Creating Custom Role

Hi,
We want to create custom roles in ABAP (su01) and assign them to some user ids.
The role should have the below privileges:
1) Developer Access (already provided) role and the users are able to create Objects in ESR and ID.
2) Should have access to create Namespace in ESR.
3) Should have access to create Alerts in ALRTCATDEF.
I think SAP_XI_CONTENT_ORGANIZER_ABAP and SAP_XI_CONTENT_ORGANIZER_J2EE should help in the above requirement.
Can anyone please confirm?
Do not suggest to give ADMIN access
Thank you,
Pankaj.

Hi,
I did see the link, but still I am not aware which role should be used to access ALRTCATDEF tcode.
If I assign SAP_XI_CONTENT_ORGANIZER_J2EE, then the user will be able to create Namespace, but what about creating alerts?
The link just mentions about RWB -> Alert Configuration and Alert Inbox, but nothing about ALRTCATDEF tcode.
Thank you,
Pankaj.

Similar Messages

  • CUP Custom Role Attributes

    All -
    My question is about creating custom role attributes in CUP. I read in the "SAP™ GRC Access Control 5.3 Document Version 3.10 – December 2009" on page 245 that "You can also define your own attributes to support your needs by adding custom fields." I have two questions:
    1) Can I define custom role attributes outside of the delivered ones (Company, Functional Area, Application Area, Business Process, Business Sub-Process, and Functional Area & Company)?
    2) If "yes", where do I do this in CUP?
    I'm running AC 5.3 SP10.
    Any help would be appreciated.
    Thanks,
    Daniel

    Hi Daniel,
    Yes, you can define as many of your own attributes as you want:
    Configuration --> Custom Fields --> Field Label
    All these Field Labels will be shown in a separate tab (Tab Name: Custom Attribute), so in this tab you will get all the attributes which you have created manually. (You can check this in the CUP configuration guide.)
    Hope this will help you
    Thanks
    Uma Shankar Tekumudi

  • Custom role creation using secatt

    hi sap peers!
    can somebody tell me if it is possible to create custom roles using secatt or catt script.
    if it is possible then how to do it.
    thanks

    Hi,
    I hope This could help you.
    http://help.sap.com/saphelp_nw2004s/helpdata/en/2a/121e3bd711bb04e10000000a114084/frameset.htm
    You can find the eCATT Tutorial in the above link.
    Cheers
    Soma
    Message was edited by:
            soma pradeep

  • How to use the custom role which is created by user

    Hi,
    Can any one suggest how to use custom role created by developer in webcenter portal.
    Thanks in Advance
    Regards,
    Ankur Bhatia

    Hi Daniel,
    Thanks for your reply,
    But I am not able to understand where to write the above code.
    Also, suppose a role "GeneralAdmin" is activated for a user, then how does it behave like a "GeneralAdmin"?
    I mean, where was the code written so that it behaves like GeneralAdmin after activation?
    Thanks & Regards,
    Ankur Bhatia
    Edited by: 986921 on Mar 5, 2013 3:49 AM

  • Is it possible to create a custom role based on SELECT_CATALOG_ROLE?

    I have a scenario where one user needs to see the DDL of another user:
    HR schema:
    CREATE OR REPLACE TYPE "HR"."CONTACT" IS OBJECT (
      HOME VARCHAR2(40),
      BUSINESS VARCHAR2(40)
    );
    SCOTT schema:
    CREATE OR REPLACE TYPE "SCOTT"."EMPLOYEE_CONTACT" IS OBJECT (
      EMP_NUMBER NUMERIC,
      EMP_NAME VARCHAR2(50),
      HOME HR.CONTACT,
      WORK HR.CONTACT
    );
    When logged in as SCOTT, I can execute the following to get the DDL for EMPLOYEE_CONTACT:
    SELECT DBMS_METADATA.GET_DDL('TYPE','EMPLOYEE_CONTACT') FROM DUAL;
    but when I try to analyze it further, i.e. get the DDL for HR.CONTACT:
    SELECT DBMS_METADATA.GET_DDL('TYPE','CONTACT', 'HR') FROM DUAL;
    I get the following error:
    13:11:59 [SELECT - 0 row(s), 0.000 secs] [Error Code: 31603, SQL State: 99999] ORA-31603: object "CONTACT" of type TYPE not found in schema "HR"
    ORA-06512: at "SYS.DBMS_METADATA", line 4018
    ORA-06512: at "SYS.DBMS_METADATA", line 5843
    ORA-06512: at line 1
    ... 1 statement(s) executed, 0 row(s) affected, exec/fetch time: 0.000/0.000 sec [0 successful, 0 warnings, 1 errors]
    If I grant the SELECT_CATALOG_ROLE to SCOTT, then I can get the DDL details for HR.CONTACT.
    I am reluctant to recommend to my users SELECT_CATALOG_ROLE (or SELECT ANY DICTIONARY) as these permissions seem overly broad.
    Is it possible to create a role that is based on SELECT_CATALOG_ROLE but limits SCOTT's ability to get DDL to only artifacts from HR?

    Hi Yes,
    But this means you have to rebuild your list in content columns and a as a content Type.
    best regards,
    Paul Keijzers

  • Is there any way to create admin role only for one resource.

    Hi all,
    I am trying to create an admin role with 'update user' capability. But I want to restrict the user (with the admin role) to be able to update a user's attributes only for one resource. The user (with the admin role) should not be able to update the attributes of the other resources which a user has.
    Is there any way to create admin role only for one resource?
    I customized the tabbed user form to show only one resource attribute (deleting the missing fields and adding my tab for the resource) and then assigned this new User Form to the user(with the admin role) in security tab.
    It works fine. But the problem is that if any user(with the admin role) is also admin of some other resource then he/she will not be able to view the other resource attributes.
    Please suggest,
    thanks

    The loop function always repeats the same region so of course the fade is also copied. So option+drag the original region to make a (non clone) copy, fade the first region and loop the second one (which you just copied).

  • Error Importing a Transport in portal - Using custom role

    Hello Everyone,
    I have a custom role “XYZ” which has a few worksets copied (as delta links) from the standard System Administration Role. These worksets include Transport, Portal Display and Monitoring.
    Now, I have assigned a user “ABC” the following roles:
    1.Role XYZ
    2.Content Admin Role
    When the user “ABC”, with the above-mentioned roles, tries to import a transport package into the system, he gets an authorization error. (This error does not occur if I assign the user “Super Admin Role”).
    Error Details :
    com.sapportals.portal.transport.RepositoryAccessControlException
    Import data – Access denied. (Object(s): pcd:……………..
    Object ID: …………
    Transport File: ………………..
    Original Exception:
    com.sapportals.portal.pcd.gl.PermissionControlException: Import data – Access denied. (Object(s): pcd:……………..
    at com.sapportals.portal.pcd.gl.transport.PcdGlTransportAdapter.checkPermission
    at  com.sapportals.portal.pcd.gl.transport.PcdGlTransportAdapter.startElement
    at   com.sapportals.portal.pcd.gl.xml.ContentHandlerManager.startElement
    Questions:
    1. Is it really possible to have this functionality (ability to Import and Export without Assigning System admin or super admin roles) achieved?
    (I went through a thread Portal role for transporting objects on SDN which discusses this scenario)
    2. How should I check for additional authorizations required for Importing / Exporting Transport packages into portal (without having assigned the super admin role or system admin role)?
    Thanks to all of you…
    Joan Thomas

    Thanks for the inputs.
    I have fixed the problem.
    To assign content objects to a package, you need at least read permission for the objects to be assigned.
    You can only import objects into the Portal Content Directory if you have read/write permission for each folder in the Portal Catalog where the imported objects will be stored.
    To create a transport package in a certain folder of the Portal Catalog, you need read/write permission for this folder.
    These 3 points helped me do the required.
    Raj

  • Problem in assigning custom role to a user

    Hi everyone,
    Can anyone tell me how to assign a custom role to a user?
    I have created a set of IViews which are assigned to a workset and the workset is assigned to a new role.
    I assign this new role to my user account.
    But, I am not getting the role which I have assigned to my user account.
    What am I missing???

    Hi Daya,
    Check the below links:
    [Setting up Portal Roles|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e0ba66fd-3c4e-2a10-1090-e1217a92c147?QuickLink=index&overridelayout=true]
    Step by step guide to create roles and worksets. [Wiki blog|http://wiki.sdn.sap.com/wiki/display/EP/Makeiview,workset,pageandassignrole]
    Check the [help.sap|http://help.sap.com/saphelp_nw70/helpdata/en/1e/89570091620b428807f5bce4b45e7f/frameset.htm] document to get idea about Portal Content Objects.
    Regards,
    Anand G

  • CRM 7.0 How to create Business role & generate

    Hi Team,
    Can you please give me a brief idea about the CRM 7.0 security guide?
    How do I create a Business role? Is this part of functional activity?
    What's the role of technical colleagues (BASIS guys) in CRM 7.0 security?
    Please help me to get some document regarding business role creation , generation , assignment & authorization checks in CRM 7.0.
    Thanks & Regards,
    Vyash Mishra

    Hello Viyash
    I will add the most important information for generation of business roles and assignment of authorizations to users.
    You must first create the PFCG roles. PFCG role is built based on the Business Role.
    Please see documentation in : SPRO
    SAP Implementation Guide =>  Customer Relationship Management
    UI Framework  > Business roles > Define Authorization Role
    Then the PFCG role can be assigned to the business role in 
    SAP Implementation Guide =>  Customer Relationship Management
    UI Framework  > Business roles > Define Business role
    Finally you must assign business roles to Organizations or positions in organizations in
    SAP Implementation Guide =>  Customer Relationship Management
    UI Framework  > Business roles > Define Organizational Assignment
    The users that are assigned to such organizations / positions will be therefore linked to the business role.
    With the previous steps the users will have the authorizations that are assigned to the PFCG profile that is linked to their business role.
    Business roles are the main way to configure authorizations for users in CRM but you have more options that give you flexibility. Each business role has assigned one PFCG role, but the relationship between business role and PFCG role is not strict. You can even assign a dummy PFCG role to a certain business role in business role customizing and then go to transaction PFCG and assign other PFCG role(s) to the users that are assigned to that business role.
    I would say that the previous tasks must be performed by the basis team but in cooperation with the functional team
    Best Regards
    Luis Rivera

  • Error creating custom reports. Permissions issue with custom reports

    I am having permission issues with reports. I am building a new Configuration Manager 2012 infrastructure and I have configured the Site server on Server1 and the DB is on Server2. Server2 also hosts the Reporting Point and SSRS roles/features. If I look in Monitoring, the Site Status and Component Status are all green, with no issues with the setup.
    Running SQL 2008 SP2 (no CUs). I have a service account that I used to install Configuration Manager and SQL. This service account is running the SQL service on Server2 and I am using the same account as the Reporting Services Point Account.
    I log into the SCCM console with a different user account, let's call it Admin1. This account is a member of the Full Administrator role. I can run any built-in report.
    When I open the SSRS website and try to create a custom report, I connect the DataSource using Windows Authentication. So the DataSource is connecting using the logged-in user's account, in this case Admin1. I test the connection and it connects fine.
    I test this query (Select * from v_R_System). I only have about 10 workstations discovered so the report shouldn’t be very big. I get an error “The Select permission was denied on the object ‘v_R_System’, Database ‘CM_XXX’, schema ‘dbo’. (Microsoft sql server, Error: 229)”
    I have fixed the SELECT permission error by going into the database (using SQL Management Studio) and granting Admin1 Select rights to the Configuration Manager database. I can now run the above query and make custom reports.
    My 2nd problem is that other members of the Full Administrator role cannot run these custom reports unless I go into the database and grant them the SELECT permission.
    Question:
    Should I have to manually go into the database to add SELECT permissions (I could use a group)? Shouldn't Configuration Manager take care of this for me?
    Maybe the built-in reports use the SQL service account rights and the custom ones do not? Am I doing something wrong with the DataSource when I create these custom reports?
    What is the correct process for creating custom reports?

    I think I am getting closer to a solution. After the custom report is created, I can go back into the report, delete the DataSource, then browse for a DataSource. There is a DataSource located in http://server2/reportserver/ConfigMgr_XXX/
    That DataSource is used by all built-in reports. If you view the properties on the Credentials tab, it is set to "do not use credentials" and the option is greyed out / cannot be changed.
    It looks like I still need the SELECT permissions on the database to create the report initially, but at least I have solved the problem with viewing these reports.
    Can anyone confirm that what I did is correct?

  • Wlconfig with custom role mapper always fails FIRST time only

    WLS 8.1 sp2.
    I have a very strange problem, where I'm "coldstarting" a server and
    configuring it, much like the ant build script for medrec. Only I have a
    custom role mapper (medrec has a custom authentication provider). Anyway,
    the first time I execute this task (after a clean), it consistently fails
    like so:
    [wlconfig] OK
    [wlconfig] OK
    BUILD FAILED
    file:P:/dgs/build.xml:186: Unable to create mbean:
    weblogic.management.MBeanCreationException: - with nested exception:
    [java.lang.ClassNotFoundException: weblogic.management.configuration.com.combinenet.security.CNRoleMapperProviderMBean]
    (that class looks bogus to me, BTW, as my provider class is
    com.combinenet.security.CNRoleMapperProvider)
    Now, the SECOND time I execute "coldstart", which runs wlconfig, the server
    starts up fine, and my custom role mapper is loaded successfully. So,
    obviously I figured something was left around the first time which somehow
    helped matters, but the strange thing is that I delete the entire domain
    directory before "coldstarting" the server, and I also re-copy the role
    mapper provider jar into the mbeantypes directory, so I'm very puzzled. I'm
    copying the coldstart task below (and the clean).
    Can anyone tell me what's wrong with this task that would make it fail the
    first time through after a clean? Is this a bug? And why would it succeed on
    all subsequent attempts (without a clean)? I just don't see anything wrong
    with what I'm doing.
    TIA,
    Miles
    <target name="coldstart"
            description="Start a new DGS Server with an empty config"
            depends="configServerEnv,startPointBase,configPointBase,dist" >
      <delete dir="${dgs.root}" quiet="true"/>
      <mkdir dir="${dgs.root}"/>
      <wlserver
          beahome="${bea.home}"
          dir="${dgs.root}"
          domainname="${dgs.domain}"
          host="${dgs.host}"
          port="${dgs.port}"
          servername="${dgs.serverName}"
          username="${wl.username}"
          password="${wl.password}"
          productionmodeenabled="false"
          generateconfig="true"
          action="start">
      </wlserver>
      <wlconfig url="t3://${dgs.host}:${dgs.port}"
                username="${wl.username}"
                password="${wl.password}">
        <query domain="${dgs.domain}" type="Server"
               name="${dgs.serverName}"
               property="dgs.server"/>
        <create type="JDBCConnectionPool"
                name="DgsPool"
                property="dgs.pool">
          <set attribute="CapacityIncrement" value="1"/>
          <set attribute="DriverName"
               value="com.pointbase.jdbc.jdbcUniversalDriver"/>
          <set attribute="InitialCapacity" value="1"/>
          <set attribute="MaxCapacity" value="10"/>
          <set attribute="Password" value="${pointbase.password}"/>
          <set attribute="Properties" value="user=${pointbase.username}"/>
          <set attribute="RefreshMinutes" value="0"/>
          <set attribute="ShrinkPeriodMinutes" value="15"/>
          <set attribute="ShrinkingEnabled" value="true"/>
          <set attribute="TestConnectionsOnRelease" value="false"/>
          <set attribute="TestConnectionsOnReserve" value="false"/>
          <set attribute="URL" value="jdbc:pointbase:server://localhost/demo"/>
          <set attribute="Targets" value="${dgs.server}"/>
        </create>
        <create type="JDBCTxDataSource" name="DGS Tx DataSource">
          <set attribute="JNDIName" value="DgsTxDataSource"/>
          <set attribute="PoolName" value="DgsPool"/>
          <set attribute="Targets" value="${dgs.server}"/>
        </create>
        <create type="JMSConnectionFactory" name="Queue">
          <set attribute="JNDIName" value="jms/QueueConnectionFactory"/>
          <set attribute="XAServerEnabled" value="true"/>
          <set attribute="Targets" value="${dgs.server}"/>
        </create>
        <create type="JMSJDBCStore" name="DgsJDBCStore"
                property="dgs.jdbcstore">
          <set attribute="ConnectionPool" value="${dgs.pool}"/>
          <set attribute="PrefixName" value="Dgs"/>
        </create>
        <create type="JMSServer" name="DgsJMSServer">
          <set attribute="Store" value="${dgs.jdbcstore}"/>
          <set attribute="Targets" value="${dgs.server}"/>
          <create type="JMSQueue" name="Registration Queue">
            <set attribute="JNDIName" value="jms/REGISTRATION_MDB_QUEUE"/>
          </create>
        </create>
        <create type="MailSession" name="Dgs Mail Session">
          <set attribute="JNDIName" value="mail/DgsMailSession"/>
          <set attribute="Properties"
               value="mail.user=joe;mail.host=mail.mycompany.com"/>
          <set attribute="Targets" value="${dgs.server}"/>
        </create>
        <create type="StartupClass" name="StartBrowser">
          <set attribute="Arguments" value="port=${dgs.port}"/>
          <set attribute="ClassName" value="com.combinenet.test.StartBrowser"/>
          <set attribute="FailureIsFatal" value="false"/>
          <set attribute="Notes" value="Automatically starts a browser on server boot."/>
          <set attribute="Targets" value="${dgs.server}"/>
        </create>
        <set mbean="Security:Name=myrealmDefaultAuthenticator"
             attribute="ControlFlag" value="SUFFICIENT"/>
        <set mbean="Security:Name=myrealmDefaultAuthenticator"
             attribute="MinimumPasswordLength" value="10"/>
        <set mbean="Security:Name=myrealm"
             attribute="DeployPolicyIgnored" value="false"/>
        <set mbean="Security:Name=myrealm" attribute="DeployRoleIgnored"
             value="false"/>
        <set mbean="Security:Name=myrealm"
             attribute="FullyDelegateAuthorization" value="true"/>
        <set mbean="Security:Name=myrealm"
             attribute="AuthenticationProviders"
             value="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter"/>
        <set mbean="Security:Name=myrealm" attribute="RoleMappers"
             value="Security:Name=myrealmDefaultRoleMapper|Security:Name=myrealmCNRoleMapperProvider"/>
        <create type="com.combinenet.security.CNRoleMapperProvider"
                domain="Security" name="myrealmCNRoleMapperProvider"/>
        <set mbean="Security:Name=myrealmCNRoleMapperProvider"
             attribute="Realm" value="Security:Name=myrealm"/>
        <query domain="${dgs.domain}" type="Server" name="DgsServer">
          <set attribute="StdoutEnabled" value="true"/>
          <set attribute="StdoutSeverityLevel" value="64"/>
          <set attribute="ListenAddress" value=""/>
          <set attribute="ListenPort" value="${dgs.port}"/>
        </query>
        <query domain="${dgs.domain}" type="WebServer" name="DgsServer">
          <set attribute="LogFileName" value="logs/access.log"/>
        </query>
      </wlconfig>
      <copy file="${dist}/lib/dgs.ear" todir="${dgs.root}"/>
      <wldeploy action="deploy"
                source="${dgs.root}/dgs.ear"
                name="dgsapp"
                user="${wl.username}"
                password="${wl.password}"
                verbose="true"
                adminurl="t3://localhost:7001"
                debug="true"
                targets="${dgs.serverName}"/>
      <!-- unfortunately BEA's wlserver task exits when ant's jvm exits -->
      <sleep hours="10"/>
    </target>
    <target name="clean"
            description="Clean the build tree(s)"
            depends="init">
      <delete dir="${build}" verbose="true"/>
      <delete dir="${dist}" verbose="true"/> <!-- dist is where the ear file is created -->
    </target>

    g_wolfman wrote:
    Are you using Parallels?
    Wolfman, that's a good hint!
    Additional info at --> http://reviews.cnet.com/8301-13727_7-20106682-263/macbook-airs-double-booting-with-parallels-and-filevault-enabled/
    Thanks for the input.
    Lupunus

  • Use of default XACML with custom role mapper and authorization provider

    Hi,
    Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
    My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
    Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?

    I see 2 approaches. First, write a custom authenticator that stores the role information in the subject either by creating a custom java.security.Principal that is stored in the Subject or by saving it in PrivateCredentials of the Subject. Then write a custom role mapper that knows how to get the role information from the Subject and return a role Map. The default XACML Authorizer will then work with the role information in the role map.
    Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
    The chosen approach depends on where you're getting the role information from.
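
    The first approach in the reply above, sketched in plain Java as an added example (not code from the original thread or from WebLogic): an authenticator stores each externally supplied role in the Subject as a dedicated principal type, and a role mapper builds its role map only from principals of that type. `UserPrincipal`, `ExternalRolePrincipal`, `buildSubject` and `rolesFor` are hypothetical names; a real provider would implement WebLogic's security provider interfaces, which are not shown here.

    ```java
    import java.security.Principal;
    import java.util.Arrays;
    import java.util.LinkedHashMap;
    import java.util.List;
    import java.util.Map;
    import javax.security.auth.Subject;

    public class SubjectRoleDemo {

        /** Hypothetical principal naming the authenticated user. */
        static final class UserPrincipal implements Principal {
            private final String name;
            UserPrincipal(String name) { this.name = name; }
            @Override public String getName() { return name; }
            @Override public boolean equals(Object o) {
                return o instanceof UserPrincipal && ((UserPrincipal) o).name.equals(name);
            }
            @Override public int hashCode() { return name.hashCode(); }
        }

        /** Hypothetical principal carrying one role returned by the external application. */
        static final class ExternalRolePrincipal implements Principal {
            private final String role;
            ExternalRolePrincipal(String role) { this.role = role; }
            @Override public String getName() { return role; }
            @Override public boolean equals(Object o) {
                return o instanceof ExternalRolePrincipal
                    && ((ExternalRolePrincipal) o).role.equals(role);
            }
            @Override public int hashCode() { return role.hashCode(); }
        }

        /**
         * Authenticator side: called only after the external application has
         * confirmed the credentials and returned the user's role list.
         */
        static Subject buildSubject(String user, List<String> externalRoles) {
            Subject subject = new Subject();
            subject.getPrincipals().add(new UserPrincipal(user));
            for (String role : externalRoles) {
                subject.getPrincipals().add(new ExternalRolePrincipal(role));
            }
            // Freeze the Subject so later code cannot add role principals to it.
            subject.setReadOnly();
            return subject;
        }

        /**
         * Role mapper side: build the role map from the Subject. Selecting by
         * class, not by name, means a user or group principal that happens to
         * be called "Admin" is never mistaken for the Admin role.
         */
        static Map<String, Principal> rolesFor(Subject subject) {
            Map<String, Principal> roles = new LinkedHashMap<>();
            if (subject == null) {
                return roles; // unauthenticated request: no roles
            }
            for (ExternalRolePrincipal p : subject.getPrincipals(ExternalRolePrincipal.class)) {
                roles.put(p.getName(), p);
            }
            return roles;
        }

        public static void main(String[] args) {
            // Constructed sample: a user whose login name collides with a role name.
            Subject subject = buildSubject("Admin", Arrays.asList("ReportViewer", "Auditor"));
            Map<String, Principal> roles = rolesFor(subject);
            System.out.println("roles: " + roles.keySet());
            System.out.println("treated as Admin role: " + roles.containsKey("Admin"));
        }
    }
    ```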

  • Create Customer with Account group ZO05 to BP

    Dear RE Experts,
    In my project there are three scenarios related to BP and Customer.
    1) Create BP with Account Group Zo05 to Customer (Which is Working)
    2) Create Customer With Account Group Zo05 to BP
    3) Create only Customer (No BP) With Account Group ZO01,ZO02,ZO03,ZO04,ZO06 and ZO07
    I want help from Experts on how to create the last two scenarios in RE. What configuration is needed?
    What is Tcode to create only customer?????
    Thanks in Advance...
    Manzoor

    Hi,
    Go to SPRO\Cross-application components\master data synchronization\synchronization control
    and check whether it is activated from customer --> BP.
    Also check the following setting:
    Go to SPRO\Cross-application components\master data synchronization\customer&vendor integration\business partner settings\settings for customer integration\define BP role for direction customer to BP
    This might give some solution to your 2nd problem, and finally for the 3rd issue you can use XD01 to create the customer, and don't assign these account groups in "Define BP role for direction customer to BP".
    Srini

  • Creating Customer from employee who is hired in HR

    Hi
    Please tell me if there is some way to create customer records from employee record created in HR
    Is there any report or transaction available that will create a customer record by using/copying  the HR employee record without entering data again.
    regards
    Pravin

    Hi Pravin,
    let me correct you.
    As the employee code and you can maintain sales related data T-Code PA30 and through info type 900 sales org., sales office, sales group.
    You can use the sales employee code as a partner, meaning who has taken the order or, during a return, who is responsible for the return delivery.
    You can create the employee no. as a vendor (FI & CO integration), e.g. for salary, travel advance, etc.
    Hope this will help you with the role of the employee ID and integration.
    Best Regards
    Sainath

  • How to create a role which contains few query for the user

    Hi,
    I need a create a role in the security which should contain few custom BI queries and then assign the users to the role.
    I also have to assign the vendor to their unique vendor number in the security perspective for the created BI Reports.
    Thanks!!

    Try this link  http://www.sapecc.com/bw_security/bw_security_newquery.htm
