BPS retraction (CCA) - authorizations for background user (R/3)

Similar Messages

• Authorizations for background user

  Hi everyone,
          Is it ok to assign the user(system user)  sap_all  profile under whom a background job runs. Is it against the security audit policies. or should we assing only those authorzatons that are required to run the program  in the background job.
  Thanks.
  Neha.

  >         Is it ok to assign the user(system user)  sap_all  profile under whom a background job runs. Is it against the security audit policies. or should we assing only those authorzatons that are required to run the program  in the background job.
  >
  Hi Neha,
  You don't need to provide SAP_ALL for any system user id for daily Business you create. And of course it is against Audit policies to provide such access to Background user. This user id should be of type System.
  The authorizations for such user ids should be:
  SBTCH_NAM       Background Processing: Background User Name_
  BTCUNAME = <respestive user name that are going to be authorized for Batch Job execution>
  SBTCH_JOB       Background Processing: Operations on Background Jobs_
  JOBACTION = *
  JOBGROUP = *
  S_BTCH_ADM       Background Processing: Background Administrator
  This is required for the administrator administering background Jobs.
  Also check the following note: Note 101146 - [Batch: authorization object S_BTCH_JOB, S_BTCH_NAM|https://service.sap.com/sap/support/notes/101146]
  Also the user needs access to following Authorizations:
  S_ADMI_FCD       System Authorizations
  S_CTS_ADMI       Administration Functions in the Change and Transport System
  S_LOG_COM       Authorization to execute logical operating system commands
  S_RZL_ADM       CCMS: System Administration
  Regards,
  Dipanjan
  Edited by: Dipanjan Sanpui on Jul 9, 2009 2:21 PM

• Authentication and authorization for AD users in UCM11g

  Hi all
  we are using webcenter content server 11g. I read some where that for 11g users authentication is done in weblogic server environment, mean content server for 11g in now managed by weblogic server only, am i right?. we have successfully integrated Active Directory with weblogic sever and user of AD are able to log-in UCM but they don't have any role like contributor or Admin. How to do this role mapping for AD user in UCM i.e. authorization for these users. Please provide any guidence on this issue any doc or blog, we are new to webcenter suite.
  Thanks
  Somesh

  As you already have weblogic integrated with AD, remains only role mapping and Single Sign-On integration. For authorization, AD must contain groups with exact names as roles in the Content Server. Those groups should be where Group Base parameter in the weblogic ActiveDirectoryAuthenticator point (like OU=Roles,OU=Oracle,DC=example,DC=com). Assigning AD user to the AD group named contributor, will add contributor role to logged Content Server user.
  As for SSO, refer to the:
  http://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm
  and
  http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#autoId21
  Procedure steps are:
  Create a user account for the hostname of the web server machine in Active Directory
  Create krb5.ini file, and locate it in the C:\Windows directory at both machines (Domain Controller and WLS host)
  Generate the keytab file
  Create a JAAS Login File named krb5Login.conf
  Put both keytab and krb5Login.conf files to …/user_domains/domains/my_domain/
  Configure the Identity Assertion Provider
  Adjust Weblogic Server startup arguments for Kerberos authentication
  Redeploy CS (and optionally other servers) server with the documentation given deployment plan
  Check web browser configuration (IE and Firefox only)
  Take a deep breath and test
  If successful have a cake and cup of coffee else goto step one
  Regards,
  Boris

• No authorization for activating user status PLIM

  Dear Gurus,
  I'm a newbie to SAP. Currently i'm facing the problem with Tcode KO01 while i'mtrying to create Internal Order. I can initialize the program but after i entered the Order type and pressed enter. Error msg "No authorization for activationg user status PLIM" pop-up. Pls help on this urgently.
  Thanks.

  Dear Payal,
  I checked /nSU53 just after i got the error msg. It said authorization check failed. Authorizaton object B_USERST_T status management: Set/Delete User Status using Transaction.
  Activity:01
  Authorization key: <Dummy>
  Object Catagory: ORC
  Status Profile: 00000002
  What should i do after this???

• Authorization for SNC users

  Hello,
  We are working for authorizations for SNC users.
  Currently we have issue wherein SOH and Unresticted stock info is not displayed on WEB UI?
  What authorization object we are missing?
  We have SNC5.1 customer collaboration.
  Thanks

  Hallo,
  Display mode for objects C_LIME_SI & C_LIME_LOC.
  Regards
  Martin

• No authorization for backgroung user for log deletion

  Hello,
  I have included program SBAL_DELETE in a process chain in order to delete expired application logs periodically. But it doesn't work because I get always this message from backgroung monitor: "You do not have authorization to delete all these logs".
  If I run program manually via SLG2 it works correctly.
  The background user has profile S_BI-WHM_RFC.
  Can anybody advice what am I missing?
  Thank you.
  Branislav

  Hi Branislav
  For the administration processes that are bundled in a process chain, you require authorization for authorization object S_RS_ADMWB.
  To work with process chains, you require authorization for authorization object S_RS_PC
  Check this link
  http://help.sap.com/saphelp_nw04s/helpdata/en/e3/e60138fede083de10000009b38f8cf/frameset.htm
  Regards,
  Naveen

• Hr Authorization For End User

  Dear Experts,
  The scenario,in PA30 and also in PA40 HR end user should not have access to edit his own data but he/she can able to view his own data and he should have access to edit,create,copy for other employees. Kindly let me know authorization object for the same.
  Regards,
  Deepan
  Message was edited by: Sikindar A

  Hello
  P_PERNR: will prevent or let a user to maintain/see its own data  cfr: P_PERNR (HR: Master Data ? Personnel Number Check) (SAP Library - Authorizations for Human Resources)
  then depending if you use Contextual Authorization or not
  P_ORGIN or P_ORGINCON lets a user to maintain/display the employees' master data.
  Cfr:
  P_ORGIN (HR : données de base) - Autorisations pour HR (Gestion des Ressources Humaines) - SAP Library
  https://help.sap.com/saphelp_erp60_sp/helpdata/en/4c/197c8fad6671459b9dde3e915336b8/content.htm
  regards
  Hadrien

• Profile for Background user

  Hi,
  What are the profiles for BGUSER in?
  how to  its authorization fail?
  we have assigned some tcods to it, is it ok.

  yes you have to maintain it's password and keep it's password somewhere in documentation, so that whenever you will use this user for any application, then you can give the corrrect password there, instead of resetting the password again n again.
  and if somewhere in future, if you reset the password for this user, then you should update that password in the applicaitons where this userid is used, like in RFCs
  since all backgournd jobs are scheduled and run with this user, this user is critical for the system.

• Authorization for super user

  I want to create a super user on the production server who can create and save the queries only (no other authorization). He can save queries only under $TMP.
  For that I have already created role for super user in the transaction PFCG and in business content S_RS_COMP and S_RS_COMP1 I have given all authorization.
  Now User is able to create the query, but when He is going to save it the Error message is coming- 'No authorization for create and change'.
  Please suggest what I am missing.
  Regards,
  Dheeraj

  Hi Dheeraj,
  Have you given auth as per http://help.sap.com/saphelp_nw04/helpdata/en/41/05453caff4f703e10000000a114084/content.htm : Analyst3?

• MIR4 Invoice - Restrict POST Authorization for Some Users

  Hi Experts,
                    We are doing Invoice Release Workflow (MIR7) With 3 level Approval. When the document goes for approval in EDIT mode (MIR4) to multiple Levels anyone can change the document but the post authorization should be given only to the manager.
  We created a Role with authorization object M_RECH_WRK and enabled only (3 Display and 77 Pre-Enter) still post button could not be disabled for some users. Kindly suggest a way to disable POST Option in MIR4 only for certain Users.
  Regards,
  Dheepak

  Hi Dheepak,
  Refer to these thread:
  [Disable post option in MIR7|Disable post option in MIR7;
  [ POSTING ISSUE|MIR7 posting issue;
  Hope you find these useful.
  Reetesh

• Password reset for background user

  Hello
  I have not idea as to why the background user (ALEREMOTE) password gets autoamtically re-set. I'm keep getting ERROR during data load as " Logon is not possible - Too many failed attempt.
  I would like to know, why and where the password is getting re-set. I checked in RFC connection and where else could be possbile that user ALEREMOTE would have wrong password. How would I check the user level trace or log, to understand where and what is going on ?
  Thanks
  BI

  Thanks Dennis. is this S_BCE_68001402 transaction is correct ? when I ran this transaction, I got a message like mo matching user found. then why it is giving me this ERROR too many failed attmepts - user locked for background userid ALEREMOTE.
  Thanks and I would appreciate, if you or anyone can post an immediate message. As this is happening regularly.
  BI

• JMS authorization for default user

  Hi All,
  I need to configure the JMS authorization for WLS 9.2. I succeed to do it for specific user that determined with access control to JMS Topic resource:
  TopicConnection _topicConnection = topicConnectionFactory.createTopicConnection(_user, _password);
  Along with it I succeed to create topic connection without sending the user/password:
  TopicConnection _topicConnection = topicConnectionFactory.createTopicConnection();
  I can't understand why I succeed if I configured the access to a JMS Topic Connection for specific user only. How I can close this access for default user?
  Thanks,
  Igor.
  Edited by igorkh at 10/07/2007 8:30 AM

  Hi,
            The user/pass arguments supplied for the createConnection call in WebLogic is only checked for the createConnection call itself, and there's no ACL check -- the call only checks that the user is a valid user. As far as I know there's no direct way to restrict the ability to create a JMS Connection to a particular JMS user (no way to specify an ACL directly). What you can do instead is configure an ACL on the JNDI name of the connection factory. You can also configure ACLs on your destinations (not just the JNDI name for the destination).
            For pretty much all API calls (not just JMS API calls), WebLogic generally obtains the implicit security credentials stored in the current thread. The current thread's credentials are initialized either by the user/pass that was passed in the most recent time a Context was created by the application using that same thread, or, if on the server and no context was created, the credential can be supplied as part of the EJB's or servlet's configuration.
            These implicit thread credentials are checked in various places when accessing a particular destination, as well as during JNDI lookups (applies if you've configured ACLs in your JNDI tree).
            Tom

• Object level authorizations for deffirent user restrictions

  Hi
  i have 1 object, this object have only 3 values?
  i need authorizations for this object at report level?
  rsa1- i keep authorization relevant?
  rsecadmin i can include this object , here i need give from value and to value? i have 3 values only? suppose user 1 want only 1 value? user 2 need 2 and 3 value? how can i restrict like this ? ple let em know

  Hi Suneel,
  Go to RSECADMIN.
  Here, in maintain authorizations, create authorization for your characteristics along with the special characteristics.
  i.e. in your case, create authorization(assume 0plant is marked as authorization relevant)
  0PLANT
  0TCAACTVT
  0TCAIPROV
  0TCAVALID
  Double click on each characteristic to assign them the authorized value set.
  Thus, you will create two authorizations
  Z_PLANT_1
  0PLANT...................I..EQ..............1
  0TCAACTVT.............I...EQ..............3
  0TCAIPROV.............I...EQ..........ZPROVIDER
  0TCAVALID..............I...EQ...........*
  Z_PLANT_2&3
  0PLANT...................I..EQ..............2
  ..............................I..EQ..............3
  0TCAACTVT.............I...EQ..............3
  0TCAIPROV.............I...EQ..........ZPROVIDER
  0TCAVALID..............I...EQ...........*
  Go to RSECADMIN again in user tab in assignment, assign these authorizations created to the respective users.
  Like assign User1 -
  >Z_PLANT_1
  ................User2  -
  >Z_PLANT_2&3
  Refer  the link below for more information
  [Analysis Authorization|http://help.sap.com/saphelp_nw70/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm]
  Hope this helps,
  Best regards,
  Sunmit.

• Authorizations for the users lost after applying SP15

  Hi,
  Is it possible that after applying any support package, authorizations of the users gets lost?
  Because when we imported SP15, authorizations of the users are affected...
  If yes, what are the precautions to be taken before importing any support package to avoid this....
  The problem is that as a user of the system who does not have full access,
  when they try to run a report either through the Analyzer or through the
  web all they get is "No Authorisation".  Prior to SP15 being applied they
  did have access to the system.
  Now how to restore the authorizations....
  Thanking you,
  Tarun Brijwani

  Tarun,
  This is a normal occurence with SAP support packs and I suggest you to open up an SAP note with SAP support and see if they respond to it. I exactly don't remember the note number but I think there is a comprehensive note that describes in detail about what you are getting in SP and what might be affected. Try installing Service pack stacks and I think SAP releases these once in a quarter and these are more error proof. ( from my experience that's what I gathered). Anyways, hope this helps.
  Thanks,
  Bobby

• Which authorizations for solman user in monitored system?

  We need to know what auths/profiles/roles are reqd in the active client of the ECC system for the solman user so that EWA, Sys Moni and Central System Admin can be done.
  I know one:
  1.     Custom Role u201CZ_SAP_RFC_SM_CONFIGu201D (with authorizations S_RFC and S_RFCACL)
  Can someone please list the roles/profiles or a link where I can get this?
  Thanks
  Prasad

  Hi
  Check the [security guide|https://websmp201.sap-ag.de/~sapidb/011000358700000370562009E.PDF] in page number 85 to 87.
  Hope this helps you
  regards
  Naveen kumar