Channels and authorizations roles

Hi all,
Is it possible control the channels access using groups and roles organizations?
For example: user A access web service 1 and ws 2, user B access ws2 and ws3 and C access all ws.
Thanks in advance and best regards,
Renato.

This issue it's covered by the oss note <a href="https://websmp110.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=852237&_NLANG=E">Note 852237 - Extended authorization concept of the XI runtime</a>.
Regards,
Sandro

Similar Messages

  • RAP and MAPs change the channel and Radio Role

    I have a WLC 2504 with version  AIR-CT2500-K9-7-5-102-0, LAPs are AIR-CAP2602E-A-K9
    I set serveral LAPs for working in mesh mode, I set three Bridge Group Name, the first group has one Root AP and three MAPS working in channel 157, every MAP has a switch connected to its ethernet port.
    the second group has 2 LAPs one Root and one MAP, all working in channel 48. The MAP  is connected to a switch.
    the third group has  2 LAPs, one root and one MAP, all working in channel 149. The MAP  is connected to a switch.
    The issue is the next:
    At the beginnig every LAPs were associated to its bridge group and in the channel defined but suddenly all LAPs of group 1 move to channel 48 (second group) includind the ROOT AP. This happend after the switch that connect to the RAP was disconnect from  LAN.
    In order the associate once again LAPs of the first group  to the channel I defined previously I connected RAP to the switch once again I notice the channel shown was 48 and in downlink role mode.I change to channel 157 reset the LAP and wait several minutes; after the first reset the RAP remains in channel
    48 (it must be 157), I reset once again and wait severeal minutes. Finally the RAP was up and working in channel 157.
    After this I reset the MAPs that corresponde to BGN 1 , after severasl minutes finally just one MAPs for BGN 1 was show in the correct channel and in the correct Radio role, I have to reset several times  the other MAPs until they were shown in the channel I set previously and in the correct radio role.
    I would like to know the reason the RAP and MAP move to a differente channel eventhough I define de Bridge Group Name in every one and the specific channel.
    regards

    Hi scott ,
    Thanks for your explanation, very clear.
    In my scenario  every RAP connet to a switch where I define VLANs and specific VLANs are allow to pass. If RAP and MAP join to a different RAP (different BGN)
    it will allow to pass traffic or maybe don't allow traffic I needs to .  That's why I worry about the keep the MAPs join to the correct RAP and the RAP keep in the BGN and channel set previously.
    is there any option to this  avoid this issue?
    Thanks a lot for your time
    regards

  • Transport Release frequency for Authorization Roles

    Hi,
    At my present customer all system changes are transported via release management. The current frequency of releases is 2 times a year. This includes SAP support packages, customizing, abap AND authorization roles.
    Now I would like to establish a different, quicker release 'speed' for authorization roles only (f.i. once a week).
    I already motivated my request with many reasons (role changes can be considered as master data changes; the lack of speed leeds to insecure 'workarounds'; role management issues are 'redesigned' to user management issues; etc.) but what I am still looking for are reference documents, best practices, audit reports in which the same advise is described.
    Could you please help me with my quest?
    Thank you!
    Kind regards,
    Lodewijk

    Hi Lodewijk,
    I agree, that is is useful to define a specific schedule for transporting roles in oposite to the schedule for updating the software, however, I do not have a document described some best practise. Anyway, the following link may help you to convince the management, that you can setup a process including 4-eyes checks on the transports:
    [TMS Quality Assurance|http://help.sap.com/saphelp_nw70ehp2/helpdata/en/9c/a544c6c57111d2b438006094b9ea64/frameset.htm]
    Using this process you would accept transports only which cointains roles (R3TR ACGR...).
    Kind regards
    Frank

  • Pfcg and business roles

    hi all,
    we have the requirement where we have to create 4 businessroles and out of 4 a manager  rolerequires authrization for all 4and customer rep requires authrization . for 3
    how to achieve that?
    i have crated 4 pfcg id s for 4 roles and assigned it to a business role(manager) which is copied from the standard.
    since manager requires 4 roles i  created 4 manager roles and assigned 4 pfcg ids
    is this the correct approach?
    please help out as i was new to crm 2007
    thanks
    madhuri

    The business role is user for customazion of web ui screens, while authorization roles are used for security reasons. So you need 4 business roles only if you need to maintan 4 different types of screens. If not, use just one.
    On the other hand I guess you need 4 authorization roles because you want to give 4 different types of authorizations to users.
    So, if you need just one type of screen, create one business role and assign it to users simply by using parameter CRM_UI_PROFILE. and authorization role assign via pfcg.
    But if you need 4 b roles and 4 a roles that are always in corelation 1:1 then you can do it also as you wrote.

  • RFC Sender - Logon User - What Roles and Authorizations?

    Hi,
    Scenario: RFC Sender --> XI --> JDBC
    What necessary Roles and Authorizations has to be given for Logon User (in Sender RFC Communication Channel).
    It has to be moved to production soon. My Client wants to give only Roles and Authorization that are necessary for the Logon User.
    With Regards,
    Manikandan R

    Hi ,
    U need to give ECC Authorisation
    Application server : ECC Server
    Sytsem no : ECC system number
    Logoon User : ECC any username
    password : password for above user
    clientr : ECC client ( From which client u are sending to RFC adapter)
    Regards,
    Jayasimha jangam

  • Roles and Authorization strategy for SAP BIBO

    Hello All,
    We are doing an implementation where Source is a Oracle, SAP BI warehouse and BO XI3.1 as reporting solution.
    Our customer has asked for the authorization strategy that will be implemented in SAP BI. Currently the users belong to different companies or plants or countries
    Current structure is like,
    User 1 belongs to Plant1 of Country1
    User 2 belongs to Plant2 of Country2
    user 3 belongs to Plant3 of Country1 etc..     
    We have more than 500 users who will use the reports. The user belonging to a particular plant should only see the plant data/Country data he belongs to.
    As I understand, we need to create the roles in BW and these roles to be imported into BO to use for the row and column level security.
    The options we considered are,
    1. Use Bex queries in BW to with ABAP code in CMOD to identify the user belongs to Plant  1, 2 or 3 and provide necessary authorizations.
    2. Create user groups based on the country or company they belong to and create as many roles as required. This will however impact the maintenance of so many roles in the BI system.
    We are also forced to avoid Bex queries in BW and hence,  trying to connect Multiproviders directly in BO universe.
    How should we go forward in designing the authorization concept? Any better ideas?
    Thanks and Regards,
    Srinivas

    There are two ways which we can implement this kind of authorization based on my knowledge.
    1. Data Security purely at BW
    If the data is secured based on roles and users, there is no  need of additional authorization from BO side except at report and folder level if you go for SAP Authentication.
    Once you use SAP authenication and enable single sign on option in universe connection, the SAP users can access data based on their profile set at BW.
    2. Data Security from BO
    Let's assume that, if nothing is set at BW and every thing to be take care from BO.
    Then you could create one multiple provider for each plant / country. Create one connection for each multiprovider
    Create restrictions (Tools--> Manage Access Restrictions) for each plant/country. There you can change connection names.
    So you would need to create many restrictions for different permutations and combinations.
    I never tries this option with Multiprovider. But It worked well with NON-SAP data.
    Hope this helps!
    Regards
    Gowtham

  • Use of default XACML with custom role mapper and authorization provider

    Hi,
    Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
    My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
    Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?

    I see 2 approaches. First, write a custom authenticator that stores the role information in the subject either by creating a custom java.security.Principal that is stored in the Subject or by saving it in PrivateCredentials of the Subject. Then right a custom role mapper that knows how to get the role information from the Subject and return a role Map. The default XACML Authorizer will then work with the role information in the role map.
    Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
    The chosen approach depends on where you're getting the role information from.

  • Role Mapper and Authorizer

    At one point I posted a forum entry and posted a solution for my entry regarding keeping the app deployments around while recreating/overwriting the domain using WLST offline. Keep App Deployments while recreating the domain in WLST offline
    Things seems to work, except that I noticed that the XACML Role Mapper and Authorizer that were created the first time around (when there is no domain folder) are getting replaced by default Role Mapper and Authorizer (on subsequent runs when the domain folder already exists and we overwrite the domain)
    Basically the first readDomain is causing this. without reading the domain, I cannot get the app list.
    System.setProperty("com.bea.cie.script.throwException","true")
    appdeps={}
    try:
      readDomain('c:/temp/basicWLSDomain')
      cd('/AppDeployments')
      apps=ls(returnMap='true')
      for app in apps:
      appdeps[app]=ls(app,returnMap='true', returnType='a')
    except:
      pass
    try:
      closeDomain()
    except:
      pass
    #=======================================================================================
    # Open a domain template.
    #=======================================================================================
    readTemplate("c:/wls11/wlserver_10.3/common/templates/domains/wls.jar")
    #=======================================================================================
    # Configure the Administration Server and SSL port.
    # To enable access by both local and remote processes, you should not set the
    # listen address for the server instance (that is, it should be left blank or not set).
    # In this case, the server instance will determine the address of the machine and
    # listen on it.
    #=======================================================================================
    cd('Servers/AdminServer')
    set('ListenAddress','')
    set('ListenPort', 7001)
    create('AdminServer','SSL')
    cd('SSL/AdminServer')
    set('Enabled', 'True')
    set('ListenPort', 7002)
    #=======================================================================================
    # Define the user password for weblogic.
    #=======================================================================================
    cd('/')
    cd('Security/base_domain/User/weblogic')
    cmo.setPassword('weblogic11g')
    #=======================================================================================
    # Create a JMS Server.
    #=======================================================================================
    cd('/')
    create('myJMSServer', 'JMSServer')
    #=======================================================================================
    # Create a JMS System resource.
    #=======================================================================================
    cd('/')
    create('myJmsSystemResource', 'JMSSystemResource')
    cd('JMSSystemResource/myJmsSystemResource/JmsResource/NO_NAME_0')
    #=======================================================================================
    # Create a JMS Queue and its subdeployment.
    #=======================================================================================
    myq=create('myQueue','Queue')
    myq.setJNDIName('jms/myqueue')
    myq.setSubDeploymentName('myQueueSubDeployment')
    cd('/')
    cd('JMSSystemResource/myJmsSystemResource')
    create('myQueueSubDeployment', 'SubDeployment')
    #=======================================================================================
    # Create and configure a JDBC Data Source, and sets the JDBC user.
    #=======================================================================================
    cd('/')
    create('myDataSource', 'JDBCSystemResource')
    cd('JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
    create('myJdbcDriverParams','JDBCDriverParams')
    cd('JDBCDriverParams/NO_NAME_0')
    set('DriverName','com.pointbase.jdbc.jdbcUniversalDriver')
    set('URL','jdbc:pointbase:server://localhost/demo')
    set('PasswordEncrypted', 'PBPUBLIC')
    set('UseXADataSourceInterface', 'false')
    create('myProps','Properties')
    cd('Properties/NO_NAME_0')
    create('user', 'Property')
    cd('Property/user')
    cmo.setValue('PBPUBLIC')
    cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
    create('myJdbcDataSourceParams','JDBCDataSourceParams')
    cd('JDBCDataSourceParams/NO_NAME_0')
    set('JNDIName', java.lang.String("myDataSource_jndi"))
    cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
    create('myJdbcConnectionPoolParams','JDBCConnectionPoolParams')
    cd('JDBCConnectionPoolParams/NO_NAME_0')
    set('TestTableName','SYSTABLES')
    #=======================================================================================
    # Target resources to the servers.
    #=======================================================================================
    cd('/')
    assign('JMSServer', 'myJMSServer', 'Target', 'AdminServer')
    assign('JMSSystemResource.SubDeployment', 'myJmsSystemResource.myQueueSubDeployment', 'Target', 'myJMSServer')
    assign('JDBCSystemResource', 'myDataSource', 'Target', 'AdminServer')
    #=======================================================================================
    # Write the domain and close the domain template.
    #=======================================================================================
    setOption('OverwriteDomain', 'true')
    setOption('CreateStartMenu', 'false')
    writeDomain('c:/temp/basicWLSDomain')
    closeTemplate()
    #=======================================================================================
    # Exit WLST.
    #=======================================================================================
    exit()
    So I thought I will create the XACML Authorizer and Role Mapper myself instead of letting the default domain creation process do it. but that is resulting in duplicates on the first run (when the domain folder does not exist) and in the subsequent runs (when the domain folder already exists), I see one XACML and one default.
    cd('/')
    create('base_domain', 'SecurityConfiguration')
    cd('SecurityConfiguration/base_domain/Realm/myrealm')
    ls('a')
    create('XACMLAuthorizer', 'weblogic.security.providers.xacml.authorization.XACMLAuthorizer','Authorizer')
    create('XACMLRoleMapper', 'weblogic.security.providers.xacml.authorization.XACMLRoleMapper','RoleMapper')
    I am going no where with Oracle Support. I am wondering if anyone ran into this before.

    com.oracle.cie.config-wls-schema_10.3.6.0.jar has various SecurityConfiguration XML fragments and the wrong fragment is being used when the domain is recreated.
    I am thinking it is a logic issue in domain creation.

  • Business Explorer Roles and Authorizations

    Hi,
    I am using Business Explorer Query Designer and Analyzer ( Excel Work book add on) with BI 7.0.
    I need to create roles and authorizations for the end users to create queries and view queries in excel by using Business Explorer Query Analyzer.
    Kindly suggest me what are the standard transactions, roles and authorizations to be given to the end users.
    Thanks and regards
    Murugesan

    I dont have idea about Bi 7.0 ..
    If its bw 3.X i jusz used rrmx --->>excel ->addins-->>queries --->pop up window --->here we need rfs object S_RFC
    Finally rrmx tcode and general roles which has S_RFC  autorisation object and the query .
    Regards,
    Naveen

  • How to create authorization role for just displaying query prefix Q and X.

    Hi Expert,
    I hope someone can help me on how to create authorization role for just displaying and executing  BEX  Queries prefix Q and X. I'm currently using SAP BI 7.1.
    Actually, I already created one role called : Z_FORINDO_ONLYDISPLAY_QX
    where I only put in the Authorization Component (in the Role Maintenance - Tcode 'pfcg'):
    -->Manually Business Information Warehouse
        --> Manually Business Explorer - Components
    Activity : Display, Execute, Enter, Include, Assign
    InfoArea : *
    InfoCube : *
    Name(ID) of a reporting component : *
    Type of a reporting component : Calculated key figure, Restricted key figure, Template structure
        --> Manually Business Explorer - Components
    Activity : Display, Execute
    InfoArea : *
    InfoCube : *
    Name(ID) of a reporting component : Q* , X*
    Type of a reporting component : Query
    But, the problem is I still can make changes on that queries (Q* and X*). Even, I still can run query with prefix Z. I use S_RS_RREPU Tamplete for Query Display and execution.
    Please assist. Very much appreciate your help. Thanks.
    Edited by: nadiyah salleh on Mar 18, 2008 11:22 AM

    Question close. This issue has been resolved.

  • What Roles and Authorization Req

    Hi All,
    I am getting the Error in SOAP to RFC Sync secnario.
    User using one URL through that URL he is trying the send the data to before sending the req user have the USER ID and Password. what are the Roles and Authorization req for that user id and password. Are they service user id ?
    Regards

    This user ID have roles similar to Service user PIAPPLUSER or XIAPPLUSER. However, it is recommended not to provide this user detail directly to sender system. Instead create a new user and provide that to your partner.
    Regards,
    Prateek

  • Roles and authorizations in BI content

    Hi experts,
    I'm trying to define a very simple scheme of roles and authorizations for my queries.
    So, i'm trying to limit the acess by infocube and DSO, but I'm missing the authorizations objects for Cube and DSO.
    I know that authorization object for queries it's S_RS_COMP.
    So my roles would be something like
    BI_ROLE_FI
    Authorization Object                                  Autorization Object Value
    Acess query (S_RS_COMP)                         NA                              
    Infoobject (whats the object???)                   0FIGL_C01
    DSO (whats the object???)                            0FIGL_O14
    BI_ROLE_PUR
    Authorization Object                                  Autorization Object Value
    Acess query (S_RS_COMP)                         NA                              
    Infoobject (whats the object???)                   0PUR_C01
    Can you help me find out whats the missing information
    Thanks and regards
    Joana

    Hi,
    Iu2019ve gave authorization to the object youu2019ve mentioned, but itu2019s still not working.
    Basically what I have is the following:
    One role that allows me to execute queries, workbooks, etc.
    A second role, dependent on the area of work, that should allow me only to have access to queries  from cubes/MP/DSO that are specific to users area.
    I will then give each user role 1 + the adequate role 2, depending on their work area.
    For role 1 I have got:
    S_RFC     
    Activity: 16
    Name of RFC to be protected: *
    Name of RFC object to be protected: *
    S_TCODE     
    Transaction code: RRMX
    S_GUI     
    Activity: 16
    S_USER_AGR     
    Activity: 01, 02, 03
    Role Name: ANLG_BI_01
    S_USER_TCD     
    Transaction code: RRMX
    S_RS_AUTH     
    BI Analysis Authorization: BI_ALL
    S_RS_COMP     
    Activity: 03, 16
    InfoArea:*
    InfoCube: *
    Name (ID) of a reporting component: *
    Type of a reporting component: *
    S_RS_COMP1
    Activity: 03, 16, 22
    Name (ID) of a reporting component: *
    Type of a reporting component: *
    Owner (Person Responsible) for a reporting Component: *
    S_RS_TOOLS
    Logical Command Name: THEMES
    Iu2019ve tested this role, and it works u2013 they can access queries, create workbooks, create permanent model workbooks
    For role 2 u2013 Finance I have     
    S_USER_AGR     
    Activity: 01, 02, 03
    Role Name: ROLE2
    S_RS_ADMWB
    Activity: 03,66
    Data warehousing workbench Object: INFOAREA
    S_RS_ODSO
    Activity: 03
    Infoarea: 0FIGL_ERP
    DataStore Object: 0FIGL_014
    SubObject for ODS Object: *
    S_RS_ICUBE
    Activity: 03, 66
    Infocube SubObject: *
    Infoarea: 0FIAP
    InfoCube: 0FIAP_C02
    S_RS_MPRO     
    Activity: 03
    Infoarea: 0FIN_REP_SIMPL_1_ERP
    MultiProvider: 0FIAP_M20, 0FIAP_M30
    MultiProvider SubObject: *
    I then gave to my test user this 2 roles, and with that user I can still see every infoarea, and access all reports.
    I will have more specific roles u2013 to other areas (SCM, TV, etc), but I chose this one has an example.
    First question I have: can I manage my requirement in 2 different roles: one for action that can be performed (role 1) and other for areas that they can access data from (role 2)?
    What objects/restrictions am I missing in role 2?
    Many thanks
    Joana

  • After BI 7.0 Upgrade, Authorization Roles and profiles are not visible

    Hi Gurus,
    We have an issue with authorization roles and profiles are not visible for all end users with new Bex Analyzer (BI 7.0) tool. But still they can see these roles with old Bex Analyzer ( Bex 3.5) tool.
    As a developer I have SAP_ALL acces and I can see all authorization roles in new BEx Analyzer (BI 7.0).
    I verified in SU01 for user access and every are assigned there roles and they are green.
    Do we need to add any new authorization object to fix this issue, please let me know
    Thanks and appreciate your help.
    Thanks
    Ganesh Reddy.
    Edited by: Ganesh Reddy on Oct 26, 2009 4:41 PM

    Hi Ganesh,
    check the behaviour, if you assign
    S_USER_AGR                          
       ACT_GROUP = "..name of the assigned role.."
       ACTVT = 03 (for "display")    
    b.rgds,
    Bernhard

  • Deleting FICO Roles and Authorizations

    Hi Guys,
    i want to Delete some roles and authorizations from a user profile.I have the user id and I want to know what roles are assigned to the user.
    Which tcode can be used for the same and how to delete the fico roles assigned to that sap user id.
    thanks,
    Srikanth.

    Hi,
    I got the solution. It is SUIM.
    Anyways thanks for the help
    srikanth

  • About roles and authorizations

    hai friends,
    who will create roles and authorizations plz
    thanks in advance
    suitable answer will be given suitabel points
    kumari

    Roles and authorizations have to be done with Basis team and HR team together, because they are not the usual roles that other modules use. For instance, HR authorizations have different objects for PA, PY, Clusters, BM and CM. For OM and PD, you use transaction OOSP for authorization profiles.
    For my personal experience, when the consulting team ask the basis team to deal with authorizations for HR, they become paralized when they find Structural Authorizations Profiles, Period of responsibility, etc., because they don't know (and it is not their responsibility) about HR objects and concepts handled in txn OOSP.
    In order to avoid this problems, take an extra time for this in your implementation project. Roles and authorizations in HR, when done correctly, takes more time than other modules.

Maybe you are looking for

  • How to use one dynamic connection managers for multiple parallel data flow tasks

    hi there:    I have 6 databases residing on the same server. What I want to do is  call a store procedure with identical name on each database dbo schema and transport results to a centralized place. The key is to have those SPs run in parallel inste

  • HP Pavilion dv6618ca (dv6500) - NO AUDIO (Audio Device either disappears or no sound)

    Hi There, I hope someone can help me. I have been struggling with NO AUDIO problem for last 4 weeks. Intially I had a big red cross in front of voice control button. I had to reformat and installed original softwares using recovery. Now audio is avai

  • IPhone 5 Audio on Movies and music is distorted

    I have a new iphone 5 and noticed a great deal of distortion when playing back music and videos. I have tried the EQ settings (all of them)  with no improvement. All my videos and music are apple lossless (music) and videos are at least CD quality au

  • Dynamic form in Mac OS

    Hi, we have created an acrobat dynamic form using Livecycle Designer . We have a web application, where when the user wants to open the form, we prefill some fields in the form and display it in the browser. Here is how it works, 1. The form was desi

  • Graph using parameter

    Post Author: pkarnes CA Forum: Charts and Graphs Long story short- have a list of transaction amounts that inc/dec an account balance.  The account's beginning balance is a parameter.  Created a running total of transaction amounts, then created a fo