Create Authorization Profile Manually
Dear Experts,
I want to know the Tcode through which I can create Authorization Profile.
I know that through PFCG we can create a Role and from there we can generate a Profile, But how can i create a profile without creating a Role.
I think this is possible because the Profile : SAP_ALL does not have a role.
Regards
>
Mishra.Manas wrote:
>
Tcode through which I can create Authorization Profile
>
> It's actually the task of a SOX or Security Consultant. If you have rights to acess SU02 you can do it.
> Go to Profiles------>Create.
> Here you can create a profile without a role being generated.
It is nothing to do with a SOX consultant unless that person is also a security administrator.
Similar Messages
-
Unable to create outlook profile manually
Hello,
I have two Exchange 2013 Servers with combined roles with DAG configured. I am not using any cas server load balancer. I created manual entries of AutoDiscover pointing to one of the Exchange server. Now I am able to create Outlook 2013 profile automatically
through AutoDiscover and there is no problem (Even with automatically configuration it is giving strange server name like [email protected])
BUT when I try to create any user profile manually by giving one of the Exchange Server name, It gives me an error message
The action cannot be completed. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action
Kindly anyone please guide me where is the problem?
Thanks in advance.yes I set the proxy but in my Outlook connection setting it is showing strange server name
see the snapshot
That's by design. Exchange 2013 no longer uses a common name (like a CASArray or common namespace) to connect directly to the mailbox. It now uses the [email protected] to have Outlook connect to the Exchange Server. It will still
use the Outlook Anywhere address to connect to the CAS Server, but the server name will always be that GUID.
The best way to configure the Outlook Profile is to let Autodiscover handle the profile creation. if for what ever reason you can not (really there isn't a compelling reason why), then you need to obtain the ExchangeGUID from Powershell. You
can use:
Get-Mailbox -Identity <username> | fl identity, ExchangeGUID
to get that information. Again, Autodiscover is the easiest and painless way to go.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread -
Training Authorization Profile
I would like to create Authorization profile for Training Authorization by adding object P, L, D, E. and allow user only to be able to maintain those employees in specific cost center.
I tried to add object "K" with specific cost center value, but it is not working.
we can achieved the same by addiing a record for each "P" object with employee number value and it is working fine. But this is not a practical way.
Please if you have any idea let us know how to d this.
M. KhalidHi,
If you don't have authorization for the transaction 'IL01', enter this transaction and in another window open transaction SU53. This will display the authorization check failed details. From there you can find out the the authorization object checked.
Regards,
Soumya. -
Create Display Authorization Profile for SAP Transaction SPRO (IMG).
Dear All,
In my current implementation project there is an requirement to create display authorization profile for SPRO. I have tried a lot but was not able to do so.
Any one is having an experience in creating display profile for SPRO (IMG) ? If any one has worked on this issue then please guide me.
Thanks,
AvinashHi
This is security related question. I am not security expert.
But you can check this, Include the following authorization objects in the profile and assign this profile to the target user.
S_IMG_ACTV
S_PROJECT
S_PROJ_AUT
S_PRO_AUTH
and assign activity = 03 (Display).
Hoipe it helps.
regards
Srinivas -
Steps for creating structural authorization profile using trans. OOSP
Dears,
Could someone please guide to the steps for creating a structural authorization profile using transaction OOSP, to authorize on the HR Payroll Area.
Thanks.
RedaHi,
There are comprehensive guidelines on help.sap.com for creation of structural authorizations: http://help.sap.com/saphelp_erp2004/helpdata/en/34/49ba3b3bf00152e10000000a114084/content.htm
However, please bear in mind that you cannot limit access to certain payroll area with structural authorization. For that you should use standard PA authorization object (you can use field organizational key to store Payroll Area VDSK1 in IT0001):
P_ORGIN http://help.sap.com/erp2005_ehp_02/helpdata/en/3e/b8b83b5b831f3be10000000a114084/content.htm
Cheers -
How to create and allocate authorization profiles?
How to create and allocate authorization profiles? please issue step by step and usage of TC:PFCG.
Hi Srinivas,
I would like to try to explain how to create an authorization profile.
1. you have to create a user with the Tcode SU01 at first
2. run Tcode /nPFCG.
3. enter a name for the role (naming convention is here very important) which you want to create and then click on "create Role".
4. enter a short description for the role and then click on Authorization tab.
5. now you are required to save the role. Click on it and continue.
6. click on the tab "change authorization data" and select the authorization template what you need.
7.change the authorization field value.
8.click on button "Generate".
9.click on button Back
10. click on Tab user to assign the role to the user which you created in step one
11.click on button User comparison and then complete comparison
Hope this helps -
PFCG manually created Authorizations synchronized to Menu
Hello Colleagues,
one question please regarding role creations under PFCG.
The normal way is first under "Menu Tab" to create the user menu.
The authorization objects related to your design at Menu Tab will automatic create under Authorization Tab.
But what about if create first your manually authorizations (objects) under Authorizations Tab and afterwards you will have your manually created authorizations und Menu Tap?
Is there a synchronizing passable
After I finalize my manually authorization design at Authorization Tab and I create afterward some objects under Menu Tab this will update (destroy) my manually design under Authorization Tab.
What is the best practice way here please?
Maybe sufficient documentation are available for this point?
Many thanks in advance!
Regards,
JochenHi,
I would suggest to ask this question on security forum. You'll get much better feedback there. The best practice is to not use manually created objects. You should always associate them to transaction or something else. It won't update your manually inserted objects because PFCG does not know their relation to transaction.
Cheers -
Can I creat the structural authorization profile in batch?
Hi All:
I have a question.
I need to creat structural authorization profile in transaction code OOSP, it's OK if I enter new entries in the OOSP and then maintenance the authorzation profile like object type; object ID; Eval. path and so on.
But there are so many new entries need to be created that I want to use lsmw to realize batch in put.
But when I use the transaction code "OOSP' to record the screen during the LSMW, I failed to see the "athorization profile maintenance" screen , that is, I can enter new entry, give it a name and text still, but cannot maintenance the authorzation profile like object type; object ID; Eval. path. In other words,the "athorization profile maintenance" screen is missing during the LSMW recording screen!
Can anyone tell me what's the reason?Hi All:
I have a question.
I need to creat structural authorization profile in transaction code OOSP, it's OK if I enter new entries in the OOSP and then maintenance the authorzation profile like object type; object ID; Eval. path and so on.
But there are so many new entries need to be created that I want to use lsmw to realize batch in put.
But when I use the transaction code "OOSP' to record the screen during the LSMW, I failed to see the "athorization profile maintenance" screen , that is, I can enter new entry, give it a name and text still, but cannot maintenance the authorzation profile like object type; object ID; Eval. path. In other words,the "athorization profile maintenance" screen is missing during the LSMW recording screen!
Can anyone tell me what's the reason? -
Need steps to create: Users, and then allocate authorization profiles.
Hello,
I have set up release procedures using a how to doc which was posted an sap123.com. It doesnt go through how to do this, only gives a screen shot. The SAP environment is a test environment for training. We have maybe 4 users existing in system. I would like to know how to first create a user, then go through PFCG and create and allocate authorization profiles. They need to be able to approve PR's/ PO's using the two release codes and release groups I have set up. The steps I followed are posted here: http://www.sap123.com/showthread.php?t=59.
Thanks for any help.Thanks. I do have authorization to create users/ roles & such. I have created 3 specifically to test the workflow I am trying to set up that contains release procedures.
In PFCG - I created a new role MATMGT. On the Menu tab, Assign Transactions screen, could someone please tell me what the Transaction Code would be so that, when I goto the Authorizations tab and click on the Change Authorization Data button, I get a "Materials Management: Purchasing" row displayed in the Change Role: Authorizations screen. I am following http://www.sap123.com/showthread.php?t=59 - and am stuck at the "Create and allocate authorisation profiles" section, as there are no steps detailing the usage of PFCG. -
How to activate authorization profile in ERP 6.0
Hi,
Could you give me a hint please.
In ERP 6.0 system, I copied a authorization profile from &_SAP_ALL_13, and changed it.(saved successfully)
But clicking activation, message "Unable to activate, authorizations missing: ..." is shown in pop-up.
What happend in this process.
In R/3 46C system, such a message is not shown.
authorization profile activation process changed in ERP 6.0?
I did following actions;
T-CD: SU02
- Profile: &_SAP_ALL_13 / With any options off -> Create work area for profiles
- -> Copy Profile
- Copy profile From &_SAP_ALL_13 To Z_SAP_ALL_13 -> Execute
T-CD: SU02
- Profile: Z_SAP_ALL_13 / With any options off -> Create work area for profiles
- change some objects in the profile (include delete line) -> Save -> Activate
regards,
KatsumiDear Katsumi,
Go to change authorization data and check weather every node is in green.If not expand every node and check anything in yellow or red that should come in green.Then generate that profile Shift+F5.
Now after generating your profile make sure to click on User Comparison.
Also there might be a possibility that user must not be having enough authorization.In that case :
From the user login wherever this message authorization faliure is coming type /nsu53 and see for missing authorization.
Now go to your login(considering that you have full authorization) use tcode PFCG and role in which use tcode is residing.Add manually the missing object which reflects on the SU53.Again generate and make user comparision.
Now come back to user login and again try .If that is still not coming repeat the above 2 steps.
Regards,
Ashutosh
Edited by: ashutosh singh on Aug 13, 2008 7:53 AM
Edited by: ashutosh singh on Aug 13, 2008 7:54 AM -
We would like set up our BW security to allow a user to have access to one set of cost elements in one profit center hierarchy node, and a different set of cost elements in another profit center hierarchy node.
Placing each combination together in a single authorization object, results in a single profile that allows access to all the cost elements in both sets. Placing them in separate authorization objects, results in two mutually exclusive profiles that excludes both sets of data. We were able to create a role that combined the two sets in a single profile that operates correctly, but...
Our problem is that we have more than a thousand profit centers, and maintaining a such a role for each will be a management nightmare. Is there another way to create these compound profiles? Is there a way to mass create or load these profiles or the roles that could create them?Hi Dries,
Following are the steps to create a composite profile:
To create or maintain a composite profile, choose User maintenance ® Manual Maintenance ® Edit profile manually.
or
Use transaction
SU02
Then proceed as follows:
1)Generate a work area (profile list) by choosing Generate work area, or entering the name of the composite profile you want to create or maintain. 2)The system displays a list of profiles. This list is empty when you create a composite profile.
3)Choose Create, Change, Delete or Copy.
If you choose Create, you should then choose the profile type Composite profile in the dialog box.
From the list of profiles, choose the name of the single or composite profile to be included in the composite profile using Add profile. To do this, use the pushbutton, Add profile.
You can add a virtually unlimited number of profiles to a composite profile.
When creating composite profiles, you can enter profiles that have not yet been created or activated. However, you must create and activate the missing profile(s) before you can activate the composite profile.
Hope it helps.
Please award points if it is useful.
Thanks & Regards,
Santosh -
Exporting Authorization Profile
Hi All,
In IDES ECC 6.0 there is a user Authorization Profile "IDES_USER", is there a way that i can export and import this profile in my ECC 6.0.
please help and get poits...
ZeeshanHi Zeeshan,
I would like to just say only one thing: It is not a good idea moving a object between two systems with different releases.
This is security profile onlyso may not do any damage but dont try it for other objects.
Also coming back to your topic. Uplaod download of profiles is not possible. I am talking about profiles and not roles in my opnion.
Transportation could have been a solution but may not work because of differences in TP release of IDES ECC6.0 and ECC6.0 systems.
Best option is to manually create the profile.
Wait for other comments though.
Regards.
Ruchit.
Message was edited by:
Ruchit Khushu -
How to get all authorization objects for a certain authorization profile
Hi ABAP experts,
I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
So:
- where are these values stored (dictionary table)?
- is there already a FM or a report to read all authoriation values for a certain authorization profile?
Thanks in advance.
Best regards,
OliverHi,
check the following it might useful for you:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
if helpful reward points are appreciated -
Query related to Authorization profile.
Hi Professionals,
Please help me out as I'm not a BASIS consultant but PP.....
We've created Users profile and assigned them profiles that contain a particular bunch of Transaction codes module wise.
Now we want to to create and assign such a Authorization profile to Users which will contain all Display transaction codes either related to all modules OR that particular module only say PP, MM, FI, CO etc.....
For example
MM03- Display material master
CS03- Display material BOM
CR03- Display work center
ME53N- Display Purchase requisition etc.
Is there any standard profile for that that are already provided by SAP? If it's there, how do we know that are related to what module?
Suppose if we assign such profiles, what will be implications related to future and user discipline?
Thanks & Regards,
Abu ArbabHi Abu, don't worry about being a PP consultant, most of us here are not Basis either, rather we focus on security.
There are no standard roles delivered by SAP which give this. There are standard SAP display roles but none will include all the display transactions for a module.
What you should do is get each functional team to list the dispay transactions which are used by the business processes which they have configured. There is no point in creating a display role with 500 transactions if the business processes only requires 30 transactions. Access is more usually required for business processes rather than module so you would often need to combine your modular display roles to cover a single process.
By building the roles to include the transactions you use rather than are available, you also avoid one of the mistakes often seen with using standard SAP roles - users having wider authorisations than they require to perform their job. -
How to make changes in Authorization profile?
Dear Guru's
In R/3 4.7 i used to change authorization profile in tcode SU02.where as in ecc 6.0 i dont find any change option it shows "Generated profile can only be displayed"
I want to remove the particular tcode from that authorization profile.please help.
Regards
AKIAki
In new SAP versions, they have replaced direct profile generation with Roles concept and all the new profiles are attached to the roles. Follow this link and read it completely and understand the concept.
http://help.sap.com/saphelp_bw21c/helpdata/en/52/6714b6439b11d1896f0000e8322d00/content.htm
You cannot change a profile directly, instead you will have to insert authorization from the existing profile into a new role and generate a new profile for that role.
Goto PFCG, create some new Z role. Save it, then goto authorizations tab, in the profile text box enter the profile name you want to edit authorization of. Goto change authorization Data. make the required changes. Then in the menu on top left hand side you will see a red and white ball press that and generate profile. Now you have a new role with required authorization. You can attach the role to required users.
Rahul
Maybe you are looking for
-
I'm not finding software I purchased in my purchase history. Can anyone help lead me to where to find it. I have the software on my IMac and want to install it on my new laptop. I cannot find it? Help! Thanks, Chad
-
ERROR IN FILE--XI--RFC SCENARIO. BAPI did not UPDATE the DATABASE TABLE
Hi I have created a scenario FILE -XI- RFC File is picked by file adapter - Its working fine I have used BPM In RFC side i used BAPI_INCOMINGINVOICE_CREATE Its working fine and return an Invoice Number and Fisical year . When i Check this in the R
-
Cant add a link to a network file to a new email
Hi Gents I'm having heaps of trouble - in fact finding it impossible - to add a FILE hyperlink into a newly composed email to send to recipients who can open the file. The file is on THEIR computer network, not mine, and I use the UNC path for the re
-
Hi, I have a business requirement where we need to generate pdfs on-demand and at time the app may get n number of request...As of now we were using the CR.NET and this resulted in whole bunch of warning related to jobs waiting for the license to get
-
RoboHelp 7 ACE Exam Now Available
Hello all, I'm just wondering if anyone knows when Adobe made the RH7 ACE exam available. Last week I went here: http://partners.adobe.com/public/ace/main.html and saw "Adobe® RoboHelp® 7.0 Exam number 9A0-079" available from Prometric. So just out o