Best Practices Roles

Similar Messages

• Best Practice of using ERM (Role Expert) in Landscape

  Hello,
  Can anyone tell me what is the best practice (choice) of using ERM in the SAP landscape?
  1. Creating a role in DEV system using ERM and using SAP standard transport process to transport role to QAS and PRD systems.
  OR
  2. Creating a role in all systems in ladscape (DEV, QAS and PRD).
  Please share if you have any best practice implementation scenarios.
  Appreciate for the help.
  Thanks
  Harry.

  Harry,
     The best practice is to follow Option 1. You should never directly create a role in Prod system. This is what SAP recommends as well.
  Alpesh

• Best Practice for ESS/ MSS role customization

  Hi ,
  I would want to know the best practice for role customization for ESS / MSS business package . For eg if my company does not want to use someof the workset like working time , travel etc , what is the best practice for this scenario .
  anEEZ

  Hi Aneez,
  This is the link for complete best practices on NetWeaver
  http://help.sap.com/bp_epv260/EP_EN/index.htm
  Browse the Busines scenarios, you will find what you are looking for.
  Now, these ones is specific for ESS and MSS
  http://help.sap.com/bp_epv260/EP_EN/html/EP/N26_ESS.htm
  http://help.sap.com/bp_epv260/EP_EN/html/EP/N27_MSS.htm
  Hope this helps,
  Kumar
  P.S Reward Points for useful answers.

• Best Practice for BEX Query "PUBLISH to ROLE"?

  Hello.
  We are trying to determine the best practice for publishing BEX queries/views/workbooks to ROLEs. 
  To be clear of the process I am referring: from the BEX Query Designer, there is an option QUERY>PUBLISH>TO ROLE.  This function updates the user menu of the selected security role with essentially a shortcut to the BEX query.  It is also possible to save VIEWS/WORKBOOKS to a role from the BEX Analyzer menu.  We have found ROLE menus to be a good way to organize BEX queries/views/workbooks for our users. 
  Our dilemma is whether to publish to the role in our DEV system and transport to PROD,... or if it is ok to publish to the role directly in the PROD system.
  Publishing in DEV is not always possible, as we have objects in PROD that do not exist in DEV. For example, we allow power users to create queries directly in PROD.  We also allow VIEWS and WORKBOOKS to be created directly in PROD.  It would not be possible to publish types of objects in DEV. 
  Publishing in PROD eliminates the issues above, but causes concerns for our SECURITY team.  We would be able to maintain these special roles directly in PROD.
  Would appreciate any ideas, suggestions, examples of how others are handling this BEX publish-to-role process.
  Thank you.
  -Joel

  Hi Joel,
  Again as per the Best Practices.Nothing to be created in PRD,even if we create them in PRD for Power users its assumed as temprory and can be deleted at any time.
  So if there are already deviations then you can go for deviations in this case as well but it wont be the Best Practice.Also in few cases we have workbooks created in PRD as they cud nt be created in DEV due to various reasons...in such cases we did not think of Best Practice ,we had a raised an OSS on this aswell.
  In our Project,we have done everything in DEV and transported to PRD,in case there were any very Minor changes at query level we have done in PRD and immedialtely replicated the same in DEV so that they are in SYNC.
  rgds
  SVU

• Failover cluster File Server role best practices

  We recently implemented a Hyper-V Server Core 2012 R2 cluster with the sole purpose to run our server environment.  I started with our file servers and decided to create multiple file servers and put them in a cluster for high
  availability.  So now I have a cluster of VMs, which I have now learned is called a guest cluster, and I added the File Server role to this cluster.  It then struck me that I could have just as easily created the File Server role under my Hyper-V
  Server cluster and removed this extra virtual layer.  
  I'm reaching out to this community to see if there are any best practices on using the File Server role.  Are there any benefits to having a guest cluster provide file shares? Or am I making things overly complicated for no reason?
  Just to be clear, I'm just trying to make a simple Windows file server with folder shares that have security enabled on them for users to access internally. I'm using Hyper-V Core server 2012 R2 on my physical servers and right now I have Windows
  Server Standard 2012 R2 on the VMs in the guest cluster.
  Thanks for any information you can provide.

  Hi,
  Generally with Hyper-V VMs available, we will install all roles into virtual machines as that will be easy for management purpose.
  In your situation the host system is a server core, so it seems that manage file shares with a GUI is much better.
  I cannot find an article specifically regarding "best practices of setting up failover cluster". Here are 2 articles regarding build guest cluster (you have already done) and steps to create a file server cluster. 
  Hyper-V Guest Clustering Step-by-Step Guide
  http://blogs.technet.com/b/mghazai/archive/2009/12/12/hyper-v-guest-clustering-step-by-step-guide.aspx
  Failover Cluster Step-by-Step Guide: Configuring a Two-Node File Server Failover Cluster
  https://technet.microsoft.com/en-us/library/cc731844(v=ws.10).aspx
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Site System Roles - Best Practices

  Hi all -
  I was wondering if there wwere any best practice recommendations for how to configure Site System Roles? We had a vendor come onsite and setup our environment and without going into a lot of detail on why, I wasn't able to work with the vendor. I am trying
  to understand why they did certain things after the fact.
  For scoping purposes we have about 12,000 clients, and this how our environment was setup:
  SERVERA - Site Server, Management Point
  SERVERB - Management Point, Software Update Point
  SERVERC - Asset Intelligence Synchronization Point, Application Catalog Web Service Point, Application Catalog Website Point, Fallback Status Point, Software Update Point
  SERVERD - Distribution Point (we will add more DPs later)
  SERVERE - Distribution Point (we will add more DPs later)
  SERVERF - Reporting Services Point
  The rest is dedicated to our SQL cluster.
  I was wondering if this seems like a good setup, and had a few specific questions:
  Our Site Server is also a Management Point. We have a second Management Point as well, but I was curious if that was best practice?
  Should our Fallback Status Point be a Distribution Point?
  I really appreciate any help on this.

  The FSP role has nothing to do with the 'Allow
  fallback source location for content' on the DP.
  http://technet.microsoft.com/en-us/library/gg681976.aspx
  http://blogs.technet.com/b/cmpfekevin/archive/2013/03/05/what-is-fallback-and-what-does-it-mean.aspx
  Benoit Lecours | Blog: System Center Dudes

• Best practice for standard security role

  Hi, I'd like to know which is the best practice for standard role use, some people tell me that a standard role should never be used, that a copy must be made and assign the users to the copy, but then, why should SAP bother creating the standard role?

  They are provided as a template for you, and you can copy them into a different namespace and make changes there before generating the profiles and authorizations.
  Why you should use a copy of them is because SAP will also update them sometimes. If transactions change in the standard menues with SP's and upgrades, then you will find them in transaction SU25.
  If you do a search on "standard AND roles" in the SDN then you will also find more detailed infos and opinions on the use of them.
  Cheers,
  Julius

• BI Roles administration: What is Best Practice?

  I am interested in what is considered best practice for administering roles in BI.
  Is this something always left to BASIS at most SAP sites? or does the BI team (development/support) usually do this? I am responsible for supporting the BI users and keeping control of reports and queries and who can use them. I find leaving this to BASIS a clumsy approach, and wonder if I am alone in this, or if most sites allow their BI people to administer roles.
  Feedback would be appreciated, points awarded..

  Hi Tony,
      Praposal and approach done by BI Team only. maintainance(Creation, change, assign ..ect of roles) done by BASIS. Best practice is together.
  Hope it Helps
  Srini

• Best practice for promoting roles

  I would like to know what is the best practices for promoting Administrative and/or normal Roles between environments. If I make a change to the capabilities of a role, I'd rather not create a whole new build if I didn't have to. Would exporting from debug, and importing via 'lh import' suffice, or is there an easier/better method?
  Thanks

  Hello,
  I'd ask in the Windows forum on Microsoft Community.
  Karl
  When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
  My Blog:http://unlockpowershell.wordpress.com
  My Book:Windows PowerShell 2.0 Bible
  My E-mail: -join ('6F6C646B61726C40686F746D61696C2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})

• What is the best practice and Microsoft best recommended procedure of placing "FSMO Roles on Primary Domain Controller (PDC) and Additional Domain Controller (ADC)"??

  Hi,
  I have Windows Server 2008 Enterprise  and have
  2 Domain Controllers in my Company:
  Primary Domain Controller (PDC)
  Additional Domain Controller (ADC)
  My (PDC) was down due to Hardware failure, but somehow I got a chance to get it up and transferred
  (5) FSMO Roles from (PDC) to (ADC).
  Now my (PDC) is rectified and UP with same configurations and settings.  (I did not install new OS or Domain Controller in existing PDC Server).
  Finally I want it to move back the (FSMO Roles) from
  (ADC) to (PDC) to get UP and operational my (PDC) as Primary. 
  (Before Disaster my PDC had 5 FSMO Roles).
  Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
  In case if Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
  Example like (FSMO Roles Distribution between both Servers) should be……. ???
  Primary Domain Controller (PDC) Should contains:????
  Schema Master
  Domain Naming Master
  Additional Domain Controller (ADC) Should contains:????
  RID
  PDC Emulator
  Infrastructure Master
  Please let me know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles.
  I will be waiting for your valuable comments.
  Regards,
  Muhammad Daud

  Here I want to know the best practice
  and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
  There is a good article I would like to share with you:http://oreilly.com/pub/a/windows/2004/06/15/fsmo.html
  For me, I do not really see a need to have FSMO roles on multiple servers in your case. I would recommend making it simple and have a single DC holding all the FSMO roles.
  In case if
  Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
  No. This is not true. Each FSMO role is unique and if a DC fails, FSMO roles will not be automatically transferred.
  There is two approaches that can be followed when an FSMO roles holder is down:
  If the DC can be recovered quickly then I would recommend taking no action
  If the DC will be down for a long time or cannot be recovered then I would recommend that you size FSMO roles and do a metadata cleanup
  Attention! For (2) the old FSMO holder should never be up and online again if the FSMO roles were sized. Otherwise, your AD may be facing huge impacts and side effects.
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password

• Any best practice to apply role based access control?

  Hi,
  I am starting to apply the access permissions for new users as being set by admin. I am choosing Role Based Access Control for this task.
  Can you please share the best practices or any built-in feature in JSF to achieve my goal?
  Regards,
  Faysi

  Hi,
  The macro pattern is my work. I've received a lot of help from forums as this one and from the Java developers community in general and I am very happy to help others and share my work.
  Regarding the architect responsibility of defining the pages according to the roles that have access to them : there is the enterprise.software infrastructure.facade
  java package.
  Here I implemented the Facade GoF software design pattern in the GroupsAndRolesAccessFacade java class. Thus, this is the only class the developer uses in order to define groups and roles of users and to define their access as per page.
  This is according to Java EE 6 tutorial, section VII Security, page 471.
  A group, role or user is created with an Identity Management application or by a custom application.
  Pages of the application and their sections are defined or modified together with the group, role or user who has access to them.
  For this u can use the createActiveGroup and createActiveRole methods of the GroupsAndRolesAccessFacade class.
  I've been in situations where end users very strict about the functionality of the application.
  If you try to abstract web development, u can think of writing to database, reading from database and modifying the database as actions.
  Each of these actions should have suggester, approver and implementor.
  Thus u can't call the createActiveGroup method for example, without calling first the requestActiveGroupCreationHelper and then the approveOrDeclineActiveGroupCreationHelper method.
  After the pages a group has access to have been defined with the createActiveGroup method, a developer can find out the pages and their sections a group has access to by calling the getMinimumInformationAboutGroup method.
  Further more, if the application is very strict, that is if every action which envolves writing to the database must be recorded, this concept of suggester, approver and implementor is available throught the recordActiveGroupAction method.
  For example, there is a web shop, its managers can change the prices of the products, but the boss will want to know who had the dared to lower prices.
  This action of lowering prices, is an action of modifying the information in the database and u can save in the database who suggested it, who approved it and who implemented it.
  Now that I write about the functionality of the macro pattern, I realise that some methods should have more proper names and I haven't had time to write documentation in the API, but this will be a complete when I add the web pages for the architect to use for defining access control and for the end users to view who and what is doing with their application.

• SAP Best Practices on assigning roles for Auditors

  Dear Gurus,
  We need to set up SAP roles for auditors in or system for SRM ECC & BI.
  Could you please suggest on wich roles should be granted to the auditors as best practice to follow on?
  I will really apprecciate your help.
  Best Regards,
  Valentino

  Hi Martin,
  Thanks for your interest. I would be very happy to work with folks like you to slowly improve such roles as we find improvement possibilities for them, and all benefit from the joint knowledge and cool features which go into them. I have been filing away at a set of them for years now - they are not evil but still usefull and I give them to an auditor without being concerned as long as they can tell me approximately what they have been tasked to look into.
  I then also show them the corresponding user menu of my role for these tasks and then leave them alone for a while... 
  Anyway... SAP told me that if we host the content on SDN for the collaboration and documentation to the changes in the files, then version management of the files can be hosted externally for downloading them (actually, SAP does not have an option because their software does not support it...).
  I will rather host them on my own site and add the link in the SDN wiki and a sticky forum post link to it than use a generic download service, at least to start with. Via change management to the wiki, we can easily map this to version management of the files on a monthly periodic update cycle once there are enough changes to the wiki.
  How about "Update Tuesday" as a maintenance cycle --> config updates each second Tuesday of the month... to remove authorizations to access backdoors which are more than "just display"...
  Cheers,
  Julius

• Modifying SAP standard roles - best practice

  Hi,
  Is there a Best practice How-to guide for configuring SAP BPs roles for client use.  I know I shouldn't change the content delivered by SAP but I'm not quite sure what I should delta link copy into client namespace.
  I am implementing MSS.  Do I just delta link copy the Manager role into client namespace or I should make a delta link copy of the My Staff workset then make changes to the workset and assign it to a completely new ClientManager role?
  I have the TransportEP6Content how to guide but it doesn't say explicitly what is best parctice.  This doc references 'HowTo Use Business Packages in Enterprise Portal 6.0' but it isn't where it says it is on service marketplace.
  TIA,
  J

  Hi,
    'How to use Busiess Packages in Enterprise Portal 6.0' is available in this link.
  http://help.sap.com/bp_epv260/EP_EN/documentation/How-to_Guides/misc/Using_Business_Packages.pdf
  Check out for the best practices.
  Regards,
  Harini S

• Portal Design - Best Practices for Role and Workset Tab Menu

  We are looking to identify and promote best practices in SAP Portal Design. 
  First, is there a maximum number of tabs which should exist on the highest level tab menu, commonly called the role menu?  Do a large number of tabs on this menu cause performance issues?  Are there any other issues associated with a large number of tabs on this menu?
  Second, can the workset tab menu be customized to be 2 lines of tabs?  Our goal is to prevent tab scrolling.
  Thanks

  Debra,
  Not aware of any performance issues with the number of tabs in the Level 1 or 2 menus, particularly if you have portal navigation caching enabled.
  From an end user perspective I guess "best practice" would be to avoid scrolling in the top level navigation areas completely if possible.
  You can do a number of things to avoid this, including:
  - Keep the role/folder/workset names as short as possible.
  - If necessary break the role down into multiple level 1 entry points to reduce the number of tabs in level 2.
  An example of the second point would be MSS.  Instead of creating a role with a single workset (i.e. level 1 tab), we usually split it into two folders called something like "My Staff" and My Finance" and define these folders as entry points.  We therefore end up with two tabs in level 1 for the MSS role, and consequently a smaller number of tabs in level 2.
  Hope that helps......
  Regards,
  John

• Composite Release Roles Best Practice

  I have a question in regards to best practice for utilizing composite release roles.
  We had an issue recently where Purchasing Doc Type (M_BEST_BSA - BSART), Release Code (M_EINK_FRG - FRGCO) and Release Group (M_EINK_FRG - FRGCO), which are maintained at the task role were over written with blanks when derived from the template role.  The template role has these three fields maintained as blanks.  All other data is consisten from the template role to the task role with the exception of the Organizational Levls (ie Plant, Purchasing Org, Purchasing Group).  We then have a variety of task roles that make up the composite.
  Would it make sense to maintain these three fields as Org Level data at in the task role?
  What are our other options?
  Thanks for your assistance.

  We do have DEV, QA, PRD, Training and Sandbox environments.  Our standard practice is to develop in DEV (200) role out to the other DEV clients and then transport to QA for UAT.  I have come across on occasion where the roles are not consistant across all DEV clients and if development work was completed on a role in DEV that was not consistant with the production role then we would be fubar.  This did occur a few weeks back; however, it was caught in time.
  Chain of events went as follows
  1. Request submitted to remove a plant value
  2. Dev work completed and moved to QA.  Based on screen shots of UAT we can see that the three fields were yellow at this point (blank values)
  3. End user did not recognize the caution flags as they were only looking at org value to ensure plant was removed.
  4. Developer failed to highlight the unmaintained fields
  5. Roles moved to production which halted purchasing teams
  This hole thing is very confusing 
  My only guess was the development work was completed on an old role in the wrong dev client.  But then this opens up another issue.  Why was there an old role as standard practice is to move the new roles to all dev clients once completed.