Creating standard roles transaction

Hello,
Please let me know transaction code of standard roles creation in SAP Business Workflow.
Regards,
Amey

Create Roles
The role also contains the authorizations users need to access the transactions, reports, web-based applications and so on, contained in the menu.
You can assign a role to an unlimited number of users.
Procedure
To create a single role:
1.     Choose the pushbutton Create role or the transaction PFCG in the initial transaction SAP Easy Access. You go to the role maintenance.
2.     Specify a name for the role.
The roles delivered by SAP have the prefix 'SAP_'. Do not use the SAP namespace for your user roles.
SAP does not distinguish between the names of simple and composite roles. You should adopt your own naming convention to distinguish between simple and composite roles.
3.     Choose Basic maintenance (in the Profile, Other objects menu).
4.     Choose Create.
5.     Enter a meaningful role description text. You can describe the activities in the role in detail.
You may use an existing role as a reference.
6.     Assign transactions, programs and/or web addresses to the role in the Menu tab. The user menu which you create here is called automatically when the user to whom this role is assigned logs on to the SAP System. You can create the authorizations for the transactions in the role menu structure in the authorizations tab.
If you want to call the transactions in a role in another system, enter the RFC destination of the other system in the Target system field.
You should only use RFC destinations which were created using the Trusted System concept () to guarantee that the same user is used in the target system. This is only necessary if you want to navigate via the Easy Access Menu in the SAPgui.
If you use the Workplace Web Browser, you can use any destination containing a logical system with the same name.
If the Target system field is empty, the transactions are called in the system in which the user is logged on.
You can also specify a variable which refers to an RFC destination. Variables are assigned to the RFC destinations in the transaction SM30_SSM_RFC.
To distribute the role into a particular target system, specify the target system (its Release must be 4.6C) and choose Distribute. This function is most useful when you use the Workplace.
You can create the user menu:
o     from the SAP menu
You can copy complete menu branches from the SAP menu by clicking on the cross in front of it in the user menu. Expand the menu branch if you want to put lower-level nodes or individual transactions/programs in the user menu.
o     from a role
this function copies a defined role menu structure in the same system into the current role. You can also copy the menu structure of a role delivered by SAP. Click on the menu branches and copy them.
o     from an area menu
You can copy area menus (SAP Standard and your own) into a role menu. Choose an area menu from the list of menus and copy the transactions you want.
o     Import from file
See Upload/Download roles.
o     Transaction
You can put a transaction code in the user menu directly.
o     Program
This function puts programs, transaction variants or queries in the user menu. They need not be given a transaction code.
ABAP Report
Choose a report and a variant. You can skip the selection screen.
You can generate a transaction code automatically and copy the report description by setting checkboxes.
SAP Query
Enter a user group and query name. If the query has a variant, you can specify it. You can also specify a global query. See Query work areas.
Transactions with variants
The system administrator can create transaction variants in the SAP System Personalization. Transaction variants adjust complex SAP System transactions to customer business processes, by e.g. hiding superfluous information and adding other information such as pushbuttons, text or graphics. You can put a transaction variant call in a user menu by entering the transaction code and variant which you created in the transaction SHD0.
BW report
Include a Business Information Warehouse report. Enter the report ID.
ReportWriter, Search, Report
These function put other application-specific report types in the user menu.
o     Others
Enter other objects:
Web address or file
Enter internet/intranet links with a descriptive text and the web address. You can enter a file name if the browser can call an application.
Drag and relate component
Enter the component name.
Knowledge Warehouse link
Use the Document field possible entries help. Choose the information object type. You go to a selection screen in which you can search for the object in the Knowledge Warehouse.
There are other pushbuttons for editing the user menu. Choose a menu entry with the cursor before you call one of the following functions.
Function:     Meaning
Create folder
Group transactions, programs, etc. in a folder
Change node text
Change a menu entry text
Move down
Move a menu entry down one place
Move up
Move a menu entry up one place
Delete nodes
Delete a menu entry
Any subnodes are also deleted.
Delete all nodes
Delete the complete role menu
Translate node
Translate a menu entry
Documentation
Display the documentation of transactions, programs, etc.
Find doc.
Find programs
You can restructure the menu by Drag & Drop.
The Menu tab status is red if no menu nodes are assigned. If at least one menu node is assigned, the status is green.
You can assign Implementation Guide (IMG) projects or project views to a role under Utilities  Customizing auth. Do this to generate IMG activity authorization and assign users. The authorization to perform all activities in the assigned IMG projects/project views is generated in profile generation. You make the assignments in a dialog box. Choose Information to display more information on using this option.
7.     Save your entries.
You have created a role.

Similar Messages

Standard Role for 000000 for role category MKK is not permitted

Hello SAP Gurus,
I am working on RM-CA and was trying to create a business partner using T-code FPP1 and BUP1.
I was trying to create a business partner as an organization.
WHen I try to save the record I get the error "Standard Role for 000000 for role category MKK is not permitted" Msg P082.
I've checked the view V_TB003 and I see that the Standard Role is assigned to the MKK category.
Has anyone encountered this problem before? What is the fix for this? What am I missing?
Thanks

Hi Jamal,
Please check the following steps:
1. In view V_TB003, please check if the BP role category "MKK" is assigned to the BP role "MKK".
2. In view V_TB109, please check if the BP role category "MKK" is assigned to the transaction code FPP1
I hope it helps!
Regards,
Gabriel Santana

Creating a Z transaction in SRM portal !!!

Hello SRM Gurus,
I am new to SRM and have to create a new custom 'Z' transaction and have a complex requirement to build.
The following steps I think needs to be followed:
1) Creating the custom transaction in SRM SAP GUI system (Module Pool Programming).
2) Creating internet service for this above transaction from SE80. Saving and Publishing this internet service on web.
I am not sure about the second step whether it will be ITS / BSP / or Webdynpro screens.
Please your inputs will be very helpful.
BR,
Chirag Mehta.

Hi,
You can create the module pool application in the normal way as we do in R/3.
Now if you need to quickly provide this transaction as a web link in the SRM screen,you can add it in the MENU of any of the std roles.So all the users who have that role attched to their user ID's will be able access/execute that transaction from SRM web.
The only problem here is the look and feel .It will be same as the WINGUI screen when you login to SRM system.Only it will be shown in the SRM protal.
See the foll thread for details;
Custom Transaction in SRM
If you need a more finished look(more concerned abt the UI rather then application use),you can create a BSP /Web dynrpo application instead of module pool and publish the same on SRM Web portal.
You have lots of threads on SDN custom applications using these recent technologies .Pls see the below links for more pointers;
web dynpro -->WebDynpro in SRM
BSP-->Re: Changing standard SRM(contains links to BSP tutorials).
I have only worked previously on the module screen transactions and published them on the web which easy and less time consuming.
BR,
Disha.
Do reward points for useful answers.

Creating a role for t.code FBL1N

Hi All,
Creating a role (PFCG), I've to assign the t.code FBL1N only.
In this role and for the t.code FBL1N, I've to exclude a certain Vendor Account Group.
Could anyone help me?
Thanks

Hi ,
For the task that you want to perform .
First of all have a basic idea of how the authorization objects pertaining to a T code are checked , go to T code SU24 and give the input transaction as FBL1N and execute . there you will find the list of all the authorization objects that would be available for FBL1N.
go through their documentation and understand the behaviour .
Secondly , in case of FBL1n you cannot restrict based on account group at the granual level you can control on document type authorization group F_BKPF_BLA .
For creating a role Go to t code PFCG create a role assing the t code , provide the auhtorization values , generate the role and assign the role to the user ID that you want to assign it to .
Hope this helps .
Regards ,
Dewang T .

Calling a Standard SAP transaction VA03 from another web dynpro application

Hi All,
I have a requirement wherein I need to call the standard SAP transaction VA03 whenever a sales order is selected in some other we dynpro application so that the sales order gets displayed.
No regarding usage of OBN for the above functionality I have certain queries:
1. In order to call VA03 do I need to create a transactional iview for it or is there any direct method.Also how to pass this sales order number as parameter to the T.Code.
2. Can we use standard business object BUS2032 for OBN or a new Business object is created.What exactly is the purpose of these standard business objects in portal and when should they be used.
Thanks in advance
Aman Gupta

Hi Aman - Do you have a portal team in your project or you have to create the IVIEWS yourself?
I do have a portal team and I dont know how they create the IVIEWs but for example, I will go to my portal team and I will ask them to create an IVIEW for TCODE VA03, they will created and they will tell me the input parameters they entered for the IVIEW so I can call OBN and display in webdynpro.
SAP in SRM has webdynpro e.g. for BUS2121 and they have an IVIEW already implemented in the portal context pointing to the webdynpro of BUS2121 so we can used the IVIEW by calling OBN and passing the parameters; in my case the object_type will be 'shc' and the operation will be 'display' and the paremeters itab will be the GUID of my shopping cart, that way the OBN can understand which Shopping cart open and in which operation mode.
I also did something like your requirement, I need it to display a specific case in Records Management but SAP has a standard IVIEW for records management 'RMREGEDIT' that didn't work for my requirement so I went to SE38 created a program that displayed the case based on GUID and I created a TCODE of my custom program. Portal team created a custom IVIEW of my custom TCODE and they told me the input parameters to call the TCODE in OBN and I pass in the itab parameter the GUID of the case using the FM that I post before.
The action to call the OBN is in the event handler ON_CLICK of my ALV and the action is getting trigger when the user actually clicks a HYPERLINK in the ALV.
Hope this helps you!
Please feel free to ask me more details if you need.
Jason PV

CRM 7.0 How to create Business role & generate

Hi Team,
Can you please let me know some breif idea about CRM 7.0 security guide.
How to created Business role is this part of functional activity?
Whats the role of Technical colleagues BASIS guys in CRM 7.0 security .
Please help me to get some document regarding business role creation , generation , assignment & authorization checks in CRM 7.0.
Thanks & Regards,
Vyash Mishra

Hello Viyash
I will add the most important information for generation of business roles and assignment of authorizations to users.
You must first create the PFCG roles. PFCG role is built based on the Business Role.
Please see documentation in : SPRO
SAP Implementation Guide => Customer Relationship Management
UI Framework > Business roles > Define Authorization Role
Then the PFCG role can be assigned to the business role in
SAP Implementation Guide => Customer Relationship Management
UI Framework > Business roles > Define Business role
Finally you must assign business roles to Organizations or positions in organizations in
SAP Implementation Guide => Customer Relationship Management
UI Framework > Business roles > Define Organizational Assignment
The users that are assigned to such organizations / positions will be therefore linked to the business role.
With the previous steps the users will have the authorizations that are assigned to the PFCG profile that is linked to their business role.
Business roles are the main way to configure authorizations for users in CRM but you have more options that give you flexibility.Each business role has assigned one PFCG role, but the relationship between business role and PFCG role is not strict. You can even assign a dummy PFCG role to a certain business role in business role customizing and then go to transaction PFCG and assign other PFCG role(s) to the users that are assigned to that business role.
I would say that the previous tasks must be performed by the basis team but in cooperation with the functional team
Best Regards
Luis Rivera

How to add button in standard SAP transaction

Hi All,
I would like to know how to add a button in the application toolbar of the standard SAP transaction CO01/CO02. Is there a screen exit for this?
Hope you can help. Thanks
Regards,
April

Check Enhancment CCOWB001. If not then u can search the below list, all of which are called from the T-code.
CCOWB001            Customer exit for modifying menu entries
COIB0001            Customer Exit for As-Built Assignment Tool
COZF0001            Change purchase req. for externally processed operation
COZF0002            Change purchase req. for externally procured component
PPCO0001            Application development: PP orders
PPCO0002            Check exit for setting delete mark / deletion indicator
PPCO0003            Check exit for order changes from sales order
PPCO0004            Sort and processing exit: Mass processing orders
PPCO0005            Storage location/backflushing when order is created
PPCO0006            Enhancement to specify defaults for fields in order header
PPCO0007            Exit when saving production order
PPCO0008            Enhancement in the adding and changing of components
PPCO0009            Enhancement in goods movements for prod. process order
PPCO0010            Enhancement in make-to-order production - Unit of measure
PPCO0012            Production Order: Display/Change Order Header Data
PPCO0013            Change priorities of selection crit. for batch determination
PPCO0015            Additional check for document links from BOMs
PPCO0016            Additional check for document links from master data
PPCO0017            Additional check for online processing of document links
PPCO0018            Check for changes to production order header
PPCO0019            Checks for changes to order operations
PPCO0021            Release Control for Automatic Batch Determination
PPCO0022            Determination of Production Memo
PPCO0023            Checks Changes to Order Components
STATTEXT            Modification exit for formatting status text lines

Adding field in standard SAP transaction output results.

Hi,
I have to add a new field in standard SAP transaction output results.
Can any one tell me what are the ways (brief explanation) that I can do this?
If using exists - then what kind of exists I have to use? And how to find out the possibility with user exists?
Thanks for your time.
Thanks.
Chris.

Hi,
There are so many ways to find out the user exits.
Hi,
To see SAP Exits -> Use Tcode SMOD
To See create a project for Customer Exits -> Use Tcode CMOD
There are projects to which Exits are assigned. Selects the relevant projects.
What is User Exit:
http://www.sap-img.com/abap/what-is-user-exits.htm
How to find then:
http://www.sap-img.com/abap/a-short-tutorial-on-user-exits.htm
All Exits List:
http://www.easymarketplace.de/userexit.php
Do a search on SAP Exits, Customer Exits, enhancements, etc
Step 1 :- Execute transaction
step 2 :- Click on Status Menu
step 3 :- Double click on the program (screen) __?????___
Step 4 :- Search source code for the 'Customer-Function' string using the find button. Remember to select 'In main program'.
Step 5 :- A list of search results should be displayed indicating where all function exits can be found.
You can now double click on each of them to go to its position in the source code. This also
allows for the insertion of breakpoints so that you can test if the exits are called in the
appropriate place.
Step 6 :-Once you have found the Function Exit within the source code (Find Function Exit) you need to
access the actual function module it executes. This is done using the following steps:
Step 6.1 :-
Step 1
Locate desired 'Call Customer-function' statement within source code.
Step 2
If code is not within main program (module pool) e.g. SAP* then you will need to find this
out by selecting 'Main Program' from the 'GOTO' menu. The Main program for transaction
Step 3
The actual function module name can now be calculated based on the information retrieved,
it is defined by the following format:
EXIT_<Program name>_<Exit number>
eg :- 'EXIT_SAPLMR1M_004'.
Step 7.1:-
Once you have found the Exit function module
Step 1
Execute transaction CMOD
Step 2
Select 'SAP Enhancements' from the 'Utilities' menu.
Step 3
Select 'All selections' from the 'Edit' menu.
Step 4
Now populate the Component name field with the exit function module and press
the execute button.
Step 5
A list of all Exits(Enhancements) containing that function module should now be displayed.
Step 5
You can now double click on the desired exit to display a detailed description of its uses and a list of all
components contained in it.
Implementing Function Exit
This is required in-order to activate Function exit:
Step 1
The first step is to enter source code into function module in the usual way i.e. via SE37.
There will already be an include declaration within the code with the following
format: Include zx*.
Double click on this to create it, source code can then be entered within here.
Although it is good practice to create another include with this to store your
code, this allows separation of difference enhancements allowing them to be easlity
removed without de-activating the enhancement.
Step 2
Execute transaction CMOD and create new Enhancement. Enter name and press the create
Button.
Step 3
The following screen should be displayed, enter short text then click on the 'Enhancement
Step 4
Now enter the Exit name (enhancement) which contains the desired Function Exit.
Step 5
Return to initial screen of CMOD and press the activate icon. The exit is now ready for use.
Please Mark The Helfull Answers & close the thread.
regards
dj
reward for all useful answers.

Is it possible to create dimension roles in AWM?

Hi,
Is it possible to create dimension roles in AWM like the way we have in OWB ?
If yes, please direct on the way to do this.
Many thanks in advance for your kind inputs.
Piyush

I think what you need is to use the ALIAS option that is part of the DEFINE DIMENSION statement
DEFINE DIMENSION ALIASOF
The DEFINE DIMENSION ALIASOF command defines a dimension alias for a simple dimension. An alias dimension has the same type and values as its base dimension. Typically, you define an alias dimension when you want to dimension a variable by the same dimension twice.
Additionally, You can use a LIMIT statement to limit alias dimensions and define variables and relations using an alias dimension. However, you cannot maintain an alias dimension directly; instead you maintain its base dimension using MAINTAIN.
Syntax
DEFINE name DIMENSION ALIASOF dimension [TEMP] [AW workspace] [SESSION]
Arguments
name
The name of the object you are defining. For general information about this argument, see the main entry for the DEFINE command.
DIMENSION ALIASOF
If you look at this example if provides a great example of how to use this feature:
http://download.oracle.com/docs/cd/B19306_01/olap.102/b14346/dml_x_decimal006.htm#ABC1485326
But of course the main issue here is how to generate the standard form metadata required to support this feature and make the dimension alias avaliable and visible within AWM. That is the difficult (and I would say impossible) part of the process since this feature is not supported by the AW XML API (at least I don't think it is, you could check the API docs to see if this is supported). if it is not supported then the management of this feature would all have to be controlled via OLAP DML commands (load dimension members etc) but you would still not be able to include it within a cube definition and then maintain that cube using AW XML API.
Does that help?
Keith

Hiding a selection screen field for Standard Report Transaction

Hello All,
We are trying to hide a check box on the selection screen for a standard sap report transaction (s_alr....). We can hide it by creating a variant but then if the users don't select it, the checkbox will be visible. We can't use transaction variant to hide this since its not a dialog transaction.
We don't want any users to select that option by clicking on the checkbox and then running the report. Any suggestions or help is much appreciated.
Thanks,
Sal

Did you think about modifying the standard report by adding NO-DISPLAY to the parameter option?
If you are not allowed to modify another option - although much more effort - would be to replicate the standard selection screen in an own Z-report and at the end do a SUBMIT standard report WITH parameter
In your won report you can easily hide that parameter and always pass a space to the standard report.
To submit data to the standard report just use
DATA: lt_par TYPE TABLE OF rsparams.
build the selection table based on the selection criteria the user entered and do:
SUBMIT rep USING SELECTION-SCREEN 1000
WITH SELECTION-TABLE lt_par.
Then just remove access to the standard transaction and create an own transaction for your custom report which is added to the users authorized transactions.
Not the easiest way to do it, but it does work.
Regards,
Michael

Standard roles in BW (SU01) to use BPC 10.1?

Hi experts,
I'm currently working on BPC 10.1 and I'm trying to figure out which roles are necessary in tc SU01 to use BPC 10.1. The 10.0 security guide specified two standard roles needed for the users, /POA/BUI_FLEX_CLIENT and /POA/BUI_UM_USER. However the 10.1 security guide does not say anything about standard roles so I'm wondering if it's the same roles as in 10.0...
Please advise
Best regards,
Lars

Hi Shekar,
The solution provided by the Note 2068917 can resolve the issue.
It worked for me. Just create an ABAP program with the following code and execute it.
Please provide the appropriate 'username' and '_AppsetName' as per your requirement.
DELETE FROM RSBPC_WEB_UP　WHERE　user_id　=　'username'　AND　NAME　=　'colSeq'　AND　CATEGORY　=　'members_AppsetName'.
WRITE　SY-SUBRC　　.

Standard Role "SAP_QAP_BW_DASHBOARDS" Unavailable in ECC System

Hello Experts.
We are trying to Implement Embedded Analytics in our R3 system, from the SAP documentation I came to know that in order to execute the standard Reports/Dashboards as a pre-requisite we need to have the role "SAP_QAP_BW_DASHBOARDS" assigned to user. but we are unable to find the mentioned standard role in our system.
We have already raised an OSS message but it is also of not much help.
we are at SAP ECC 6.0 EHP 6.
Any help/comment would be appreciated.
Thanks & Regards
Neeraj.

We also got a reply from SAP saying
"The role SAP_QAP_BW_DASHBOARDS was never delivered (and it was not
planned to be delivered, too). This role was just meant for SAP
internal usage during dashboard development. Thus, the documentation
which states that you should assign this role to your users for
dashboard usage is incorrect."
and they suggested we shall create our roles on our own based on our business need, for example how the roles shall look like they have created a note "2001264" where its clearly mentioned how to create the role.
Hope this help to anyone else having the same problem.
Thanks & Regards
Neeraj.

Modify Script to Create User Role on Single Database.

Hi All,
Below is the script to create user role on database. Here problem is when I execute this script, it creates user role for all database within an instance and I want it to create user role only on 2 database say TEST1 and TEST2
Can anyone help me to modify the script?
--===================================================================================
-- Description
-- Database Type: MSSQL
-- This script creates a role called 'gdmmonitor' for ALL databases.
-- It grants some system catalogs to this role to allow Classification and Assessment on the database.
-- It then adds a user called "sqlguard" to all databases and grants this user gdmmonitor role.
-- before runnign this script
-- you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
-- This sqlguard login doesn't need to be added to any database or given
-- any privilege. The script will take care of that.
-- Note:
-- If you wish to use a different login name (instead of 'sqlguard') you need to change
-- the value of the variable '@Guardium_user' in the script below;
-- (Look for the string: "set @Guardium_user = 'sqlguard'" and replace the 'sqlguard')
-- after runnign this script
-- Nothing to do, the script already creates the db user
-- User/Password to use
-- User: sqlguard (or any other name, if changed)
-- Pass: user defined
-- Role: gdmmonitor
--===================================================================================
PRINT '>>>==================================================================>>>'
PRINT '>>> Creating role: "gdmmonitor" at the server level.'
PRINT '>>>==================================================================>>>'
-- Change to the master database
USE master
-- *** If a different login name is desired, define it here. ***
DECLARE @Guardium_user AS varchar(50)
set @Guardium_user = 'sqlguard'
DECLARE @dbName AS varchar(256)
DECLARE @memberName AS varchar(256)
DECLARE @dbVer AS nvarchar(128)
SET @dbVer = CAST(serverproperty('ProductVersion') AS nvarchar)
SET @dbVer = SUBSTRING(@dbVer, 1, CHARINDEX('.', @dbVer) - 1)
IF (@dbVer = '8') SET @dbVer = '2000'
ELSE IF (@dbVer = '9') SET @dbVer = '2005'
ELSE IF (@dbVer = '10') SET @dbVer = '2008'
ELSE IF (@dbVer = '11') SET @dbVer = '2012'
ELSE SET @dbVer = '''Unsupported Version'''
IF (@dbVer != '2000')
BEGIN
-- This privilege is required to peform a specific MSSQL test.
-- Test name: SQL OLEDB disabled (DisallowAdhocAccess registry key)
-- Procedure execute: EXEC master.dbo.sp_MSset_oledb_prop
-- Purpose: To display provider property, not changing anything.
PRINT '==> Granting MSSSQL 2005 and above setupadmin server role'
EXEC master..sp_addsrvrolemember @loginame = @Guardium_user, @rolename = N'setupadmin'
END
SELECT @dbName = DB_NAME()
PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
-- find any members of the role if they exist
CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL)
INSERT INTO #rolemember
SELECT DISTINCT usr.name FROM dbo.sysusers usr, .dbo.sysmembers mbr
WHERE usr.uid = mbr.memberuid
AND mbr.groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
-- Drop the Role Members If they exist
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Dropping member: ''' + @memberName + ''''
exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the role if it exists
IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
BEGIN
PRINT '==> Dropping the role gdmmonitor on: ' + @dbName
exec sp_droprole 'gdmmonitor'
END
-- Create the role
PRINT '==> Creating the role gdmmonitor on: ' + @dbName
exec sp_addrole 'gdmmonitor'
-- Grant select privileges to the role for MSSql Common
PRINT '==> Granting common SELECT privileges on: ' + @dbName
GRANT SELECT ON dbo.spt_values TO gdmmonitor
GRANT SELECT ON dbo.sysmembers TO gdmmonitor
GRANT SELECT ON dbo.sysobjects TO gdmmonitor
GRANT SELECT ON dbo.sysprotects TO gdmmonitor
GRANT SELECT ON dbo.sysusers TO gdmmonitor
GRANT SELECT ON dbo.sysconfigures TO gdmmonitor
GRANT SELECT ON dbo.sysdatabases TO gdmmonitor
GRANT SELECT ON dbo.sysfiles TO gdmmonitor
GRANT SELECT ON dbo.syslogins TO gdmmonitor
GRANT SELECT ON dbo.syspermissions TO gdmmonitor
-- Grant execute privileges to the role for MSSql Common
PRINT '==> Granting common EXECUTE privileges on: ' + @dbName
GRANT EXECUTE ON sp_helpdbfixedrole TO gdmmonitor
GRANT EXECUTE ON sp_helprotect TO gdmmonitor
GRANT EXECUTE ON sp_helprolemember TO gdmmonitor
GRANT EXECUTE ON sp_helpsrvrolemember TO gdmmonitor
GRANT EXECUTE ON sp_tables TO gdmmonitor
GRANT EXECUTE ON sp_validatelogins TO gdmmonitor
GRANT EXECUTE ON sp_server_info TO gdmmonitor
-- Check if the version is 2005 or greater
IF (@dbVer != '2000')
BEGIN
-- Grant select privileges to the role for MSSql 2005 and above
PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
GRANT SELECT ON sys.all_objects TO gdmmonitor
GRANT SELECT ON sys.database_permissions TO gdmmonitor
GRANT SELECT ON sys.database_principals TO gdmmonitor
GRANT SELECT ON sys.sql_logins TO gdmmonitor
GRANT SELECT ON sys.sysfiles TO gdmmonitor
GRANT SELECT ON sys.database_role_members TO gdmmonitor
GRANT SELECT ON sys.server_role_members TO gdmmonitor
GRANT SELECT ON sys.configurations TO gdmmonitor
GRANT SELECT ON sys.master_key_passwords TO gdmmonitor
GRANT SELECT ON sys.server_principals TO gdmmonitor
GRANT SELECT ON sys.server_permissions TO gdmmonitor
GRANT SELECT ON sys.credentials
TO gdmmonitor
--This is called by master.dbo.sp_MSset_oledb_prop.
--By defautl it should have already been granted to public.
GRANT EXECUTE ON sys.xp_instance_regread TO GDMMONITOR
GRANT EXECUTE ON sys.sp_MSset_oledb_prop TO GDMMONITOR
END
-- Re-add the dropped members
IF EXISTS (SELECT 1 FROM #rolemember)
BEGIN
PRINT '==> Re-adding the role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Re-adding member: ''' + @memberName + ''''
exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- END of role creation on database
PRINT '==> END of role creation on: ' + @dbName
PRINT ''
-- Change to the msdb database
USE msdb
set @memberName = ''
SELECT @dbName = DB_NAME()
PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
-- find any members of the role if it exists
TRUNCATE TABLE #rolemember
INSERT INTO #rolemember
SELECT DISTINCT usr.name FROM .dbo.sysusers usr, .dbo.sysmembers mbr
WHERE usr.uid = mbr.memberuid
AND groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
-- Drop the Role Members If they exist
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Dropping member: ''' + @memberName + ''''
exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the role if it exists
IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
BEGIN
PRINT '==> Dropping the gdmmonitor role on: ' + @dbName
exec sp_droprole 'gdmmonitor'
END
-- Create the role
PRINT '==> Creating the gdmmonitor role on: ' + @dbName
exec sp_addrole 'gdmmonitor'
-- Grant select privileges to the role for MSSql Common
PRINT '==> Granting common SELECT privileges on: ' + @dbName
GRANT SELECT ON dbo.sysobjects TO gdmmonitor
GRANT SELECT ON dbo.sysusers TO gdmmonitor
GRANT SELECT ON dbo.sysprotects TO gdmmonitor
GRANT SELECT ON dbo.sysmembers TO gdmmonitor
GRANT SELECT ON dbo.sysfiles TO gdmmonitor
GRANT SELECT ON dbo.syspermissions TO gdmmonitor
GRANT SELECT ON dbo.backupset TO gdmmonitor
-- Check if the version is 2005 or greater
IF (@dbVer != '2000')
BEGIN
-- Grant select privileges to the role for MSSql 2005 and above
PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
GRANT SELECT ON sys.all_objects TO gdmmonitor
GRANT SELECT ON sys.database_permissions TO gdmmonitor
GRANT SELECT ON sys.database_principals TO gdmmonitor
GRANT SELECT ON sys.sysfiles TO gdmmonitor
-- Grant execute privileges to the role for MSSql 2005 or above
PRINT '==> Granting MSSql 2005 and above EXECUTE privileges on: ' + @dbName
GRANT EXECUTE ON msdb.dbo.sp_enum_login_for_proxy TO gdmmonitor
GRANT SELECT ON sys.database_role_members TO gdmmonitor
END
IF (@dbVer > '2000' and @dbVer < '2012')
--This sp is not available in SQL 2012
BEGIN
GRANT EXECUTE ON sp_get_dtspackage TO gdmmonitor
END
-- Re-add the dropped members
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Re-adding the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Re-adding member: ''' + @memberName + ''''
exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the temporary table
DROP TABLE #rolemember
-- END of role creation on database
PRINT '==> END of gdmmonitor role creation on: ' + @dbName
-- Role creation complete
PRINT '<<<==================================================================<<<'
PRINT '<<< END of creating role: "gdmmonitor" at the server level.'
PRINT '<<<==================================================================<<<'
PRINT ''
PRINT '>>>==================================================================>>>'
PRINT '>>> Starting application database role creation'
PRINT '>>>==================================================================>>>'
use master
DECLARE @databaseName AS varchar(80)
DECLARE @executeString AS varchar(7950)
DECLARE @dbcounter as int
set @dbcounter = 0
DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases where name not in ('master', 'msdb')
and not (status & 1024 > 1)
--read only
and not (status & 4096 > 1)
--single user
and not (status & 512 > 1)
--offline
and not (status & 32 > 1)
--loading
and not (status & 64 > 1)
--pre recovery
and not (status & 128 > 1)
--recovering
and not (status & 256 > 1)
--not recovered
and not (status & 32768 > 1)
--emergency mode
OPEN DatabaseCursor
FETCH DatabaseCursor INTO @databaseName
WHILE @@Fetch_Status = 0
BEGIN
set @dbcounter = @dbcounter + 1
set @databaseName = '"' + @databaseName + '"'
set @executeString = ''
set @executeString = 'use ' + @databaseName + ' ' +
'PRINT ''>>>==================================================================>>>'' ' +
'PRINT ''>>> Starting MSSql ' + @dbVer + ' role creation on database: ' + @databaseName + ''' ' +
'PRINT ''>>>==================================================================>>>'' ' +
'/* Variable @memberNameDBname must be declare within the string or else it will fail */ ' +
'DECLARE @memberName' + cast(@dbcounter as varchar(5)) + ' as varchar(50) ' +
'/*find any members of the role if it exists*/ ' +
'CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL) ' +
'INSERT INTO #rolemember ' +
'SELECT DISTINCT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr ' +
'WHERE usr.uid = mbr.memberuid ' +
'AND groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'/*Drop the Role Members If they exist*/ ' +
'IF EXISTS (SELECT * FROM #rolemember) ' +
'BEGIN ' +
'PRINT ''==> Dropping the role members on: ' + @databaseName + ''' ' +
'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
'OPEN DropCursor ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'WHILE @@Fetch_Status = 0 ' +
'BEGIN ' +
'PRINT ''==> Dropping member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'exec(''EXEC sp_droprolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5)) + ' + '''''';'') ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'END ' +
'CLOSE DropCursor ' +
'DEALLOCATE DropCursor ' +
'END ' +
'/*drop the role if it exists*/ ' +
'IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'BEGIN ' +
'PRINT ''==> Dropping the gdmmonitor role on: ' + @databaseName + ''' ' +
'exec sp_droprole ''gdmmonitor'' ' +
'END ' +
'/* Create the role */ ' +
'PRINT ''==> Creating the gdmmonitor role on: ' + @databaseName + ''' ' +
'exec sp_addrole ''gdmmonitor'' ' +
'/* Grant select privileges to the role for MSSql Common */ ' +
'PRINT ''==> Granting common SELECT privileges on: ' + @databaseName + ''' ' +
'GRANT SELECT ON dbo.sysmembers TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysobjects TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysprotects TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysusers TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysfiles TO gdmmonitor ' +
'GRANT SELECT ON dbo.syspermissions TO gdmmonitor ' +
'/* Check if the version is 2005 or greater */ ' +
'IF (' + @dbVer + ' != ''2000'') ' +
'BEGIN ' +
'/* Grant select privileges to the role for MSSql 2005 and above */ ' +
'PRINT ''==> Granting MSSql 2005 and above SELECT privileges on: ' + @databaseName + ''' ' +
'GRANT SELECT ON sys.database_permissions TO gdmmonitor ' +
'GRANT SELECT ON sys.all_objects TO gdmmonitor ' +
'GRANT SELECT ON sys.database_principals TO gdmmonitor ' +
'GRANT SELECT ON sys.sysfiles TO gdmmonitor ' +
'GRANT SELECT ON sys.database_role_members TO gdmmonitor ' +
'END ' +
'/* Re-add the dropped members */ ' +
'IF EXISTS (SELECT 1 FROM #rolemember) ' +
'BEGIN ' +
'PRINT ''==> Re-adding the gdmmonitor role members on: ' + @databaseName + ''' ' +
'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
'OPEN DropCursor ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'WHILE @@Fetch_Status = 0 ' +
'BEGIN ' +
'PRINT ''==> Re-adding member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'exec(''EXEC sp_addrolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5)) + ' + '''''';'') ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'END ' +
'CLOSE DropCursor ' +
'DEALLOCATE DropCursor ' +
'END ' +
'/* drop the temporary table */ ' +
'DROP TABLE #rolemember ' +
'PRINT ''<<<==================================================================<<<'' ' +
'PRINT ''<<< END of role creation on: ' + @databaseName + ''' ' +
'PRINT ''<<<==================================================================<<<'' ' +
'PRINT '' ''' +
'PRINT '' '''
execute (@executeString)
FETCH DatabaseCursor INTO @databaseName
END
CLOSE DatabaseCursor
DEALLOCATE DatabaseCursor
-- Adding user to all the databases
-- and grant gdmmonitor role, only if login exists.
PRINT '>>>==================================================================>>>'
PRINT '>>> Add and Grant gdmmonitor role to: ''' + @Guardium_user + ''''
PRINT '>>> on all databases.'
PRINT '>>>==================================================================>>>'
USE master
/* Check if @Guardium_user is a login exist, if not do nothing.*/
IF NOT EXISTS (select * from syslogins where name = @Guardium_user)
BEGIN
PRINT ''
PRINT '************************************************************************'
PRINT '*** ERROR: Could not find the login: ''' + @Guardium_user + ''''
PRINT '*** Please add the login and re-run this script.'
PRINT '************************************************************************'
PRINT ''
END
ELSE
BEGIN
DECLARE @counter AS smallint
set @counter = 0
-- This loop runs 4 time just to make sure that the @Guardium_user gets added to all db.
-- 99% of the time, this is totally unnecessary. But in some rare case on SQL 2005
-- the loop skips some databases when it tried to add the @Guardium_user.
-- After two to three executions, the user is added in all the dbs.
-- Might be a SQL Server bug.
WHILE @counter <= 3
BEGIN
set @counter = @counter + 1
set @databaseName = ''
set @executeString = ''
DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases
where not (status & 1024 > 1)
--read only
and not (status & 4096 > 1)
--single user
and not (status & 512 > 1)
--offline
and not (status & 32 > 1)
--loading
and not (status & 64 > 1)
--pre recovery
and not (status & 128 > 1)
--recovering
and not (status & 256 > 1)
--not recovered
and not (status & 32768 > 1)
--emergency mode
OPEN DatabaseCursor
FETCH DatabaseCursor INTO @databaseName
WHILE @@Fetch_Status = 0
BEGIN
set @databaseName = '"' + @databaseName + '"'
set @executeString = ''
set @executeString = 'use ' + @databaseName + ' ' +
'/*Check if the login already has access to this database */ ' +
'IF EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
'BEGIN ' +
'/*Check if login already have gdmmonitor role*/ ' +
'IF NOT EXISTS (SELECT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr WHERE usr.uid = mbr.memberuid ' +
'AND mbr.groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'AND usr.name = ''' + @Guardium_user + ''') ' +
'BEGIN ' +
'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
'PRINT '' ''' +
'END ' +
'END ' +
'IF NOT EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
'BEGIN ' +
'PRINT ''==> Adding user [' + @Guardium_user + '] to database: ' + @databaseName + ''' ' +
'execute sp_adduser [' + @Guardium_user + '] ' +
'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
'PRINT '' ''' +
'END '
execute (@executeString)
FETCH DatabaseCursor INTO @databaseName
END
CLOSE DatabaseCursor
DEALLOCATE DatabaseCursor
END -- end while
-- Required for Version 2005 or greater.
IF (@dbVer != '2000')
BEGIN
-- Grant system privileges to the @guardium_user. This is a requirement for >= SQL 2005
-- or else some system catalogs will filter our result from assessment test.
-- This will show up in sys.server_permissions view.
PRINT '==> Granting catalog privileges to: ''' + @Guardium_user + ''''
execute ('grant VIEW ANY DATABASE to [' + @Guardium_user + ']' )
execute ('grant VIEW ANY DEFINITION to [' + @Guardium_user + ']' )
END
PRINT '<<<==================================================================<<<'
PRINT '<<< Finished Adding and Granting gdmmonitor role to: ''' + @Guardium_user + ''''
PRINT '<<< on all databases.'
PRINT '<<<==================================================================<<<'
PRINT ''
END
GO

Thanks a lot Sir... it worked.
Can you also help me in troubleshooting below issue?
This script is working fine on all databases except one MS SQL 2005 database. build of this database is 9.00.3042.00
SA account with highest privileges is been used for script execution. errors received are as follow:
>>>==================================================================>>>
>>> Creating role: "gdmmonitor" at the server level.
>>>==================================================================>>>
==> Granting MSSSQL 2005 and above setupadmin server role
==> Starting MSSql 2005 role creation on database: master
(0 row(s) affected)
==> Dropping the gdmmonitor role members on: master
==> Creating the role gdmmonitor on: master
Msg 15002, Level 16, State 1, Procedure sp_addrole, Line 16
The procedure 'sys.sp_addrole' cannot be executed within a transaction.
==> Granting common SELECT privileges on: master
Msg 15151, Level 16, State 1, Line 117
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 118
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 119
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 120
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 121
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 122
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 123
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 124
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 125
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 126
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
==> Granting common EXECUTE privileges on: master
Msg 15151, Level 16, State 1, Line 130
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 131
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 132
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 133
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 134
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 135
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 136
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.

Break sap standard role into two sub roles

hi,
i have one SAP standard role. now i want to break this role into two sub roles. how shall do it.
please suggest me.
regards
ramesh
Edited by: Ramesh Sammiti on Jul 31, 2008 11:00 AM

Hi Ramesh,
When you say that you want to split the SAP Standard role into two roles:
1.Do you mean to say that you want to split the transactions and authorization data of the SAP Standard role into two separate Z* or Y* roles?
2.Do you want to copy the SAP Standard role into two different Z* or Y* roles and then modify the authorization data according to your company's requirements?
In the above two scenarios you must copy the SAP Standard role into Z* or Y* roles in PFCG transaction with the appropriate naming convention and make necessary changes in both the transaction data and the authorization data.
Please be clear which SAP Standard role you are willing to split into roles and i can provide more details.
Hope this helps.
Regards,
Kiran Kandepalli

Issue when accessing standard LM transactions via ITS

Hi,
We are implementing WM using ITS Mobile.
We have developed certain custom screens and also used standard transactions such as LM02 and LM04.We have created a internet service for transaction LM01 and published all our custom and standard screens within the service.
When testing the transactions in R/3 using LM01 transaction..there were no issue...
But when testing the same in ITS....once we enter into a standard transaction like LM02(By clicking the corresponding menu entry) and click on Back button...it must bring me back to my menu( transaction LM01)...instead...my ITS session gets logged off...displaying message...'You have been logged off from SAP NetWeaver Application Server'.
We are facing the same issue when we try to access standard LM transactions via ITS...
I tried to analyze by debugging from ITS....but the flow of R/3 and ITS remains the same...
These are my service parameters..
~THEME     99
~SINGLETRANSACTION     1
~ITSMOBILE     1
~TRANSACTION          LM01
~SOURCES     ZWM_MENU,itsmobile
~GENERATEDYNPRO     1
~POPUPS     1
Did any of you face a similar kind of issue when accessing standard LM transactions in ITS ?
Kindly Suggest.
Regards,
Thyagu.
Edited by: Thyagu Natarajan on Jan 25, 2011 1:00 PM

Hello,
I am also trying to implement WM using ISTMobile, but i have a little problem... when i am in my local network the service works and calls the page in the browser, but when i am in other network it gives me "Could not connect to remote server" (off course).
I undertand that i can´t access my server through other networks... but can anyone tell me if i it is possible to access SAP ITSMobile transactions through the internet?? Is the solution create a VPN network to my local network or something like that?
Thanks a lot.

Creating standard roles transaction

Similar Messages

Maybe you are looking for