Authorization S_RS_AUTH in role PFCG for Analyzer

Similar Messages

• PFCG - ROLES DEFINITION FOR ABAP TEAM

  Dear SAP Professionals,
  I would like to know your thoughts, ideas, templates and resources, on authorization objects and roles we should define and / or create in the company for ABAP development team.
  Also, it will be very valuable being able to receive information about that definition, for BASIS team.
  Look forward for your answer, and if you need further explanation pls feel free to make it.
  Thanks in advance,
  Rodolfo

  The SAP_BC_DWB_WBDISPLAY is ABAP display only I think (pls correct me if I'm wrong) and this will give to little authorizations to display in production for them.
  We used the display roles in production that we have created per module (FI, MM, et cetera). and assigned them to one composite display role.
  The template roles can be a good start for the non production systems, but in our case they where to limited and they needed more authorizations, also for the functional modules. So we ended up creating a new developer composite role that was a combination of the basic ABAPdeveloper role with additional functional roles.
  The result is that they have many authorizations in the non production system and  additional compensenating controls where needed to minimize the risk. The good thing is that they don't need critical authorizations in the production system and we can monitor the usage of the firefighter use in the production system.

• Authorization Object for role creation for query display?

  Hi,
  Can Anybody here tell me what is the Authorization object that we use for role creation for query display?
  I want to assign a role to the newly designed query! that query does not have any role so far!
  Pls suggest me
  Thanks,
  Ravi

  Hi,
  I could make the authorization tab green by entering the authorization object!
  But user tab still remains red as it is not allowing me to enter my username in the user tab!
  in the user tab  i am unable to enter my user name?
  Any suggestions?
  Thanks,
  Ravi

• Authorization Object And Roles For  Functional Consultant

  Dear Expert,
  What kind of respective Authorization Object And Roles would be provided to  Functional Consultant (FI,MM, SD, PM, PS, CO, HR )at the time of implementation ?
  Thanx in advance
  Pavel

  Thanks Juan,
  We now already have it here and in the NW IDM forum a few times as well...
  Cheers,
  Julius

• No Authorization to change Purchase Order for Professional Purchaser

  Hi Experts, I am facing the following issue,
  System Info :
  SRM 5.0
  ECC 6.0
  IE 6.0
  I logged in as the professional Purchaser in to My SAP SRM browser and when I try to change a Direct material purchase order, I get the following message:
  No Authorization to change Purchase Order xxxxxxxxxxx.
  Here is my sequence of operations:
  Logged in as Proff Purchaser, selected the process purchase order link, then selected the purchase order from  the worklist and click on the change icon.
  Please let me know if need to customize any settings.
  Thanks in advance,
  Raj

  hi,
     In trascn PFCG,for the role of Startegic purchaser,under the Personalization tab,set the attribute  BBP_WFL_SECURITY to '4'.Also,check the authorisation data for the Strategic purchaser role.
  HTH.
  BR,
  Disha.
  Pls reward points for useful answers.

• Authorization issues after generating PFCG profile using CRMD_UI_ROLE_PREPA

  Dear expert
  We create a navigation bar profile and a business role. Then, we generated a PFCG profile for this business role to gather all the authorization object required to meet the functionality provided in this business role. For that, we used the program CRMD_UI_ROLE_PREPARE and then, imported file in our PFCG profile.
  But after assigning the user to this business role and PFCG profile, we still have authorization issues. For example, the result lists are not displayed.
  The kind of error we get is:
  +Cannot display view BP_CONT/ContactDetails
  An exception has occurred Exception Class  CX_BSP_DLC_CONFIG_GENERAL_ERR - Error creating configuration model 
  Method:  CL_BSP_DLC_VIEW_DESCRIPTOR=>LOAD_APPL_MODEL 
  Source Text Row:  14
  Cannot display view BP_ADDR/StandardAddress
  An exception has occurred Exception Class  CX_BSP_DLC_CONFIG_GENERAL_ERR - Error creating configuration model 
  Method:  CL_BSP_DLC_VIEW_DESCRIPTOR=>LOAD_APPL_MODEL 
  Source Text Row:  14 +
  Thanks in advance for your help
  Best regards
  Stephanie

  Hi,
  It is not a short dump but an exception raised in the new UI:
  Cannot display view BP_CONT/ContactDetails
  An exception has occurred Exception Class CX_BSP_DLC_CONFIG_GENERAL_ERR - Error creating configuration model
  Method: CL_BSP_DLC_VIEW_DESCRIPTOR=>LOAD_APPL_MODEL
  Source Text Row: 14
  Stephanie
  Edited by: Stephanie Blouin on Oct 23, 2008 7:48 AM

• Authorization Object inative in PFCG

  Hi,
  We created an authorization object for a Z BSP application that is used in htm page.
  When I try to create a role allowing that authorization object in PFCG, auth. object remains inactive and there is no possibility to active it.
  Does anyone knows how I can activate this object ?
  Many thanks.

  I was having the same problem. I was adding an auth object S_ASAPIA of class BC_Z to role (both manually or via Selection Criteria, the authorization is in the selection criteria list) but for some reason I could not make it active, the authorization is brought into the role as inactive. After some digging I realized the problem by looking up the authorization object in SU03. When I tried to check for authorizations associated with the authorization object in SU03 I got an error message:
  No fields have been maintained for this object
  Message no. 01231
  Checking table TOBJ I realized that this is not the only such problem:
  Here are 4 objects in my ECC system that have the same problem. ([ObjectID] [Object Class ID])
  K_ORGUNIT     CO
  S_ASAPIA     BC_Z
  S_RS_PPMAD     RS
  ZSTAT     BC_A
  I found these auth objects by searching for blanks in the field FIEL1 in table TOBJ.
  By the way I also found a number of objects that were not assigned to a valid Authorization Object Class. PFCG will not allow you to add these objects at all, even though they do exist in table TOBJ. ([ObjectID] [Object Class ID])
  CRMCONFMOD     CRM
  CRM_WSC     CRM
  CRM_WST     CRM
  PLM_LAYOUT     PLMB
  RSCRMBUPA     RSAN
  RSCRMEXTR     RSAN
  RSCRM_TG     RSAN
  RSDMEENGIN     RSAN
  RSDMEMBW     RSAN
  RSDMEMODEL     RSAN
  S_ESH_T_BG     TST
  S_ESH_T_MT     TST
  S_ESH_T_PR     TST
  I found these objects by copying all the classes in table TOBC and filtering out all the records in table TOBJ using exclude values in the field OCLSS. The resulting list is those objects not assigned to a valid object class.
  Note that most of this data was SAP delivered.
  Hope this helps to answer this Q.

• Making existing roles watertight for HR data

  Hello,
  I hope to get nudged in the right direction in here. I already descended pretty much to the end of my rope and ... well ... I need some more rope
  The situation is like this - I inherited everything that has to do with maintenance of authorizations on our system half a year ago, the guy that did that before me is no longer in the company (so there's no use in asking what he was thinking (if anything) when he was putting the roles together). Documentation is scarce/non-existing. When it exists it's usually not up to date. I'm not exactly a newbie in authorizations field, but at the same time I'm not really that far away from being a newbie yet, so I'm not beyond listening to basics being pointed out to me.
  <u>The Utopia</u>:
  There are five single roles built for all users of our system (say R1, R2, ... , R5). They're supposed to build on one another, R1 being the basic role, R2 having a couple more authorizations than R1, and so on until R5 which is the role that also has all HR authorizations.
  <u>The Reality</u>:
  The roles have been designed in a hurry and from the top down starting with the sap_all profile and removing some (or most of the) CA, BC and HR authorizations. They were not properly tested. They do not derive from one another in any way ... R2 for example is a complete copy of R1 with some additional objects and values, same for all the others. Every problem needed to be fixed five times, once for every role. That of course resulted in chaos, things got changed just in one place and the basic role suddenly got more powerful than all the rest. These roles are in use in the production system and there are no plans to substitute them with something better in the very near future.
  <u>The Problem</u>:
  Suddenly (yeah, right ) the need arose to have these roles watertight with regard to HR data. I did some rudimentary testing and sure enough they're nowhere near watertight even for the most common HR transactions. There are ranges defined in S_TCODE for which I have no idea why they are as they are, there was access to SA38 given where SAP HR programs with no authorization group (and no transaction code) assigned could be run by everyone ... there's god knows how many other security holes. The only help I got from the HR consultants was the list of all 2000 or so HR transactions (taken from the SAP menu tree) which shouldn't be accessible to a normal user. I suspect I might be in need of a typing monkey to check them all five times
  <u>Question</u>:
  How do I close as many security holes in these roles as possible? What's the strategy when dealing with such tasks? I've made it clear to the management that we probably won't have watertight roles if we don't create new ones, but making a set of new roles created properly from the bottom up is out of the question at this moment.
  I'd be extremely grateful for any advice or if anyone could point me to any kind of documentation about making roles like ours more secure for protecting HR data (and also keeping the users away from any BC stuff).
  In the meantime, I'm off to searching through the archives of the forum.
  ursa

  Mopping the floor with the water running is a spot on description
  Actually we're in the process of setting up new and improved authorizations but (of course!) the testing phase turned out to be much more time consuming than anticipated. No surprise to me, however someone obviously thought authorizations are a matter of defining roles and their menus and the system does everything else by itself. Riiight.
  What I did so far - first I educated myself on the specifics of HR authorizations. I never had to deal with those before, so (for example) it was a surprise to me that there's actually a separate SAP course dealing with HR authorizations Then I compared the existing roles to each other like you suggested and figured out a way that allowed me to do all the modifications with least amount of work. I cleaned most of the infotypes out of P_ORGIN and (to cover my behind), adjusted the ranges in S_TCODE to exclude the 2000 HR transactions our HR consultant listed for me.
  Most importantly - I made it clear to the guys above me, that with the roles we use I can't guarantee HR data to be inaccessible for people who should stay away from it. So ... back to the testing of the new authorizations
  Thanks for your help! It always makes a huge difference to get something like a second opinion when one can't decide if left is better than right or if it's the other way around.
  ursa

• Roles required for BPM operation

  Hi Everyone,
  Any idea what roles are required for the user used in receiver SOAP channel for accessing NWBPMs deployed on Java AS(Marked in Red)?
  I have already tried below :
  http://scn.sap.com/community/process-orchestration/blog/2012/06/12/ume-role-required-for-netweaver-bpm-development-and-testing
  https://help.sap.com/saphelp_nwce72/helpdata/en/45/d7d0e08a164c5e87e4604ba89c632a/frameset.htm
  With these roles it doesn’t work. I consistently get 403 forbidden error i.e. not sufficient authorization.
  Even tried roles like : SAP_BPM_SuperAdmin, SAP_BPM_TRIGGER_EVENT but same result.
  Only with full admin rights it works. Appreciate some inputs incase anybody has worked on this?
  Thanks,
  Sharanya

  Hi Sharanya,
  Have you checked the point 3 in this wiki PI Messages are not delivered to SAP NetWeaver BPM - Technology Troubleshooting Guide - SCN Wiki?
  Regards.

• Regarding Authorization policy and Roles in OIM 11g

  Hi,
  In OIM 11g Admin interface, is there a way to find out what all authorization polices, a role has been assigned to ?.
  I am asking this because, if you search for a user, you will know what all roles he is a member of, and similarly if you search for a role, you will know who all users are members of that role.
  Similarly, if you search for a Authorization policy, you will know what are roles are assigned to this policy. But if I search for a role, I am not able to find what all authorization policies has been assigned to this role.
  Looking forward to hearing from you,
  Many thanks in advance

  I understand your concern. But, this feature has not been available
  --nayan                                                                                                                                                                                   

• Role Menu for ESS (WDA) in SAP NWBC

  Dear experts,
  I am implementing ESS&MSS using SAP NWBC. For this use the following documentation:
  Configuration of the Role Menu for ESS (WDA) in SAP NWBC - SAP Documentation
  SAP delivers the composite role SAP_EMPLOYEE_ESS_WDA_2.
  1. Call up transaction PFCG and create or copy your customer-specific role based on the standard shipped composite role for ESS (WDA), SAP_EMPLOYEE_ESS_WDA_2 in the customer name space (Z_*.
  I have copied this role with the singles roles
  My first question: Should modify my composite role for add a new folder that content two applications WDA customer or this should do it in the single role ? How Can do it?
  My second question:
  What I dont can display the folder in top screen "Employee Self-Service"---"Employee Self-Service XX"---"Employee Self-Service2"(See Image leff)
  Thanks

  Hi Armin,
  For NWBC you must place transactions under the second folder down (or at least this is how its works for NWBC for ERP roles). Standard NWBC roles have 'Role menu' as top folder and then (generally) one main folder under that - like 'Purchasing'. Transactions should go under this folder or under subsequent sub-folder.
  There are additional parameters using right click 'Details for Net Weaver Business Client' under PFCG also - but assume your documentation has explained this to you.
  Regards,
  Craig

• Can anyone help me understanding the links between Launchpad roles, PFCG roles, and portal roles!?!

  Hi experts,
  I am looking at the newer EhP5 and EhP6 functionality for ESS and MSS, specifically the WD ABAP portal applications.  I've turned on all the business functions and services I think our team wants, however I'm confused on how to move forward in using them.  For a little tech info, we are on EhP6 for the backend, but our portal is 7.02.
  My first step was to assign the com.sap.pct.erp.ess.wda.Employee_Self_Service_WDA portal role to our test ESS user group in our sandbox environment.  The ESS user got a new ESS tab in the portal and it's linked to the Launchpad role ESS, Instance MENU.  I'm comfortable with ESS at this point, still need to learn more about customizing the menu for different employee groups without creating additional Launchpad or SAP roles.
  Question 1: Correct me if I'm wrong, but is the Launchpad roll ESS, instance menu linked to the PFCG role SAP_EMPLOYEE_ESS_WDA_2?
  Next, I was looking to see if there was a similar portal role for MSS, but it seems I can't find one.  I implemented the MSS Addon 1.0 for ABAP and the portal and got a new MSS portal addon role, but it doesn't seem to be connected to any MSS Launchpad role.
  Question 2: Is there a portal role to assign to users/groups that is linked to one of the MSS Launchpad roles? If yes, what business function or service is it a part of?
  I'd like to use of the existing MSS Launchpad role to test some of the new portal functionality, but I'm not sure how to do it.
  Question 3: How is a Launchpad role assigned to a SAP role in PFCG?  Anyone have some documentation they can point me too?
  Kind regards,
  Garrett Meredith

  Thank you Samuli, this was very helpful in connecting many of the pieces.
  For now I have a very good understanding of how the new ESS is controlled and modified.
  It appears that FPM_LAUNCHPAD_UIBB could be used to develop a similar component to call a custom launchpad role for MSS containing a customized list of WDA applications.
  Is a MSS Launchpad a good way to pursue since we use a SAP enterprise portal?
  I found a PAOC_MSS package containing other MSS embedded packages.
  Could I use one of the embedded packages in there and by creating a Component configuration in the FPM_LAUNCHPAD_UIBB for one of the MSS WD applications?
  Based on the documentation link above, PFCG roles are for NWBC HTML or Desktop versions.
  Kind regards,
  Garrett

• Role Creation for CMS

  Hi Steve,
  We use ant scripts to create domain and assign roles. But some how the scripts for role is incomplete.
  Can you let me know, where the roles like 'Anonymous' and others should be specified in newly created domain. I mean where do we assign roles and privileges inside domain folders?
  Cheers,
  Lakshmi

  Hi
  > i need to create a ROLE only for  Plant Maintenence (only Plant maintenence  authorization).......
  Search the roles for this module & make copy of this roles to zroles.After the zrole was created assign this new roles to that user.
  Search the role by writing plant,maint & check which are related to plant maintenence & copy that role.
  Again check all the transaction which are going to use in the module PM.Create a new role & assign this transaction in this role.this is another way to create the user with authorization only for PM.
  For more details about PM modules transaction check the following link
  http://www.sap-img.com/sap-pm.htm

• Role creation for Plant maintenence

  Hi Folks ,
  i need to create a ROLE only for  Plant Maintenence (only Plant maintenence  authorization).......
  regards
  sathish

  Hi
  > i need to create a ROLE only for  Plant Maintenence (only Plant maintenence  authorization).......
  Search the roles for this module & make copy of this roles to zroles.After the zrole was created assign this new roles to that user.
  Search the role by writing plant,maint & check which are related to plant maintenence & copy that role.
  Again check all the transaction which are going to use in the module PM.Create a new role & assign this transaction in this role.this is another way to create the user with authorization only for PM.
  For more details about PM modules transaction check the following link
  http://www.sap-img.com/sap-pm.htm

• Are Pre-defined roles available for Customizing Synchronization?

  Hello Guys,
  In the SAP Help for Solution Manager: <<http://help.sap.com/saphelp_sm40/helpdata/en/48/647e3ddf01910fe10000000a114084/content.htm>>
  it's mentioned that certain authorizations needs to be given for the involved people (admin & customizer), in both the SOLMAN & the component systems.
  Also, its said that the role Application Consultant has all authorizations which are needed to set-up the Customizing Distribution in the SAP Solution Manager system & the authorization profile S_CUS_CMP can be used in the component systems.
  But the AC role "SAP_SOL_AC_COMP" & "S_CUS_CMP" profile donot have all the necessary authorizations specified.
  E.g: Role SAP_SOL_AC_COMP doesnot have project creation authority, whereas S_CUS_CMP has only some authorizations.
  So my question is:
  Along with these two, are there any other roles/profiles which complete the gaps & are readily available for usage ?
  Last option would be to manually create & include the mentioned auth. objects.
  Thanks & Regards
  Chaitu

  Hello Chait,
  Regarding your two questions:
  1) There are seperate roles available for customizing purposes, please check note 803142 <i>Roles for satellite systems</i>. The note administration list an xls with the respective roles for customizing distribution and comparison, namely
  SAP_BC_CUS_ADMIN
  SAP_BC_CUS_CUSTOMIZER
  S_CUS_CMP
  2) What I can recommend is the quick reference for setting up Customizing Distribution which is also part of the help documentation
  http://help.sap.com/saphelp_sm40/helpdata/en/c4/533d4050d89523e10000000a1550b0/content.htm
  Regards,
  Doreen