Authorizations, many roles
Hello!
I have the following issue.
I have many departments in my project.
All the departments are authorized to do the same things, but ONLY for their own department.
Is there any way NOT to create one role per department ?
THANK YOU!
Hi
I have the same problem in my company: not departments, but it has many companies within it. Because of this we have created Master & Derived roles & set them up using Org levels.
In your case you can create a Master role & derive as many roles as the no. of depts.
Adv: In case you need to change (add/del/chng a t-code) all these roles, you only need to do it on the Master role & re-generate. This will reflect on all derived roles. You need not make changes on all 30 roles. This will help you in the long term.
But as far as my understanding, there is no way out but create more roles.
Regards
Puneeth
Similar Messages
-
HOW MANY ROLES ARE ELIGIBLE FOR THE USER
hello gurus,
how many roles can we assign to the user... what is the maximum limit of the roles and profiles for the user.
thanks in advance!
sri
Dear Srinivas,
About roles it's indeed not too easy to tell... just imagine the scenario:
1. The maximum number of profiles is 312 ... (however, due to some known bug the system reads about 300). So, let's say a maximum of 300 profiles can be assigned to a user.
2. Now you can have a single ABAP role, which is generally one-to-one to a profile. So, this theory says if you are only assigning single ABAP roles, you can assign a maximum of 312 (or 300) roles.
3. But, you might also have a Composite ABAP role. A composite ABAP role can have one or more Single/Composite ABAP roles. So, one Composite ABAP role can correspond to any number of profiles, which is determined by the number of individual Single roles under that composite role. So, when you are assigning a Composite ABAP role, you have to take care of the underlying number of profiles and make sure the total does not exceed 312 (or 300 without the note correction).
4. Now, the last part of the complication (and my favourite one). Sometimes, there is an empty role which does not have any ABAP authorization assigned to it. But this type of role is used to map an authorization role in a JAVA system. These roles do not have any profile (as they do not have any ABAP authorization). Now, that brings my confusion... What happens if you assign 300 ABAP profiles via ABAP roles and another 20 empty roles for the JAVA system without a profile? You see my point.
Hope this clarifies a bit
Cheers !!
Satya. -
Deletion of Authorisation object from many roles
Hi Gurus,
How can we delete one customized authorisation object included in many roles at once?
Doing it one by one is a little bit time consuming. Please help me out.
Thanks
Firoz.
> Jurjen Heeck wrote:
> > You can use CATT/eCATT to record the steps and try it out. While recording you can include a step to click the find button and input the authorization object which you want to delete and then delete it.
>
> I do not think ECATT can handle the correct cursor positioning.
>
> My question to the original poster is:
> How many roles are affected? This gives an idea about the amount of investigation which is reasonable to find a workaround.
I believe it can be done with SECATT using the "find button" to locate the auth object thus addressing the cursor positioning but I will NEVER advise or go the SECATT or ECATT script route for regeneration of roles. I just do NOT trust a script to automatically regenerate a role unless they number in the thousands or several hundreds.
To answer your question, I'll do it one at a time. And as Jurjen pointed out, you need to run a query to find out exactly how many roles are affected; you might be pleasantly surprised. Run SE16->AGR_1251 to find out how many auth objects need to be corrected.
Good luck! -
How can I disable POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level
There is a requirement from my client and I propose two methods:
1- Creation of Ztcode ZVL32N and doing the changes at ABAP program level
2- Disablement via Authorization/Role level - but how can I find the auth object/authorization corresponding to the POST GOODS RECEIPT button in VL32N
I think you can make use of SHD0 - Transaction variant to achieve this. You can make it grayed out while recording steps in SHD0.
-
MSS (non-webdynpro) Authorizations and Roles
Do you know the MSS 60.1 business package authorizations and roles that are required for the backend R/3 system? I noticed an SAP note exists for the webdynpro version (#798967) but didn't see a note for the old package.
Umair,
I know this auth object is required for webdynpros in new business package but does it apply for old traditional java MSS package too?
Thanks, John -
Regarding Authorizations and Roles
Hi All,
Can anyone explain to me about Authorizations and Roles, in detail.
regards,
Ali
Links for Learning about Authorizations:
http://help.sap.com/saphelp_nw70/helpdata/en/44/599b3c494d8e15e10000000a114084/frameset.htm
http://help.sap.com/saphelp_bw33/helpdata/en/be/076f3b6c980c3be10000000a11402f/content.htm
http://help.sap.com/bp_biv235/BI_EN/documentation/Authorization_BW_Proj.pdf
http://help.sap.com/saphelp_nw04/helpdata/en/e3/e60138fede083de10000009b38f8cf/frameset.htm
Links to learn about Roles:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
http://www.bwexpertonline.com/archive/Volume_04_(2006)/Issue_10_(Nov_and_Dec)/V4I10A2.cfm?session=
Assign points if helpful,
Venkat -
Authorization or roles assign?
Hi All,
I have installed XI 3.0 on Windows Server 2003, but my users are getting this error and are not able to create a product. It says "You are not authorized to view the requested resource 403 forbidden".
What are all the authorizations and roles I need to set for every user?
Regards,
Rohit
Error: HTTP 403 Forbidden
Description: The server understood the request, but is refusing to fulfill it
Possible Tips:
Path sap/xi/engine not active
HTTP 403 during cache refresh of the adapter framework - Refer SAP Note -751856
Because of Inactive Services in ICF Go to SICF transaction and activate the services. Refer SAP Note -517484
Error in RWB/Message Monitoring- because of J2EE roles Refer SAP Note -796726
Error in SOAP Adapter - "403 Forbidden" from the adapter's servlet. Because of the URL is incorrect or the adapter is not correctly deployed.
From
/people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
Regards,
Prateek -
Authorizations & Business roles for ITSM
Dears,
I would like to ask whoever implemented an ITSM as a service desk for an IT organization, after setting up the Organizational Structure (Organizational Model) and setting up the Organizational Unit (Sold To Part) and Org. Object (Support team):
what is the best approach to give Authorizations & Business roles for :
1) new employee joined the company as an End User (Requester).
2) new employee joined the company as one of the IT Help desk (Dispatcher, Processor....etc.)
Regards,
Yazeed
Hi Shikha,
I hope you are assigning the Role to the Position created in your org model.
That is by navigating through
GO TO-DETAIL OBJECT-ENHANCED DETAIL DESCRIPTION-By creating new infotype for Business Role
here one can assign the Business Role with the position.
In case you are not assigning by above mentioned way. Try to do so. Hope this will help.
Vijayata -
How many roles delta link a particular iview
Dear experts,
Sir, I am creating an iview and I assign this iview to many roles by using delta link.
My problem is: is it possible to find how many roles, with their names, we delta linked to that iview?
please help.............
Hi Mousam,
If you want to know the roles that are connected with a particular iview, open the iview object and then select delta link tracer from the display dropdown > select show delta link dependants radio button and you'll see all the dependant objects.
Regards,
Sen -
Creating Single Role from Many Roles
Hi,
Can we create a single role (not composite) from many roles?? i.e. all the authorisations of n roles being copied into a single new role??
You can create a composite role in PFCG and just include the other roles within it. But there is no functionality to merge roles into one another.
If you need more detail, then I suggest you ask your question in the Security Forum.
Hope that helps.
J. Haynes
Denver CO US -
To make/change easily so many roles & profiles
Hi,
Does anyone know how to make/change easily so many roles & profiles?
Or, what tools are more efficient in this task?
We're required to make hundreds (or thousands...!!) of roles & profiles...
Katsumi Makabe
Hi katsumi,
Read this thread,
Mass creation of roles in ECC 6
Regards
Juan -
Org Level Roles / Authorization Object Roles
Hi board,
I have heard of the concept to use roles with "Organizational Values" only and no other authorization values contained. Similar is the idea to exclude special authorization objects from common roles and combine them in dedicated special ones to prevent accidental "double usage".
The first may help to control the overall number of roles coming up after deriving single/composite roles for many levels.
My questions are:
- Is it technically feasible (for a large-scale company)?
- What is your experience?
- Drawbacks?
Kind regards and many thanks for your help,
Richard
Richard Hösl wrote:
> Hi there,
>
> that was fast, amazing. Thanks a lot and my apologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still tempting due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful.
>
> Given the assumption that it is not a good idea to use "Org Value Roles", are you deriving on composite or on single level?
>
> Kind regards,
>
> Richard
Hi Richard,
It is a very tempting approach, but completely wrecks the standard auth concept and unless you are 100% tight on controlling it, can get very messy.
A good way of looking at it is that you have 2 roles - one contains transactions & the other one a big bucket of authorisations which support those transactions. That bucket invariably contains more authorisations than the transactions require. Given that it is at the authorisation object level that the important security is provided, this method has its drawbacks........
If you have organisational complexity then you should look elsewhere to simplify.
By consolidating your roles (e.g. if we take a risk based design approach, typically around 80% of an accountant's role will be the same anywhere in the business) and building at a higher level, you need to create fewer variants (which you might be able to use derived roles for).
Put the effort in the design stage and it will pay dividends later on down the line.
Building at a higher level than task also forces the business to look at roles and responsibilities and to standardise as much as possible.
Cheers
Alex -
Authorizations in role creation
hi,
Can anybody help me? In which table is the status of maintained, changed, standard available? Suppose when we change the field values of one object, it will be maintained in one table and show the changed and maintained status flags in the display authorizations screen of the role. Help me.
Hi Mukka
Hope it will help you.
Reward if it helps.
In general different users will be given different authorizations based on their role in the orgn.
We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
Use SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
" One statement: only the last ID ... FIELD clause ends with a period.
AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>
  ID <authority field 2> FIELD <field value 2>
  ID <authority field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
  MESSAGE E...
ENDIF.
'S_TRVL_BKS' is an auth. object.
ID 'ACTVT' FIELD '02': in place of 2 you can put 1, 2, 3 for change, create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes to a profile, and that profile is in turn attached to a particular user.
Take the help of the Basis guy and create and use.
Sy-SUBRC values
4   User has no authorization in the SAP System for such an action. If necessary, change the user master record.
8   Too many parameters (fields, values). Maximum allowed is 10.
12  Specified object not maintained in the user master record.
16  No profile entered in the user master record.
24  The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28  Incorrect structure for user master record.
32  Incorrect structure for user master record.
36  Incorrect structure for user master record.
-
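The following is an added example, not code from any of the posts or from SAP: a simplified Python model of how an AUTHORITY-CHECK is evaluated against a user's authorizations, combined with the master/derived role idea from the first thread. The object Z_DEPT_DOC, the field DEPT and the variable $DEPT are constructed names; only return codes 0, 4 and 12 are modelled.

```python
# Simplified model of the AUTHORITY-CHECK semantics (added example).
# Z_DEPT_DOC, DEPT and $DEPT are constructed names, not SAP objects.

def derive_role(master, org_values):
    """Build a derived role: copy the master's authorizations and replace
    the org-level variables listed in org_values with concrete values."""
    return [
        (obj, {field: [org_values.get(v, v) for v in values]
               for field, values in fields.items()})
        for obj, fields in master
    ]


def authority_check(user_auths, obj, **checked):
    """Return a sy-subrc-style code: 0 = authorized, 4 = no matching
    authorization, 12 = object not present in the user's authorizations."""
    candidates = [fields for o, fields in user_auths if o == obj]
    if not candidates:
        return 12
    for fields in candidates:
        # All checked fields must match inside ONE authorization; values
        # from different authorizations are never combined.
        if all("*" in fields.get(f, []) or v in fields.get(f, [])
               for f, v in checked.items()):
            return 0
    return 4


# One master role, maintained once; the department is an org-level variable.
MASTER = [("Z_DEPT_DOC", {"ACTVT": ["02", "03"], "DEPT": ["$DEPT"]})]
SALES = derive_role(MASTER, {"$DEPT": "SALES"})
HR = derive_role(MASTER, {"$DEPT": "HR"})

# A user holding two narrower authorizations for the same object.
MIXED = [("Z_DEPT_DOC", {"ACTVT": ["03"], "DEPT": ["SALES"]}),
         ("Z_DEPT_DOC", {"ACTVT": ["02"], "DEPT": ["HR"]})]

if __name__ == "__main__":
    print(authority_check(SALES, "Z_DEPT_DOC", ACTVT="02", DEPT="SALES"))
    print(authority_check(SALES, "Z_DEPT_DOC", ACTVT="02", DEPT="HR"))
    print(authority_check(MIXED, "Z_DEPT_DOC", ACTVT="02", DEPT="SALES"))
    print(authority_check(SALES, "S_TRVL_BKS", ACTVT="02"))
```

The MIXED case is the one that tends to surprise: the user holds change for HR and display for SALES, yet a change check for SALES still fails.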
Report to check the open authorization in Roles
Hi All,
Is there any standard SAP report or option to find out the list of roles with open authorizations(auth data incomplete) in the R/3 system?
We are on R/3 4.7.
Thanx
Balaji Srinivas
I've found a solution on NetWeaver 2004 which I think does work on 4.7 as well:
Use SE16 to get the data from tables AGR_1251 and AGR_1252 with the following selection criteria:
For the "LOW" field open the selection subscreen, go to "exclude ranges" and in the lower limit you enter "#!" where the exclamation mark is the lowest in the ascii range (character 33) and the hash is there to escape any special meaning so SE16 will accept it. In the "upper limit" enter "ÿ", character 255. Now you've told the system not to return any row with a valid ascii character in the "LOW" field for the objects.
You may want to filter for "DELETED" <> "X" as well in AGR_1251.
Hope this helps
Jurjen -
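As an added example (not part of the original posts), the two AGR_1251 checks discussed on this page can also be run offline on a table download: which roles still contain a given authorization object, and which roles have fields with an empty LOW value. The CSV layout and all role and object names below are constructed; the column names follow the AGR_1251 fields.

```python
import csv
import io
from collections import defaultdict

# Constructed rows shaped like an SE16 download of AGR_1251 (CSV layout assumed).
SAMPLE_EXPORT = """\
AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_SALES_CLERK,Z_DEPT_DOC,ACTVT,02,,
Z_SALES_CLERK,Z_DEPT_DOC,ZDEPT,,,
Z_HR_CLERK,Z_DEPT_DOC,ACTVT,03,,
Z_HR_CLERK,Z_DEPT_DOC,ZDEPT,HR,,
Z_HR_CLERK,Z_OLD_OBJ,ACTVT,,,X
Z_FI_CLERK,Z_OLD_OBJ,ACTVT,03,,
"""


def load_rows(text):
    """Parse the export and drop entries flagged DELETED = 'X'."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if (r["DELETED"] or "").strip().upper() != "X"]


def roles_with_object(rows, auth_object):
    """Roles that still contain the given authorization object."""
    return sorted({r["AGR_NAME"] for r in rows if r["OBJECT"] == auth_object})


def open_fields_by_role(rows):
    """Map role -> [(object, field)] where LOW is empty (open authorization)."""
    result = defaultdict(list)
    for r in rows:
        if not (r["LOW"] or "").strip():
            result[r["AGR_NAME"]].append((r["OBJECT"], r["FIELD"]))
    return dict(result)


if __name__ == "__main__":
    rows = load_rows(SAMPLE_EXPORT)
    print(roles_with_object(rows, "Z_OLD_OBJ"))
    for role, fields in open_fields_by_role(rows).items():
        print(role, fields)
```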
Check users authorizations and role
Hello!
How can I check the authorizations of
Web Dynpro application users and also his role.
Thanks
rgds
sas
Hi,
Pl go through Following link
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/wd%20java/web%20dynpro%20security.pdf
https://help.sap.com/javadocs/index.html
use the method isMemberOfRole.
Regards
Ayyapparaj