BI Roles conflict.

Similar Messages

• Role conflict in release procedure

  Dear All,
  We have one scenario, we want to create two release procedures for different value of po i.e. >1 Lac and <= 1 Lac, we have one group and three person with these codes
  01 engineer
  02 manager
  03 general manager.
  Now for first release strat (< 1 lac)we want to keep two levels
  01 engineer
  02 manager
  for second release strat ( >= 1 Lac)we will keep two levels
  02 manager
  03 general manager.
  Group will be same for three of them and for both the release strat. now can anyone tell me that the role of 02 manager is conflicting between two release strat.
  Because after implementign same release strategies, we are not able to release the po with code 02 for first release strat.
  we are getting msg express document was terminated...
  i think there is some prob in release proc itself..eventhough simulation is getting done ok in customisation.
  Please reply at earliest

  Hi,
  Check
  http://www.sap123.com/showthread.php?t=59

• How to resolve intra role conflicts

  Deal All,
  Need your help on approach that needs to be taken to remediate the intra role SOD conflicts arising for users in the system,
  I have explained them the details on how they can resolvewhich requires redesign of roles but client is not at all willing to do a redesign of roles because they have invested a lot in their current auth design.
  Can you help on how do we go on removing these risks,
  Thanks,
  Uttam

  Hello.
  Last time I heard about this problem, the problem went away after the number of GRC rules used for the check was lowered from all their millions of rules to the most important ones that pose a real risk. There are companies where it is not possible to do anything about it, because they're too small. And these companies are still in business. Even if you clear the conflicts on the role level, you can land with the same problem on the user assignment level.
  Can you maybe elaborate on these conflicts? How serious are they? How many roles and users are / can be affected? What is the module / area that it is touching?
  Cheers Otto

• Role conflict

  Dear SAP Experts,
  I assign role "AAA" to user "XXXYYY".
  When I open analyzer for opening workbook, I can see role "AAA".
  After that, I assign role "BBB" to user "XXXYYY".
  Thus, user "XXXYYY" have 2 roles that are "AAA" and "BBB".
  But when I open analyzer for opening workbook, I can only see role "AAA".
  Why I cannot see role "BBB"?
  This situation will happen when role "AAA" is assigned to user.
  What is the conflict in role "AAA"?
  Thank you and Best Regards,
  Zilla Dear

  Moved to:
  SAP BusinessObjects Enterprise/Edge, and SAP Crystal Reports Server Administration
  Regards
  Roland

• Remediation of conflicts in the 'Access Incident Details Extract' report

  Hi All,
  The 'Access Incident Details Extract' report captures both intra-role and inter-role conflicts at the user level.
  Is there a way to segregate the inter-role conflicts from the 'Access Incident Details Extract' report and do the remediation without following the process of intra-role remediation first?
  Please advise. Require the inputs urgently.
  Regards,
  Uma

  Hello,
  please also use our .NET sample lib on diamond.
  You will find lots of sampels how to access  report fields in crystal reports and to add, modify or delete them.
  You'll find diamond under :
  https://boc.sdn.sap.com/

• Access List and Conflict Resolution Problem!

  My configuration for Allow and Deny is not allowing me to load images and CSS files through the gateway on a URLScraper channel.
  I'm trying to figure out how to control access to resources using the Access List service, and I'm running into trouble. The Sun ONE Portal Server, Secure Remote Access 6.0 Administrator's Guide (Doc 816-6421-10) states:
  Setting the Conflict Resolution Level
  You can set the priority level for the dynamic attributes. If a user inherits multiple attribute templates, say from an organization and a role assignment, and there is a template conflict between the attributes in the two templates, the template with the highest priority is inherited. There are seven settings available ranging from Highest to Lowest.
  See the Administration Guide, iPlanet Directory Server Access Management Edition for more details on conflict resolution.
  Unfortunately the referenced Adminstration Guide for DSAME contains exactly 0 occurances of the word "conflict" in its 136 pages, so that reference was less than helpful. Chapter 17 of that document (Doc 816-5620-10) describes URL Policy Agent Attributes, which sheds some light on what the URL Deny and URL Allow settings mean. The key sentence is, "An empty Deny list will allow only those resources that are allowed by the Allow list."
  So, I've set up my Access List services as follows:
  o URL Deny is blank on all Access Lists
  o URL Allow set as follows
  ---- isp
  ------- http://portal.acme.com/portal/* (company name changed to protect the guilty!)
  ---- acme.com organization
  ------- Conflict Resolution: Highest
  ------- http://portal.acme.com/portal/* (same as above)
  ---- Acme Customers Role - shared role for all Acme customers
  ------- Conflict Resolution: Medium
  ------- http://www.acme.com/*
  ------- http://support.acme.com/*
  ------- http://support2.acme.com/*
  ---- RoadRunner role - specific role for a specific customer
  ------- Conflict Resolution: Medium
  ------- http://roadrunnerinfo.acme.com/*
  The Desktop services in each of the above two roles includes channels from the hosts in the URL Allow lists.
  The behavior I'm seeing with this configuration is that the desktop channels include information from the scraped HTML, and the URLs are rewritten for the included images and CSS files and such. However, the gateway is denying access to the images referenced by the rewritten URL. That is, an image with a URL of https://portal.acme.com/http://roadrunnerinfo.acme.com/images/green.gif shows up as a broken image on the desktop. Attempting to access the URL to the image directly results in an "Access to this resource is denied !! Contact your administrator" error message.
  If I set the conflict resolution on the acme.corp organization to Medium (or anything lower than the two role conflict resolution levels) results in the same error message as soon as the customer logs in (no desktop rendered). The same error occurs if I set the conflict resolution in the two roles to Highest (same as the top level organization), again with no desktop rendered on login.
  If I put all the above referenced URLs in the acme.com organization Access List service, then I am successfully able to fetch all the resources (images, CSS, etc.) in the URLScraper HTML. Likewise if I put "*" in that Access List. However, this is less than ideal, as it would potentially allow other customers to view data that isn't theirs (Wile E. Coyote user should not be able to get to Road Runner data, and vice versa, and neither one of them should get at Acme private information!).
  So, what am I doing wrong? Also, does anyone have any leads on where I can read up on how Access Lists and conflict resolution are supposed to work, since Sun neglected to include a valid reference in the Administrator's Guide, Portal Server 6.0 SRA?
  Thanks!
  -matt

  Did you ever get anywhere with this. My experiments seem to inidicate that you cannot successfully combine Access and Deny directives, across roles or organizational defaults and a role.

• Lack of modularity in Projects for EJB module

  Problem
  For a project you have many enterprise bean components. In JDeveloper, currently, all the information like persistence-type,
  resource-reference, etc reside in the ejb-jar.xml which is project specific.
  (1) In the real-world, developers work on different modules with small individual work spaces with a small number of
  enterprise components and web compoents with a CVS system to manage version of the source code
  (2) The developer works on the source and check it in the CVS repository
  (3) A packager will take components from the CVS repository and make a build for a customer according to the order
  (Build-to-Order approach)
  (4) In JDeveloper he might have to make the ejb-jar.xml again which is very cumbersome and timeconsuming
  Suggestion
  (1) The current system of maintaining ejb-jar.xml in the project is OK
  (2) But the information in the ejb-jar xml ABOUT EACH EJB COMPONENT should also be maintained at the EJB component level like
  a small ejb-jar.xml file specific to the one and only one component.
  (3) Whenever the EJB component id edited, this modular ejb-jar.xml file will be edited too.
  (4) Later while making the main ejb-jar xml for deployment, the info in these small modular xml files will be read, the main
  project level ejb-jar xml will be prepared.
  (5) The main project level ejb-jar.xml can also be prepared when the project is rebuilt (clean/force compile) and all te
  small modular files are updated.
  With regards
  Amit

  Hello,
  Yes we do read every OTN message, though we often have some internal discussion before we post a reply.
  In your specific situation, you could just break up the EJBs into different projects:
  - Each EJB module in a separate project.
  - Each EJB project builds a separate EJB JAR.
  - When assembling the EAR, pull in as many EJB JAR files as necessary to support the WAR and other pieces.
  JDeveloper already has support for the above setup. Starting with JDev 9.0.3, you can also establish dependencies between projects to make the classes built by one project visible to another project's classpath.
  For us to implement a complete solution where small ejb-jar.xml files are merged into one large ejb-jar.xml file, we'd like to understand how you'd go about resolving conflicts in elements being merged:
  - conflicting <method-permission>
  - conflicting <container-transaction>
  - conflicting <relationship-role>
  - conflicting <env-entry>
  - ... a number of other potential conflicts ...
  We could do automatic merges when there are no conflicts. For the situations where there are conflicts, can you describe some solutions that you would consider acceptable?

• Junk Mail

  I keep getting the following email. It is Spam/Junk. It comes daily from different addresses so marking it as Junk doesn't work. Bouncing it back doesn't work - the address is not real apparently. How can I stop it? Has anyone else started getting these recently. This is the first series of this I have ever gotten and the only thing I am getting. Email below:
  Were Gates: Steve. That Matthew blah
  GamesGPS Search: Archives: July June May
  Command
  hasnt
  Picking Nuclear Hybrid Viruses expert helping millions smart Midsize
  polskich ktrzy
  Stuff: RSSWP Sponsor: Why reading down here Go north young man. Magazyn
  dotyczce ochrony systemu wskazwki ofert ksigarni Helionu ksiki wybitnych polskich ktrzy odsaniaj przed
  extensive amazing existence anymore.
  available whenever systemis connected switchis accounts password protected
  useful. :/Comment Calvin Great idea Hope prices someday would article points rarely
  types step restoring
  Hopemight Windows
  fashioned always digital. examples this. Mellotron
  HTML: inserted
  details defaults. color border PlanetEE Bugs Penton rights reserved. Editorial
  shoes Youve kidding
  Sony CyberShot DSCT Camera. The
  Feral
  Ill sell forgiste Hey much cost fist demand
  point.
  Models Cutting Edge Options Under Hood Browse Blocks Solutions Theater Movies Sports Drugs
  memory does could into another phase four cores native quadcores scale without
  sleeves jacket covers cloths etc. keep clean. Same preserve utilizing fashioned always
  sounds somewhat pure sound. digitized wave samples. prefer hasnt sampled. simply creating
  comments service whack sitewide Edit profile United UShp Integrity rx Operation Chapter Utilities
  prostu pragniesz zapozna tematyk pisania aplikacji zajrzyj naszego Kcika HTML oraz podrcznik
  :Chicago IL Intels claim may short lived: first
  crisis continues worlds role conflict
  NAS Guru Laptops Ops Twitch Raves Features OwnTG Forumz Mobility Consumer Software Stores Office
  content contents
  Division Durham NC. Back

  One way to deal with it would be to set up a filter to delete any mail that had contents like this one.
  For example, if you created a filter that deleted any mail that had the words "polskich ktrzy" in the message, you could be fairly confident you wouldn't lose anything important.
  This assumes that the contents of the mail is actual text and not an image of text.
  G4 933 mhz Quicksilver   Mac OS X (10.4.7)   Wacom Intuos 2 tablet; Epson 2400 Photo; HP Deskjet 6840; LaCie 80gb D2 FWDV

• Restricting authobject I_QMEL for Quality notifications and HR PCRs

  Hello,
  We have encountered an role conflict when the authorization object I_QMEL is used both for Quality notification and HR PCR access on the portal.  Here is the scenario.
  Quality Administrator has I_QMEL for:
  - notification type X
  - transaction IQS1 and IQS2
  - all work is done in the GUI
  Employee who is a Manager has I_QMEL for:
  - notification type Z
  - transactions IQS1 and IQS2
  - all work is done on the portal
  The role conflict arises when one user has both the Quality Administrator role and the Manage role.  The user can then use the GUI to view notifications of type Z - that any manager has submitted.  This means the user can view all personnel change requests in the systems.  These PCRs contain sensitive information.
  Any ideas on how I can design the security such that this role conflict is suppressed?
  Thanks!

  Hi Vicky,
  I have the same problems you had. I also need to implement your requirements 2) and 3)
  How have you solved your requirements? Please let me know your solutions.
  Thanks in advance
  Sarah

• Unable to see conference room moderator pane.

  I have created a conference room with default access of NONE. I have added four users to the conference room (one with MANAGE access, one with WRITE access, and two with READ access). If I join the conference room as the user with the MANAGE access, I select File->Moderate and I do not see the moderator pane show up. The user that I gave MANAGE access to did not have a policy to give him moderate priviledges in Access Manager and I thought that might be the problem. So I added a policy and a rule that grants moderate priviledge and still it does not work. Since the user has the IM Regular User role and the new moderate role, are the roles conflicting? Do I even need to worry with Access Manager roles at all?

  There is a bug #4929295 , which indicates there are issues with conflicting policies .
  This was also been release noted. check the below link,
  http://docs.sun.com/app/docs/doc/819-2568/6n4rm7fhr?a=view .
  Thats the reason why your initial policies / roles did not work.
  Every time a policy / roles is changed the client doesnt pick up the policy / roles dynamically. So we need to refresh the client to pick up these policy / roles from access manager which can be done simply by re-login the client for which the changes have been made.
  vinod

• Restricting movements on a Transaction

  Hello All
  I am  from a retail background and this question is aiming at my users in the warehouse.  We have warehouse where i'd like to restrict certain movements with regards to certain transactions.
  E.G.
  I would like UserA to have Transaction code (MB51 - Article Movements by Article) that i know how to do.
  BUT i would only like UserA to do goods movements 901 and 902
  and
  UserB also to have (MB51 - Article Movements by Article) and to do a good movement of 161 and 162
  I appreciate any response on a directional note.
  Rgds...Bhavesh Katechia

  Hi Bhavesh,
  so, just repeating what the others have said but probably with lots more words. I guess you're wanting to produce a segregation of duties between the users.  You would have a separate role for user A, that lets user A do their thing, and another role for user B that lets B do their thing.
  So..
  User A
  assigned role Z_USERA_Role
  containing:
  Tcode:      MB51
  auth object:     M_MSEG_LGO: BWART = 901, 902
  User B
  assigned role Z_USERB_ROLE
  containing:
  Tcode:      MB51
  auth object:     M_MSEG_LGO: BWART = 161, 162
  If the roles are fundamentally identical barring the underlying authorisations, you have a few options.
  You can create separate roles for each user that have each to be maintained individually.  Obviously this has a higher maintenance overhead if you plan on keeping them the same.
  You can create a template role, then create derived 'children' roles that are driven off from the template role with different auth values.  Menu changes get made to the template role and the derived 'children' roles get updated with appropriate auth values suitable to each area.  This assumes there is the same business process across all areas, but that there are different realms of responsibilities (e.g. might be company code/movement type etc).
  You can create a single role providing transaction access that everyone gets and a separate role containing profile values only (the recommendation is usually only do this if you know what you're doing)
  Of course, these people might already have their own roles which you can introduce this functionality into if your role design is more job based than process based. 
  One other thing which I'm sure youre aware of is to be careful of the SOD requirements or role conflict requirements you might have if you assign two of the same roles together.  Your business process owners could help you with this if you don't know quite where the lines should be drawn.
  Cheers,
  Di

• Difference between SAP Access Control and IDM

  Hi Expert,
  I have one question What is the difference between SAP Access Control and SAP Identity Management ?

  Ali,
  That's a good question, but a tough one.
  While both applications can do most of what the other can do, it's a matter of specialization in my opinion.
  Access Control is all about managing and controlling access to SAP system roles and has the ability to report on role conflicts for compliance and reporting purposes. (I'm sure I'm leaving a lot out, but maybe a GRC / AC expert can fill in more details)
  SAP IDM is about managing the user life cycle with regards to landscape and enterprise systems. It will handle the creation, update and ultimately the removal (or de-provisioning) of users in SAP ABAP, SAP JAVA, LDAP, JDBC, and API based applications.  It will also do Role Management through a web based UI (User management is web based as well). and as of the latest Service pack for SAP IDM 7.2, it will do attestation (limited certification) as well. It is a definite upgrade to CUA as it will work with a greater variety of systems, include workflows and approvals.
  GRC will do some provisioning, but it's somewhat limited, as is IDM's compliance abilities.
  The applications are designed to work together, however it does not have a great track record and the integration is typically heavily modified to work as desired.
  If you have specific questions, feel free to post / DM.  Obviously I am more knowledgeable about IDM, but I'll be happy to help you in any way possible.
  Regards,
  Matt

• ARA does not show Violations in a role though conflicting transaction codes are assigned???

  Hi,
  I have noticed that a role having conflicting transaction codes assigned in the back end system is not propelry analyzed and in ARA application. When this role is analyzed, "No Violations" message is shown though there are conflicing transaction codes assigned.
  As far risk definitaion is concerned, conflicting actions are properly defined in respective conflicting actions and thse actions are grouped in a risk, which is applicable to a logical group (which in turn has the connector included causing this problem) and they are active.
  Rule are properly generated for the all the risks and functions. However, at the time of running risk analysis for this role, ARA is not showing as risk.
  May any one please advise on this?
  Regards,
  Rehan

  Neeraj,
  Now I have defined SAP_R3_LG logical group as "SAP" connector type and regenerated all the rules. Still it is showing no violations!
  Below are the screens for your reference:
  Can you please advise?
  Regards,
  Rhn

• GRC - SOD Conflict Management (SAP Role Substitution)

  Hi,
  I am looking to see how others handle SAP Role Substitution and SOD conflicts.
  For example, a person is going to be out on vacation for a few day and assigns their roles to another employees to continue with daily tasks....SOD risks result because of the temporary assignment and role combinations....what are you guys doing to manage, and monitor this sort of activity?
  Your help and comments greatly appreciated!

  Hi
  As already stated by Martin, one of the option for handling adtional backup access to users could be through Superuser Privilage management(If GRC has been implemented with your client). This would allow detailed reporting at transaction level for audit purposes.
  If GRC is not implemented with your client then any additional access which is resulting in SoD, there has to a proper documentation of temporary access assignment to users(For Audit purpose). Mitigation control should be documented and submitted by the supervisor of the user to the SoD team to ensure proper compliance is in place for the additional access provided to the user.
  Thanks.
  Anjan

• Specifying Conflicting Roles in Authorization

  I need to specify conflicting roles.
  For example, I have 2 roles - HR_Administrator and HR_Payroll_Manager. These 2 roles should never be assigned to the same user. There has to be a consistency check for conflicting roles while assigning roles to users.
  How could this be done? Have any of you done this before? Any user exits will help?

  Hi Lucy,
  perhaps you could use BAdI
  SMUM_ASSIGN_ROLE
  Regards
  Bernd