BO authorization model with SAP roles / access to folders, functionalities

Hi Specialists,
As an authorization consultant in BI, I have little knowledge of the security setup in Business Objects.
I have to set up an authorization model where the authorizations are assigned via SAP roles in the backend BI system. These roles are imported in BO, where they can serve as 'user groups' and grant access to folders and functionalities.
Can anyone provide me an overview, guide, training document... on how the authorizations are managed in BO and best practice when they are linked to SAP backend roles?
The goal will be to use the SAP BI backend roles and use them to grant users in BO specific access to specific folders. E.g.: User A can access folder 1 as "refresher only", User B is able to publish reports in folder 2, User C has only view access in folder 2...
Any help would be great!
Thanks very much in advance.
rgrds
Kristof

Hello,
this is the best approach you mentioned here.
I prefer to create roles that serve as functionalities in the backend. For example, you have a "View" role, a "Refresh" role and so on.
On the other hand, I saw some setups where there is only one role in the backend with all the BO users. Then you have to create your functional groups in BO and have to assign the users there to the groups.
Check the Admin Guide of BO XI 3.1 for more information.
Regards
-Seb.

Similar Messages

  • How to synchronize Identity System Roles with SAP Roles?

    Hello, experts!
    Could you give me an advice?
    I'm trying to perform role synchronization between SAP R/3 and Identity Manager, but the default task definition (Resource Role Synchronizer) can't find a
    SAP resource (for example, method getResourcesSupportingObjectTypes can't find a resource with attribute type activityGroups (SAP Roles)).
    Do you have any experience with synchronization of SAP and IDM roles?
    How it is possible?
    Thank you!

    Maybe somebody knows what objectType attributes like Roles (activityGroups) or Profiles have?

  • Webi Bypassing BEx Authorization Variable with SAP Exit

    BEx query has Hierarchy Node Variable with Authorization as processing type. It's set as User Input ready.
    When the Webi report is refreshed, the LoVs appear as per the Authorization. However, if the user doesn't select any value (pushes from right to left in the variable screen) he gets a NOT_AUTHORIZED error. Which is not intended; it should check the authorization in the background via SAP exit and populate the result. This is how it runs in the BEx query.
    However, in Webi it's giving a NOT_AUTHORIZED error. Is this how the product is designed to work, or is it a bug?
    I see several forum threads and SAP KBAs/notes but they are not answering my question. Could anyone please help.
    I am ready to provide more details on this error.
    Thanks,
    Tilak

    Hi,
    This is how an authorization variable would work in any of the clients and not just Web Intelligence.
    You created an authorization variable which is configured as "ready for input", so the user is getting prompted.
    So in Web Intelligence the LoV shows up.
    If the user does not select a value, then you are not sending a value, so you are basically asking for all data, and you are not allowed to see all data, and therefore you are getting the message "no authorization".
    If you are making authorization variables ready for input, then the user needs to select the proper values, regardless of the BI tool.
    If you want the authorization to be checked in the background, then the authorization variable should be configured to not be ready for input.
    regards
    Ingo Hilgefort

  • Getting Started with SAP-HCM training

    Dear All,
    After quitting my job in India, I have recently shifted to the USA on an H4 visa. My professional background includes four years of experience in Human Resources with one of the leading DTH providers in India. I want to do SAP-HCM training, which might help with a career start in the US market. Looking forward to proper guidance and suggestions... How to start?
    Regards,
    Anud

    Hi Anud,
    if you follow this link you will find under "support" the recruit to retire business processes that cover all aspects of HCM training & certification in the SAP context.
    https://training.sap.com/shop/catalogue/by-business-process
    Instead of attending in person training you can receive access to all learning content for self-study via SAP Learning Hub, which also includes instructor moderated Learning Rooms and access to training systems with SAP Live Access, helping you prepare for SAP Certification.
    https://training.sap.com/shop/learninghub
    Good luck!
    Arnold

  • Gain a competitive edge with SAP HANA certification

    Please see the following blog:
    http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/27492
    Regards,
    Marc
    SAP Customer Solution Adoption (CSA)
    Edited by: Marc Bernard on Nov 29, 2011 11:59 AM

    Hey Vitaly,
    1) It's a private training course provided with SAP HANA access. Also, the trainer is supposedly the first person to be certified in HANA in Southeast Asia (he currently works in Singapore). The link is below:
    http://www.eknazar.com/houston/ekClassifieds/product_desc.php?id=422617&al=1
    I don't think they are affiliated with SAP, but I should ask. The reason I preferred this training is it was 5 day training with 1 month access to SAP HANA, and little cheaper cost. The training SAP provided was only 2 day class - felt it would be too overwhelming (and I don't think they give HANA access besides maybe 2 days)
    2) Money is gone? So $1,300 down the drain if you fail? Jeez. Is there a way to just pay for taking the test rather than paying for the training also?

  • SAP Role to limit access to few ledger accounts

    Hi
    I have created a SAP role which has Display access to FAGLB03 using pfcg.
    I want to restrict this role only to a certain number of Ledger accounts.
    Say like XXXX5, XXXX17, XXXX23, XXXX45, etc.
    Can we restrict using any Authorization object?
    Thanks
    Hari.

    Hi Duggineni,
    I would suggest you make use of the Authorization Group in the GL Master:
    F_BKPF_BES
    I have created one role ZFAGLBO3, in which T.Code FAGLBO3 is authorized, and users are assigned to this role ZFAGLBO3. Now all these users can access all the GLs by t.code FAGLBO3, except for a few GLs in which I have entered Authorization Object "OTHG". So your requirement was to restrict a few GLs in roles, which can be met by using Authorization Object F_BKPF_BES.
    In above role you can see highlighted object F_BKPF_BES, have NIL value against BRGRU.
    Now I have created one test user, who have this role ZFAGLBO3.
    See the results:
    All GL master don't have authorization objects, so this user can display the balances.
    He can
    Note: These users can't display balances in FAGLB03 for a few GLs, which is your requirement, as I understand it. Just add any authorization group in the GL master; in this case I have entered "OTHG" in one GL, see below snapshot:
    When these users of profile "ZFAGLBO3" try to display balances of few GLs who have Authorization Group field filled in master data, system will give below error:
    I hope this will clear your understanding, and give you an idea, how you can use this to meet your requirement.
    Regards
    Javed

  • Problem Connecting with SAP R3 for creating new model

    Hi,
    I have a problem with connecting to SAP R/3 when I want to create a new model with BAPIs.
    The error is:
    Internal Error has occured.
    Plugin name: Web Dynpro Model Editor Services
    Method: next Pressed
    Message: Internal error - see detail information in exception trace.
    Exception: Failed to execute runnable
    How do I get to the exception trace, or what could be the problem?
    Regards. Stefan

    Hi, thanks for your answer.
    I changed the things, but now this problem appears.
    org.eclipse.swt.SWTException: Failed to execute runnable (java.lang.ExceptionInInitializerError: JCO.classInitialize(): Could not load middleware layer 'com.sap.mw.jco.rfc.MiddlewareRFC'
    JCO.nativeInit(): Could not initialize dynamic link library librfc. Found version "620.0.941" but required at least version "620.0.1220".)
    What can I do with this mistake?

  • Crystal Reports access to SAP/CRM 6.0 with Integration with SAP Solutions

    Hello,
    we are running Crystal Reports 2008 with SAP CRM 6.0.
    To boost productivity of report writing we especially need access to:
    - Function Modules
    - the CRM Business Objects Repository (Transaction SW01).
    What kind of SAP/CRM (or SAP/ERP) objects can be accessed with the Integration for SAP Solutions?
    The BO Documentation [BusinessObjects XI Integration for SAP Solutions User's Guide|http://help.sap.com/businessobject/product_guides/boexir31SP2/en/xi31_sp2_bip_sap_user_en.pdf] does not give a clue if this is possible.
    However, Ingo Hilgefort stated in his book that it is at least possible to access ABAP Functions, SAP Queries and SAP InfoSets.
    What is the minimum product portfolio and the necessary Version - Can I install the following products stand alone ?
    Crystal Reports 2008
    Integration for SAP Solutions
    Tomcat / Jaco
    or
    Must I need at minimum BO Edge and must install the CMS Server ?
    Thank You
    Martin

    Hi,
    What kind of SAP/CRM (or SAP/ERP) objects can be accessed with the Integration for SAP Solutions?
    Here is also a blog about this:
    /people/ingo.hilgefort/blog/2008/03/23/businessobjects-and-sap-part-4
    However, Ingo Hilgefort stated in his book that it is at least possible to access ABAP Functions, SAP Queries and SAP InfoSets.
    >> correct. It is also in the Installation Guide / User Guide for the SAP Integration kit. You can use ABAP Functions, ABAP / SAP Queries, InfoSets, Tables
    What is the minimum product portfolio and the necessary Version - Can I install the following products stand alone ?
    Crystal Reports 2008
    BusinessObjects Integration for SAP Solutions
    BusinessObjects Edge or BusinessObjects Enterprise
    Ingo

  • Restriction on SAP Lumira user with BI_DATA_ANALYST role

    Hi,
    Is there an option to disable the SAP Lumira user with BI_DATA_ANALYST role from loading Excel data into SAP HANA? We would like the user to be able to create story boards and publish them on the SAP Lumira server using HANA views, but not allow him to load any flat file data.
    Thanks,
    Lakshmi

    Manish - if you are on BI4 there is no need for the SAP Integration Kit with Web Intelligence
    You can connect using the BEx Query
    For Lumira right now you can connect using the BEx query but only in the Visualize room - more enhancements are planned in 1.27 - see SAP Lumira Webcast including H1 Plans with BW Updates
    I don't think Gateway is needed in these scenarios
    Tammy

  • Use of default XACML with custom role mapper and authorization provider

    Hi,
    Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
    My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
    Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?

    I see 2 approaches. First, write a custom authenticator that stores the role information in the subject, either by creating a custom java.security.Principal that is stored in the Subject or by saving it in PrivateCredentials of the Subject. Then write a custom role mapper that knows how to get the role information from the Subject and return a role Map. The default XACML Authorizer will then work with the role information in the role map.
    Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
    The chosen approach depends on where you're getting the role information from.

  • SAP Roles and Access for SAP Implementation team members

    Hi,
    Is it correct practice to give SAP_ALL role access for all SAP Implementation team members in Dev and QA?
    If not, what is the correct practice?
    Kindly let me know

    Madhu,
    It is NOT correct practice to give anyone SAP_ALL in any of the systems; not DEV, not QAS, and certainly not PRD. However, many implementation teams (and particularly consultants from SIs) insist that they cannot possibly do their jobs without it. This is completely incorrect as there are specific roles for them to use for that purpose. The only circumstance where it could be justified is if you require a special "firefighter" role - and even then, I would still be a bit doubtful.
    You should also consider that once you have given someone SAP_ALL, they will fight tooth and nail to keep it. It also means that they probably are not testing the user roles correctly. Most of those that insist they need it simply do not understand the security issues and probably don't care.
    Just think; if they have access to do something that they shouldn't and then cause a big problem, are they the ones that will have to fix it or are they going to expect you to do it? If they expect you to clear up after them, then you have the right to insist on restricting their access to cause issues in the first place.
    But I know just how demanding they can be....
    Best of luck
    Tony

  • Integration of SAP IS-U Two Contract Model with CRM 7.0 Contract Mgmt

    Hi,
    We have 2-Contract model for all customers in SAP IS-U for distribution and supply services. We are also planning to implement CRM 7.0 Contract management and integrate with SAP IS-U. There is a talk in the air that CRM 7.0 Contract Management does not work with 2-Contract model in IS-U because of some POD replication issues in CRM and heard that some clients are currently facing this issue. 
    Our client is operating in Deregulated environment and we were planning to use Two contract model to separate the services.
    Has anyone faced this issue in your projects or Is SAP working on this issue?
    Please let me know if there are any workarounds where we can still use 2-contract model and integrate with CRM 7.0? Any help or inputs that can you can provide will be very helpful to us.
    Thanks in advance.
    Sachin

    Dear Sachin,
    As per design, it's only possible to have one contract at the same time per PoD.
    If you are in a deregulated market, it's recommended that you use the IDE integration in CRM.
    Unfortunately, your desired business scenario can be achieved on project base only. There are several ideas how to provide the data and the information. One would be to download only the most used contract category into the CRM system (either grid usage or supply) and have the other contract only in IS-U (no replication). With a customer enhancement it would be possible to retrieve the whole supply scenario within the IC webclient.
    Another idea would be to attach a new customer based field to the contract which indicates if the contract is a grid usage or supply contract and have the check for double contracts respect that data - this solution is quite tricky and should be considered only by very experienced consultants.
    Or use 1 installation with 1 contract for simple supply scenario. The schema contains a rate for both, distribution and default supply. The default supply can be switched with an installation fact. In CRM, there is 1 contract with 1 product. If a customer switches to a 3rd party supplier, an inbound message from the supplier creates a second installation with a supply contract and switches off the default supply rate. This installation/contract is not visible in CRM, it is not replicated to CRM.
    As you can see, there are some ideas how to solve your needs on project base, but unfortunately SAP generally will not change the main architecture which allows several contracts per PoD.
    I hope this information is helpful for you.
    Regards
    Olivia

  • SAP GRC Access Control 5.3 integration with Oracle

    Good Day GRC Gurus,
    We want to integrate SAP GRC Access Control 5.3 with ORACLE.
    It would be great if someone could share some documents, presentation and experience on the same.
    Thanks in advance!!!!!!!!!!!!!
    Thanks and Regards,
    Jagat

    Hello Hersh,
    RTA for Oracle is basically a set of PL/SQL stored procedures to create grc schema, grant access and object creation. The package was created using oracle 11.5.10.2 version. I am not sure about the compatibility of the package with the new versions of oracle but still batch mode risk analysis is achievable even if the RTA is not compatible.
    I do not really like batch mode but it does serve the purpose. If I get a chance to test oracle RTA on new version I will surely share it with you.
    Best Regards,
    Amol Bharti
    http://amudee.com

  • Synchronize SAP Roles with IDM Roles

    Hi, I have a question concerning SAP integration in IDM.
    Is it possible to import the Roles from SAP (named Activity groups) in IDM? And how does the "synchronize identity system roles with resource roles" function work?
    Thanks in advance!
    gojo

    The job synchronizes FND Users with the Workflow directory service (plus any other systems you specify). PER is a special case, and will only be synchronized with the Workflow directory service if they are associated with a user - otherwise the records are not included. If they have corresponding HZ_PARTY records, then these may be synchronized, but should not really be used for notifications, since there is no login mechanism for the users to view the notification sent to a party record.
    HTH,
    Matt
    WorkflowFAQ.com - the ONLY independent resource for Oracle Workflow development
    Alpha review chapters from my book "Developing With Oracle Workflow" are available via my website http://www.workflowfaq.com
    Have you read the blog at http://thoughts.workflowfaq.com ?
    WorkflowFAQ support forum: http://forum.workflowfaq.com

  • LDAP (openldap) authorization with DAP (dynamic access policy)

    Hello,
    We have an ASA 5520 and we are trying to set up LDAP (OpenLDAP) authorization with DAP (Dynamic Access Policy). We have a problem with logical expressions. We need more examples of logical expressions and we need to know how to debug a logical expression. We tried to use the debug dap trace and debug dap error, but we need more debug information.

    Hi
    I guess you are using an LDAP attribute map to map the AD group to a group policy. This does not work as you may expect when the user is part of multiple groups, i.e. the user will always be mapped to the same group (first or last in the list, not sure).
    Possible solution: remove the LDAP attribute map, and configure DAP rules that check the ldap.memberOf attribute instead.
    Hth
    Herbert
    Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know.
