BW Authorizations, Profile and Roll

Similar Messages

• Authorization profile description

  hi experts,
  In tcode su01, we have authorization profile and its description for a user.
  I have a report in which authorization profile has been displayed. I need the <b>authorization profile description</b> next to it. I found the field PTEXT in table USR11 has got the description. However i dont have any relation (key) between  USR11 and (usr01, 03, 04). Kindly suggest me some idea to get the description.
  Thanks in advance.
  Senthil

  hi Senthil,
  Check
  UST04                          User masters                        
  UST10C                         User master: Composite profiles     
  UST10S                         User master: Single profiles        
  UST12                          User master: Authorizations         
  USTUD                          Students                           
  Regards,
  Santosh

• Analysis Authorization (Role, Profile and Direct Assignments)

  <b>Analysis Authorization Question:</b>
  1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
  2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
  3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
  <b>
  Migration Options:</b>
  1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
  2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
  3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
  <b>Questions</b>
  a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
  b)     Does any one use direct assignment to Users? It is good business practice?
  c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
  d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
  Just want to check how other folks have done migration that can be supported going forward.
  Pankaj Gupta

  Hey Pankaj,
  In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
  Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
  RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

• After BI 7.0 Upgrade, Authorization Roles and profiles are not visible

  Hi Gurus,
  We have an issue with authorization roles and profiles are not visible for all end users with new Bex Analyzer (BI 7.0) tool. But still they can see these roles with old Bex Analyzer ( Bex 3.5) tool.
  As a developer I have SAP_ALL acces and I can see all authorization roles in new BEx Analyzer (BI 7.0).
  I verified in SU01 for user access and every are assigned there roles and they are green.
  Do we need to add any new authorization object to fix this issue, please let me know
  Thanks and appreciate your help.
  Thanks
  Ganesh Reddy.
  Edited by: Ganesh Reddy on Oct 26, 2009 4:41 PM

  Hi Ganesh,
  check the behaviour, if you assign
  S_USER_AGR                          
     ACT_GROUP = "..name of the assigned role.."
     ACTVT = 03 (for "display")    
  b.rgds,
  Bernhard

• Roles and their authorization profiles time period

  Can roles and their authorization profiles be assigned to a user for a limited time period?
  please reply
  Thanks
  Edited by: tracey_hrecc6.0 on Nov 1, 2010 5:24 PM

  Hi,
  It is possible.
  Read below links for more details
  http://help.sap.com/saphelp_mic10/helpdata/en/69/1810a4c51144dc833353183155ec88/content.htm
  http://www.sap-img.com/basis/frequently-asked-questions-on-authorization.htm
  http://help.sap.com/saphelp_wp/helpdata/en/cd/cc5664d22a11d296110000e82de14a/content.htm
  Regards
  S.Ravi
  Edited by: S.Ravi-at-SAP on Nov 25, 2010 5:36 AM

• How to create and allocate authorization profiles?

  How to create and allocate authorization profiles? please issue step by step and usage of  TC:PFCG.

  Hi Srinivas,
  I would like to try to explain how to create an authorization profile.
  1. you have to create a user with the Tcode SU01 at first
  2. run Tcode /nPFCG.
  3. enter a name for the role (naming convention is here very important) which you want to create and then click on "create Role".
  4. enter a short description for the role and then click on Authorization tab.
  5. now you are required to save the role. Click on it and continue.
  6. click on the tab "change authorization data" and select the authorization template what you need.
  7.change the authorization field value.
  8.click on button "Generate".
  9.click on button Back
  10. click on Tab user to assign the role to the user which you created in step one
  11.click on button User comparison and then complete comparison
  Hope this helps

• Authorization profile that provides "all authorizations" for PP and LO

  Hi:
  I'm looking for several authorization profiles provided by SAP:
  (1) Allow a user with "all authorizations" to work with PP module (Production Planning)
  (2) Allow a user with "all authoirzations" to work with LO module (Logistics)
  For examples, I found that there is the profile M_ALL that allows a user "all authorization" (universal authorization" for MM (Material Management) module.
  If you have some idea about one of these above (1) and/or (2) profile, please help. Any help would be appreciated.
  Thanks a lot,
  Thuan Nguyen

  Thuan,
  You can build it using PFCG fairly quickly. Go to PFCG, you will see a button called "Selection Criteria", all authorization objects are group by module (Object Class). You can include all PP auth objects in one shot. Logistic will separate into few class (General, Controlling, Warehouse Management, etc).
  It will be fairly clear to you once you get there.
  Hope this help.
  Thanks,
  Lye

• Need steps to create: Users, and then allocate authorization profiles.

  Hello,
    I have set up release procedures using a how to doc which was posted an sap123.com. It doesnt go through how to do this, only gives a screen shot. The SAP environment is a test environment for training. We have maybe 4 users existing in system. I would like to know how to first create a user, then go through PFCG and create and allocate authorization profiles. They need to be able to approve PR's/ PO's using the two release codes and release groups I have set up. The steps I followed are posted here: http://www.sap123.com/showthread.php?t=59.
  Thanks for any help.

  Thanks. I do have authorization to create users/ roles & such. I have created 3 specifically to test the workflow I am trying to set up that contains release procedures.
  In PFCG - I created a new role MATMGT. On the Menu tab, Assign Transactions screen, could someone please tell me what the Transaction Code would be so that, when I goto the Authorizations tab and click on the Change Authorization Data button, I get a "Materials Management: Purchasing" row displayed in the Change Role: Authorizations screen. I am following http://www.sap123.com/showthread.php?t=59 - and am stuck at the "Create and allocate authorisation profiles" section, as there are no steps detailing the usage of PFCG.

• Authorization profile

  Hi all,
  I am new to security. i have got some questions.
  what is a profile?
  with profile what system does?what is its necessity
  can anybody give me the guides for security.
  Regards,
  R.Suganya

  Hallo.
  To grant the access rights of a authorisation to a user, you must assign the user to the role (or tho a profile, but sap recommend to a role). You can assign users using either the Profile Generator or user administration. Based on the transactions and reports selected for each role, the Profile Generator automatically determines all authorization objects required for performing the functions specified, and creates the corresponding authorization profile (in pfcg, with object evaluation of SU24).
  Authorizations are assigned using profiles in the form of roles, which are
  entered into the user master record.
  There is a difference between Authorization and authorizatzion profiles generated: Authorization profile contains authorizations for different authorization objects, authorization objects contain different authorization controlled in the Transaction.
  You create profile in pfcg after having saved the Rolle with his own authorization.
  pfcg --> role create - role model and save - profile generate.
  su02 --> see authorisation in profile.
  Alberto

• ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

  We are running ISE 1.3 tied to AD with WLC 7.6.130.0.  Our ISE has a GoDaddy (none wildcard) certificate loaded for https and EAP.  We are just running PEAP.  We have a mix of IOS, Android, and Windows 7/8 devices.  IOS and Android devices can self create a wireless profile and after entering credentials can connect without issue.  Our Windows 7/8 devices, when auto creating a wireless profile are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication.  This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only.  This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity.  The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE1.2), or the best option which is to allow both types of authentication?  I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list.  Neither have helped.  I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
  Thank you for any help or ideas,

  When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
  On 1.2, this behavior was different.  The Windows device would auto select user authentication by default.  At other customer sites, windows devices auto select user authentication.  This of course needs  to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

• Query related to Authorization profile.

  Hi Professionals,
  Please help me out as I'm not a BASIS consultant but PP.....
  We've created Users profile and assigned them profiles that contain a particular bunch of Transaction codes module wise.
  Now we want to to create and assign such a Authorization profile to Users which will contain all Display transaction codes either related to all modules OR that particular module only say PP, MM, FI, CO etc.....
  For example
  MM03- Display material master
  CS03- Display material BOM
  CR03- Display work center
  ME53N- Display Purchase requisition etc.
  Is there any standard profile for that that are already provided by SAP? If it's there, how do we know that are related to what module?
  Suppose if we assign such profiles, what will be implications related to future and user discipline?
  Thanks & Regards,
  Abu Arbab

  Hi Abu, don't worry about being a PP consultant, most of us here are not Basis either, rather we focus on security.
  There are no standard roles delivered by SAP which give this.  There are standard SAP display roles but none will include all the display transactions for a module.
  What you should do is get each functional team to list the dispay transactions which are used by the business processes which they have configured.  There is no point in creating a display role with 500 transactions if the business processes only requires 30 transactions.  Access is more usually required for business processes rather than module so you would often need to combine your modular display roles to cover a single process.
  By building the roles to include the transactions you use rather than are available, you also avoid one of the mistakes often seen with using standard SAP roles - users having wider authorisations than they require to perform their job.

• How to make changes in Authorization profile?

  Dear Guru's
                  In R/3 4.7 i used to change authorization profile in tcode SU02.where as in ecc 6.0 i dont find any change option it shows "Generated profile can only be displayed"
         I want to remove the particular tcode from that authorization profile.please help.
  Regards
  AKI

  Aki
  In new SAP versions, they have replaced direct profile generation with Roles concept and all the new profiles are attached to the roles. Follow this link and read it completely and understand the concept.
  http://help.sap.com/saphelp_bw21c/helpdata/en/52/6714b6439b11d1896f0000e8322d00/content.htm
  You cannot change a profile directly, instead you will have to insert authorization from the existing profile into a new role and generate a new profile for that role.
  Goto PFCG, create some new Z role. Save it, then goto authorizations tab, in the profile text box enter the profile name you want to edit authorization of. Goto change authorization Data. make the required changes. Then in the menu on top left hand side you will see a red and white ball press that and generate profile. Now you have a new role with required authorization. You can attach the role to required users.
  Rahul

• Authorization checks and objects

  Do you have a tutorial for this topic for dummies? thanx in advance

  Hi
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Thanks
  Seshu

• ISE - Authorization Profile issue

  I'm running a trial of ISE and I'm attempting to create the authorization profile with the following settings:
  Name: Posture_Remediation
  Access Type: Access_Accept
  Common Tools:
  Posture Discovery, Enabled
  Posture Discovery, ACL ACL-POSTURE-REDIRECT
  The documentation says Common Tools, but in the screen shot it shows Common Tasks which is accurate to my install. Doc: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic19
  The issue is that I do not see a Posture Discovery option in the Common Tasks area. Can I add these the attributes using the Advanced Attributes settings or is there something I need to enable to display the Posture Discovery option within Common Tasks?
  Any help would be appriceated.
  Andrew

  Hello Andrew,
  As per your query i can suggest you-
  Creating a New Authorization Policy
  Use this procedure to create a new authorization policy.
  To create a new authorization policy, complete the following steps:
  Step 1 Choose Policy > Authorization > Standard.
  Step 2 Click to select either Insert New Rule Above or Insert New Rule Below.
  A new policy entry appears in the position you designated in the Standard panel of the Authorization Policy window.
  Step 3 Enter values for the following authorization policy fields:
  •Rule Name—You need to define a rule name for the new policy.
  •Identity Groups—Choose a name for the identity group that you want associated with the policy.
  –Click + ("plus" sign) next to the word "Any" to display a drop-down list of group choices, or choose Any for the policy for this identity group to include all users.
  •Condition(s)—Choose the types of conditions or attributes for the identity group associated with the policy. Click + next to Condition(s) to display the following list of condition and attribute choices that you can configure:
  –Select a Condition Name option from the drop-down list (Simple Conditions, Compound Conditions, or Time and Date Conditions) as needed.
  –Select one of the Attribute options as needed. This displays a list of dictionaries that contain specific attributes related to the dictionary type.
  When you select an attribute, you can define it as Equals, Not Equals, or Matches using a pull-down list of operator options, and select an AND or OR directive using a pull-down directive option.
  For more information please refer to the link -
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html

• ISE Authorization Profile Question

  Hi,
  We are implementing ISE at a university and using dynamic VLAN allocation to segment the traffic into vlans of a manageable size - we do not want to use geographically based vlans for a number of reasons. However there is one scenario which I am struggling with.
  A number of students will be living in university owned houses which are not directly connected to the university network. In these houses an ISP will provide an ADSL circuit. These ADSL circuits will be aggregated back at the university data centre and will connect down one piece of wire to the university network. I haven't completed my testing yet but the general theory is that we can use multi-auth to allow them on to the network and apply appropriate access restrictions (these restrictions will differ from those applied to those applied when they connect "on campus") . However, in order to do this, I will need to create an authorization policy based on where they are coming from (ie what switch and what port). I can see how I can use Identity Groups to identify which switch the traffic is coming from but for the life of me I have no idea how I would identify the port.
  Anyone have any ideas how I might achieve my goal?
  Thanks
  Alan              

  Hi
  Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources. The authorization policy result is Cisco ISE assigning an authorization profile that might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies the RADIUS attributes that are returned during authentication and that define the user access privileges granted once authenticated by Cisco ISE.
  An authorization profile acts as a container where a number of specific permissions allow access to a set of network services. The authorization profile is where you define a set of permissions to be granted for a network access request and can include:
  • A profile name
  • A profile description
  • An associated DACL
  • An associated VLAN
  • An associated SGACL
  • Any number of other dictionary-based attributes