Authorization, roles, profiles

I want to know how authorizations, roles and profiles are created,
and the hierarchy of the above 3 (authorization, roles, profiles).
Can anyone help me in getting the documents?

Hi,
The commonly used t-code for the above is
PFCG to create the role. Here we can also assign the role to a user.
You can see the same in the SU01 t-code.
In PFCG we create the role and it will ask for a profile name.
Basically it contains the authorization object.
In BW we had the RSSM t-code; now we have RSECADMIN in BI.
RSECADMIN is basically used to create the auth object.
For example: if you want to restrict the user to seeing their
company code data, then you need to create an auth object for company code
and give access to the user according to their requirement, i.e.
you need to add this auth object to their respective role.
Thanks,
Saveen Kumar
Edited by: saveen kumar on Jan 10, 2011 7:47 AM
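
The hierarchy asked about above (user, role, generated profile, authorization on an object), modelled as an added Python example; it is not SAP code and not from any poster in this thread. The role names and sample values are constructed; the object and field names S_USER_AGR, ACT_GROUP, ACTVT and S_TCODE are the ones quoted elsewhere on this page, and TCD is the field of S_TCODE.

```python
from dataclasses import dataclass, field


def value_matches(allowed, value):
    """One allowed entry: exact value, 'Z*'-style prefix pattern, or (low, high) range."""
    if isinstance(allowed, tuple):
        low, high = allowed
        return low <= value <= high
    if allowed.endswith("*"):
        return value.startswith(allowed[:-1])
    return allowed == value


@dataclass
class Authorization:
    obj: str       # authorization object, e.g. S_USER_AGR
    values: dict   # field name -> list of allowed entries

    def permits(self, obj, wanted):
        # All checked fields must match inside this ONE authorization (logical AND).
        return obj == self.obj and all(
            any(value_matches(a, v) for a in self.values.get(f, []))
            for f, v in wanted.items()
        )


@dataclass
class Role:
    name: str
    menu: list = field(default_factory=list)            # transaction codes in the role menu
    authorizations: list = field(default_factory=list)  # authorization data maintained in the role
    children: list = field(default_factory=list)        # single roles of a composite role
    profile: list = None                                # None until the profile is generated

    def generate_profile(self):
        # The menu becomes an S_TCODE authorization; the rest is copied as maintained.
        start = [Authorization("S_TCODE", {"TCD": list(self.menu)})] if self.menu else []
        self.profile = start + list(self.authorizations)

    def effective(self):
        found = list(self.profile or [])   # an ungenerated role contributes nothing
        for child in self.children:
            found.extend(child.effective())
        return found


def authority_check(user_roles, obj, **wanted):
    """True if any single authorization in the user's profiles permits the check (OR)."""
    return any(a.permits(obj, wanted)
               for role in user_roles for a in role.effective())


def build_demo_roles():
    # Constructed sample data; the role names are hypothetical.
    display = Role("Z_BEX_DISPLAY", menu=["RSECADMIN"], authorizations=[
        Authorization("S_USER_AGR", {"ACT_GROUP": ["Z_BEX*"], "ACTVT": ["03"]}),
    ])
    maintain = Role("Z_FI_ROLE_ADMIN", menu=["PFCG"], authorizations=[
        Authorization("S_USER_AGR", {"ACT_GROUP": ["Z_FI*"], "ACTVT": ["01", "02", "03"]}),
    ])
    composite = Role("Z_COMPOSITE", children=[display, maintain])
    return display, maintain, composite


if __name__ == "__main__":
    display, maintain, composite = build_demo_roles()
    check = dict(ACT_GROUP="Z_BEX_DISPLAY", ACTVT="03")
    print("before generation:", authority_check([composite], "S_USER_AGR", **check))
    display.generate_profile()
    maintain.generate_profile()
    print("after generation: ", authority_check([composite], "S_USER_AGR", **check))
    # Z_BEX* and ACTVT 02 both occur, but in different authorizations: no match.
    print("change Z_BEX role:", authority_check([composite], "S_USER_AGR",
                                                ACT_GROUP="Z_BEX_DISPLAY", ACTVT="02"))
```

Field values are combined only within one authorization, so a user holding display on Z_BEX* and change on Z_FI* does not get change on a Z_BEX role.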

Similar Messages

  • How to upload authorization role & profile to PFCG

    I have downloaded the authorization role & profile from PFCG at client 100.
    How to upload the authorization role & profile to SAP client 200?

    Check with your Basis guys once.
    Generally it will be done by them, so check with them once.

  • Structural authorization : role, profile, user group

    Dear All,
    I am working in OM in Structural authorization. Can anyone tell me the difference among roles, profile, user group?
    I am mainly concerned with roles and profiles. What exactly is a role and what is a profile?
    Please give me a practical example.
    Regards,
    Kumar

    Hi kumar,
    Roles: It is divided into single role and composite role. It is used to maintain your list of allowed transactions and reports as a menu. Once you assign this role to the user, he/she can access only those transactions that you maintained in the menu.
    Profile: It is based on the authorization object. Unless and until you generate the profile, the system will not consider the authorization for the assigned menu. You can provide the authorization based on various objects like infotype, transaction code, master record, org key, ...
    User Group: Used to set the unique set of rules for the specific user: how the system should react in case of a specific user group.
    Good Luck
    Om
    Reward it if you feel it is helpful.

  • Analysis Authorization (Role, Profile and Direct Assignments)

    Analysis Authorization Question:
    1) In the BW 3.x environment, customers have used the Role Maintenance process to assign proper object-level security and then assign it to the users.
    2) In most places the R/3 security team takes over the support/administration function of BI security, and they continue to use the Role method to assign "Reporting Authorizations" as per the process defined in the BW 3.x system.
    3) Customers sometimes have 100+ roles to hold 3.x "Reporting Authorizations". This is managed, assigned and approved using the role concept.

    Migration Options:
    1) The new Analysis Authorization makes the process of Role Maintenance like the "hierarchy authorizations" of BW 3.x. You have to create values in other transactions and assign them in the role as a pointer or link object. With the Analysis Authorization concept, the actual value of the object assigned, like "Company code 1100", is not visible in the Role Maintenance PFCG transactions. It is only visible in transaction code RSECADMIN.
    2) The Analysis Migration Tool, RSEC_MIGRATION, does not update "ROLES". It creates or changes "PROFILES".
    3) Profiles are assigned to the users, and roles do not reflect any impact of the Analysis Authorization migration.

    Questions
    a) This means customers need to update all the roles by hand if they want to use roles to manage the assignment of security to users. The Migration Tool does not update roles; it only updates PROFILES.
    b) Does anyone use direct assignment to users? Is it good business practice?
    c) Are profiles the recommended method of authorization maintenance?
    d) Can we run the migration tool to create Analysis Authorizations, but not assign them to the users as a profile, and stop at creating the Analysis Authorizations? If the customer wants to use the Roles maintenance process, they then do not have to delete profile assignments from all users before updating roles using Analysis Authorizations.
    Just want to check how other folks have done a migration that can be supported going forward.
    Pankaj Gupta

    Hey Pankaj,
    In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
    Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
    RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

  • After BI 7.0 Upgrade, Authorization Roles and profiles are not visible

    Hi Gurus,
    We have an issue where authorization roles and profiles are not visible for all end users with the new BEx Analyzer (BI 7.0) tool. But they can still see these roles with the old BEx Analyzer (BEx 3.5) tool.
    As a developer I have SAP_ALL access and I can see all authorization roles in the new BEx Analyzer (BI 7.0).
    I verified user access in SU01; all users are assigned their roles and they are green.
    Do we need to add any new authorization object to fix this issue? Please let me know.
    Thanks, and I appreciate your help.
    Thanks
    Ganesh Reddy.
    Edited by: Ganesh Reddy on Oct 26, 2009 4:41 PM

    Hi Ganesh,
    check the behaviour, if you assign
    S_USER_AGR                          
       ACT_GROUP = "..name of the assigned role.."
       ACTVT = 03 (for "display")    
    b.rgds,
    Bernhard

  • List roles/profiles/authorizations for end user

    HI All
    Can anyone please give the list roles/profiles/authorizations
    that needs to be added to our end user id so as to view
    (Only Display) all the BEx Reports.
    Points assured
    Thanks
    Vijaya

    Hi Vijaya,
    Go through this link:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a07122ae-8216-2a10-c9a5-996717a0648b
    Thanks,
    Ajay

  • BADI or User Exit for role/profile assignment SU01/PFCG

    Hi ABAP gurus,
    I need a way, a BADI or user exit, to do some verifications on a role or a profile before it is assigned in the t-codes SU01 and PFCG.
    These verifications prevent the assignment of critical roles, transactions or access to tables.
    Any information about this topic would be very helpful...
    thanks...

    Hi RAFAEL ,
    Only one exit is available for t-code SU01. No exits are available for PFCG.
    Enhancement     SUSR0001     User exit after logon to SAP System                    
    For SU01 we can check the profile assignment  in program MS01CU10 and some AUTHORITY-CHECK:
    AuthCheck     MS01CC10     S_DEVELOP     AUTHORITY-CHECK     ABAP Workbench                    
    AuthCheck     MS01CU10     S_TCODE     AUTHORITY-CHECK     Transaction Code Check at Transaction Start                    
    AuthCheck     MS01CC10     S_USER_AUT     AUTHORITY-CHECK     User Master Maintenance: Authorizations                    
    AuthCheck     MS01CC10     S_USER_GRP     AUTHORITY-CHECK     User Master Maintenance: User Groups                    
    AuthCheck     MS01CC10     S_USER_PRO     AUTHORITY-CHECK     User Master Maintenance: Authorization Profile                    
    AuthCheck     MS01CC10     S_USER_SYS     AUTHORITY-CHECK     User Master Maintenance: System for Central User Maintenance                    
    In the same way PFCG contains some AUTHORITY-CHECK:
    AuthCheck     LSUPRNU18     S_USER_TCD     AUTHORITY-CHECK     Authorizations: Transactions in Roles                    
    AuthCheck     LSUPRNU27     S_USER_PRO     AUTHORITY-CHECK     User Master Maintenance: Authorization Profile                    
    AuthCheck     LSUPRNU23     S_TCODE     AUTHORITY-CHECK     Transaction Code Check at Transaction Start                    
    AuthCheck     LPRGN_TREEI0O     S_USER_AGR     AUTHORITY-CHECK     Authorizations: Role Check                    
    I hope this may be helpful.
    Thank you,
    Thanks,
    AMS

  • Roles/Profiles for ALEREMOTE

    hi all,
    Can anyone let me know all the roles/profiles required for the user ALEREMOTE in a production system?
    I understand that the roles sap_all, sap_new, s_bi-wx_rfc and s_bi-whm_rfc can be used in the development and quality systems, but I am told that the roles SAP_ALL & SAP_NEW are not supposed to be used for ALEREMOTE in production systems, as it would give all authorizations to all the users.
    So, could anyone kindly let me know the various roles/profiles that need to be assigned to the user ALEREMOTE, keeping in mind that SAP_ALL & SAP_NEW are not allowed and at the same time all the transactions w.r.t. BW 3.5 should go through successfully?
    Kindly revert back at the earliest, as we are in the process of going to BW production.
    Thanks & Regards
    Manicks

    hi Manicks,
    check oss note 150315-BW-Authorizations for Remote-User in BW and OLTP. hope this helps.
    Symptom
    1) The ALE user fails security in the BW side
    2) Missing authorizations when executing Customizing of extractors
    3) No IDocs could be sent to the SAP-BW using RFC.
    4) Automatic source system connection fails with error R3220: No RFC-Parameters in source system defined
    5) When collecting content in BW, warning message RSAOLTP035 comes up
    Other terms
    Authorizations, SAP_ALL, S_BI-WX_RFC, S_BI-WHM_RFC, S_RS_ALL, ALEREMOTE, BWREMOTE, RSAOLTP 553, RSAOLTP553
    Reason and Prerequisites
    a) In the BW there exist two users:
       i)  a human administrator, using S_RS_ALL
       ii) a user called BWREMOTE (or similar), used to receive the data from the OLTP, using S_BI-WHM_RFC
    b) In the OLTP there also exist two users:
       i)  a human administrator, needing authorizations to create users and RFC-destinations.
       ii) a user called ALEREMOTE (or similar), used to ...
           1) ... connect the OLTP to the BW
           2) ... extract the data
           3) ... send the data to the BW
           4) ... show monitoring dialogs for tasks 1 to 4, the profile S_BI-WX_RFC is used (however does not suffice on some points since some authorizations are missing in the delivered profile)
           5) ... make customizing of OLTP extractors
           for this, additionally the authorizations to execute IMG-functionality, to execute Transaction SBIW and to maintain the applications, which shall be customized, must be given while the customizing functionality is used.
    Solution
    1) The profile S_RS_ALL resp. S_BI-WHM_RFC must contain (at least) the following authorizations:
    Profile
    2) The referred functionality is b) i) 5), thus
       the authorizations to execute IMG-functionality,
       to execute Transaction SBIW and to
       maintain the applications, which shall be customized,
       must be temporarily given to ALEREMOTE, if you want to execute the
       functionality from BW-side. The permissions for executing the
       customizing are not included in the profile S_BI-WX_RFC, since
       this is a critical functionality.
       However there is the possibility to execute the customizing
       in the OLTP by a human administrator by hand, using Transaction
       SBIW.
    3), 4) For sending the Idocs and reading RFC-destinations
       the profile S_BI-WX_RFC is incomplete.
       Please check, if the following authorizations are included:
    Profile
      ---   S_BI-WX_RFC  <PRO> Business Information Warehouse, RFC User
    --   B_ALE_ALL    <PRO> All authorizations for ALE/EDI
    --   S_APPL_LOG_A <PRO> Application log: All
    --   S_BTCH_ADM   <PRO> BC: Batch - Processing authorization
    --   S_BW_RFC     <PRO> BW: Authorization Profile: Other
    --   See above, same sub-profile as in S_BI-WHM_RFC
          ---   S_IDOC_ALL   <PRO> All authorizations for IDoc functions
    - BW AddOn BW-BCT 1.2B:
    These authorizations have been delivered with BW AddOn Patch 2 (see 158489 for the AddOn Patch information), except release 45B. For 45B, the authorizations are delivered with BW AddOn Patch 1.
    - PI2000.1:
    For 4.6B and 4.6C due to delivery errors, this profile also is incorrect. Please transport it from the BW into the Oltp (it is the same in any system and release).
    - PI2000.2:
    For 4.6C due to delivery errors, this profile also is incorrect.
    Please transport it from the BW into the OLTP (it is the same
    in any system and release).
    - PI2001.2:
    For 4.6C due to delivery errors, this profile also is incorrect.
    Please transport it from the BW into the OLTP (it is the same in any system and release).
    Alternatively, import the sapserv* transport BRSK002208 under the directory
    general\R3server\abap\note.0150315 into your OLTP-System.
    For help on the sapserv* transport refer to Note 13719.
    5) If you have PI-Basis 2005.1 in your source system, you need to attach role SAP_RO_BCTRA to your user in the source system. Otherwise, the functionality mentioned in the message is not available. The system continues to function as before, you may ignore the warning.

  • Standard authorization role for CRM implementation team member

    Hello,
    We are starting an SAP CRM implementation project (7.0) and I would like to avoid giving sap_all authorizations to functional consultants in the development environment. Unfortunately I can't find standard customizer profiles like the ones that exist in the ERP system.
    So the objective is to have quite a broad role or profile with no restrictions in customization and functional area. However, it's important not to have Basis authorizations in this role/profile. Hope that someone can give me a hint in this direction.
    Thank you,
    Jahoo

    Hi,
    as soon as the implementation team member should also do developments my experience is that without SAP_ALL you will have much trouble. Therefore in our dev-system each consultant will have SAP_ALL authorization. Of course only in the DEV-System.
    Kind regards
    Manfred

  • How to add profiles to critical roles & profiles table in GRC RAR

    Hello,
    As per Note# 1034117, it says Add "SAP_ALL" type security roles and the SAP profiles, see list below for profiles, to the Critical Roles and Critical Profiles table.
    SAP_ALL All Authorizations For The SAP System
    SAP_NEW All Authorizations For Newly Created Objects
    S_A.ADMIN Basis Operator
    How do we add the profiles, to the Critical Roles and Critical Profiles table in RAR.
    Thanks,

    Hi,
    I configured the critical roles & profiles in rule architect.
    But when I schedule the background job for batch risk analysis, it is taking all the users, roles & profiles.
    Is there a way to exclude users, roles & profiles? (I have already configured the excluded users, roles and profiles in exclude option), but still when I schedule the background job and say show parameter, it shows the User Range as '*'. It is not showing the excluded users.
    Can you please update how to exclude the list of users, from the batch risk analysis?
    Thanks,

  • Role/Profile required with full access but not HR/payroll

    HI,
    We are running SAP ECC 6.0 and HR/payroll is also live. A few members in our functional team need full access. But as per our policies, HR and Payroll access should be there only with the HR team.
    My query is: Is there any role/profile that I can assign to functional team members through which they will have access to all T-codes/programs but NOT those related to HR?

    Hi ,
    BASIS needs to restrict authorizations.
    Object Id : P.
    ...lakhan

  • Authorizations analysis versus Authorizations roles

    Hello All,
    I am trying to understand how to manage BW authorizations in the best way. I'm confused by the analysis authorizations we set up in transaction RSECADMIN and the authorization objects available in authorization roles.
    I have got some questions:
    1-Do we have to use both? My tests show that I have to declare a cube within an analysis authorization using object 0TCAIPROV and I also have to update the role with object S_RS_COMP for RSINFOCUBE.
    2-What is the list of all existing analysis authorization objects?
    Thanks for your help
    Regards
    Catherine

    Hi Catherine,
    1)
    S_RS_COMP gives you the option to only change the object and has nothing to do with reading the data from the InfoProvider. This is maintained by the Basis team for the users to create and do the developments in Business Explorer.
    So if you want a user to work upon a particular InfoCube only, like using that InfoCube to create a query etc. in Business Explorer, then you should give the cube name here.
    Generally it is kept as *.
    You have to maintain the user profile to read the data from the respective cubes.
    This has to be done by creating an authorization object (e.g. ZAUTH1) and providing the values for 0TCAIPROV there.
    No need to add 0TCAIPROV to the cubes.
    Once the authorization object is created you need to assign it to a role and then this role should be assigned to the user.
    2)
    Some are here:
    Authorization for Analysis Process                           RSANPR    
    Data Warehousing Workbench - Objects                         S_RS_ADMWB
    BI Analysis Authorizations in Role                           S_RS_AUTH 
    Business Explorer - BEx Reusable web items (NW 7.0+)         S_RS_BITM 
    Business Explorer - BEx Web Templates (NW 7.0+)              S_RS_BTMP 
    Business Explorer - Components                               S_RS_COMP 
    Business Explorer - Components: Enhancements to the Owner    S_RS_COMP1
    Data Warehousing Workbench - DataSource (Release > BW 3.x)   S_RS_DS   
    Data Warehousing Workbench - Data Transfer Process           S_RS_DTP  
    Data Warehousing Workbench - Hierarchy                       S_RS_HIER 
    Data Warehousing Workbench - InfoCube                        S_RS_ICUBE
    Data Warehousing Workbench - InfoObject Catalog              S_RS_IOBC 
    Data Warehousing Workbench - InfoObject                      S_RS_IOBJ 
    Data Warehousing Workbench  - Maintain Master Data           S_RS_IOMAD
    Data Warehousing Workbench - InfoSet                         S_RS_ISET 
    Data Warehousing Workbench - InfoSource (Release > BW 3.x)   S_RS_ISNEW
    Data Warehousing Workbench - InfoSource (Flexible Update)    S_RS_ISOUR
    Data Warehousing Workbench - InfoSource (Direct Update)      S_RS_ISRCM
    Data Warehousing Workbench - DataStore Object                S_RS_ODSO 
    Data Warehousing Workbench - Open Hub Destination            S_RS_OHDST
    Data Warehousing Workbench - Process Chains                  S_RS_PC   
    Data Warehousing Workbench - Transformation                  S_RS_TR   
    You can find these values in the table
    RSECVAL.
    Thanks
    Ajeet

  • Roles/profiles for IDoc exchange between ECC & PI

    Hi guys,
    I'm using a IDoc->PI->File scenario and otherwise and I need to set up a communication user between ECC and PI for this IDoc exchange, but I don't want to use sap_all. Can you please tell which roles/profile to assign so the IDoc exchange would work?
    Thank you,
    Olian

    http://help.sap.com/saphelp_nw04/helpdata/en/2b/a48f3c685bc358e10000000a11405a/content.htm
    From Note: 837595
    Authorization object S_RFC
    Field name RFC_TYPE value FUGR
    Field name RFC_NAME value EDIMEXT, SDTX
    Field name ACTVT    value 16
    Authorization object S_IDOCDEFT
    Field name ACTVT   value 03
    Field name EDI_CIM value ' '
    Field name EDI_DOC value TXTRAW01
    Field name EDI_TCD value WE30
    Authorization object S_CTS_ADMI
    Field name CTS_ADMFCT  value TABL
    Authorization object S_TABU_DIS
    Field name ACTVT      value 03
    Field name DICBERCLS  value

  • Comparison of analysis authorization roles ?

    Hello Experts,
    I am using BI7.0 new analysis authorization concept.
    I know how to compare pfcg role across systems but does anybody know how we can compare analysis authorization roles across systems?
    Thanks and Regards
    Imran

    Hi,
    Easy comparison of roles (PFUD):
    Many times the Role Comparison (Profile match up) is required after the transport of roles. One usually does it from PFCG for each role individually. For a quick solution to this problem, use transaction code PFUD.
    Please check the below link :
    http://help.sap.com/saphelp_bw21c/helpdata/en/5c/deaa7dd3d411d3970a0000e82de14a/content.htm
    http://help.sap.com/saphelp_nw04/Helpdata/EN/5c/deaa7dd3d411d3970a0000e82de14a/content.htm
    http://help.sap.com/saphelp_nw70/helpdata/EN/c1/db3fc2fd3111d5997a00508b6b8b11/content.htm
    http://help.sap.com/saphelp_mic10/helpdata/en/69/1810a4c51144dc833353183155ec88/content.htm
    Regards
    Sreedhar Reddy

  • Menu vs. Authorization roles

    Dear all,
    I am checking the possibility to separate roles in order I have in one role a menu structure and another associated role for the authorizations.
    I found out 2 standard SAP roles having something similar
    SAP_AUDITOR_BA_FI_APMD
    SAP_AUDITOR_BA_FI_APMD_A
    Checking SAP_AUDITOR_BA_FI_APMD I realize here is a menu structure with "transactions" inside but on the authorization tab there is nothing.
    How could do that if I would like to create my own roles? I mean when I add a transaction on the menu the authorization part will be updated automatically.
    I will appreciate any suggestion to do that.
    Thanks
    FedeX

    Note that PFCG now also offers "Authorization Defaults", which is basically the same thing, but within the same single role. This is a very good thing.
    This gives you the option of pulling proposals from SU24 without them being visible (or executable...) via the menu navigation.
    I agree with you that it is ideal to derive the authority from the menu tab (whether visible or not) and build roles at a higher level, and less of them too.
    But try explain that to an auditor who wants to run a report in his check-list?
    Actually, I heard auditors recently recommending composite roles for this reason to reduce the access of the end users to less profiles...
    Unfortunately they turn up on a Monday morning without invitation and want access... It is more secure to hash up a menu for them and know what access they have behind it (test and transport that one!) than dish out SA33 etc and SE16 etc.
    If they are IT auditors (as is often the case) then they will want to display some development objects. Forget about S_TCODE from that point onwards.... use the authorizations role values.
    Hope that helps,
    Julius
