Best practice for promoting roles

Similar Messages

• Best practices for promotions to production

  My company's production environment is way to lose, I need to implement some controls. My analysts keep fouling up the production objects. Does anyone know of best practices for an organization rolling out production changes?
  thanks

  Yes you can. With SOA 11g, you can create deployment profiles to change poperties during deployment. You can also build your own deployment mechanism, as I did.
  http://orasoa.blogspot.com/2009/04/new-oracle-soa-build-server-osbs.html
  Marc

• Best practice for standard security role

  Hi, I'd like to know which is the best practice for standard role use, some people tell me that a standard role should never be used, that a copy must be made and assign the users to the copy, but then, why should SAP bother creating the standard role?

  They are provided as a template for you, and you can copy them into a different namespace and make changes there before generating the profiles and authorizations.
  Why you should use a copy of them is because SAP will also update them sometimes. If transactions change in the standard menues with SP's and upgrades, then you will find them in transaction SU25.
  If you do a search on "standard AND roles" in the SDN then you will also find more detailed infos and opinions on the use of them.
  Cheers,
  Julius

• Best Practice for ESS/ MSS role customization

  Hi ,
  I would want to know the best practice for role customization for ESS / MSS business package . For eg if my company does not want to use someof the workset like working time , travel etc , what is the best practice for this scenario .
  anEEZ

  Hi Aneez,
  This is the link for complete best practices on NetWeaver
  http://help.sap.com/bp_epv260/EP_EN/index.htm
  Browse the Busines scenarios, you will find what you are looking for.
  Now, these ones is specific for ESS and MSS
  http://help.sap.com/bp_epv260/EP_EN/html/EP/N26_ESS.htm
  http://help.sap.com/bp_epv260/EP_EN/html/EP/N27_MSS.htm
  Hope this helps,
  Kumar
  P.S Reward Points for useful answers.

• Best Practice for BEX Query "PUBLISH to ROLE"?

  Hello.
  We are trying to determine the best practice for publishing BEX queries/views/workbooks to ROLEs. 
  To be clear of the process I am referring: from the BEX Query Designer, there is an option QUERY>PUBLISH>TO ROLE.  This function updates the user menu of the selected security role with essentially a shortcut to the BEX query.  It is also possible to save VIEWS/WORKBOOKS to a role from the BEX Analyzer menu.  We have found ROLE menus to be a good way to organize BEX queries/views/workbooks for our users. 
  Our dilemma is whether to publish to the role in our DEV system and transport to PROD,... or if it is ok to publish to the role directly in the PROD system.
  Publishing in DEV is not always possible, as we have objects in PROD that do not exist in DEV. For example, we allow power users to create queries directly in PROD.  We also allow VIEWS and WORKBOOKS to be created directly in PROD.  It would not be possible to publish types of objects in DEV. 
  Publishing in PROD eliminates the issues above, but causes concerns for our SECURITY team.  We would be able to maintain these special roles directly in PROD.
  Would appreciate any ideas, suggestions, examples of how others are handling this BEX publish-to-role process.
  Thank you.
  -Joel

  Hi Joel,
  Again as per the Best Practices.Nothing to be created in PRD,even if we create them in PRD for Power users its assumed as temprory and can be deleted at any time.
  So if there are already deviations then you can go for deviations in this case as well but it wont be the Best Practice.Also in few cases we have workbooks created in PRD as they cud nt be created in DEV due to various reasons...in such cases we did not think of Best Practice ,we had a raised an OSS on this aswell.
  In our Project,we have done everything in DEV and transported to PRD,in case there were any very Minor changes at query level we have done in PRD and immedialtely replicated the same in DEV so that they are in SYNC.
  rgds
  SVU

• Best Practices for Setting up a Windows 2012 R2 STD Domain Controller in a Remote Site

  So I'm looking for an article or writeup similar to the "Adding Domain Controllers in Remote Sites" TechNet article but for Windows Server 2012 STD R2.  Here is my scenario:
  1.  I want to setup the domain controller at Site A where the primary domain controller is located.  The primary domain controller is Windows Server 2008 R2. 
  2.  Once the DC is setup I plan on leaving it on our network for a few days before shipping it to remote Site B for installation
  Other key items:
  1.  The remote Site B will have a different IP range than Site A but will be connected to Site A via a single VPN tunnel.  All the DCs that replicate with each other are on the same domain. 
  2.  The 2012 DC that I setup for Site B (same domain in same forest) will be a DHCP, DNS, and WSUS server all replicating to the primary DC at Site A
  Questions:
  1.  What items can I setup while it's at Site A without effecting or conflicting with the existing network and domain controller?  Can I setup a scope once the DHCP role is added? 
  2.  All of our DCs replicate through Sites and Services, do I have to manually add this to our primary DC for the new DC going to remote Site B?  Or when does this happen automatically when I promote the DC? 
  All and all I'm just looking for a list of Best Practices for 2012 or a Step by Step Guide.  Any help would be appreciated. 

  Hi,
  Thanks for your posting.
  When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology.
  For more and detail information, please refer to:
  Best Practices for Adding Domain Controllers in Remote Sites
  http://technet.microsoft.com/en-us/library/cc794962(v=ws.10).aspx
  Regards.
  Vivian Wang

• Best-practice for Catalog Views ? :|

  Hello community,
  A best practice question:
  The situtation: I have several product categories (110), several items in those categories (4000) and 300 end-users.    I would like to know which is the best practice for segment the catalog.   I mean, some users should only see categories 10,20 & 30.  Other users only category 80, etc.    The problem is how can I implement this ?
  My first idea is:
  1. Create 110 Procurement Catalogs (1 for every prod.category).   Each catalog should contain only its product category.
  2. Assign in my Org Model, in a user-level all the "catalogs" that the user should access.
  Do you have any idea in order to improve this ?
  Saludos desde Mexico,
  Diego

  Hi,
  Your way of doing will work, but you'll get maintenance issues (to many catalogs, and catalog link to maintain for each user).
  The other way is to built your views in CCM, and assign these views to the users, either on the roles (PFCG) or on the user (SU01). The problem is that with CCM 1.0 this is limitated, cause you'll have to assign one by one the items to each view (no dynamic or mass processes), it has been enhanced in CCM 2.0.
  My advice:
  -Challenge your customer about views, and try to limit the number of views, with for example strategic and non strategic
  -With CCM 1.0 stick to the procurement catalogs, or implement BADIs to assign items to the views (I experienced it, it works, but is quite difficult), but with a limitated number of views
  Good luck.
  Vadim

• Best practices for ARM - please help!!!

  Hi all,
  Can you please help with any pointers / links to documents describing best practices for "who should be creating" the GRC request in below workflow of ARM in GRC 10.0??
  Create GRC request -> role approver -> risk manager -> security team
  options are : end user / Manager / Functional super users / security team.
  End user and manager not possible- we can not train so many people. Functional team is refusing since its a lot of work. Please help me with pointers to any best practices documents.
  Thanks!!!!

  In this case, I recommend proposing that the department managers create GRC Access Requests.  In order for the managers to comprehend the new process, you should create a separate "Role Catalog" that describes what abilities each role enables.  This Role Catalog needs to be taught to the department Managers, and they need to fully understand what tcodes and abilities are inside of each role.  From your workflow design, it looks like Role Owners should be brought into these workshops.
  You might consider a Role Catalog that the manager could filter on and make selections from.  For example, an AP manager could select "Accounts Payable" roles, and then choose from a smaller list of AP-related roles.  You could map business functions or tasks to specific technical roles.  The design flaw here, of course, is the way your technical roles have been designed.
  The point being, GRC AC 10 is not business-user friendly, so using an intuitive "Role Catalog" really helps the managers understand which technical roles they should be selecting in GRC ARs.  They can use this catalog to spit out a list of technical role names that they can then search for within the GRC Access Request.
  At all costs, avoid having end-users create ARs.  They usually select the wrong access, and the process then becomes very long and drawn out because the role owners or security stages need to mix and match the access after the fact.  You should choose a Requestor who has the highest chance of requesting the correct access.  This is usually the user's Manager, but you need to propose this solution in a way that won't scare off the manager - at the end of the day, they do NOT want to take on more work.
  If you are using SAP HR, then you can attempt HR Triggers for New User Access Requests, which automatically fill out and submit the GRC AR upon a specific HR action (New Hire, or Termination).  I do not recommend going down this path, however.  It is very confusing, time consuming, and difficult to integrate properly.
  Good luck!
  -Ken

• Best Practice for Managing a BPC Environment?

  My company is currently running a BPC 5.1 MS environment and will soon be upgrading to version 7.0 MS.  I was wondering if there is a white paper or some guidance that anyone can give with regard to the best practice for managing a BPC environment.  Which brings to light several questions in my mind:
  1.  Which department(s) in a company should u201Cownu201D the BPC application? 
  2. If both, whatu2019s SAPu2019s recommendation for segregation of duties?
  3. What roles should exist within our company to manage BPC?
  4. What type(s) of change control is SAPu2019s u201CBest Practiceu201D?
  We are currently evaluating the best way to manage the system across multiple departments, however there is no real business ownership in the system, which seems to be counter to the reason for having BPC as a solution in the first place.
  Any guidance on this would be very much appreciated.

  My company is currently running a BPC 5.1 MS environment and will soon be upgrading to version 7.0 MS.  I was wondering if there is a white paper or some guidance that anyone can give with regard to the best practice for managing a BPC environment.  Which brings to light several questions in my mind:
  1.  Which department(s) in a company should u201Cownu201D the BPC application? 
  2. If both, whatu2019s SAPu2019s recommendation for segregation of duties?
  3. What roles should exist within our company to manage BPC?
  4. What type(s) of change control is SAPu2019s u201CBest Practiceu201D?
  We are currently evaluating the best way to manage the system across multiple departments, however there is no real business ownership in the system, which seems to be counter to the reason for having BPC as a solution in the first place.
  Any guidance on this would be very much appreciated.

• Best Practice for trimming content in Sharepoint Hosted Apps?

  Hey there,
  I'm developing a Sharepoint 2013 App that is set to be Sharepoint Hosted.  I have a section within the app that I'd like to be Configuration-related, so I would like to only allow certain users or roles to be able to access this content or even see
  that it exists (i.e. an Admin button, if you will).  What is the best practice for accomplishing this in Sharepoint 2013 Apps?  Thusfar, I've been doing everything using jQuery and the REST api and I'm hoping there's a standard within this that I
  should be using.
  Thanks in advance to anyone who can weigh in here.
  Mike

  Hi,
  According to
  this documentation, “You must configure a new name in Domain Name Services (DNS) to host the apps. To help improve security, the domain name should not be a subdomain
  of the domain that hosts the SharePoint sites. For example, if the SharePoint sites are at Contoso.com, consider ContosoApps.com instead of App.Contoso.com as the domain name”.
  More information:
  http://technet.microsoft.com/en-us/library/fp161237(v=office.15)
  For production hosting scenarios, you would still have to create a DNS routing strategy within your intranet and optionally configure your firewall.
  The link below will show how to create and configure a production environment for apps for SharePoint:
  http://technet.microsoft.com/en-us/library/fp161232(v=office.15)
  Thanks
  Patrick Liang
  Forum Support
  Please remember to mark the replies as answers if they
  help and unmark them if they provide no help. If you have feedback for TechNet
  Subscriber Support, contact [email protected]
  Patrick Liang
  TechNet Community Support

• What is best practice for dealing with Engineering Spare Parts?

  Hello All,
  I am after some advice regarding the process for handling engineering spare parts in PM. (We run ECC 5)
  Our current process is as follows:
  All materials are set up as HIBE's
  Each material is batch managed
  The Batch field is used for the Bin location
  We are now looking to role out PM to a site that has in excess of 50,000 spare parts and want to make sure we use best practice for handling the spare parts. We are now considering using a basic WM setup to handle the movement of parts.
  Please can you provide me with some feedback on what you feel the best practice is for dealing with these parts?
  We are looking to set up a solution that will us to generate pick lists etc and implment a scanning solution to move parts in and out of stores.
  Regards
  Chris

  Hi,
  I hope all the 50000 spare parts are maintained as stock items.
  1. Based on the usage of those spare parts, try to define safety stock & define MRP as "Reorder Point Planning". By this, you can avoid petty cash purchase.
  2. By keeping the spare parts (atleast critical components) in stock, Planned Maintenance as well as unplanned maintenance will not get delayed.
  3. By doing GI based on reservation, qty can be tracked against the order & equipment.
  As this question is MM & WM related, they can give better clarity on this.
  Regards,
  Maheswaran.

• Best practice for simply invoking a web service

  Hello,
  We have web services deployed and accessible as wsdl documents in the SOA service manager/UDDI product. What is the best practice for simply calling a web service method deployed without regard to whether it is deployed on Tomcat, WebSphere, Oracle, etc.
  I'd just like to create a java client to make a web service call and JAXRPC has me confused because you seem to have to have custody of the web service implementation code to call a service. Can someone point me in the right direction?
  Thanks,
  Sean

  Thanks. Here is my wsdl, how would you say this is encoded?
  <?xml version="1.0" encoding="UTF-8"?>
  <definitions
       name="OracleProcess"
       targetNamespace="http://xmlns.oracle.com/OracleProcess"
       xmlns="http://schemas.xmlsoap.org/wsdl/"
       xmlns:tns="http://xmlns.oracle.com/OracleProcess"
       xmlns:plnk="http://schemas.xmlsoap.org/ws/2003/05/partner-link/"
       xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
       xmlns:client="http://xmlns.oracle.com/OracleProcess"
      >
      <types>
          <schema attributeFormDefault="qualified" elementFormDefault="qualified" targetNamespace="http://xmlns.oracle.com/OracleProcess"
               xmlns="http://www.w3.org/2001/XMLSchema">
              <element name="OracleProcessProcessRequest">
                  <complexType>
                      <sequence>
                          <element name="input" type="string"/>
                          <element name="input2" type="string"/>
                      </sequence>
                  </complexType>
              </element>
              <element name="OracleProcessProcessResponse">
                  <complexType>
                      <sequence>
                          <element name="result" type="string"/>
                      </sequence>
                  </complexType>
              </element>
          </schema>
      </types>
      <message name="OracleProcessRequestMessage">
          <part name="payload" element="tns:OracleProcessProcessRequest"/>
      </message>
      <message name="OracleProcessResponseMessage">
          <part name="payload" element="tns:OracleProcessProcessResponse"/>
      </message>
      <portType name="OracleProcess">
          <operation name="process">
              <input message="tns:OracleProcessRequestMessage"/>
              <output message="tns:OracleProcessResponseMessage"/>
          </operation>
      </portType>
      <binding name="OracleProcessBinding" type="tns:OracleProcess">
          <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
          <operation name="process">
              <soap:operation style="document" soapAction="process"/>
              <input>
                  <soap:body use="literal"/>
              </input>
              <output>
                  <soap:body use="literal"/>
              </output>
          </operation>
      </binding>
      <service name="OracleProcess">
          <port name="OracleProcessPort" binding="tns:OracleProcessBinding">
              <soap:address location="http://st4s:9700/orabpel/default/OracleProcess/1.0"/>
          </port>
      </service>
    <plnk:partnerLinkType name="OracleProcess">
      <plnk:role name="OracleProcessProvider">
        <plnk:portType name="tns:OracleProcess"/>
      </plnk:role>
    </plnk:partnerLinkType>
  </definitions>

• Best practice for dealing with Recordsets

  Hi all,
  I'm wondering what is best practice for dealing with data retrieved via JDBC as Recordsets without involving third part products such as Hibernate etc. I've been told to NOT use RecordSets throughout in my applications since they are taking up resources and are expensive. I'm wondering which collection type is best to convert RecordSets into. The apps I'm building are webbased using JSPs as presentation layer, beans and servlets.
  Many thanks
  Erik

  There is no requirement that DAO's have a direct mapping to Database Tables. One of the advantages of the DAO pattern is that the business layer isn't directly aware of the persistence layer. If the joined data is used in the business code as if it were an unnormalized table, then you might want to provide a DAO for the joined data. If the joined data provides a subsiduray object within some particular object, you might add the access method to the DAO for the outer object.
  eg:
  In a user permissioning system where:
  1 user has many userRoles
  1 role has many userRoles
  1 role has many rolePermissions
  1 permission has many rolePermissions
  ie. there is a many to many relationship between users and roles, and between roles and permissions.
  The administrator needs to be able to add and delete permissions for roles and roles for users, so the crud for the rolePermissions table is probably most useful in the RoleDAO, and the crud for the userRoles table in the UserDAO. DOA's also can call each other.
  During operation the system needs to be able to get all permissions for a user at login, so the UserDAO should provide a readPermissions method that does a rather complex join across the user, userRole, rolePermission and permission tables..
  Note that f the system I just described were done with LDAP, a Hierarchical database or an Object database, the userRoles and rolePermissions tables wouldn't even exist, these are RDBMS artifacts since relational databases don't understand many to many relationships. This is good reason to avoid providing DAO's that give access to those tables.

• Best Practice for Production IDM setup

  Hi, what is the best practice for setting up prodcution IDM:
  1. Connect IDM prod to ECC DEV,QA and Prod or
  2. Connect IDM prod to ECC prod only and Connect IDM dev to ECC Dev and QA.
  Please also specify pros and cons for both options if possible.
  Thanks in advance,
  Farhan

  We run our IDM installation as per your option 2 (Prod and non-prod on separate instances)
  We use HCM for the source of truth in production and have a strict policy regarding not allowing non HCM based user accounts. HCM creates the SU01 record and details are downloaded to IDM through the LDAP extract. Access is provision based on Roles attached to the HCM Position in IDM. In Dev/test/uat we create user logins in IDM and push the details out.
  Our thinking was that we definitely needed a testing environment for development and patch testing, and it needs to be separate to production. It was also ideal to use this second environment for dev/test/uat since we are in the middle of a major SAP project rollout and are creating hundreds of test and training users with various roles and prefer to keep this out of a production instance.
  Lately we also created a sandpit environment since I found that I could not do destructive testing or development in the dev/test/uat instance because we were becoming reliant on this environment being available. Almost a second production instance - since we also set the policy that all changes are made through IDM and no direct SU01 changes are permitted.
  Have a close look at your usage requirements before deciding which structure works best for you.

• Best practices for apps integration with third party systems ?

  Hi all
  I would like to know if there is any document from oracle or from your own regarding best practices for apps integration with third party systems.
  For example, in particular, let's say we need customization in a given module(ex:payables) need to provide data to a third party system, consider following:
  outbound interface:
  1)should third party system should be given with direct access to oracle database to access a particular payments data information table/view to look for data ?
  2) should oracle create a file to third party system, so that it can read and do what it need to do?
  inbound:
  1) should third party should directly login and insert data into tables which holds response data?
  2) again, should third party create file and oralce apps will pick up for further processing?
  again, there could be lot of company specific scenarios like it has to be real time or not... etc...
  How does companies make sure third party systems are not directly dipping into other systems (oracle apps/others), so that it will follow certain integration best practices.
  how does enterprise architectute will play a role in this? can we apply SOA standards? should use request/reply using Tibco etc?
  Many oracle apps implementations customizations are more or less directly interacting with third party systems by including code to login into respective third party systems and vice versa.
  Let me your know if you have done differently and that would help oracle apps community.
  thanks
  rrb.

  you want to send idoc to third party system (NONSAP).
  what kind of system is it? can it handle http requests
  or
  can it handle webservice?
  which version of R/3 you are using?
  what is the mechanism the receiving system has, to receive data?
  Regards
  Raja