Checking a tranaction in a role

Similar Messages

• How add Authorization check for user with assigened role for t.code-MIR4

  Hi All,
  Regarding authorization how to check authorizations check for user whith assigned roles for the t.code MIR4  using ABAP.
  In Detail:2)     All users are allowed to go to MIR4(invoice number), But ONLY for users with role: MM_RELEASE_INVOICE can proceed to do the posting.
  suggest me...
  Thanks,
  srii..

  Hi Sri ,
  first u need to find out  in which user rules u are using this object , after that if u want to restrict users then remove create/change values from that object values .
  make use of Tcode SUIM to find out all roles which are using this Object.
  or
  ask ur basis guy to remove authorizations to create/change....
  regards
  Prabhu

• Report to check the open authorization in Roles

  Hi All,
  Is there any standard SAP report or option to find out the list of roles with open authorizations(auth data incomplete) in the R/3 system?
  We are on R/3 4.7.
  Thanx
  Balaji Srinivas

  I've found a solution on netweaver 2004 for which I think does work on 4.7 as well:
  Use SE16 to get the data from tables AGR_1251 and AGR1252 with the following selection criteria:
  For the "LOW" field open the selection subscreen, go to "exclude ranges" and in the lower limit you enter "#!" where the exclamation mark is the lowest in the ascii range (character 33) and the hash is there to escape any special meaning so SE16 will accept it. In the "upper limit" enter "ÿ", character 255. Now you've told the system not to return any row with a valid ascii character in the "LOW" field for the objects.
  You may want to filter for "DELETED" <> "X" as well in AGR_1251.
  Hope this helps
  Jurjen

• How to Check How Many Times FSMO Roles was Changed?

  Thanks Gary!

  Hello guys!
  I'm in a new company and we recently had problems with Primary Domain Controller.
  I had need to seize all FSMO roles from a dead server to another.
  In the past I read a lot of articles and most of them describe that the best practice is to change de FSMO roles once in life.
  I need to know if that is true and if it is a way to know how many times FSMO was changed on a domain.
  Thanks in advance,
  Marcelo.
  This topic first appeared in the Spiceworks Community

• Checking if a user has a role (FGAC)

  Hi!
  I am implementing Fine Grained Access Control on a table and in my policy function I do not want to restrict the amount of result data on a select if the current user has a certain role (otherwise I want to).
  My idea was to check USER_ROLE_PRIVS/ROLE_ROLE_PRIVS for the role, but the stored procedure runs with definer-rights, so that won't help.
  Running the procedure with invoker-rights won't help either, since not the current user is the invoker of the policy function but the DB system (user sys?).
  And finally, the definer of the policy function does not have DBA privs, so I can't select the DBA_* views to check if the current user has the role.
  Is there another way to check if the current user that is known inside the policy function by the USER variable has a certain role?
  Thanks for your help!
  Marcus

  Hi Frank,
  thanks for your answer!
  Frank Kulash wrote:
  Policy functions are run by the user who queries or tries to do DML on the table.I don't see that this is happening. Here's my test case:CREATE OR REPLACE FUNCTION CU_is_member_of
  (v_role IN VARCHAR2) RETURN NUMBER
  AUTHID CURRENT_USER
  is
  v_res VARCHAR2(255);
  begin
  SELECT COUNT(*)
  INTO v_res
  FROM
  (SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS
  UNION
  select GRANTED_ROLE from role_role_privs)
  WHERE UPPER(GRANTED_ROLE)=UPPER(v_role);
  RETURN to_number(v_res);
  end;
  CREATE OR REPLACE FUNCTION POLIFUNC_PARTTYPES_WRITE
  (p_schemaname IN varchar2, p_tablename IN varchar2)
  RETURN VARCHAR2
  IS
  BEGIN
  IF USER=p_schemaname
  THEN RETURN '';
  ELSE
  BEGIN
  if SYSWM_TOOL.CU_is_member_of('#ACT#WMT_MANAGE_PARTTYPES')=1
  THEN RETURN ''; -- *****
  ELSE
  BEGIN
  RETURN '1=0';
  END;
  end if;
  end;
  END IF;
  END;
  CALL SYS.DBMS_RLS.ADD_POLICY('SYSWM_TOOL', 'TBL_PARTTYPES', 'POL_PARTTYPES', 'SYSWM_TOOL', 'POLIFUNC_PARTTYPES_WRITE', 'select'); --TODO: SELECT-&gt;UPDATE,INSERT,DELETE
  If the policy function is run by the user who queries, then I would expect that a user who has the role querying table TBL_PARTTYPES would see all entries since he would run into the line marked with *****.
  SQL&gt; select SYSWM_TOOL.CU_is_member_of('#ACT#WMT_MANAGE_PARTTYPES') FROM DUAL;
  SYSWM_TOOL.CU_IS_MEMBER_OF('#ACT#WMT_MANAGE_PARTTYPES')
  1
  SQL&gt; SELECT COUNT(*)
  2 FROM
  3 (SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS
  4 UNION
  5 select GRANTED_ROLE from role_role_privs)
  6 WHERE UPPER(GRANTED_ROLE)=UPPER('#ACT#WMT_MANAGE_PARTTYPES');
  COUNT(*)
  1
  So, the current user has the role and the stored function CU_IS_MEMBER_OF works correctly. However:
  SQL&gt; select count(*) from syswm_tool.tbl_parttypes;
  COUNT(*)
  0
  What am I missing here?
  Marcus

• Authorization object in procurement that checks user role

  Hi Experts,
     Please let me know if we have any standard authorization objects in the transactions PO or PR that checks the SAP User role. Authorization check can be done by sap role, we are not botherd checking on company code, purchase group and so on, Is there any standard procedure to find out that or any function module available to check that by passing user role.  << removed >>
  Cheers
  Mohan
  Edited by: Rob Burbank on Feb 19, 2010 12:24 PM

  easiest way to find all authorization objects is to execute SU24.
  There you enter the transaction code for which you want find the authorization objects.

• Individual Account Creation in IC_AGENT business role.

  Hi,
  After system got upgraded from 6.0 to EHP1, marketing attributes are not working as expected.
  When i create an Individual Account type in ZIC_AGENT business role, it gets created successfully but its marketing attributes are not getting set when i check in the Account overview.
  There is a BADI implementation of "BUPA_GENERAL_UPDATE", i debugged and found that in FM "CRM_MKTBP_READ_KSSK_AUSP", system is trying to get the attributes from table "ausp"
        select * from ausp into table et_ausp
            where partner_guid = lv_guid
            and klart = 'BUP'.
  I think, somewhere configurations are not done correctly. But i am aware where i check all these configurations for markting attributes corresponding to BP. If you know then please let me know.
  Thanks
  Raman.

  Hi,
  You can check it in ,
  MARKETINGPRO ( business role ) -> Marketing ( work center ) -> attribute Sets
  search for the specific attribute/attribute set. go to OV page ..there will b check box for person and organization.
  Regards
  Sandeep Kumar B

• Crystal Report: Save a Crystal Report to BW, no Roles found

  Integrating BusinessObjects Enterprise and BW:
  - Some configuration works have been done
  - Crystal Report can connect to BW
  when [Save a Crystal Report to BW], then Connect to BW,
  Dialog "Save a Crystal Report to BW" show up, but in Roles Description : "No Entry Found"
  somebody any ideas, thanks!

  Hi,
  please check the following thread:
  [No roles in Crystal Reports available;
  Regards,
  Stratos

• SAP R/3 : Indirect Role assignments - Is position unique to every user?

  Hi.
  While am exploring /learning SAP R/3 roles and auth, I would appreciate if I could get clarity on the following :
  This  link on SDN on Indirect role assignments are very informative.
  http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/f03e6f6c-8c16-2a10-1581-ed8812e2effe
  This link is also more explanatory : http://my.affinitext.com/public/book/5442/-1/1423831
  So if my understanding is correct, it is better to assign roles - indirectly by position, so that if an employee's position changes, his role can be removed, based on position again ??? And somewhere we are linking with infotype 105.
  My only doubt is : if we are going to assign roles by position and remove the roles by position, so that as the position of an employee changes, the previous roles become null and void and new roles can be assigned as per new position.
  So would like to know :
  as to whether this position number which we see from PA20, is unique to every user on the system ?
  So that, if there is a need to remove a role based on postion, we could remove the role from PO13;
  BY doing that, then will it not affect other users ?
  Can somebody help me understand this.
  Because if i want to see the effect immediately, if i go to PFUD and put the role name and say execute, i see that the role which was removed from PO13 is gone immediately from the user.
  Many thanks
  Indu
  Edited by: Indumathy Narayanan on Nov 22, 2011 9:25 AM

  GOT IT THANKS.
  Hi Prashant.
  Good morning and wishes.
  Can you please help me understand this.
  I understand from HR person that position is uniquely defined (from hire to retire)
  and roles are generally given based on position.
  However, I see a person : whose roles have been assigned as per position all these years.
  He had 2 roles in project A. He now moved into a different project B.
  But. when i check, i still see the roles - reflecting on SU01  & well as in the tab of user of the role X under pfcg.
  BUT when i check PO13 - and put the position / relationship and say overview.
  I dont see the roles at all there.
  Why this is so.  Why the discrepancy on different screens.
  Also How can I get a confirmation that - these roles are actually removed and is not there for the user.
  Rather.
  How could the removal of roles based on position become completely effective on the system.
  So that all screens display the same information.
  Also would like to know - whether it is ok to remove the role expiry date directly from PFCG/ROLE Display/user tab/select user/
  and then make the role invalid or expired / or extend the expiry.
  Many thanks.
  Indu
  Edited by: Indumathy Narayanan on Dec 7, 2011 12:09 PM
  Edited by: Indumathy Narayanan on Dec 7, 2011 1:42 PM
  Edited by: Indumathy Narayanan on Dec 7, 2011 5:17 PM

• Problem in Creating a Business Partner Role

  Hi Frns,
  I am trying to create a BP Role from CAC->SAP Business Partner->Business Partner->Business partner Roles->Define BP Roles.
  I copied BUP003 and given my BP Role name as ZEmp.
  When i try to save it, it is giving an error message saying
  "NO STANDARD ASSIGNMENT DEFINED FOR BP ROLE CATEGORY BBP003".
  I have checked in BBP003 Category in the same.
  What could be the problem?
  Thanks in Advance
  Rohan

  Hi Roshan,
           You have Created a BP Role,
  You must also have assgned the Same to a BP Role Category Check the Settings for BP Role Category Assignment and when Appropriate you shall Assign Std Assignment of BP Role Category to your BP Role by Selecting the Check Box
  Referal Notes:
  BP Role Category
  Attribute of a BP role.
  Use
  The role category makes it possible for SAP and customer programs to program on the BP role.
  Dependencies
  The role category depends on a differentiation type.
  Any number of BP roles can be assigned to a role category, with one role always acting as the standard role per role category.
  It is possible to control the update of a role by assigning a role category to a role.
  Hope it Anwers your Queries..
  Thanks and Regards,
  RK.

• Migrate SOFS Role between 2012 R2 Clusters

  I have a sofs role configured on a 2012R2 3 node cluster, and I need it moved to a different cluster so that the nodes on the current cluster can be rebuilt. Both clusters use a CSV. The share that is used by the sofs sits on a CSV (connected by iscsi on
  each node)
  Im trying to understand the advice here:
  http://technet.microsoft.com/en-us/library/dn659431.aspx
  Method 1 is confusing because it discusses migrating virtual machine storage with VMM but I dont see how this relates to a SOFS.
  Method 2 seems most applicable, however when I use the 'Copy Cluster Roles Wizard, and I select the source cluster, it brings up a list of role available to be migrated, and I cannot select the single SOFS I want to move. If I check one box, it automatically
  checks the box for every role on the cluster, and I dont want to move everything.
  Also, im confused about the process of the migration and what exactly migrates once I get past the first issue above.
  Should I be running this wizard to migrate the role to the new cluster, then connecting the iscsi for the lun to the 3 destination nodes and mounting as a csv ? and then disconnecting the csv from the source cluster ? or vice versa ? or?
  cant find a good guide for this. Any advice or pointers in the right direction much appreciated.
  tks

  Hi dfgsdfgf,
  Could you clarify “and I select the source cluster, it brings up a list of role available to be migrated, and I cannot select the single SOFS I want to move.” If I am not
  misunderstanding, are you trying to “migrate” one of the SOFS cluster node to new server? You must migrate the SOFS role, but can’t the node.
  More related information:
  How to Move Highly Available (Clustered) VMs to Windows Server 2012 with the Cluster Migration Wizard
  http://blogs.msdn.com/b/clustering/archive/2012/06/25/10323434.aspx
  Migration Paths for Migrating to a Failover Cluster Running Windows Server 2012 R2
  http://technet.microsoft.com/en-us/library/dn530781.aspx
  Migrate Cluster Roles to Windows Server 2012 R2
  http://technet.microsoft.com/en-us/library/dn530779.aspx
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• CRM 7. How to make mandatory the BP Roles on CRM Web User Interface.

  Dear CRM Gurus,
    The requirement in our project is to have as mandatory at least one BP Role (except the default role of BP). Is there any way to implement or configure the CRM system to display an error message when a user tries to save a BP from WEB UI without having maintained the BP Role ?
  Thanks in advanced, John

  Hi Jhon,
  Before raising the error message as Garcia suggested check the collection of bp_roles.. if no roles maintain then raise the message.
  you can raise the message in eh_onsave event of BP_HEAD/BPHEADOverview.
  Sample code to check the collection of bp roles..
  DATA: lv_collection TYPE REF TO if_bol_bo_col,
              lr_bp                TYPE REF TO cl_crm_bol_entity.
    lr_bp ?= me->typed_context->builheader->collection_wrapper->get_current( ).
    CHECK lr_bp IS BOUND.
  TRY.
        lv_collection = lr_bp->get_related_entities(
               iv_relation_name = 'BuilRolesRel' ).
  *     delete difftype-dependent roles (not maintainable/ displayed
  *     in standard)
        cl_crm_uiu_bp_roles_service=>filter_difftype_dependent(
          CHANGING cr_collection = lv_collection ).
  *     delete lifecycle stages (which are roles as well) from coll
  *     of "normal" roles
        cl_bp_accountlifecycle_service=>filter_roles_exclusive_stage(
          CHANGING cr_collection = lv_collection ).
      CATCH cx_crm_genil_model_error.
  *       should never happen
        EXIT.
      CATCH cx_sy_ref_is_initial.
    ENDTRY.
  check lv_collection->size( ) le 0.
        raise error message.
  Hope this helps.
  Cheers,
  Sumit Mittal

• What is  the purpose of assign roles to portal please describe

  what is  the purpose of assign roles to portal please describe

  Hi,
  You assign Roles to Users and not to portals.
  Check this to know about Role:
  http://help.sap.com/saphelp_nw70/helpdata/EN/45/c0d8e962336000e10000000a1553f6/frameset.htm
  So a role has contents that a user can see and also privilages that the user can have (UME Actions).
  http://help.sap.com/saphelp_nw70/helpdata/EN/fb/33f520d15f8f4092a60381365620b2/frameset.htm
  When a user is assigned certain roles which have contents and also UME Actions, this user sees them when he logs on onto the portal and also has this set of  privilages.
  Regards,
  Praveen Gudapati

• How to get the role name in which query is published ?

  Hi Experts,
     Is there any table where i can get the name of the role in which a particular query is published. I know that if i have a role , i can check in pfcg giving that role name and in menu tab i can see all the queries published under that role. But if i know query but not role how to get the role name . Is there any table or functon modules or programs to get the information.
  Thanks & Regards
  Vamsi Kiran

  Check this table
  AGR_HIER

• BW authorizations based on assigned PPM users/roles + inherited roles

  Dear experts,
  We using PPM 5.0 SP7, and we are having trouble defining authorizations for BW reports.
  We would like to use the same authorizations as in PPM business client, so that BI would use/check the authorization from business client.
  This check would include:
  - users or roles gain access from direct assignment to an item
  - users or roles gain access that is inherited in the bucket structure, both structure and classification buckets.
  Users would have access to BW reports, but they could see data only from the same structures/classifications or direct assignments that are given to them in PPM business client.
  Can we utilize the same authorization methods, or do we need to create and maintain this in another place (BW)?
  If needed, how to create similar authorization model to BW?
  Kind regards,
  Antti Forsell

  Hello,
  Please see these docs,
  [Field Based Authorizations in BW BEx Queries|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4753ed83-0e01-0010-e186-f98413f868cb]
  [An Expert Guide to new SAP BI Security Features|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea]
  [Advanced Features of SAP BW Reporting Authorizations|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06]
  Thanks
  Chandran