Authorizations & Roles in ISA

Hi,
FIRST PART - USER ADMINISTRATION
     I have a requirement where in I have to add a new authoization (fo providing "User is approver" role) . What are all the necessary things to be done to add a new role/authorization to pop up in role list while creating a new user?
What is to be added in Customizingr3.xml and INITCUST.xml.
Does ISA_USER_CREATE or any other RFC call which is made while creating a user validates these customized role?
If Yes, then i will be thrown some backend exception which i am anticipating !!
If NO, what is that i need to do or ask ABAP folks here to check in backend and to implement some kind of validation on all the Roles that are getting assigned while creating a user.
SECOND PART - B2B Shopping Site
Once a newly created User logs into Shopping site, from where are these roles/authorizations of that user being accessed?
I mean to say, how can i check for User specific settings(permissions,auth,role). Please advise me with the RFC / BusinessObjects used to find User specific data.

Hi Dev,
            We are trying to build a B2B solution using ISA. I may be very dumb in my questions, but please please try to make some point out of my questions.
We are trying to look at all the files under R3 and not using anything from CRM (in terms of folder structure and files from OOB code of ISA). so i think we are using SAP-ERP as per your previous reply. I hope i make some sense. We are building application on version 7.0
Now coming to procedure of creating a user from User Administration, i do have the idea of what is being mentioned in your steps.
Now in the "Assigned Roles" table displayed in "Create New User" screen, i need to add a new role (like Can Approve Orders - means user is an approver). Now in order to create a new role with new description (in addition to Full b2b, view only orders et.,) what are all the necessary things i need to do?
By modifying the CustomizingR3.xml and INITCUST.xml, i was able to get another new row for role/description in "Customizing" link. When i add some new role/description, they get populated in the "create new user" screen. Now when i save all the details assigning the new role, a new user is created with new role assigned.
But if we observe, Full B2B authorization for instance, when we assign them, in the backend, few sub roles like :
SAP_ISA_B2B_FULL     SAP_ISA_SUB_BILLING_VIEW
                                     SAP_ISA_SUB_CATDISPLAY
                                     SAP_ISA_SUB_CATPRICE
                                    SAP_ISA_SUB_CONTRACT_UI
                                     SAP_ISA_SUB_CUSTOMER_READ
                                     SAP_ISA_SUB_ORDER_MAINTAIN
                                     SAP_ISA_SUB_QUOTATION_UI
                                     SAP_ISA_SUB_QUOT_DISPLAY_UI
                                     SAP_ISA_SUB_RFC
                                      SAP_ISA_SUB_TEMPLATE_MAINTAIN
In similar fashion, i need to create new authorization SAP_ISA_B2B_APPROVE_ORDERS. so what is all that i need to do? just modifying the xmls, adding this auth in "customizing" link and assigning them in create user screen are enough?
If this process is enough, then i need to know, how can we validate such a new role in backend when a new user is created. Should i ask the ABAP folks here to create a new auth with same string and assign some SUB roles which in future will help me authenticate approval flow?
Finally, how are the roles visible in frontend while user creation and roles in sap backend validated/mapped against eachother?
I have put forward what all i could. Please do guide me.
Thanks,
Abhiram

Similar Messages

  • Required Authorization Role for E-commerce manager

    Hi ,
    Could you please tell me required Authorization Role for E-commerce manager and catalog administartor?
    Thanks.
    Regards,
    PV

    SAP_CRM_ECO_ISA_WU_B2B_FULL           CRM-ECO: ISA Internet User (Full Document Authorization)             ISA_B2B_FULL
    SAP_CRM_ISA_UA_SUPERUSER              Internet Sales User Administration Authorizations                              Superuser
    *SAP_CRM_ISA_WEBSHOP_MANAGER     *    Authorizations for the Internet Sales Web shop Manager         Webshop Manager
    SAP_CRM_ECO_ISA_WU_B2C                  Internet User for B2C

  • Can I get a list of users who have a specific authorization role?

    Hello,
    I'm wondering if there is a BAPI or FM that takes as input a single authorization role and gives me back a list of all users who have that role?
    Thx.
    Andy Jacobs

    hi,
    please check the below FM
    'PRGN_1001_READ_USER_ASSIGNMENT'
    jaffer ,
    Please reward the helpful answers.

  • Report on Positions directly linked to Authorization roles

    Hello All,
    Is there a report in SAP which can tell us which positions are assigned to Authorization roles or which Users are directly assigned to Authorization roles rather than through their Positions?
    If not a report is there way we can find it out?
    Regards,
    Ahmad

    No Standard report available to show Positions directly linked to Authorization roles

  • How to achieve logical operator on [Authorize(Roles = ] in MVC

    For example, I need to make a controller accessible a user with two roles; role "Admin" and "Editor". How to achieve it.
       [Authorize(Roles = "Admins")]
        public class SampleController : BaseController
    How to do logical operator, such as AND and OR (maybe || and &&)
    Thanks!
      

    Hello klouapple,
    Please post your question to ASP.NET forum instead of here.
    Best regards,
    Barry
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click
    HERE to participate the survey.

  • Urgent - create Standard Authorization Roles

    Hi experts,
    we urgently need to establish some basic roles for our key users and basic users, so they can create/run BeX querys and workbooks as part of the Test User's phase.
    Based on several posts in SDN we have seen that a valid role template would be S_RS_RREDE for key users and S_RS_RREPU for normal users.
    However, I cannot find those roles neither in tx PFCG nor at the Business Content.
    What am I missing? How can I fin those template roles (or any other that can apply)?
    Thanks and bets regards,
    Enric

    have you followed these instructions :
    For 3.x authorizations:
    Roles in BW (Authorization Objects)
    for 7.0 authorizations :
    /thread/509708 [original link is broken]
    here you find a good Authorization Objects Overview:
    http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/frameset.htm
    Use TA PFCG to create a new role. http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6866e07211d2acb80000e829fbfe/frameset.htm

  • Replicating authorization roles via HR replication from ECC 6 to SRM 5.0

    Hi,
    I'm interested in knowing whether anyone has used the distribution model to copy roles (AG objects) between ECC 6 and SRM 5.0.
    Someone said that it's possible so I would like to validate that statement as I don't know whether it is possible and practical.
    If you have any knowledge or experience could you please share it?
    Regards,
    Jerry

    Hello Yann,
    I was told that it can be done but I don't know enough about the HR replication process to acknowledge or challenge, hence the question.
    Are you implying that it's not possible or simply that it's not done?
    I had an earlier post regarding assigning roles to positions in SRM Replicating authorization roles via HR replication from ECC 6 to SRM 5.0 that you replied to but never replied to my subsequent question. It can be done because one of my other clients is doing it. We're however unable to get it work at my current client's site. Do you have any experience with this subject?
    Regards,
    Jerry

  • How to create authorization role for just displaying query prefix Q and X.

    Hi Expert,
    I hope someone can help me on how to create authorization role for just displaying and executing  BEX  Queries prefix Q and X. I'm currently using SAP BI 7.1.
    Actually, I already created one role called : Z_FORINDO_ONLYDISPLAY_QX
    where I only put in the Authorization Component (in the Role Maintenance - Tcode 'pfcg'):
    -->Manually Business Information Warehouse
        --> Manually Business Explorer - Components
    Activity : Display, Execute, Enter, Include, Assign
    InfoArea : *
    InfoCube : *
    Name(ID) of a reporting component : *
    Type of a reporting component : Calculated key figure, Restricted key figure, Template structure
        --> Manually Business Explorer - Components
    Activity : Display, Execute
    InfoArea : *
    InfoCube : *
    Name(ID) of a reporting component : Q* , X*
    Type of a reporting component : Query
    But, the problem is I still can make changes on that queries (Q* and X*). Even, I still can run query with prefix Z. I use S_RS_RREPU Tamplete for Query Display and execution.
    Please assist. Very much appreciate your help. Thanks.
    Edited by: nadiyah salleh on Mar 18, 2008 11:22 AM

    Question close. This issue has been resolved.

  • After BI 7.0 Upgrade, Authorization Roles and profiles are not visible

    Hi Gurus,
    We have an issue with authorization roles and profiles are not visible for all end users with new Bex Analyzer (BI 7.0) tool. But still they can see these roles with old Bex Analyzer ( Bex 3.5) tool.
    As a developer I have SAP_ALL acces and I can see all authorization roles in new BEx Analyzer (BI 7.0).
    I verified in SU01 for user access and every are assigned there roles and they are green.
    Do we need to add any new authorization object to fix this issue, please let me know
    Thanks and appreciate your help.
    Thanks
    Ganesh Reddy.
    Edited by: Ganesh Reddy on Oct 26, 2009 4:41 PM

    Hi Ganesh,
    check the behaviour, if you assign
    S_USER_AGR                          
       ACT_GROUP = "..name of the assigned role.."
       ACTVT = 03 (for "display")    
    b.rgds,
    Bernhard

  • Assign queries to authorization role via PFCG maintenace

    Hi,
    I would like to assign several queries to existing authorization roles.
    Therefore I am using the transaction PFCG > maintain the menu > add "other" SAP BW Query URL and fill in the name as well as object description.
    However, the new query will not be shown in the BEx Analyzer in the role folder.
    What do I have to administrate that the query will be shown in the role menu (BEx Analyzer)?
    Thanks!

    Dear Arvind,
    thanks for your reply.
    As an authorization administrator for SAP BI I do have the authorization for S_USER_AGR already.
    I am just testing in our development system.
    However, the query will not appear in the BEx Analyzer while selecting "Open Query" and search in "Roles".
    As far as I know queries could provided to authorization roles via BEx Analyzer.
    But does no possibility exists to maintain the authorization role via PFCG?
    Regards, Christian

  • What authorization-roles for user login (java stack)

    Hello SAP-Fans ,
    which authorization role needs to be assigned to the users for logging into a java-stack on port 50.000?
    We always get the error-message: "Error 403 forbidden, You are not authorized to view the requested resource."
    I know this is a beginner's question. Java is completely new to us.
    Thanks in advance
    Danny Winn

    Hi Danny,
    Welcome to SDN,
    Logon to the portal with the user Administrator, go to User Administartion and create a user for yourself by assigning Super Admin Role.
    portal Url must be http://<host.fqdn>:50XX0/irj/portal where XX is the system number in this case 00.
    You will able to see at the user admin tab all the SAP standard roles.
    regards
    Juan
    Please reward with points if helpful

  • Transport Release frequency for Authorization Roles

    Hi,
    At my present customer all system changes are transported via release management. The current frequency of releases is 2 times a year. This includes SAP support packages, customizing, abap AND authorization roles.
    Now I would like to establish a different, quicker release 'speed' for authorization roles only (f.i. once a week).
    I already motivated my request with many reasons (role changes can be considered as master data changes; the lack of speed leeds to insecure 'workarounds'; role management issues are 'redesigned' to user management issues; etc.) but what I am still looking for are reference documents, best practices, audit reports in which the same advise is described.
    Could you please help me with my quest?
    Thank you!
    Kind regards,
    Lodewijk

    Hi Lodewijk,
    I agree, that is is useful to define a specific schedule for transporting roles in oposite to the schedule for updating the software, however, I do not have a document described some best practise. Anyway, the following link may help you to convince the management, that you can setup a process including 4-eyes checks on the transports:
    [TMS Quality Assurance|http://help.sap.com/saphelp_nw70ehp2/helpdata/en/9c/a544c6c57111d2b438006094b9ea64/frameset.htm]
    Using this process you would accept transports only which cointains roles (R3TR ACGR...).
    Kind regards
    Frank

  • Authorizations analysis versus Authorizations roles

    Hello All,
    I try to understand how to manage BW authorizations in the best way. I'm confused with authorizations analysis we set up in transaction RSECADMIN and authorizations object available in authorizations roles.
    I have got some questions :
    1-Do we have to use both ? My tests shows that I have to declare a cube within analysis authorization using object 0TCAIPROV and I have also to update role with object S_RS_COMP for RSINFOCUBE.
    2-What are the list of all existing analysis authorisation object ?
    Thanks for your help
    Regards
    Catherine

    Hi Catherine,
    1)
    S_RS_COMP gives you the option to only change the object and has nothing to do with the reading the data from the infoprovider.This is maintained by the Basis team for the users to create and do the developments in business exploere.
    So if you want that a user should work upon a particulat infocube only like using that infocube to create query etc in business explorer.  then you should you give the give the cube name here.
    Generally it is kept as *.
    You have to maintain the user profile to read the data from the respective cubes.
    This has to be done by creating an authorization object/ ex .ZAUTH1) and providing the values for  0TCAIPROV  there.
    No need to add 0TCAIPROVto the cubes.
    Once the authorization object is created you need to assing it to a role and then this role should be assigned to the user.
    2)
    Some are here
    Authorization for Analysis Process                           RSANPR    
    Data Warehousing Workbench - Objects                         S_RS_ADMWB
    BI Analysis Authorizations in Role                           S_RS_AUTH 
    Business Explorer - BEx Reusable web items (NW 7.0+)         S_RS_BITM 
    Business Explorer - BEx Web Templates (NW 7.0+)              S_RS_BTMP 
    Business Explorer - Components                               S_RS_COMP 
    Business Explorer - Components: Enhancements to the Owner    S_RS_COMP1
    Data Warehousing Workbench - DataSource (Release > BW 3.x)   S_RS_DS   
    Data Warehousing Workbench - Data Transfer Process           S_RS_DTP  
    Data Warehousing Workbench - Hierarchy                       S_RS_HIER 
    Data Warehousing Workbench - InfoCube                        S_RS_ICUBE
    Data Warehousing Workbench - InfoObject Catalog              S_RS_IOBC 
    Data Warehousing Workbench - InfoObject                      S_RS_IOBJ 
    Data Warehousing Workbench  - Maintain Master Data           S_RS_IOMAD
    Data Warehousing Workbench - InfoSet                         S_RS_ISET 
    Data Warehousing Workbench - InfoSource (Release > BW 3.x)   S_RS_ISNEW
    Data Warehousing Workbench - InfoSource (Flexible Update)    S_RS_ISOUR
    Data Warehousing Workbench - InfoSource (Direct Update)      S_RS_ISRCM
    Data Warehousing Workbench - DataStore Object                S_RS_ODSO 
    Data Warehousing Workbench - Open Hub Destination            S_RS_OHDST
    Data Warehousing Workbench - Process Chains                  S_RS_PC   
    Data Warehousing Workbench - Transformation                  S_RS_TR   
    you can find this values in the table
    RSECVAL.
    Thanks
    Ajeet

  • How to upload authorization role & profile to PFCG

    I have downlaod the authorization role & profile from PFCG at client 100.
    How to upload the authorization role & profile to SAP client 200?

    check with ur basis guys once
    generally it will be dont by them check with them once

  • Authorization  -- Roles

    Hi All,
    We are moving our applicaiton from Oracle Forms to Apex. I am basically a forms developer and I didnt understand the authorization/roles in Apex.
    For eg in our database we have 2 roles app_lookup ( privs - insert,update, delete, select) and app_guest( privs select) . And we use the database authentication for forms. If we have 2 end users Super with role app_lookup and operator with role app_guest, and if I want to implement the database role, how can it be done in Apex.
    End user Super ( with all privs) need to update/delete/insert/select in apex
    End user Operator( with only priv select) need to select particular table/pages in apex.
    Could someone throw lights on how this can be done in Apex.
    thank you
    rajesh

    "user596620",
    You can go to your control panel and give us your real name, or at least something easier than "user596620".
    Why do I think Database Authentication is a dying trend?
    - LDAP directories were designed from the ground-up to store information like Authentication and Authorization data.
    - Almost every technology out there can use LDAP as an Authentication source.
    - There are only a few technologies that can use the DB for an authentication source. What if your users don't want to have a separate username / password for their APEX apps than their email account? You're out of luck.
    - Databases were never designed as user repositories. It's a square peg in a round hole.
    - Mixing data schemas and user accounts in a database is mess to maintain. It's often difficult to tell them apart. Which ones contain sensitive data, which ones are just users?
    - There are only a few attributes that you can store in a database "user". If you want to store phone, email, certificate, etc, you have to create your tables for it.
    - If end users have accounts in a database, it's that much easier for them to connect with third-party tools and start poking around.
    - There is no concept of delegated administration with a database. How do you give someone the ability to manage all users in a particular group?
    - Managing roles and privs for thousands of database user accounts is a nightmare. It's much easier in a web environment to assign select / execute privs to the account used by the web application, vs all of the users accessing the application.
    - Onboarding / off-boarding / auditing accounts scattered throughout a bunch of databases is impossible vs creating / deleting / auditing all accounts and groups (roles) in a single LDAP directory.
    I'm probably missing a lot of points here, so I may ask someone one the Identity Management side of things to chime-in.
    Tyler

Maybe you are looking for