Basis Team Composition / Roles and Responsbilities

Similar Messages

• Roles and Responsbilites

  Dear Guru's,
  I am Srini and am a Basis Consultant working last 3 years.Now i would like learn
  XI Administration.
  Can anybody provide me the details:
  1.What are all the roles and responsbilites handled by XI Administrator.
  2.I have one exmple,I have one SAP system and one Business system and one CRM system and one NOn SAp system.How can i configure or conectivity between these systems using SAP XI.
  Please anybody help on this.
  Regards,
  Venkat.

  Hi,
  <i>
  1.What are all the roles and responsbilites handled by XI Administrator.</i>
  >>>The answer is it depends on the Customer to Customer and their SLAs.
  Some are:
  - Installation and post installation steps + configuration
  - Upgradation
  - J2EE engine admin
  -Queue Administration
  -SLD/Logical system , SM59 entry maitenance
  -Transportation- path setup etc
  -Backup/Archiving of messages
  For more: Basis activites for XI
  <i>2.I have one exmple,I have one SAP system and one Business system and one CRM system and one NOn SAp system.How can i configure or conectivity between these systems using SAP XI.</i>
  Refer this configuration guide :
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ac6de690-0201-0010-54ac-8923089dcc97
  Hope this helps,
  Regards,
  Moorthy

• Sap-abap Technical Team Leader Roles and Responsibilities

  Can u give  me Sap-abap Technical Team Leader Roles and Responsibilities.

  Yes I can, but I don't think I'll share my experience with you.
  Here's a tip for you though, how about only applying for jobs you are skilled at and not try to lie yourself into a job.
  Warm regards, Rob Dielemans

• SD Customization team member --Role and Profile

  Dear All,
  I want to assign the roles to our SD customize person. Please tell me which role i should give him so that he can only customize its own area (SD). Same issue for FI customize person.
  Currently i gave sap_all to them and they disturb each other work.
  Thanks
  UsmanRana

  HI Usman,
  Check this site.
  http://sapecc.com/sox_sod/sod_matrix_sd.htm
  In the SOD matrix, the list of transactions atre listed for each responsibility. You can create single roles for each responsibilitry and assign it to your SD consultant.
  I am sure u would be aware of the procedure for creation of roles via PFCG transaction.
  Br,
  Sri
  Award points if helpful.

• Identifying Duplicate Roles and Traching Composite Role Assigned to the Use

  Dear Friends,
  I am novice to this website even after browsing for past 3 months. This website is so useful and huge with so many forums. I am lost many times where to post this questions. there is not a single SAP Security Forum or Basis/Security related forum. Can anyone direct me to the right forum or if there is no Security Forums, can anyone  direct me how to start new Forum so that all security related discussions and knowledge sharing takes place. I am requesting the Moderators of this website to direct me to the right forums.
  we have around 2000 users in Production. We assign Composite roles and single roles to all users. Sometime we use SECATT or LSMW to update User Master Data to Assign some Roles that are ALREADY assigned to the users. I have 2 questions. If there any way to clean up this mess. I mean Identifying all users who have these Duplicate Roles with Different Validity Dates. I am sure SUIM can not help me as I research a lot on this. I appreciate if anyone can direct me with some solution in this cleanup process. I mean some SQL or SAP Query will help me i guess. Any suggestions are greatly appreciated.
  My Second Question is Tracking Composite Role/User Assignment Changes. We had assigned some Composite roles to the user 3 months ago and deleted last week. when i check SUIM change documents, It does not show Composite Role history. It is Displaying all single roles that are assigned and deleted later. BUT It never showed any information on Composite Role Additions or Deletions in User Change Documents. I hope SUIM is not going to help. I still need to go to many places or write any Good SQL and execute them.
  Is anyone had written this Utility SQL programs for cleanup of roles/users in the SAP. Is there any way to check or debug this issue, going to see any tables that monitor these changes. I appreciate if can one can share this knowledge to resolving this issues.
  any ideas and suggestions are welcome.
  Thanks
  Kumar

  Satish,
  Please post this in the SAP NetWeaver Administrator Forum and close this thread here.
  SAP NetWeaver Administrator
  Regards,
  Ravi

• Add a single role to different composite roles in one step

  Hello everybody,
  I am working on SAP authorizations, and we often have the situation that a new Tcode is developed and a new role for this Tcode needs to be created.
  Than this new role needs to be added to many different composite roles (sometimes more than 100). At the moment I enter the single role to the composite role and regenerate the menu and this one by one. After that I add them with PFCG_MASS_TRANSPORT to my transport request.
  I don't want to believe that there is no easier way. Any ideas?
  Thank you
  Flo

  Hi Soma,
  great to find a place to be welcome..Thanks
  What you wrote definitely makes sense, but we agreed that every user only gets one composite role assigned and this composite role contains all single roles needed for his job. We do not assign single roles to users.
  The requirement is that every finance guy should get access to it (by the way, it is a report) unfortunately we have many different sites and may different composite roles for the different positions in the finance area.
  And I did not identify a role which is part of every composite role in the finance area, so I would either have to add it to the most common role present in these composite roles and additionally create a new role which gets assigned to the composite roles where I add the T-Code to is not present.
  -> In this example I would add one T-Code to two roles. Which our security manager disallowed me...
  or make this role available in all finance composite roles, which will give these employees access to other T-Codes which are part of the role but which they should not receive.
  -> Which again... our security manager disallowed me...
  So the only solution I imagined was to create a new role which contains this T-Code and to add this role one by one to every composite role.
  And at the end, your concept is also taken into account because the design of this role is open and if we get a new reporting T-Codes which again need to be added to all Finance guys, I definitely add it to this role
  Comments?
  Cheers
  Florian

• Transport roles and analysis authorization with user assigned

  Hi expert,
  I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
  Thanks for your time,
  Luis

  Hi,
  In role administration, you have the following options for transporting roles:
  You can download the roles from one system and upload them into another  
  You can import the role from a remote system using RFC  
  You can transport the roles with the transport function.
  Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
  Transporting Roles with the Role Transport Function
         1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
         2.      Enter the role to be transported and choose Transport Role.
  The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
  You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
  For more information go thrpugh the below link
  http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
  Regards,
  Marasa.

• Get child users of composite role

  Hello
  There is FM (ESS_USERS_OF_ROLE_GET ) which bring all user of roles but what i want it's more complicated
  IF there is composite role i want to get all the user that in the roles under the composite role .
  Let say i have composite role with two roles inside (in the role tree ) .
  Composite role
  user1"this is the users of the composite role
  user2
  user3
  Role number  1
  user4
  user7
  user9
  Role number 2
  user 8
  user 5
  user7
  user6
  What i want is to get all the users of the composite role  and the child  role (which is parent ) .
  which is .
  users 1 - 9.
  I read some previous post on this issue in the forum but what I need is to use just this FM without access  to the DB
  table such as T_AGR_AGRS and COLL_ACTGROUPS_GET_ACTGROUPS ,
  What i need to do is recursive call on  the FM ESS_USERS_OF_ROLE_GET  .
  Regards
  Joy
  Edited by: Joy Stpr on Aug 23, 2009 8:50 AM

  Hello Joy,
  How is it possible to use just function module ESS_USERS_OF_ROLE_GET to get data without DB access?
  I mean this function module takes input as Simple/Composite ROLE so you have to have some list maintained
  which will be input for this function module.
  I think you can load composite and simple role in table and loop at it to make calls to function module ESS_USERS_OF_ROLE_GET to get users for compsite/simple roles.
  Some input has to be there, That's what I feel.
  Check if this helps!
  Thanks,
  Augustin.

• Assign single role to composite role with alternate logsys assignments

  Dear gurus,
  In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
  Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
  But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
  Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
  Cheers,
  Julius

  Hi Martin and others,
  I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
  While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
  Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
  You also dont see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send aditional Idocs for these single roles with targets assigned to the roles and not the user.
  There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
  That is a bit of a bummer because it means that you also cannot ever test anything...
  Did anyone ever try to actually use this?
  Cheers,
  Julius

• SECATT to create a composite role

  hello,
  until now i was using secatt with succes to create composite roles.
  but i now have to create composite roles with a lot of included simples roles.
  and i have this problem : when i try to add more than 11 simples rôles to my composites roles, it doesn't works.
  i think it's problem related to scrolling but i cannot see how to resolve it.
  thanks for your help
  best regards

  JEROME TOCANNE wrote:
  > hello,
  >
  > until now i was using secatt with succes to create composite roles.
  >
  > but i now have to create composite roles with a lot of included simples roles.
  >
  > and i have this problem : when i try to add more than 11 simples rôles to my composites roles, it doesn't works.
  >
  > i think it's problem related to scrolling but i cannot see how to resolve it.
  >
  > thanks for your help
  >
  > best regards
  SECATT reads your source file sequentially, one line at a time.  Design your script to read each line with the name of the composite role then on the same line the simple role that needs to be added.  With this design you can add 1 or 20 simple roles on a composite role.  You might need two scripts to make it simpler, one to create the composite role and the other to add the simple role to the composite.
  Good luck!

• A Composite Role

  I am not able to find "Design Engineer role" from the Business contents of the BW release 3.5/Netweaver 4.0. According to a SDN document, this role can be reached under the "Composite Roles" and the Logistics/Supply chain application. Its technical name is SAP_WP_DESIGN_ENGINEER. Thanks. - DBSS
  Message was moved from SDN Content Suggestion Forum. Edited by:
  Anand Mandalika.

  Are you sure that this is a BW role and not an R/3 one ?

• Not able to assign Composite Role to Position

  Hello All,
             I am facing following problems.
  1) The user is Not able to see Create Report Links, when i checked the Composite Role in PFCG i found that the in USER Tab Organizational Tab was yellow, i did Indirect Reconcillatin in Organizational Tab and then it went GREEN, then i did User Comparision.
  I got this Message
  "You do not need to perform Prfile Comparision for role " Role Name".
  and the Position was removed.
  2) Now i am Trying to assing the Role to Position, i am not even able to assign it and the User id is not coming under User id  list.
  Please suggest.
  Thanks,
  CB

  @Point#1: It could be that user master is already compared for your composite role and no further comparison is required. To double check you might just run the comparison again via tcode PFUD or report RHAUTUPD_NEW
  @Point#2: For indirect assigment to position make sure organization management is active in your system (the switch HR_ORG_ACTIVE is set in the table PRGN_CUST to YES).
  Thanks
  Sandipan

• BPC Team memnbers - Composition and Roles and Responsibilities

  Hello
  We are a large global consumer products company embarking on our BPC 7.5 (NW version)  implementation (Big Bang) - Planning and Consolidation implementation worldwide. Are there any guidelines or "best" practices for how the team should be built ..??
  What is the balance between Business and IT members and what would be the roles and responsibilities of each member??
  We realize that this is different in each case (and also quite different from a typical SAP ERP implementation) hence we are very anxious / eager to find out the experiences out in the market of folks who've done this before and would also like to get a list of "watch-outs" or points to consider before / during and after the implementation is over to engage the right resources to sustain the implementation. Our Primary quest right now is to get a good idea of the roles and responsibilites of the implementation team for BP&C..
  thanks
  Ram

  Hello
  We are a large global consumer products company embarking on our BPC 7.5 (NW version)  implementation (Big Bang) - Planning and Consolidation implementation worldwide. Are there any guidelines or "best" practices for how the team should be built ..??
  What is the balance between Business and IT members and what would be the roles and responsibilities of each member??
  We realize that this is different in each case (and also quite different from a typical SAP ERP implementation) hence we are very anxious / eager to find out the experiences out in the market of folks who've done this before and would also like to get a list of "watch-outs" or points to consider before / during and after the implementation is over to engage the right resources to sustain the implementation. Our Primary quest right now is to get a good idea of the roles and responsibilites of the implementation team for BP&C..
  thanks
  Ram

• Stopping user compare when saving composite roles in 4.6c basis pack 25?

  One of the environments I look after is a 4.6c system with basis pack 25 – they can’t upgrade as it breaks a great deal of very heavy customisation in that system.
  We have encountered an issue with the saving of composite roles in that system - when a role is saved we must sit through a very long period of “user distribution in role XXX” while the system performs a user compare of every singular role in that composite role.  This is very painful as it can take nearly half an hour simply to save the composite role – we then need to rebuild the menu and compress it (we use the composite role’s menu structure).  The odd thing is that this behaviour wasn’t apparent for many years – it suddenly started happening about 2-3 years ago to a previous administrator but he wasn’t aware of any changes going through, it just began to force these lengthy compares on him when saving composites.
  I’ve tried in vain to disable this forced compare on every save – I’ve tried the PRGN_CUST modifications including adding the lines “AUTO_USERCOMPARE” with a value of “NO” and “USRCOMPARE_PFUD” with a value of “YES” to try and stop the profile generator from doing this but to no avail.  Unless these settings need a restart of the system to take effect (do they?) I’m at a loss to find any other options.
  The menu setting in the profile generator of “automatic user master adjustment when saving role” is switched off – though setting “auto_usercompare” seems to have broken the ability to bring up the “settings: role maintenance” dialogue box anyway.
  We have a very large number of roles to modify and would be grateful if anyone could offer any advice here.
  Thanks
  DT

  the problem with your issue is that none of use can reproduce that phenomenon, since none of use has that combination of primal release/support package level at hand any longer (at least i think so). so there's only two options left to you:
  first: update this special application until the problem goes away - do so by adding note after note on the very subject, like the one i mentioned plus [905924|https://websmp130.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=905924&nlang=EN&smpsrv=https%3a%2f%2fwebsmp107%2esap-ag%2ede] plus [662484|https://websmp130.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=662484&nlang=EN&smpsrv=https%3a%2f%2fwebsmp107%2esap-ag%2ede] and stop only when you hit one that is not implementable using SNOTE but only by implementing a support-package -> this will obviously be the point where you're stuck then.
  (and yes - for the sake of rob burbank: there are several other ways to implement corrections aside from SNOTE).
  second: open a call with SAP. mind you, this might become a lenghty one since they will also give you note after note ...
  as i said, i'm pretty sure no one in here can help you doing a proper analysis anymore (but maybe i'm wrong).
  anyone - any other (better) suggestions?

• SAP Roles and Access for SAP Implementation team members

  Hi,
  Is it correct practice to give SAP_ALL role access for all SAP Implementation team members in Dev and QA?
  If not, what is the correct practice?
  Kindly let me know

  Madhu,
  It is NOT correct practice to give anyone SAP_ALL in any of the systems; not DEV, not QAS, and certainly not PRD. However, many implementation teams (and particularly consultants from SIs) insist that they cannot possibly do their jobs without it. This is completely incorrect as there are specific roles for them to use for that purpose. The only circumstance where it could be justified is if you require a special "firefighter" role - and even then, I would still be a bit doubtful.
  You should also consider that once you have given someone SAP_ALL, they will fight tooth and nail to keep it. It also means that they probably are not testing the user roles correctly. Most of those that insist they need it simply do not understand the security issues and probably don't care.
  Just think; if they have access to do soemthing that they shouldn't and then cause a big problem, are they the ones that will have to fix it or are they going to expect you to do it? If they expect you to clear up after them, then you have the right to insist on restricting their access to cause issues in the first place.
  But I know just how demanding they can be....
  Best of luck
  Tony