is required after the transport of roles. One usually does it from PFCG for each role individually. For a quick solution to this problem, use transaction code PFUD.
Please check the below link :
http://help.sap.com/saphelp_bw21c/helpdata/en/5c/deaa7dd3d411d3970a0000e82de14a/content.htm
http://help.sap.com/saphelp_nw04/Helpdata/EN/5c/deaa7dd3d411d3970a0000e82de14a/content.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/c1/db3fc2fd3111d5997a00508b6b8b11/content.htm
http://help.sap.com/saphelp_mic10/helpdata/en/69/1810a4c51144dc833353183155ec88/content.htm
Regards
Sreedhar Reddy -
Menu vs. Authorization roles
Dear all,
I am checking the possibility to separate roles in order I have in one role a menu structure and another associated role for the authorizations.
I found out 2 standard SAP roles having something similar
SAP_AUDITOR_BA_FI_APMD
SAP_AUDITOR_BA_FI_APMD_A
Checking SAP_AUDITOR_BA_FI_APMD I realize here is a menu structure with "transactions" inside but on the authorization tab there is nothing.
How could do that if I would like to create my own roles? I mean when I add a transaction on the menu the authorization part will be updated automatically.
I will appreciate any suggestion to do that.
Thanks
FedeX
Note that the PFCG now also offers "Authorization Defaults", which is basically the same thing, but within the same single role. This is a very good thing.
This gives you the option of pulling proposals from SU24 without them being visible (or executable...) via the menu navigation.
I agree with you that it is ideal to derive the authority from the menu tab (whether visible or not) and build roles at a higher level, and less of them too.
But try explain that to an auditor who wants to run a report in his check-list?
Actually, I heard auditors recently recommending composite roles for this reason to reduce the access of the end users to less profiles...
Unfortunately they turn up on a Monday morning without invitation and want access... It is more secure to hash up a menu for them and know what access they have behind it (test and transport that one!) than dish out SA33 etc and SE16 etc.
If they are IT auditors (as is often the case) then they will want to display some development objects. Forget about S_TCODE from that point onwards.... use the authorizations role values.
Hope that helps,
Julius