Avoid redundancy in PFCG.
Hi All,
I am working as SAP Security Consultant. Can anyone please guide me how to reduce / avoid redundancy in PFCG, so that same roles are not assigned to the users.
Best regards,
Shashi.
Hi,
The best solution to avoid redundancy in PFCG is to make the entry CONDENSE_MENU_PFCG in the customizing table SSM_CUST with the values NO and YES.
In the Role maintenance PFCG:
Choose Utilities menu - Settings and it will show a dialog box where you have to check "Do not insert existing entries"
Similar Messages
-
Creation of role using T-code PFCG in R/3
Hi Experts,
I have created a Role using PFCG in order to give access only to three T-codes (PZ09, PZ80, PZ88).
So I have created a role initially using PFCG and incorporated PZ09 tcode in it and assigned the Role to users in R/3. It is displaying the TCode (PZ09) in Portal.
Now again I have added PZ80 & PZ88 to the same Role in R/3, but now I am getting an error:
Infotype 0000 does not exist.
but whereas when I assign SAP_ALL they (PZ88 & PZ80) are working fine.
Is there anything I can do so that I can avoid assigning SAP_ALL Profile to the users and eliminate the Error "Infotype 0000 does not exist"?
Thanks in advance,
Regards,
Siva

Hi,
Thanks for your reply,
Creation of role using T-code PFCG in R/3
The above link has solved my issue, Thank you!
Regards,
Siva -
CCM 2.0 avoid changes in the Procurement Catalogue
Hi!!!
Is it possible to avoid that the Master Catalog can change characteristic values in the Procurement Catalog?
This issue is critical for us. Could you please please help us?
THANKS!!!

Hi Dinesh,
We tried the "Read Only" solution but it's not working with complex characteristics such as price. Besides, it's the Catalog Manager who sets the read only flag, and we wanted the procurement catalog not be editable to avoid him to change some value (so, it has not much sense to make him responsible to set the flag, as he could just un-flag it, change values, and flag it again).
What we did was, go to the transaction PFCG, write the manager role (/CCM/CATALOG_MANAGER), then click on the authorization tab, and press on the Change Authorization Data button.
Then, inside the menu Cross-Application Authorization Object go to Access Restriction for Catalog Design Center. Here we added two new entries. So now we have 3 different "Restriction for Catalog Design Center", one for the Procurement Catalog (that doesn't have the activity of CHANGE), another for the Master Catalog (we had to write the name, because there isn't an option for the Master in the Catalog type menu. We wanted the Catalog Manager not to be able to publish it. However, although we didn't include PUBLISH in his activity, he still can publish it) and another one for the Supplier Catalog.
So, if someone knows how to avoid the Catalog Manager publishing the Master Catalog using authorizations, we would be really grateful for some tips.
THANKS!!!
Best Regards,
Mar -
Hi all,
we are performing an upgrade from SAP 46C to ECC 6.0 and I download one Role from PFCG (46C).
I use a sandbox system ECC 6.0 for testing PFCG Upload but I obtain the popup message:
Incorrect release; see long text
Incorrect release; see long text
Message no. S#388
Diagnosis
The system release does not match the release in which the role was saved to the file.
Main Program: SAPLSHL2
Any ideas???
Thanks,
GB

Hi,
Best approach would be copy roles from 4.6C system into a 4.6C sandbox system and then upgrade the 4.6C sandbox system into 6.0. This method will ensure a consistent conversion of the 4.6 profiles and objects to ECC 6.0.
You can run SU25 after the upgrade to update your roles to include new auth objects/field/values/transactions of ECC 6.0 and also remove 4.6 C auth objects that are no longer in use.
This approach will definitely save lot of manual effort to upload roles into new ECC6.0 system and avoid any inconsistencies/ authorization errors in the upgraded system.
You can easily search this forum for more information on SU25
[Upgrade 46C to ECC 6 0 STEP BY STEP ---Developing;
Hope this helps!
Sandipan -
Relation between OOSB and a PFCG Role?
Hi folks,
Is there a link between OOSB and a PFCG role?
I would like to avoid inputting a person through OOSB. Basically, my aim is to link a profile created in OOSP to a profile (or role) created in PFCG.
The final objective is to assign Admin people in a single role and, depending their company codes assigned in the org. struc., see only the people from those companies when using BBPUSERMAINT transaction.
Any feedback or others solution?
Thanks
Regards - chris

Hi
Which SRM version are you using ?
I have not tried this ever yet... so difficult to comment on this.
Anyways, I guess, this will affect to all levels down the line wherever inherited. Be careful while doing this.
Please go through the related links ->
Re: SRM 4.0 Security Concept
Re: Manager is not able to change attribute
SRM 4.0 & structural authorizations
Do let me know.
Regards
- Atul -
PFCG: an authorization object for Financial Document Types
Hi All,
I've to create a role (PFCG) in which I've to avoid that the user can display some Financial Document Types.
Is there an authorization object for this?
Thanks
G.Rossi

Hi,
First of all you will have to activate the document display authorization in IMG.
SPRO - Financial accounting new - financial accounting global settings - check display authorization for document type.
Activate this by keeping the tick on document authorization.
Secondly, in SUIM go through the Authorization object F_BKPF_BLA which is the authorization for document type.
In the OBA7 maintain the authorization group for document type and in PFCG for the authorization object F_BKPF_BLA give the value for BRGRU as the authorization group value.
Regards ,
Dewang T -
Authorisation required to display Workflow Tasks in PFCG
Hi Gurus,
When using PFCG I have a strange difference between a user with SAP_ALL authorisations and a user without SAP_ALL.
Using the SAP_ALL user, when I display a role it shows the Tasks under the Workflow tab.
Using the user without SAP_ALL, it still displays the Workflow tab but the Tasks are not displayed.
I have come to the conclusion that this must be authorisation related, so does anyone know what authorisations allow users to display the Workflow Tasks in PFCG?
All help greatly appreciated.
Thanks,
Matt

> What I am trying to find out is which authorisations I need to add to an alternate role in order to avoid using SAP_ALL.
The following are basic transactions which are being used in the SAP Workflow.
Tcodes - Description
OOAW - Evaluation paths
PFAC_CHG - Change roles
PFAC_DEL - Delete roles
PFAC_DIS - Display roles
PFAC_INS - Create roles
PFOM - Maintain assignment to SAP organizational objects
PFOS - Display assignment to SAP organizational objects
PFSO - Organizational environment of a user
PFTC_CHG - Change tasks
PFTC_COP - Copy tasks
PFTC_DEL - Delete tasks
PFTC_DIS - Display tasks
PFTC_INS - Create tasks
PPOCW - Create organizational plan
PPOMW - Maintain organizational plan
PPOSW - Display organizational plan
SWDA - Workflow Builder (Calls the Workflow Builder in alphanumeric mode)
SWDD - Workflow Builder
SWDS - Workflow Builder (Selection)
SWDD_CONFIG - Workflow configuration
SBWP - The Business Workplace
SWDC_DEFINITION - Workflow Builder administration data
SWDC_RUNTIME - Workflow runtime administration data
SWNCONFIG - Extended notifications for business workflow
SWDM - Business Workflow Explorer
SWEINST - Evaluation and maintenance of instance linkages
SWEINSTVC - Evaluation and maintenance of instance linkages
SWE2 - Evaluation and maintenance of type linkages
SWE3 - Evaluation and maintenance of instance linkages
SWE4 - Switch event trace on/off
SWEL - Display event trace
RSWELOGD - Delete event trace
You can create separate role and assign these codes
Regards
Siva -
Display Links on welcome screen of SC as per the role in PFCG
Hi All,
We have created a Z ITS service from a Z transaction and want to give the link of this ITS service on welcome screen of EBP only to some specific users.
We created a Z role in PFCG and attached the link of this ITS service using the option 'Generic Web Address (URL Template)' from the popup that we get on clicking Other button in PFCG .
How to check the role to display this link on the welcome screen?
We can not hardcode the link in ITS template because then it will be displayed for all users.
We can not use the Z transaction directly instead of calling the corresponding ITS service because then it also shows menu options on screen using which the user can access SAP EASY ACCESS menu from screen.
In PFCG it display under the Go Shopping folder:
BW_GENERIC_TYPE-Report
So how to check the role in ITS template and show the link only to specific users?
Thanks,
Anubhav

Hi Deepti,
Sorry for the confusing description. Let me explain in detail.
We have a Z report which should be accessible from a link on welcome screen of EBP.
For this we created a Z transaction of this Z report and selected Easy Web Transaction radio button and SAP GUI for HTML checkbox while creating this transaction.
Added this Z transaction in a role in PFCG. But the problem here is, when the link on screen is clicked and transaction is opened in IE it shows Menu, Save as variant, Back, Cancel and System options in header, using these user can access all transactions as if he is logged in to SAP from SAP GUI.
To avoid this we created an ITS service using this Z transaction and created corresponding service node in SICF.
So we either have to remove the menu options from header when this Z transaction is displayed in WEB GUI, i.e. when we attach this Z transaction in PFCG, OR instead of calling the Z transaction, this ITS service should be called, so how to attach this ITS service to PFCG?
Further if it is a transaction we can check in the ITS Service BBPSTART Template BBPGLOBAL_650_EMP as follows...
<!-- Modified standard code to call Z transaction-->
repeat with idx from 1 to MENU_NODE_TAB-TEXT.dim;
  if(MENU_NODE_TAB-S_IDENT[idx] == "ZBUSRP"); <--Here we check if the ZRole has ZBUSRP transaction attached to it in PFCG if yes then only display the link.
    A_S_IDENT[i] = MENU_NODE_TAB-S_IDENT[idx];
    A_GEN_URL[i] = MENU_NODE_TAB-GEN_URL[idx];
    A_OBJECT_ID[i] = "parent.launchpad.menu.M" & MENU_NODE_TAB-OBJECT_ID[idx] & ".root.name + parent.launchpad.menu.M" & MENU_NODE_TAB-OBJECT_ID[idx] & ".path";
    A_TEXT[i] = "Vendor Report";
    A_INTRODUCTION[i] = "Business Card Report For Administrator";
    found = 1;
  end;
end;
if(found==1);i=i+1;found=0;end;
How to apply this check when calling an ITS service that is in a role in PFCG?
I hope it is a bit clearer now.
Thanks,
Anubhav -
Queries added to role in PFCG don't show up under role folder in BEX
Hello Guru's
Currently I am experiencing a very strange problem regarding the visibility of queries in the role menu of BEX. Please find below some investigation already done:
Just to avoid any authorization questions/assumptions, I have a user with SAP_NEW and SAP_ALL. He also has 2 roles (R1 and R2, no other roles) in which reports are entered using: PFCG -> +OTHER -> SAP BW Query URL.
In his SAP user menu all reports from both roles show up and are executable.
When this user open BEX Analyzer and goes to 'Open' -> 'Open Query' and then go to 'Roles' only R1 and its contents is visible.
The roles however are identical and contain only the following authorization objects (apart from menu entries):
S_USER_TCD: RRMX
S_TCODE: RRMX
The only difference between them is that the R1 has been created some time ago while the R2 is new.
I expect that people will tell me that S_USR_AGR is required but this isn't the case since he is able to see one of the two mentioned roles (R1) and its contents in SAP BI due to SAP_ALL and SAP_NEW.
When I copy R1 to R3 and add it to the user he is also able to see this R3 in the Bex analyzer. However, when I remove all reports from R3 and add some myself in PFCG these new entries do not show up in Bex analyzer, even though I re-added the report(s) I removed earlier in the exact same way.
The same for the original R1, when I add new entries they aren't visible although the 'old' ones are.
When I check the only table I know that holds SAP menu entries all links show up, this also explains why in his SAP user menu he sees all links. Does anyone know how (which tables) the BEX Analyzer gets the appropriate roles and role entries when a user wants to open a query?
What can be the issue here; to me it feels like something has changed in the system that prevents BEX to read all roles properly?

Hi Casper,
there is a known issue at the moment whereby workbooks/queries and roles are no longer
visible due to the following.....
The settings in SSM_CUST defines a compress mechanism for the user menu
known as "Redundancy avoidance" and described in notes 357877 and 357693
Redundancy avoidance deletes easy access menu entries for doubled
transaction codes whenever SSM_CUST contains
1. an entry CONDENSE_MENU with PATH = 'YES' and
2. either an entry DELETE_DOUBLE_TCODE with PATH = 'YES' or no entry
DELETE_DOUBLE_TCODES, at all.
If you don't want doubled transaction codes to be deleted, then simply
add an entry DELETE_DOUBLE_TCODES with PATH = 'NO' into table SSM_CUST.
Please enter
DELETE_DOUBLE_TCODES with PATH = 'NO' into table SSM_CUST
and retest this issue...
I hope this helps
best regards
Orla. -
Disable Merging of Authorizations During Menu Maintenance in PFCG
Hi Experts,
Wanna ask if it is possible to stop SAP from automatically merging the authorizations (i.e. removing repetitive authorization objects, combining authorization objects to logical groupings) every time I edit the transaction code assignment at the "Menu" tab in PFCG? I observe that SAP automatically updates the authorization objects every time I add/remove transaction codes in the authorization menu.
The reason that the automatic merging of authorization is not desirable for our case is that we want to maintain certain format of our authorization objects. E.g. if there is a tcode XXX that requires read access to 3 infotype 0000, 0001, 0002 and another tcode YYY that requires read access to 2 infotypes 0003, 0004. In this case, we would configure 2 rows for P_ORGIN object (1 for read access to 3 infotypes, another for read access to 2 infotypes). By default when updates are done in the menu, SAP merges all the 5 infotypes into 1 entry for read access. Our desired behavior is that the merging can be disabled so that we can easily remove the corresponding infotype access when a tcode is removed.
Experts, please advise whether the above is possible and any best practices for my above scenario?
Thanks and Regards.

> ... we want to maintain certain format of our authorization objects. E.g. if there is a tcode XXX that requires read access to 3 infotype 0000, 0001, 0002 and another tcode YYY that requires read access to 2 infotypes 0003, 0004. In this case, we would configure 2 rows for P_ORGIN object (1 for read access to 3 infotypes, another for read access to 2 infotypes).
That is what SU24 is designed to do. Why not maintain two neat "rows" - one for each transaction.
> By default when updates are done in the menu, SAP merges all the 5 infotypes into 1 entry for read access.
What is your problem with this. It is the access which counts, and not the number of "rows".
> Our desired behavior is that the merging can be disabled so that we can easily remove the corresponding infotype access when a tcode is removed.
If you really want this, then either disable all authorization proposals in SU24 to "check" only, or, use SU02 and SU03 like in the olden days.
In both cases you will need to re-invent the wheel each time and work in an environment which is very error prone.
That is exactly what the development work in SU24 and the role administration via the menu objects (S_USER_TCD and S_USER_VAL) set out to avoid - namely a big mess in neat rows...
Hope that helps you reconsider.
Cheers,
Julius -
IMA11: avoiding that an user can reject the appropriation request "created"
Hi All,
with reference to the t.code IMA11 (create/change an appropriation request),
an appropriation request has the system status "created".
I wonder if it is possible to avoid that, for the appropriation request which has the status "created",
a certain user can choose the button 'reject' in the tab "control data".
In PFCG, for the authorization object A_IMA_BUK I can't exclude that activity.
Could anyone help me?
Thanks

Use Substitution for passing it from level 1 to below WBS:
Prerequisite:
PROJ-PROFL = 'ABC' AND PRPS-STUFE >= '1'
Substitute
PRPS-ASTNR = " A"
PRPS-VERNR = "B"
This will help for Person Responsible and Application Number.
However for Partner function you have to use Exit and write code.
Thanks
Sarang -
Avoiding null and duplicate values using model clause
Hi,
I am trying to use model clause to get comma separated list of data: following is the scenario:
testuser>select * from test1;
ID VALUE
1 Value1
2 Value2
3 Value3
4 Value4
5 Value4
6
7 value5
8
8 rows selected.
the query I have is:
testuser>with src as (
2 select distinct id,value
3 from test1
4 ),
5 t as (
6 select distinct substr(value,2) value
7 from src
8 model
9 ignore nav
10 dimension by (id)
11 measures (cast(value as varchar2(100)) value)
12 rules
13 (
14 value[any] order by id =
15 value[cv()-1] || ',' || value[cv()]
16 )
17 )
18 select max(value) oneline
19 from t;
ONELINE
Value1,Value2,Value3,Value4,Value4,,value5,
what I find is that this query has duplicate value and null (',,') coming in as data has null and duplicate value. Is there a way i can avoid the null and the duplicate values in the query output?
thanks,
Edited by: orausern on Feb 19, 2010 5:05 AM

Hi,
Try this code.
with
t as ( select substr(value,2)value,ind
from test1
model
ignore nav
dimension by (id)
measures (cast(value as varchar2(100)) value, 0 ind)
rules
( ind[any]= instr(value[cv()-1],value[cv()]),
value[any] order by id = value[cv()-1] || CASE WHEN value[cv()] IS NOT NULL
and ind[cv()]=0 THEN ',' || value[cv()] END
)
)
select max(value) oneline
from t;
SQL> select * from test1;
ID VALUE
1 Value1
2 Value2
3 Value3
4 Value4
5 Value4
6
7 value5
8
8 ligne(s) sélectionnée(s).
SQL> with
2 t as ( select substr(value,2)value,ind
3 from test1
4 model
5 ignore nav
6 dimension by (id)
7 measures (cast(value as varchar2(100)) value, 0 ind)
8 rules
9 ( ind[any]= instr(value[cv()-1],value[cv()]),
10 value[any] order by id = value[cv()-1] || CASE WHEN value[cv()] IS NOT NULL
11 and ind[cv()]=0 THEN ',' || value[cv()] END
12 )
13 )
14 select max(value) oneline
15 from t;
ONELINE
Value1,Value2,Value3,Value4,value5
SQL> -
How to set text resources avoiding automatic page update with c:set tag
Hello everyone,
I'm developing my web application with JDeveloper 11.1.2.3.0 in order to support two language locales (en and de). Following this guide I've performed the following steps:
Creation of two property files (Resources.properties and Resources_de.properties) with the key-value entries;
Modify of faces-config.xml file adding these lines:
<locale-config>
<default-locale>en</default-locale>
<supported-locale>de</supported-locale>
</locale-config>
<resource-bundle>
<base-name>view.Resources</base-name>
<var>res</var>
</resource-bundle>
In the project properties > Resources Bundle I've checked:
Automatically Synchronize Bundle;
Warn about Hard-coded Translatable Strings;
Always Prompt for Description.
In the same place I've set the default project bundle name to view.Resources.
In a test JSP page I've a outputText with the value #{res['HELLOWORLD']} where HELLOWORLD is the key in the property files. All works fine, and the correct string is shown based on locale browser settings.
Anyway, when I use the "Select Text Resources..." menu in any text value choosing a value from the default property file, JDev automatically adds the following tag:
<c:set var="customuiBundle" value="#{adfBundle['view.ViewControllerBundle']}"/>
setting the value of the text in #{ViewControllerBundle.HELLOWORLD}.
There is a way to avoid this behavior? Can I manage the resources in a different way? I would to choose a value from the list in order to get the res.KEY value instead of ViewControllerBundle.KEY value.
Thanks in advance for your help.
Manuel

Don't select from menu - go to source and write it. The problem with the tools is they have a certain way of doing things and don't think we should spend time customizing jdeveloper rather concentrate on the work in hand.
-
Can a BIG form be served up one page at a time to avoid long load time?
Tricks I have read for optimizing the load time of large forms are not helping. Linearization causes the first page to render quickly, but you can't interact with the fields until the whole form finishes loading -- no help there. Is there a way to break the form into pages (without creating entirely separate forms) so the user can fill out a page, hit a Next Page button, fill out that page, etc.? Understood that this is an old school idea, but until Reader can download a 1+ MB form in less time than it takes an average user to get ticked off, old school might do the trick.
Alternatively, is there a way to construct a form so you can start interacting with it without having to wait for it all to load? This question comes from the (uninformed) assumption that maybe there are forward references that can't be satisfied until all the bits have come over the wire. If that's right, can a multipage form be architected so as to avoid this problem?

No that technology does not exist yet. There are form level events that need to have the entire document there before they can fire. Also you would have to keep track of where you are so that would mean some sort of session information for each user.
-
To avoid writing database code in the front end
Hello,
I am working on a database application using 10g database as backend and dotnet as front end. I wish to execute only oracle stored procedure for all the select (to avoid hard parse and use of bind variable), DDL and DML operations; just to avoid writing database code in the front end. Can anyone please give me a little examples of :
1.Select query's output to be return as resultset by stored procedure.
2.DML example by stored procedure.
3.Any DDL example by stored procedure.
using scott.emp, so that i would just call the stored procedure, rather than giving select,DML and/or DDL commands in the front end. Even though i have read in the documentation, but a clear cut examples will help me to get into clear concept as well.
Thanks & Regards
Girish Sharma

Hi...
-->Select example
create or replace procedure get_emp(rc out sys_refcursor)
is
begin
    -- return the result set to the caller through a ref cursor
    open rc for select * from emp;
end;
/
-->DML example
create or replace procedure do_dml_emp(pempid in number,
                                       pempname varchar2,
                                       result out number)
is
begin
    -- scott.emp names these columns empno and ename; the parameters are bound, not concatenated
    insert into emp(empno,ename) values(pempid,pempname) returning empno into result;
exception
    when others then
        result:=-1;
end;
/
-->DDL example
create or replace procedure ddl_emp(colname varchar2,
                                    coltype varchar2,
                                    result out number)
is
begin
    result:=-1;
    -- Oracle syntax is ALTER TABLE ... ADD (no COLUMN keyword);
    -- colname and coltype are concatenated into the statement as passed in
    execute immediate 'alter table emp add ' || colname || ' ' || coltype ;
    result:=1;
end;
/
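
A hardened variant of the DDL example above, added here as an illustration and not part of the original reply. DDL cannot take bind variables, so a procedure that the front end calls with free-text column names and types has to validate both before concatenating them. The procedure name add_emp_column, the parameter names and the list of allowed types are assumptions, and the code assumes the DBMS_ASSERT package is available in the database release in use.

```sql
-- Added example (hypothetical names): dynamic DDL with validated inputs.
create or replace procedure add_emp_column(
    p_colname in  varchar2,
    p_coltype in  varchar2,
    p_result  out number)
is
    l_col  varchar2(130);
    l_type varchar2(30);
begin
    p_result := -1;

    -- simple_sql_name raises ORA-44003 unless the input is a single valid
    -- SQL identifier, so extra tokens after the name are rejected.
    l_col := dbms_assert.simple_sql_name(p_colname);

    -- The data type is never taken from the caller verbatim: the request
    -- is mapped onto a fixed list (this list is an assumption).
    l_type := case upper(trim(p_coltype))
                  when 'NUMBER'   then 'NUMBER'
                  when 'DATE'     then 'DATE'
                  when 'VARCHAR2' then 'VARCHAR2(100)'
              end;   -- no match yields NULL
    if l_type is null then
        raise_application_error(-20001, 'Unsupported column type');
    end if;

    -- DDL commits implicitly, so any pending DML in the calling
    -- transaction is committed along with it.
    execute immediate 'alter table emp add (' || l_col || ' ' || l_type || ')';
    p_result := 1;
end add_emp_column;
/

-- Constructed test calls: one accepted, one rejected.
set serveroutput on
declare
    l_result number;
begin
    add_emp_column('bonus', 'number', l_result);
    dbms_output.put_line('bonus: ' || l_result);

    begin
        -- not a single identifier, so simple_sql_name refuses it
        add_emp_column('bonus date, extra', 'date', l_result);
    exception
        when others then
            dbms_output.put_line('rejected: ' || sqlerrm);
    end;
end;
/
```

Granting the application account EXECUTE on this procedure only, without ALTER on the table, keeps the schema change limited to what the procedure allows.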