Best Practice for ESS/MSS role customization

Hi,
I would like to know the best practice for role customization for the ESS/MSS business package. For example, if my company does not want to use some of the worksets, like working time, travel, etc., what is the best practice for this scenario?
anEEZ

Hi Aneez,
This is the link for complete best practices on NetWeaver
http://help.sap.com/bp_epv260/EP_EN/index.htm
Browse the Business scenarios, you will find what you are looking for.
Now, these ones are specific for ESS and MSS
http://help.sap.com/bp_epv260/EP_EN/html/EP/N26_ESS.htm
http://help.sap.com/bp_epv260/EP_EN/html/EP/N27_MSS.htm
Hope this helps,
Kumar
P.S Reward Points for useful answers.

Similar Messages

  • Best practice for standard security role

    Hi, I'd like to know which is the best practice for standard role use, some people tell me that a standard role should never be used, that a copy must be made and assign the users to the copy, but then, why should SAP bother creating the standard role?

    They are provided as a template for you, and you can copy them into a different namespace and make changes there before generating the profiles and authorizations.
    Why you should use a copy of them is because SAP will also update them sometimes. If transactions change in the standard menus with SP's and upgrades, then you will find them in transaction SU25.
    If you do a search on "standard AND roles" in the SDN then you will also find more detailed infos and opinions on the use of them.
    Cheers,
    Julius

  • Best Practice for Customization of ESS 50.4

    Hi,
    We have implemented ESS 50.4 on EP 6.0 SP 14 and R3 4.6C. I want to know what is the best practice for minor modification of an ESS transaction. For example: I need to hide the change button in the Personal information screen.
    Please let me know.
    PS : Guaranteed award points
    Aneez

    @Aneez
       "Best Practice" is just going to be good ole' ITS custom development. All the "old" ESS services are all ITS based. What can not be done through config is then done by developing custom version of the ESS services. For what you describe (ie. the typical "hide a button" scenario) it is simply a matter of:
    (1) create custom version(ie. "Z" version) of the standard service. The service file will still call the same backend transaction via the ITS parameter ~transaction.
    (2) Since you are NOT making changes that require anything changed on the backend transaction (such as adding new fields, changing business logic, etc) you are lucky to ONLY have to change the web templates. Locate the web template in your new custom service file that corresponds to the screen in the transaction where the "CHANGE" button appears. The ITS naming convention for web templates is <sapprogramname>_<screennumber>.
    (3) After locating the web template that corresponds to your needed screen, simply locate in the HTMLb where the "CHANGE" button code is and comment it out. Just that easy!
    (4) Publish your new customized service and test it out directly through ITS. ie. via the direct URL to it: http://<yourdomain>/scripts/wgate/<yourservice>!
    (5) once you see that it works, you can then make an iView for it in your portal (or simply change the iView you have to now point to your custom ITS service).
    LOTS and LOTS more info on ITS development all around this site and in the ITS specific forum.
    Hope this helps!
    Award points or save them...I really don't care. I think the points system here is one of the dumbest ideas since square wheels. =)

  • Portal Design - Best Practices for Role and Workset Tab Menu

    We are looking to identify and promote best practices in SAP Portal Design. 
    First, is there a maximum number of tabs which should exist on the highest level tab menu, commonly called the role menu?  Do a large number of tabs on this menu cause performance issues?  Are there any other issues associated with a large number of tabs on this menu?
    Second, can the workset tab menu be customized to be 2 lines of tabs?  Our goal is to prevent tab scrolling.
    Thanks

    Debra,
    Not aware of any performance issues with the number of tabs in the Level 1 or 2 menus, particularly if you have portal navigation caching enabled.
    From an end user perspective I guess "best practice" would be to avoid scrolling in the top level navigation areas completely if possible.
    You can do a number of things to avoid this, including:
    - Keep the role/folder/workset names as short as possible.
    - If necessary break the role down into multiple level 1 entry points to reduce the number of tabs in level 2.
    An example of the second point would be MSS.  Instead of creating a role with a single workset (i.e. level 1 tab), we usually split it into two folders called something like "My Staff" and "My Finance" and define these folders as entry points.  We therefore end up with two tabs in level 1 for the MSS role, and consequently a smaller number of tabs in level 2.
    Hope that helps......
    Regards,
    John

  • Best Practice for BEX Query "PUBLISH to ROLE"?

    Hello.
    We are trying to determine the best practice for publishing BEX queries/views/workbooks to ROLEs. 
    To be clear of the process I am referring: from the BEX Query Designer, there is an option QUERY>PUBLISH>TO ROLE.  This function updates the user menu of the selected security role with essentially a shortcut to the BEX query.  It is also possible to save VIEWS/WORKBOOKS to a role from the BEX Analyzer menu.  We have found ROLE menus to be a good way to organize BEX queries/views/workbooks for our users. 
    Our dilemma is whether to publish to the role in our DEV system and transport to PROD,... or if it is ok to publish to the role directly in the PROD system.
    Publishing in DEV is not always possible, as we have objects in PROD that do not exist in DEV. For example, we allow power users to create queries directly in PROD.  We also allow VIEWS and WORKBOOKS to be created directly in PROD.  It would not be possible to publish types of objects in DEV. 
    Publishing in PROD eliminates the issues above, but causes concerns for our SECURITY team.  We would be able to maintain these special roles directly in PROD.
    Would appreciate any ideas, suggestions, examples of how others are handling this BEX publish-to-role process.
    Thank you.
    -Joel

    Hi Joel,
    Again, as per the best practices, nothing is to be created in PRD; even if we create them in PRD for power users, it's assumed to be temporary and can be deleted at any time.
    So if there are already deviations then you can go for deviations in this case as well, but it won't be the best practice. Also, in a few cases we have workbooks created in PRD as they couldn't be created in DEV due to various reasons... in such cases we did not think of best practice; we had raised an OSS on this as well.
    In our project, we have done everything in DEV and transported to PRD; in case there were any very minor changes at query level, we have done them in PRD and immediately replicated the same in DEV so that they are in sync.
    rgds
    SVU

  • Best practice for promoting roles

    I would like to know what is the best practices for promoting Administrative and/or normal Roles between environments. If I make a change to the capabilities of a role, I'd rather not create a whole new build if I didn't have to. Would exporting from debug, and importing via 'lh import' suffice, or is there an easier/better method?
    Thanks

    Hello,
    I'd ask in the Windows forum on Microsoft Community.
    Karl
    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
    My Blog:http://unlockpowershell.wordpress.com
    My Book:Windows PowerShell 2.0 Bible
    My E-mail: -join ('6F6C646B61726C40686F746D61696C2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})

  • Best Practice for Portal Patches and effort estimation

    Hi,
    One of our clients is applying the following patches
    1. ECC 6.0 SP15 (currently SP14)
    2. ESS MSS SP15 (currently SP14 with some level of functional customization)
    3. EP 7 SP18 (currently SP14)
    We would like to know the best practice for applying portal patches and the effort estimation for redoing the portal development on the new patch.
    o   What is the overall level of effort with applying Portal patches?
    o   How are all the changes to SAP objects handle?  Do they have to be
         manually re-entered?
    o  What is the impact of having a single NWDI instance across the
        Portal Landscape during the Patch process?
    Regards,
    Revathi Raju.

    Hi Revathi,
    o What is the overall level of effort with applying Portal patches?
    Overall effort to apply the patch is approx. 1/2-1 days for an NW7 system. This excludes the patch file download because that depends on your download speed.
    o How are all the changes to SAP objects handle? Do they have to be
    manually re-entered?
    Depending on your customization. Normally it won't be affected if you created the customized application separately from the SAP standard application.
    o What is the impact of having a single NWDI instance across the
    Portal Landscape during the Patch process?
    Any change that is related to NWDI, you might need to redeploy from NWDI itself.
    Thanks
    Regards,
    AZLY

  • Transport for ESS / MSS

    Hi,
    We have installed ECC 6.0 and we are trying to install WAS Java 7.0 and EP 7.0 (NW 04s SR1). We also wanted to go for the ESS/MSS version which is compatible with NW 04 SR1. We have Dev/QA/Prod environments. My questions are
    1) Once we install the ESS/MSS business package on the Dev environment, what is the best practice for transport? Or do we need to install the business package individually on DEV/QA/PROD first?
    Jayant

    Jayant,
    you have to install all XSS-components on all 3 machines
    for the BPs I would do it like this:
    - install (deploy) all BPs on all 3 machines
    - create own roles, iviews, pages that are derived from standard objects (via delta links) in the DEV portal and create a transport package to import it in Q and P.
    kr, achim

  • Best practices for apps integration with third party systems ?

    Hi all
    I would like to know if there is any document from oracle or from your own regarding best practices for apps integration with third party systems.
    For example, in particular, let's say we need customization in a given module(ex:payables) need to provide data to a third party system, consider following:
    outbound interface:
    1)should third party system should be given with direct access to oracle database to access a particular payments data information table/view to look for data ?
    2) should oracle create a file to third party system, so that it can read and do what it need to do?
    inbound:
    1) should third party should directly login and insert data into tables which holds response data?
    2) again, should third party create file and Oracle apps will pick up for further processing?
    again, there could be lot of company specific scenarios like it has to be real time or not... etc...
    How do companies make sure third party systems are not directly dipping into other systems (oracle apps/others), so that it will follow certain integration best practices.
    how will enterprise architecture play a role in this? can we apply SOA standards? should use request/reply using Tibco etc?
    Many oracle apps implementations customizations are more or less directly interacting with third party systems by including code to login into respective third party systems and vice versa.
    Let me know if you have done differently and that would help oracle apps community.
    thanks
    rrb.

    you want to send idoc to third party system (NONSAP).
    what kind of system is it? can it handle http requests
    or
    can it handle webservice?
    which version of R/3 you are using?
    what is the mechanism the receiving system has, to receive data?
    Regards
    Raja

  • Custom ESS/MSS ROLE under ADMINISTRATION workset  - How to approach?

    HI
    Dear
    ESS/MSS Experts,
    We have a requirement with our client for a custom development ESS/MSS ROLE under ADMINISTRATION workset for the functionality.
    ADMINISTRATION(workset)
    This workset provides administrative information regarding an employee. The services available under this workset are:
    INBOX (service) under ---> This service will show the SAP inbox for an employee. The details shown on the screen are,
    •     Inbox
    •     Outbox private
    •     Shared
    •     Resubmission
    •     Trash
    How can I implement this in the portal...
    I am a new Portal consultant, so kindly please help me; it would be very helpful.
    Regards,
    Rafi Shaik

    By inbox you meant UWL, i.e. Universal Worklist.
    First, note that SAP provides standard roles; you can copy one to a Z role, modify it accordingly, and remove the roles as required.
    For ESS, the standard composite role is SAP_EMPLOYEE_ERP. You can make a Z copy of this role and customize it per your needs.
    http://help.sap.com/erp2005_ehp_04/helpdata/EN/a4/93554056bd1f24e10000000a1550b0/frameset.htm
    There is no standard role provided for MSS applications. You will need to build one as per your needs.
    See SAP Note 844639 for more details.
    http://help.sap.com/erp2005_ehp_04/helpdata/EN/a4/93554056bd1f24e10000000a1550b0/frameset.htm
    https://www.sdn.sap.com/irj/scn/wiki?path=/display/bpx/uwl+faq

  • I need step-by-step procedure for ESS/MSS Security??

    Hi, I need a step-by-step procedure for ESS/MSS security. I know Structural Authorization, but I don't know how this ESS/MSS security is. Could you please help me with any step-by-step notes of your own? Please, I don't want any best practices from help.sap.com. I have already gone through those links, but I didn't get how to maintain security for ESS/MSS.

    Hi @mehdijon 
    I can help. There is no full feature software and driver available from HP, but the OS X v10.9 Mavericks driver for your printer is available through Apple Software Update (ASU).
    With this driver you can still print and scan, you just won't have HP software to scan from. Scanning to the computer from the printer control panel is only available when using HP Scan software, thus it will not work because there is no HP scan software as a part of the Apple Software Update driver.
    Instead, you can scan using,
    Method one: Scan from the Print & Scan window   
    Method two: Scan from Apple Preview
    Method three: Scan from Apple Image Capture 
    I hope this helps. If you have any additional questions or have any difficulty using any of these methods, please let me know what method you are trying and what the issue/error is. You may also find the following document helpful: OS X v10.9 Mavericks: Installing and Using the Printer on a Mac
    Please click the Thumbs up icon below to thank me for responding.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Please click “Accept as Solution” if you feel my post solved your issue, it will help others find the solution.
    Sunshyn2005 - I work on behalf of HP

  • Best-practice for Catalog Views ? :|

    Hello community,
    A best practice question:
    The situation: I have several product categories (110), several items in those categories (4000) and 300 end-users.    I would like to know which is the best practice to segment the catalog.   I mean, some users should only see categories 10, 20 & 30.  Other users only category 80, etc.    The problem is how can I implement this?
    My first idea is:
    1. Create 110 Procurement Catalogs (1 for every prod.category).   Each catalog should contain only its product category.
    2. Assign in my Org Model, in a user-level all the "catalogs" that the user should access.
    Do you have any idea in order to improve this ?
    Saludos desde Mexico,
    Diego

    Hi,
    Your way of doing it will work, but you'll get maintenance issues (too many catalogs, and catalog links to maintain for each user).
    The other way is to build your views in CCM, and assign these views to the users, either on the roles (PFCG) or on the user (SU01). The problem is that with CCM 1.0 this is limited, because you'll have to assign the items one by one to each view (no dynamic or mass processes); it has been enhanced in CCM 2.0.
    My advice:
    -Challenge your customer about views, and try to limit the number of views, with for example strategic and non strategic
    -With CCM 1.0 stick to the procurement catalogs, or implement BADIs to assign items to the views (I experienced it, it works, but is quite difficult), but with a limited number of views
    Good luck.
    Vadim

  • Best practices for ARM - please help!!!

    Hi all,
    Can you please help with any pointers / links to documents describing best practices for "who should be creating" the GRC request in below workflow of ARM in GRC 10.0??
    Create GRC request -> role approver -> risk manager -> security team
    options are : end user / Manager / Functional super users / security team.
    End user and manager not possible- we can not train so many people. Functional team is refusing since its a lot of work. Please help me with pointers to any best practices documents.
    Thanks!!!!

    In this case, I recommend proposing that the department managers create GRC Access Requests.  In order for the managers to comprehend the new process, you should create a separate "Role Catalog" that describes what abilities each role enables.  This Role Catalog needs to be taught to the department Managers, and they need to fully understand what tcodes and abilities are inside of each role.  From your workflow design, it looks like Role Owners should be brought into these workshops.
    You might consider a Role Catalog that the manager could filter on and make selections from.  For example, an AP manager could select "Accounts Payable" roles, and then choose from a smaller list of AP-related roles.  You could map business functions or tasks to specific technical roles.  The design flaw here, of course, is the way your technical roles have been designed.
    The point being, GRC AC 10 is not business-user friendly, so using an intuitive "Role Catalog" really helps the managers understand which technical roles they should be selecting in GRC ARs.  They can use this catalog to spit out a list of technical role names that they can then search for within the GRC Access Request.
    At all costs, avoid having end-users create ARs.  They usually select the wrong access, and the process then becomes very long and drawn out because the role owners or security stages need to mix and match the access after the fact.  You should choose a Requestor who has the highest chance of requesting the correct access.  This is usually the user's Manager, but you need to propose this solution in a way that won't scare off the manager - at the end of the day, they do NOT want to take on more work.
    If you are using SAP HR, then you can attempt HR Triggers for New User Access Requests, which automatically fill out and submit the GRC AR upon a specific HR action (New Hire, or Termination).  I do not recommend going down this path, however.  It is very confusing, time consuming, and difficult to integrate properly.
    Good luck!
    -Ken

  • Best Practices for Setting up a Windows 2012 R2 STD Domain Controller in a Remote Site

    So I'm looking for an article or writeup similar to the "Adding Domain Controllers in Remote Sites" TechNet article but for Windows Server 2012 STD R2.  Here is my scenario:
    1.  I want to setup the domain controller at Site A where the primary domain controller is located.  The primary domain controller is Windows Server 2008 R2. 
    2.  Once the DC is setup I plan on leaving it on our network for a few days before shipping it to remote Site B for installation
    Other key items:
    1.  The remote Site B will have a different IP range than Site A but will be connected to Site A via a single VPN tunnel.  All the DCs that replicate with each other are on the same domain. 
    2.  The 2012 DC that I setup for Site B (same domain in same forest) will be a DHCP, DNS, and WSUS server all replicating to the primary DC at Site A
    Questions:
    1.  What items can I setup while it's at Site A without affecting or conflicting with the existing network and domain controller?  Can I setup a scope once the DHCP role is added? 
    2.  All of our DCs replicate through Sites and Services, do I have to manually add this to our primary DC for the new DC going to remote Site B?  Or when does this happen automatically when I promote the DC? 
    All and all I'm just looking for a list of Best Practices for 2012 or a Step by Step Guide.  Any help would be appreciated. 

    Hi,
    Thanks for your posting.
    When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology.
    For more and detail information, please refer to:
    Best Practices for Adding Domain Controllers in Remote Sites
    http://technet.microsoft.com/en-us/library/cc794962(v=ws.10).aspx
    Regards.
    Vivian Wang

  • Best Practice for Use of ABAP in Customizing SRM and/or CRM

    I was wondering if there is a document that defines best practices for the use of ABAP with the installation and customization of SRM and/or CRM.   Such as amount of ABAP coding typically required, and best practices around the use of ABAP for customization and configuration.
    Thanks.

    Hi, Johnson
    Sorry, Please don't mind, you are not at right place to ask the Question like this
    Please read "The Forum Rules of Engagement" before posting!  HOT NEWS!!
    Thanks and Regards,
    Faisal
