Authorizations & Roles in ISA
Hi,
FIRST PART - USER ADMINISTRATION
I have a requirement wherein I have to add a new authorization (for providing a "User is approver" role). What are all the necessary things to be done to add a new role/authorization so that it pops up in the role list while creating a new user?
What is to be added in Customizingr3.xml and INITCUST.xml?
Does ISA_USER_CREATE or any other RFC call which is made while creating a user validate these customized roles?
If yes, then I will be thrown some backend exception, which I am anticipating!
If no, what do I need to do, or ask the ABAP folks here to check in the backend, to implement some kind of validation on all the roles that are getting assigned while creating a user?
SECOND PART - B2B Shopping Site
Once a newly created user logs into the Shopping site, from where are these roles/authorizations of that user being accessed?
I mean to say, how can I check for user-specific settings (permissions, auth, role)? Please advise me on the RFC / BusinessObjects used to find user-specific data.
Hi Dev,
We are trying to build a B2B solution using ISA. I may be very dumb in my questions, but please please try to make some point out of my questions.
We are trying to look at all the files under R3 and not using anything from CRM (in terms of folder structure and files from the OOB code of ISA), so I think we are using SAP-ERP as per your previous reply. I hope I make some sense. We are building the application on version 7.0.
Now coming to the procedure of creating a user from User Administration, I do have an idea of what is being mentioned in your steps.
Now in the "Assigned Roles" table displayed in the "Create New User" screen, I need to add a new role (like Can Approve Orders - means user is an approver). Now in order to create a new role with a new description (in addition to Full b2b, view only orders etc.), what are all the necessary things I need to do?
By modifying CustomizingR3.xml and INITCUST.xml, I was able to get another new row for role/description in the "Customizing" link. When I add some new role/description, they get populated in the "create new user" screen. Now when I save all the details assigning the new role, a new user is created with the new role assigned.
But if we observe, Full B2B authorization for instance, when we assign them, in the backend, few sub roles like:
SAP_ISA_B2B_FULL
SAP_ISA_SUB_BILLING_VIEW
SAP_ISA_SUB_CATDISPLAY
SAP_ISA_SUB_CATPRICE
SAP_ISA_SUB_CONTRACT_UI
SAP_ISA_SUB_CUSTOMER_READ
SAP_ISA_SUB_ORDER_MAINTAIN
SAP_ISA_SUB_QUOTATION_UI
SAP_ISA_SUB_QUOT_DISPLAY_UI
SAP_ISA_SUB_RFC
SAP_ISA_SUB_TEMPLATE_MAINTAIN
In similar fashion, I need to create a new authorization SAP_ISA_B2B_APPROVE_ORDERS. So what is all that I need to do? Is just modifying the XMLs, adding this auth in the "customizing" link and assigning it in the create user screen enough?
If this process is enough, then I need to know how we can validate such a new role in the backend when a new user is created. Should I ask the ABAP folks here to create a new auth with the same string and assign some SUB roles which in future will help me authenticate the approval flow?
Finally, how are the roles visible in the frontend during user creation and the roles in the SAP backend validated/mapped against each other?
I have put forward what all i could. Please do guide me.
Thanks,
Abhiram
Similar Messages
-
Required Authorization Role for E-commerce manager
Hi ,
Could you please tell me the required Authorization Role for E-commerce manager and catalog administrator?
Thanks.
Regards,
PV
SAP_CRM_ECO_ISA_WU_B2B_FULL CRM-ECO: ISA Internet User (Full Document Authorization) ISA_B2B_FULL
SAP_CRM_ISA_UA_SUPERUSER Internet Sales User Administration Authorizations Superuser
SAP_CRM_ISA_WEBSHOP_MANAGER Authorizations for the Internet Sales Web shop Manager Webshop Manager
SAP_CRM_ECO_ISA_WU_B2C Internet User for B2C
-
Can I get a list of users who have a specific authorization role?
Hello,
I'm wondering if there is a BAPI or FM that takes as input a single authorization role and gives me back a list of all users who have that role?
Thx.
Andy Jacobs
hi,
please check the below FM
'PRGN_1001_READ_USER_ASSIGNMENT'
jaffer,
Please reward the helpful answers.
-
Report on Positions directly linked to Authorization roles
Hello All,
Is there a report in SAP which can tell us which positions are assigned to Authorization roles or which Users are directly assigned to Authorization roles rather than through their Positions?
If not a report, is there a way we can find it out?
Regards,
Ahmad
No standard report is available to show Positions directly linked to Authorization roles.
-
How to achieve logical operator on [Authorize(Roles = ] in MVC
For example, I need to make a controller accessible to a user with two roles: role "Admin" and "Editor". How to achieve it?
[Authorize(Roles = "Admins")]
public class SampleController : BaseController
How to do logical operator, such as AND and OR (maybe || and &&)
Thanks!
Hello klouapple,
Please post your question to ASP.NET forum instead of here.
Best regards,
Barry
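The role combinations asked about in this thread, as an added example that is not from either poster. It assumes ASP.NET MVC 5 (`System.Web.Mvc`); the controller names and `AuthorizeAllRolesAttribute` are hypothetical.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// OR: a comma-separated Roles list admits a user who is in ANY listed role.
[Authorize(Roles = "Admin,Editor")]
public class AnyRoleController : Controller
{
    public ActionResult Index() { return Content("Admin OR Editor"); }
}

// AND: AuthorizeAttribute allows multiple instances and every instance
// must pass, so stacking requires the user to be in ALL of the roles.
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Editor")]
public class AllRolesController : Controller
{
    public ActionResult Index() { return Content("Admin AND Editor"); }
}

// Hypothetical helper (not a framework type): the same AND check
// expressed as a single attribute.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method,
                Inherited = true, AllowMultiple = true)]
public sealed class AuthorizeAllRolesAttribute : AuthorizeAttribute
{
    private readonly string[] _required;

    public AuthorizeAllRolesAttribute(params string[] roles)
    {
        if (roles == null || roles.Length == 0)
            throw new ArgumentException("At least one role is required.", "roles");
        _required = roles;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");
        var user = httpContext.User;
        // Fail closed: an anonymous or missing principal is never authorized.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        // Every required role must be present, not just one of them.
        return _required.All(role => user.IsInRole(role));
    }
}

[AuthorizeAllRoles("Admin", "Editor")]
public class PublishController : Controller
{
    public ActionResult Index() { return Content("Admin AND Editor"); }
}
```

Reading the comma list as AND is the mistake to watch for when reviewing such attributes: `Roles = "Admin,Editor"` grants access to a user holding only one of the two roles.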
-
Urgent - create Standard Authorization Roles
Hi experts,
we urgently need to establish some basic roles for our key users and basic users, so they can create/run BeX querys and workbooks as part of the Test User's phase.
Based on several posts in SDN we have seen that a valid role template would be S_RS_RREDE for key users and S_RS_RREPU for normal users.
However, I cannot find those roles either in tx PFCG or in the Business Content.
What am I missing? How can I find those template roles (or any other that can apply)?
Thanks and best regards,
Enric
have you followed these instructions:
For 3.x authorizations:
Roles in BW (Authorization Objects)
for 7.0 authorizations :
/thread/509708 [original link is broken]
here you find a good Authorization Objects Overview:
http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/frameset.htm
Use TA PFCG to create a new role. http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6866e07211d2acb80000e829fbfe/frameset.htm
-
Replicating authorization roles via HR replication from ECC 6 to SRM 5.0
Hi,
I'm interested in knowing whether anyone has used the distribution model to copy roles (AG objects) between ECC 6 and SRM 5.0.
Someone said that it's possible so I would like to validate that statement as I don't know whether it is possible and practical.
If you have any knowledge or experience could you please share it?
Regards,
Jerry
Hello Yann,
I was told that it can be done but I don't know enough about the HR replication process to acknowledge or challenge, hence the question.
Are you implying that it's not possible or simply that it's not done?
I had an earlier post regarding assigning roles to positions in SRM Replicating authorization roles via HR replication from ECC 6 to SRM 5.0 that you replied to but never replied to my subsequent question. It can be done because one of my other clients is doing it. We're however unable to get it work at my current client's site. Do you have any experience with this subject?
Regards,
Jerry
-
How to create authorization role for just displaying query prefix Q and X.
Hi Expert,
I hope someone can help me on how to create authorization role for just displaying and executing BEX Queries prefix Q and X. I'm currently using SAP BI 7.1.
Actually, I already created one role called : Z_FORINDO_ONLYDISPLAY_QX
where I only put in the Authorization Component (in the Role Maintenance - Tcode 'pfcg'):
-->Manually Business Information Warehouse
--> Manually Business Explorer - Components
Activity : Display, Execute, Enter, Include, Assign
InfoArea : *
InfoCube : *
Name(ID) of a reporting component : *
Type of a reporting component : Calculated key figure, Restricted key figure, Template structure
--> Manually Business Explorer - Components
Activity : Display, Execute
InfoArea : *
InfoCube : *
Name(ID) of a reporting component : Q* , X*
Type of a reporting component : Query
But the problem is I can still make changes to those queries (Q* and X*). I can even still run queries with prefix Z. I use the S_RS_RREPU template for query display and execution.
Please assist. Very much appreciate your help. Thanks.
Edited by: nadiyah salleh on Mar 18, 2008 11:22 AM
Question closed. This issue has been resolved.
-
After BI 7.0 Upgrade, Authorization Roles and profiles are not visible
Hi Gurus,
We have an issue where authorization roles and profiles are not visible for all end users with the new BEx Analyzer (BI 7.0) tool. But they can still see these roles with the old BEx Analyzer (BEx 3.5) tool.
As a developer I have SAP_ALL access and I can see all authorization roles in the new BEx Analyzer (BI 7.0).
I verified user access in SU01 and everyone is assigned their roles and they are green.
Do we need to add any new authorization object to fix this issue? Please let me know.
Thanks and appreciate your help.
Thanks
Ganesh Reddy.
Edited by: Ganesh Reddy on Oct 26, 2009 4:41 PM
Hi Ganesh,
check the behaviour, if you assign
S_USER_AGR
ACT_GROUP = "..name of the assigned role.."
ACTVT = 03 (for "display")
b.rgds,
Bernhard
-
Assign queries to authorization role via PFCG maintenace
Hi,
I would like to assign several queries to existing authorization roles.
Therefore I am using the transaction PFCG > maintain the menu > add "other" SAP BW Query URL and fill in the name as well as object description.
However, the new query will not be shown in the BEx Analyzer in the role folder.
What do I have to administrate that the query will be shown in the role menu (BEx Analyzer)?
Thanks!
Dear Arvind,
thanks for your reply.
As an authorization administrator for SAP BI I do have the authorization for S_USER_AGR already.
I am just testing in our development system.
However, the query will not appear in the BEx Analyzer while selecting "Open Query" and search in "Roles".
As far as I know queries could be provided to authorization roles via BEx Analyzer.
But does no possibility exist to maintain the authorization role via PFCG?
Regards, Christian
-
What authorization-roles for user login (java stack)
Hello SAP-Fans ,
which authorization role needs to be assigned to the users for logging into a java-stack on port 50.000?
We always get the error-message: "Error 403 forbidden, You are not authorized to view the requested resource."
I know this is a beginner's question. Java is completely new to us.
Thanks in advance
Danny Winn
Hi Danny,
Welcome to SDN,
Log on to the portal with the user Administrator, go to User Administration and create a user for yourself by assigning the Super Admin Role.
The portal URL must be http://<host.fqdn>:50XX0/irj/portal where XX is the system number, in this case 00.
You will be able to see all the SAP standard roles on the user admin tab.
regards
Juan
Please reward with points if helpful
-
Transport Release frequency for Authorization Roles
Hi,
At my present customer all system changes are transported via release management. The current frequency of releases is 2 times a year. This includes SAP support packages, customizing, abap AND authorization roles.
Now I would like to establish a different, quicker release 'speed' for authorization roles only (f.i. once a week).
I already motivated my request with many reasons (role changes can be considered as master data changes; the lack of speed leads to insecure 'workarounds'; role management issues are 'redesigned' to user management issues; etc.) but what I am still looking for are reference documents, best practices, audit reports in which the same advice is described.
Could you please help me with my quest?
Thank you!
Kind regards,
Lodewijk
Hi Lodewijk,
I agree that it is useful to define a specific schedule for transporting roles as opposed to the schedule for updating the software; however, I do not have a document describing some best practice. Anyway, the following link may help you to convince the management that you can set up a process including 4-eyes checks on the transports:
[TMS Quality Assurance|http://help.sap.com/saphelp_nw70ehp2/helpdata/en/9c/a544c6c57111d2b438006094b9ea64/frameset.htm]
Using this process you would accept only transports which contain roles (R3TR ACGR...).
Kind regards
Frank
-
Authorizations analysis versus Authorizations roles
Hello All,
I try to understand how to manage BW authorizations in the best way. I'm confused with authorizations analysis we set up in transaction RSECADMIN and authorizations object available in authorizations roles.
I have got some questions :
1-Do we have to use both? My tests show that I have to declare a cube within analysis authorization using object 0TCAIPROV and I also have to update the role with object S_RS_COMP for RSINFOCUBE.
2-What is the list of all existing analysis authorisation objects?
Thanks for your help
Regards
Catherine
Hi Catherine,
1)
S_RS_COMP gives you the option to only change the object and has nothing to do with reading the data from the InfoProvider. This is maintained by the Basis team for the users to create and do the developments in Business Explorer.
So if you want a user to work on a particular InfoCube only, like using that InfoCube to create queries etc. in Business Explorer, then you should give the cube name here.
Generally it is kept as *.
You have to maintain the user profile to read the data from the respective cubes.
This has to be done by creating an authorization object (e.g. ZAUTH1) and providing the values for 0TCAIPROV there.
No need to add 0TCAIPROV to the cubes.
Once the authorization object is created you need to assign it to a role and then this role should be assigned to the user.
2)
Some are here
Authorization for Analysis Process RSANPR
Data Warehousing Workbench - Objects S_RS_ADMWB
BI Analysis Authorizations in Role S_RS_AUTH
Business Explorer - BEx Reusable web items (NW 7.0+) S_RS_BITM
Business Explorer - BEx Web Templates (NW 7.0+) S_RS_BTMP
Business Explorer - Components S_RS_COMP
Business Explorer - Components: Enhancements to the Owner S_RS_COMP1
Data Warehousing Workbench - DataSource (Release > BW 3.x) S_RS_DS
Data Warehousing Workbench - Data Transfer Process S_RS_DTP
Data Warehousing Workbench - Hierarchy S_RS_HIER
Data Warehousing Workbench - InfoCube S_RS_ICUBE
Data Warehousing Workbench - InfoObject Catalog S_RS_IOBC
Data Warehousing Workbench - InfoObject S_RS_IOBJ
Data Warehousing Workbench - Maintain Master Data S_RS_IOMAD
Data Warehousing Workbench - InfoSet S_RS_ISET
Data Warehousing Workbench - InfoSource (Release > BW 3.x) S_RS_ISNEW
Data Warehousing Workbench - InfoSource (Flexible Update) S_RS_ISOUR
Data Warehousing Workbench - InfoSource (Direct Update) S_RS_ISRCM
Data Warehousing Workbench - DataStore Object S_RS_ODSO
Data Warehousing Workbench - Open Hub Destination S_RS_OHDST
Data Warehousing Workbench - Process Chains S_RS_PC
Data Warehousing Workbench - Transformation S_RS_TR
You can find these values in the table RSECVAL.
Thanks
Ajeet
-
How to upload authorization role & profile to PFCG
I have downloaded the authorization role & profile from PFCG at client 100.
How to upload the authorization role & profile to SAP client 200?
Check with your Basis guys once;
generally it will be done by them, so check with them once.
-
Hi All,
We are moving our application from Oracle Forms to Apex. I am basically a Forms developer and I didn't understand the authorization/roles in Apex.
For example, in our database we have 2 roles: app_lookup (privs - insert, update, delete, select) and app_guest (privs - select). And we use database authentication for Forms. If we have 2 end users, Super with role app_lookup and Operator with role app_guest, and I want to implement the database roles, how can it be done in Apex?
End user Super (with all privs) needs to update/delete/insert/select in Apex.
End user Operator (with only the select priv) needs to select particular tables/pages in Apex.
Could someone throw some light on how this can be done in Apex?
thank you
rajesh
"user596620",
You can go to your control panel and give us your real name, or at least something easier than "user596620".
Why do I think Database Authentication is a dying trend?
- LDAP directories were designed from the ground-up to store information like Authentication and Authorization data.
- Almost every technology out there can use LDAP as an Authentication source.
- There are only a few technologies that can use the DB for an authentication source. What if your users don't want to have a separate username / password for their APEX apps than their email account? You're out of luck.
- Databases were never designed as user repositories. It's a square peg in a round hole.
- Mixing data schemas and user accounts in a database is a mess to maintain. It's often difficult to tell them apart. Which ones contain sensitive data, which ones are just users?
- There are only a few attributes that you can store in a database "user". If you want to store phone, email, certificate, etc, you have to create your tables for it.
- If end users have accounts in a database, it's that much easier for them to connect with third-party tools and start poking around.
- There is no concept of delegated administration with a database. How do you give someone the ability to manage all users in a particular group?
- Managing roles and privs for thousands of database user accounts is a nightmare. It's much easier in a web environment to assign select / execute privs to the account used by the web application, vs all of the users accessing the application.
- Onboarding / off-boarding / auditing accounts scattered throughout a bunch of databases is impossible vs creating / deleting / auditing all accounts and groups (roles) in a single LDAP directory.
I'm probably missing a lot of points here, so I may ask someone on the Identity Management side of things to chime in.
Tyler