BI 7.0 authorizations and roles

Similar Messages

• MSS (non-webdynpro) Authorizations and Roles

  Do you know the MSS 60.1 business package authorizations and roles that are required for the backend R/3 system?  I noticed an SAP note exists for the webdynpro version (#798967) but didn't see a note for the old package.

  Umair,
  I know this auth object is required for webdynpros in new business package but does it apply for old traditional java MSS package too?
  Thanks, John

• Regarding Authorizations and Roles

  Hi All,
  Can anyone explain me about Authorizations and Roles ,in detail.
  regards,
  Ali

  Links for Learning about Authorizations:
  http://help.sap.com/saphelp_nw70/helpdata/en/44/599b3c494d8e15e10000000a114084/frameset.htm
  http://help.sap.com/saphelp_bw33/helpdata/en/be/076f3b6c980c3be10000000a11402f/content.htm
  http://help.sap.com/bp_biv235/BI_EN/documentation/Authorization_BW_Proj.pdf
  http://help.sap.com/saphelp_nw04/helpdata/en/e3/e60138fede083de10000009b38f8cf/frameset.htm
  Links to learn about Roles:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
  http://www.bwexpertonline.com/archive/Volume_04_(2006)/Issue_10_(Nov_and_Dec)/V4I10A2.cfm?session=
  Assign points if helpful,
  Venkat

• Authorizations and roles

  Hi all!!
  Im creating an authorization object; for restrict some key figures of infocube.
  I want to restrict only four or five key figures for one cube and the user can see all the characteristics; is possible to do this??
  I found this way; but really is not that I want:
  I created an authorization object; that contains for example: 0material and Key fig.
  In transaction PFCG in the role; i go the authorization and include the object that I created and put the values * for material and the key figure that I want to see.
  But I want that the user can see all the chars; no necessarily 0material and hide some key figures.
  Thanks for the answer,
  Greetings,
  Monica

  Hi!!
  Thanks for the answer
  When I do this; and execute the query; I can see all the key figures; (they are in the area of columns) and for example I dont want to see one of them.
  Im not sure If Im doing something wrong.
  I followed this steps:
  1. I created in RSSM and authorization object with only 1KYFNM
  2. In PFCG I added to the role the object that I have created and put in the values of ratio; the ratios that I want to see.
  3. I actualizated the roles for the user.
  Then I executed the query and I see all the KF; I dont have any authorization variable in the query because I want that applied for all the chars.
  Thanks again,
  Mónica

• Authorizations and role maintainance

  Please tell me that How are the authorizations in a role maintained?
  Thanks

  Hi,
  For Role and authorization Maintenance T.code is PFCG.
  1. Identify the users what kind of Role and authorization needs to be given,
  you can divide the role like PA , OM, TIME and Payoll.
  2. There are 2 kinds of role - a) Single Role and b) Composite Role.
  3. In the Role - give a name and click on create single role.
  then you will find differnt tabs - 1) description, 2) Menu,3)Authorization and user.
  You can define according to the requirement or you can copy from the standard role and assign to this.
  Thanks
  Sethu

• Check users authorizations and role

  Hello!
  How can I check the authorizations of
  Web Dynpro application users and also his role.
  Thanks
  rgds
  sas

  HI,
  Pl go through Following link
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/wd%20java/web%20dynpro%20security.pdf
  https://help.sap.com/javadocs/index.html
  use the method isMemberOfRole.
  Regards
  Ayyapparaj

• End User Authorizations and Roles

  Hi,
  What all the authorizations i need to give to an End User, who uses the device.
  Is it necessary for the userid to be same in <b>MI Client, MI server, Backend</b> systems.
  Let me explain wat an end user does
  >logs into MI client
  >performs first synchronization
  >Executes Mobile Application assigned
  >and performs synchronization at the end of the day
  rgds,
  Kiran

  Hi Kiran
     Probably I wanst clear with my reply.  You need to assign both the above mentioned authorizations to the same user who is performing a sync from the MI Client.  S_ME_SYNC is required for the user to perform a sync from MI Client to MI server.  S_RFC is required for the same user so that the data can be transferred from MI server to SAP backend and vise versa. 
  Hope I am clear now
  Best Regards
  Sivakumar

• Authorization or roles assign?

  Hi All,
  I have installed Xi 3.0 on windows server 2003.but my users are getting this error not able to create a product. Its says "You
  are not authorized to view the requested resource 403 forbidden".
  What all the authorizations and roles i need to set for every user.
  Regards,
  Rohit

  Error: HTTP 403 Forbidden
  Description: The server understood the request, but is refusing to fulfill it
  Possible Tips:
  Path sap/xi/engine not active
  • HTTP 403 during cache refresh of the adapter framework - Refer SAP Note -751856
  • Because of Inactive Services in ICF –Go to SICF transaction and activate the services. Refer SAP Note -517484
  • Error in RWB/Message Monitoring- because of J2EE roles – Refer SAP Note -796726
  • Error in SOAP Adapter - "403 Forbidden" from the adapter's servlet. –Because of the URL is incorrect or the adapter is not correctly deployed.
  <i>From
  /people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
  Regards,
  Prateek

• Authorization Object And Roles For  Functional Consultant

  Dear Expert,
  What kind of respective Authorization Object And Roles would be provided to  Functional Consultant (FI,MM, SD, PM, PS, CO, HR )at the time of implementation ?
  Thanx in advance
  Pavel

  Thanks Juan,
  We now already have it here and in the NW IDM forum a few times as well...
  Cheers,
  Julius

• Background job fails for BDC profile creation and role assignment

  Hi Experts,
  I have created a BDC Function module for Tcode 'PFCG' for profile creation and role assignment, and called this FM in my zprogram. the problem is that when i run this program in foreground it executes succesfully, but if i schedule it in background it fails throwing error in job log 'Role 'Z...' does not contain any active authorizations'. But i have created one more program to create authorization objects which runs before this zprogram.I have also checked the authorization object in 'RSECADMIN', it reflects active. I dont understand whats happening exactly when it runs background.
  Below is the process of job
     1. ZMIS_AUTH_OBJECT_CREATE
         Variant : auth-create
     2. ZMIS_AUTH_ASSIGN_TO_ROLE
         Variant : auth-assign
  The problem is in second program, runs in foreground but fails in background.
  Code which i have written in my second program
  ***BDC for Profile creation and assignment to Roles
      CALL FUNCTION 'ZROLE'
        EXPORTING
         ctu                     = 'X'
         mode                    = p_mode
         UPDATE                  = 'L'
  *   GROUP                   =
  *   USER                    =
  *   KEEP                    =
  *   HOLDDATE                =
         nodata                  = '/'
          agr_name_neu_001        = wa_role-role_name
          text_002                = wa_role-desc
          text_003                = wa_role-desc
          text_004                = wa_role-desc
         value_01_005            = 'T-ML330881'
          h_fval_low_01_006       = wa_role-auth
          profn_007               = lv_profile
          ptext_008               = lv_text1
  * IMPORTING
  *   SUBRC                   =
       TABLES
         messtab                 = temp_message.
  ***Generation of Profile created
  CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
       EXPORTING
         activity_group                      = wa_role-role_name
  *     PROFILE_NAME                        =
  *     PROFILE_TEXT                        =
        no_dialog                           = ' '
        rebuild_auth_data                   = ''
        org_levels_with_star                = ' '
        fill_empty_fields_with_star         = 'X'
        template                            = ' '
        check_profgen_tables                = 'X'
        generate_profile                    = 'X'
        authority_check_pfcg                = 'X'
     EXCEPTIONS
       activity_group_does_not_exist       = 1
       activity_group_enqueued             = 2
       profile_name_exists                 = 3
       profile_not_in_namespace            = 4
       no_auth_for_prof_creation           = 5
       no_auth_for_role_change             = 6
       no_auth_for_auth_maint              = 7
       no_auth_for_gen                     = 8
       no_auths                            = 9
       open_auths                          = 10
       too_many_auths                      = 11
       profgen_tables_not_updated          = 12
       error_when_generating_profile       = 13
       OTHERS                              = 14  .
  Experts please help me out its very urgent. your help is appreciated and rewarded. Thanking you in advance.
  Regards,
  Chetan

  Hi Praveen,
  Yeah definately, my requirement is that I have to access of some BI reports to certain users, so contract data will be downlaoded from ECC on application server, need to read that file from application server and for the each contract i ahould create a authorization object, role creation and assigning of role to the user and profile generation and activation.
  To achieve this i have written two programs
  1) ZMIS_AUTH_OBJECT_CREATE- This program will create the Authorization Object using BDC and Role creation Using the BAPI
  "" Creation of Authorization Object
  CALL FUNCTION 'ZAUTHOBJ'
          EXPORTING
           ctu                    = 'X'
           mode                   = p_mode
           UPDATE                 = 'L'
  *   GROUP                  =
  *   USER                   =
  *   KEEP                   =
  *   HOLDDATE               =
           nodata                 = '/'
           g_authname_001         = 'ZDUMMY_MIS'
            g_targetauth_002       = wa_tab-auth
            g_authtxt_003          = wa_tab-short_desc
            g_authtxtmd_004        = wa_tab-med_desc
           marked_04_005          = 'X'
            g_authtxt_006          = wa_tab-short_desc
            g_authtxtmd_007        = wa_tab-med_desc
           tctiobjnm_04_008       = 'ZBUS_UNIT'
            g_authtxt_009          = wa_tab-short_desc
            g_authtxtmd_010        = wa_tab-med_desc
           marked_05_011          = ''
           opt_01_012             = 'EQ'
            low_01_013             = wa_tab-bu
            g_authtxt_014          = wa_tab-short_desc
            g_authtxtmd_015        = wa_tab-med_desc
           marked_04_016          = 'X'
            g_authtxt_017          = wa_tab-short_desc
            g_authtxtmd_018        = wa_tab-med_desc
           tctiobjnm_04_019       = 'ZCONTRCT'
            g_authtxt_020          = wa_tab-short_desc
            g_authtxtmd_021        = wa_tab-med_desc
           marked_05_022          = ''
           opt_01_023             = 'EQ'
            low_01_024             = lv_contract
            g_authtxt_025          = wa_tab-short_desc
            g_authtxtmd_026        = wa_tab-med_desc
            g_authtxt_027          = wa_tab-short_desc
            g_authtxtmd_028        = wa_tab-med_desc
            g_authname_029         = wa_tab-auth
  * IMPORTING
  *   SUBRC                  =
         TABLES
           messtab                = temp_message.
  "" Creation of role
  LOOP AT it_role INTO wa_role.
        CLEAR wa_text.
        wa_text-text = wa_role-desc.
        wa_text-langu = 'E'.
        APPEND wa_text TO it_text.
        wa_jobrole-agr_name = wa_role-role_name.
        wa_parentrole-agr_name = 'ZM_CT_DUMMY_MIS'.
        wa_method-usmethod = 'CHANGE'.
        CALL FUNCTION 'ZBAPI_JOBROLE_CLONE'
          EXPORTING
            jobrole          = wa_jobrole
           parent           = wa_parentrole
           method           = wa_method
         TABLES
  *   RETURN           =
           shorttext     = it_text
  *   LONGTEXT         =
  *   MENU_NODES       =
  *   MENU_TEXTS       =.
      ENDLOOP.
  2) ZMIS_AUTH_ASSIGN_TO_ROLE - This program will generate the profile created assign it to the role.
    ""*BDC for Profile creation and assignment to Roles
      CALL FUNCTION 'ZROLE'
        EXPORTING
         ctu                     = 'X'
         mode                    = p_mode
         UPDATE                  = 'L'
  *   GROUP                   =
  *   USER                    =
  *   KEEP                    =
  *   HOLDDATE                =
         nodata                  = '/'
          agr_name_neu_001        = wa_role-role_name
          text_002                = wa_role-desc
          text_003                = wa_role-desc
          text_004                = wa_role-desc
         value_01_005            = 'T-ML330881'
          h_fval_low_01_006       = wa_role-auth
          profn_007               = lv_profile
          ptext_008               = lv_text1
  * IMPORTING
  *   SUBRC                   =
       TABLES
         messtab                 = temp_message .
     COMMIT WORK AND WAIT.
  ""*Generation of Profile created
    LOOP AT it_role INTO wa_role.
      CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
       EXPORTING
         activity_group                      = wa_role-role_name
  *     PROFILE_NAME                        =
  *     PROFILE_TEXT                        =
        no_dialog                           = ' '
        rebuild_auth_data                   = ''
        org_levels_with_star                = ' '
        fill_empty_fields_with_star         = 'X'
        template                            = ' '
        check_profgen_tables                = 'X'
        generate_profile                    = 'X'
        authority_check_pfcg                = 'X'
     EXCEPTIONS
       activity_group_does_not_exist       = 1
       activity_group_enqueued             = 2
       profile_name_exists                 = 3
       profile_not_in_namespace            = 4
       no_auth_for_prof_creation           = 5
       no_auth_for_role_change             = 6
       no_auth_for_auth_maint              = 7
       no_auth_for_gen                     = 8
       no_auths                            = 9
       open_auths                          = 10
       too_many_auths                      = 11
       profgen_tables_not_updated          = 12
       error_when_generating_profile       = 13
       OTHERS                              = 14
      IF sy-subrc <> 0.
        MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
      ENDIF.
    ENDLOOP.
  For creating authorization objects, role & profile i have created one dummy auth, dummy role & dummy profile respectively.
  i have created dummy objects to copy the roles from dummy object and assign the same to new Auth obj, role & profile.
  Let me know what needs to be done. because these both the programs run perfectly in foreground, but fails in background.
  Regards,
  Chetan

• How can I disable POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level.

  How can I disable POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level, There is a requirement from my client  and i propose two methode
  1- Creation of Ztcode ZVL32N and do changes ABAP program level
  2- Disablement via Authorization/Role level - but how can i find the auth object/ Authorization corresponds to POST GOODS RECEIPT button in VL32N

  I think you can make use of SHD0 - Transaction variant to achieve this. You can make it as grayed out while recording steps in SHD0.

• BAPI to get all user lists for input object,authorizations, and profiles

  Hi Experts,
  BAPI to get all user lists for input specific object, authorizations, profiles and values?
  Any useful answer will be rewarded with suitable points.
  Thanks,
  Rohan

  Hi
  use the fun module/Bapi's
  BAPI_USER_GET_DETAIL
  BAPI_USER_LOCPROFILES_ASSIGN
  BAPI_USER_LOCPROFILES_DELETE
  BAPI_USER_LOCPROFILES_READ
  BAPI_USER_PROFILES_ASSIGN
  BAPI_USER_PROFILES_DELETE
  SUSR_BAPI_USER_PROFILES_ASSIGN
  SUSR_BAPI_USER_PROFILES_DELETE
  also you can use the tables UST12 for user based authorizations
  AGR_USERS   -roles assignment for users
  AGR_PROF  - Profile data for roles
  AGR_DEFINE - Auth Profiles for users
  See the AGR_* and US* tables further
  Reward points if useful
  Regards
  Anji
  Message was edited by:
          Anji Reddy Vangala

• Security and roles in Nakisa TVN

  When a Nakisa role is mapped to an SAP role, does it limit the data that the person who is running that role sees?  For example, if an employee logs in and is assigned a "Employee" role, is it possible to limit the org chart that the employee sees to only his org unit and below?

  Hi there,
  This depends on which architecture you are using, Live or Staged. In Live OrgChart uses SAP structural authorizations and therefore the user only sees what data they can see in SAP. In the Staged version you have to build roles and map SAP roles to them. In STVN2.1 OrgChart there are 5 pre-configured security roles available out of the box, which do include a "derives and below" security role ("Derives and Below" allows a user to see information about objects in the structure below them).
  It is possible through configuration to allow a logged-in user to start at their location in the structure and also to prevent them from navigating up the structure. This configuration can be very complex and requires full knowledge of configuration of authentication as well as authorisation (ie roles) in order to achieve what you want. It is also possible to limit data fields and fields in the search etc through less complex configuration and if you're really clever you can customise the application in order to do things based on particular roles (like display a pop-up message at login etc). However, that takes a thorough knowledge of how the application works to achieve and only few consultants outside of Nakisa and provide that level of customisation.
  I hope that helps.
  Luke

• Security  and roles while upgrading to bi7

  hi
  Guys  i ha ve question about upgrade
  what will happens to security and roles while upgrading from bi3.5 to 7 ?
  is this can be migrated into bi7 from bw 3,5 , if so how ?
  or do we need to create separate  again in Bi7 ?
  u r answer will be much apreaciated

  Hi,
  this can be upgraded but it is not a must. SAP recomend to use the new concept provided by NW 7.0...
  You can switch on/off obsolete Authorization concept with RSCUSTV23. For security and clarity reasons make a u201Ecleanu201C new setup u201Efrom the scratchu201C (much easier, less complex than in 3.x)...
  Check this upgrade guide it will give you all informations:
  [SAP NetWeaver 7.0 BI Upgrade Specifics|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/10564d5c-cf00-2a10-7b87-c94e38267742]
  New BI Authorizations set in SPRO (maintenance in RSECADMIN)
  - During technical upgrade, and if you used an authorization concept in BW3.x
  switch back to u201Cobsolete Concept with RSR Authorization Objects)u201D
  - Important: After technical upgrade switch back to the new Concept and see
  note 820183 and 923176 New BI Authorizations set in SPRO (maintenance in RSECADMIN)
  - During technical upgrade, and if you used an authorization concept in BW3.x
  switch back to u201Cobsolete Concept with RSR Authorization Objects)u201D
  - Important: After technical upgrade switch back to the new Concept and see
  note 820183 and 923176
  Other links/notes which could be helpful:
  Note 923176 - Support situation authorization management BI70/NW7.0
  New Analysis Authorizations for BI Reporting:
  http://help.sap.com/saphelp_nw04s/helpdata/en/80/d71042f664e22ce10000000a1550b0/
  content.htm
  Regards
  Andreas

• Authorizations in role creation

  hi,
            any body can help me. in which table the status of maintained, changed, satandard is available. suppose when we change the filedvalues of one object it will be maintained in one table and shows the changed and maintained status flags in display autorizations screen of role. help me.

  Hi Mukka
  Hope it will help you.
  reward if help.
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a  profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Sy-SUBRC values
  4              User has no authorization in the SAP System for
                 such an action. If necessary, change the user
                 master record.
  8              Too many parameters (fields, values). Maximum
                 allowed is 10.
  12             Specified object not maintained in the user
                 master record.
  16             No profile entered in the user master record.
  24             The field names of the check call do not match
                 those of an authorization. Either the
                 authorization or the call is incorrect.
  28             Incorrect structure for user master record.
  32             Incorrect structure for user master record.
  36             Incorrect structure for user master record.