Creating the Authorization Matrix?

How should requirement gathering be done?
What is the procedure to create an Authorization Matrix in an SAP Security project?

Hi Ajit,
If you are starting new to security, then you can go through books like authorizations made easy, and can also enroll for the SAP ADM courses. There are also good books for authorizations and the procedures for implementing it on SAP-PRESS. You can buy them too.
You can search this forum for certification too:
SAP Security Certification
To answer your question on job and process based roles:
Process roles are roles that contain at least one tcode, but are usually a set of tcodes, reports and programs. They represent a defined granular business process with specific functions within the R/3 environments. A set of these roles makes up a job for a user.
Job roles are roles containing multiple tcodes, reports and programs which make up specific Job Functions. These may also be referenced as Position-Based Roles. In most cases, users are only assigned one Job Role.
Hope this helps
Abhishek
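
How process roles roll up into job roles, and job roles into a user-by-tcode authorization matrix, as an added example that is not part of the original thread. The role names, users and assignments are constructed sample data; only the transaction codes are standard SAP ones.

```python
import csv
import io

# Constructed sample data: role names (ZP_*, ZJ_*) and users are hypothetical.
# Process roles: one granular business process each, as a set of tcodes.
PROCESS_ROLES = {
    "ZP_PO_CREATE": {"ME21N", "ME22N"},
    "ZP_PO_DISPLAY": {"ME23N"},
    "ZP_GOODS_RECEIPT": {"MIGO"},
    "ZP_INVOICE_POST": {"MIRO"},
}
# Job roles: a set of process roles that together make up one job.
JOB_ROLES = {
    "ZJ_BUYER": ["ZP_PO_CREATE", "ZP_PO_DISPLAY"],
    "ZJ_WAREHOUSE_CLERK": ["ZP_GOODS_RECEIPT", "ZP_PO_DISPLAY"],
    "ZJ_AP_CLERK": ["ZP_INVOICE_POST", "ZP_PO_DISPLAY"],
}
USER_JOB_ROLES = {
    "ALICE": ["ZJ_BUYER"],
    "BOB": ["ZJ_WAREHOUSE_CLERK"],
    "CAROL": ["ZJ_BUYER", "ZJ_AP_CLERK"],
}


def expand_job_role(job_role):
    """Return the set of tcodes a job role grants through its process roles."""
    tcodes = set()
    for process_role in JOB_ROLES[job_role]:
        if process_role not in PROCESS_ROLES:
            raise KeyError(f"{job_role} references undefined process role {process_role}")
        tcodes |= PROCESS_ROLES[process_role]
    return tcodes


def build_matrix(user_job_roles):
    """Return (tcode columns, {user: {tcode: [job roles that grant it]}})."""
    columns = sorted(set().union(*PROCESS_ROLES.values()))
    rows = {}
    for user, job_roles in user_job_roles.items():
        granted = {}
        for job_role in job_roles:
            for tcode in expand_job_role(job_role):
                granted.setdefault(tcode, []).append(job_role)
        rows[user] = granted
    return columns, rows


def users_with_multiple_job_roles(user_job_roles):
    """Users holding more than one job role: the exceptions worth reviewing."""
    return sorted(u for u, roles in user_job_roles.items() if len(roles) > 1)


def matrix_to_csv(columns, rows):
    """Render the matrix as CSV: one row per user, 'X' where a tcode is granted."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["user"] + columns)
    for user in sorted(rows):
        writer.writerow([user] + ["X" if t in rows[user] else "" for t in columns])
    return buf.getvalue()


if __name__ == "__main__":
    cols, matrix = build_matrix(USER_JOB_ROLES)
    print(matrix_to_csv(cols, matrix))
    print("More than one job role:", users_with_multiple_job_roles(USER_JOB_ROLES))
```

Keeping the "which job role grants it" list per cell makes it possible to trace every X in the sheet back to a role when the matrix is reviewed.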

Similar Messages

  • Intervals not working in Creating the Authorization Object

    Hi All,
    I am currently working on Authorization. We have created the Z Authorization object by using the TCODE RSECADMIN. After clicking the maintenance button, the set of Info Objects is displayed. I have entered the hardcoded values for the employee responsible Info Object.
    For Example
    Employee responsible No = 10 to 20.
    I have created the Role by using the TCODE PFCG. I have given my created Z Authorization object and assigned the User.
    After doing this, I am checking for the specific User. After running the query for the particular user, the data is displayed for the Info object "Employee responsible = 10". For the other values, i.e. 11 to 20, it is not displayed in the report.
    Can you please guide me how to solve this issue.
    Thanks,
    Ram.

    Dear Siva,
    We also had the same issue. It's a program bug; as suggested by SAP, we applied the following note to resolve the issue.
    Note 1247549 - Message Brain A174 when you execute an input-ready query
    hope it helps...
    regards,
    Raju

  • Best Approach to create Security / Authorization Schema for an APEX Apps

    Hi,
    I am planning to create a Security / Authorization Schema for an APEX Application.
    Just want to know what is the best approach to create the security feature in APEX, so that it should be re-used in other APEXApplications too..
    I am looking for following features...
    1. users LOGIN and then user's name is stored in APEX_USER...
    2. Based on the user, I want to restrict the Application on following levels.
    - TABS
    - TABS - Page1 (Report)
    - Page2 (Form)
    - Page2 (Region1)
    - Page2 (Region1, Button1)
    - Page2 (Region1, Items,....)
    AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
    I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
    My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
    Also what should be the FRONT end, we should have to enter these detail...
    SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
    Thanks,
    Deepak

    Hi Raghu,
    thanks for the detailed info.
    so that means..I should have 2 table...
    master table (2 columns - username, password)
       username    password
       user1       xxxx
       user2       xxxx
    2nd table (2 columns - username, chq_disp_option)
    - In this table, we don't have Y/N Flag you mentioned..
    - If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages which are conditionally displayed.
    - so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
    - suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
       username    chq_disp_option
       user1       re_region1
       user1       re_region2
       user1       tb_main
       user1       Page1
       user1       Page5
       ----        ----
    - how you are defining unique name for Regions..i mean in static ID or the Title
    - is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
    Thanks,
    Deepak

  • Updation of Authorization Matrix

    Dear Experts,
      We have implemented SAP in July 2010. At that time we were provided with an Authorization Matrix Sheet (Excel Sheet) for all users in SAP. But after that so many changes were made, authorizations added or removed / new users added / users blocked.
    Is there any method in SAP to update the authorization matrix.
    thanks.

    It has to be done manually.

  • Authorization to Create the Alert Rules?

    Hello All,
    I created the Alert category in ALRTCATDEF transaction, now when i want to create the Alert rules in RWB.
    Add Rule and Change Rule is in disable mode. my user have SAP_XI_ADMINISTRATOR authorization,
    please tell me any other authorization role required to create the alert rules in RWB.
    Thanks and Regards,
    chinna

    Hi,
    Steps of alert configuration :
    Prerequisites
    The following prerequisites have to be met in order to use the Alert Management (ALM):
    • For using the Alert Inbox (BSP based display program of ALM), the corresponding service has to be activated in the service maintenance transaction SICF. Choose Default_host → sap → bc → bsp → sap → alert inbox, and Activate in the context menu.
    • For customizing or administration of the Alert Management the corresponding authorization role has to be assigned. The end users do not need any additional authorization.
    • The central alert server must be maintained as an RFC destination in transaction SM59 in the local system. If there is no suitable user, you have to create a user for the RFC connection in the central alert system in transaction SU01. To make this RFC destination known as the RFC destination of the Alert Management System in the local system, the central alert server must also be selected as the RFC destination in transaction SALRT1 of the local system or in Settings → RFC-Destination of Alert Server.
    If the central alert server is running on the local system in the same client, you do not have to maintain an RFC destination. In this case, you can simply enter NONE in transaction SALRT1.
    • If external communication types, such as e-mail, SMS, and fax are used, these communication types must be correctly configured in SAPconnect, because the alerts are then sent from the central alert system via SAPconnect.
    Process Flow
    The following describes the process flow from alert configuration (transaction ALRTCATDEF) to alert display and confirmation (for example in the alert inbox transaction ALRTINBOX):
    1. Optional: You can define alert classifications. These are useful to group alert categories. For example, you can create an alert classification CRM that contains alert categories referring to CRM. Alert classifications can now have subclassifications. This enables you to build up your own classification hierarchy. Especially, if you use the Alert Management (ALM) extensively, classification and subclassification help you to organize your ALM alert landscape and to have a clear overview.
    2. For different types of alerts you have to define different categories. The category contains various properties and other specifications that define the alerts within that category, for example expiry date, or the escalation recipient. You can define an alert category to suit your business requirements and assign the category to the corresponding classification. For example, for the alert classification CRM you can create the alert categories Contract Cancelled and Decrease in Sales. When the critical situation defined in the alert category arises, the system recognizes this and sends an alert instance of this category to the recipients determined. The alerts can always be found in the display programs configured for the recipient (UWL, application-specific program, or alert inbox). Additionally, the alerts are sent via eventual external communication channels, such as e-mail, sms, or fax.
    3. You have to determine recipients so that the Alert Management knows who the recipients of alerts of a particular category are and that the correct parties are informed.
    4. You can configure the way how alerts are processed. For the general use of the Alert Management you do not have to change the default settings. However, if for example you want to send alerts to third-party systems, or to be able to confirm alerts by SMS/Internet mail, or to have logs written, then you have to configure alert processing.
    5. There is a number of Alert Management administration reports that you must schedule according to your requirements. For example, report RSALERTPROC must be executed in order to enable escalation.
    6. Alerts of a particular category must be triggered by an application at runtime. Triggering alerts can be done in various ways. You can call a function module directly or use middleware components that trigger alerts, such as the Business Object Repository (BOR), Post Processing Framework (PPF), SAP Workflow, or CCMS.
    7. Recipients can view the alerts assigned to them in the UWL of Enterprise Portal, in application-specific display programs, or in the alert inbox. In addition, alerts can be received as e-mail, SMS, or fax, if these external communication channels are configured in SAPconnect.
    8. If the problem causing the alert is solved by a recipient, the recipient can confirm the alert, this means its status is changed and it will not be delivered, escalated, or displayed anymore. Alerts are generally confirmed by the recipient in the display program, such as the UWL or Alert Inbox. However, if an alert is sent by Internet mail or SMS message, it is also possible to confirm it by sending an Internet mail or SMS message back to the SAP system. Alert Management uses inbound processing for this.
    Refer these links :
    Check these useful blogs also
    /people/bhavesh.kantilal/blog/2006/07/25/triggering-xi-alerts-from-a-user-defined-function
    /people/michal.krawczyk2/blog/2007/04/26/xipi-throwing-generic-exceptions-from-any-type-of-mapping
    /people/michal.krawczyk2/blog/2005/09/09/xi-alerts--step-by-step - Alert Configuration
    I tried to format it..But Dunno why it's appearing this way...**
    Edited by: Sainath Chutke on Aug 12, 2010 8:43 AM

  • Can I create the structural authorization profile in batch?

    Hi All:
    I have a question.
    I need to create a structural authorization profile in transaction code OOSP. It's OK if I enter new entries in OOSP and then maintain the authorization profile, like object type; object ID; Eval. path and so on.
    But there are so many new entries to be created that I want to use LSMW for batch input.
    But when I use the transaction code "OOSP" to record the screen during the LSMW, I fail to see the "authorization profile maintenance" screen; that is, I can still enter a new entry and give it a name and text, but cannot maintain the authorization profile, like object type; object ID; Eval. path. In other words, the "authorization profile maintenance" screen is missing during the LSMW screen recording!
    Can anyone tell me what's the reason?

  • Development of authorization matrix

    Hi All,
    I need to develop an authorization matrix using the RSECADMIN transaction.
    What is the general idea behind an authorization matrix?
    What should be the steps to create an authorization matrix?
    What things should be included for creation of the authorization matrix?
    Regards,
    deepak

    Hi,
       Check these links.
    Authorization Matrix
    What is Authorization Matrix?
    Regarding Making user authorization matrix
    Regards,
    Balaji V

  • User can not create the quotation in PCUI

    Dear All,
    User salesrep is not able to create the quotation in PCUI. When he select the quotation tab and click on create button one pop up appears but no quotation appears in it and he can not select it for creating the quotation.
    I have checked the authorization objects for this user. Seems everything is ok from authorization point of view.
    User has authorization to create, display and delete for quotation in object CRM_ORD_LP.
    Please help me regarding this.
    Regards
    Pankaj Vispute

    Hi,
    Please check whether you have assigned the transaction type of quotation and iViews to the salesrep user from Portal admin, and the related portal role to your user.
    Regards,
    DD's

  • How to get the values for the Authorization Object Fields....

    Hi Everyone,
    I'm pretty new to SAP Security and have been working on the Basis side... I created a new role in PFCG and added a few transactions (ME13) and clicked on the Authorizations tab. In there, the authorization tree is in yellow and red. After providing the Org Values, only the yellow lights remain (apart from the green one of course). Now how do we get the values for the different auth obj fields that are in yellow... say for example
    Conditions                                                 COND
    Maintain Condition: Auth. for Use/Appl./Cond.Type/Table    V_KOND_VEA
    Activity                        03                         ACTVT
    Application                                                KAPPL
    Condition table                                            KOTABNR
    Condition Type                                             KSCHL
    Usage of the condition table                               KVEWE
    Here the values for V_KOND_VEA fields e.g. KAPPL, KOTABNR etc are missing.
    My question is how do we get these values in regard to the requirement provided by the client...is it the functional guys who provide these values or else how is a security person supposed to know it...
    All the help in this regard is sincerely appreciated along with the awarding of points...

    Hey thanks Alex and Catastrophe for the quick response...
    I'll be sitting with the functional team and reviewing the roles created.
    Thanks for all the help once more
    Regards,
    Akash.

  • How to use the transformation matrix in Placed Suite.

    I am having trouble using the transformation matrix of Placed Art (PlacedSuite).
    // One matrix per art type; only the one matching artType is filled in.
    AIRealMatrix rasterMatrix;
    AIRealMatrix placedMatrix;
    if (artType == kRasterArt) {
        error = sAIRaster->GetRasterMatrix(art, &rasterMatrix);
    } else if (artType == kPlacedArt) {
        error = sAIPlaced->GetPlacedMatrix(art, &placedMatrix);
    }
    When I converted to using the transformation matrix of PlacedArt, the target art could not be converted to expect.
    I could convert in case of the RasterArt. (The reference point of the transformation matrix of RasterArt is (0,0).) 
    In the PlacedArt, preference point is not (0,0)?
    The tx/ty of the transformation matrix of PlacedArt is not correct? 
    In the transformation matrix of RasterArt and Placed Art, how are those two different?

    The short answer is "no", (0, 0) is not the origin of placed art (unlike kRasterArt). Off the top of my head, I believe when you place art, its original state is upside-down and flipped horizontally in the upper-right of the artboard. If you want to see where it starts, simply create an identity matrix and apply that as the matrix for the kPlacedArt and you'll see how it starts. Yes, it's pretty crazy.
    minimum99 posted some code that might help. I haven't tried it (I rolled my own years ago) but I'd give it a whirl:
    http://forums.adobe.com/message/3195790#3195790

  • How do I change the authorization on my laptop

    I have a Windows 7 laptop that was the first place we installed Adobe Digital Editions and we used one email address.  Now we do not have access to the email account any more and want to change the authorization account to our new email account.  We have created the new ID on the web and I am logged in using it to write this request for help.  I cannot find any way to change the authorization account on my laptop.  I have tried uninstalling, deleting the digital editions folder, rebooting, and re-installing but it still shows the authorization account using the old email address.
    Ideas?

    I found the answer in another discussion
    5. Jul 3, 2008 4:32 PM (in response to (JGS))
    Re: How can I change computer authorization after two Adobe IDs have been merged together?  
    The clean way to deauthorize your computer is to launch ADE, and then press Ctrl+Shift+D (Windows) or Cmd+Shift+D (Mac). After deauthorizing, you will be forced to reactivate/authorize when you next run ADE.  --
    Jim Lester
    Adobe Systems

  • How to create the relationship between ESSBASE 11 and DM in OBIEE11

    Hi Experts,
    I have one requirement that there is one property table named 'Store Master' in DW,and it contains a lot of attribute, such as Open Date, Close Date, IS 24 Hour etc.
    But another data source is essbase and based on this source, I create all reports.
    In ESSBASE, it has one dimension and hierarchy Location, and it has four level, Country(L1),Region (L2),Province(L3),Store(L4)
    So I want to know how to create the relationship between Location (ESSBASE) and Store Master (DM).
    I try to create one relationship in physical layer between Gen4,Location and Store, then drag the open date and close date into Location Dimension in BMM,then Presentation Layer.
    When I drag column 'Open Date' ,'Gen4,Location ' and 'Sales' into reports, it will generate the following error message:
    State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 43113] Message returned from OBIS. [nQSError: 43119] Query Failed: [nQSError: 14020] None of the fact tables are compatible with the query request Dim Region.Store Open Date. (HY000)
    However, when I remove the column 'Open Date'. it will be ok.
    So what I missing the steps? Please help me. Thanks.

    > '2. Now, pull the 'Store' column from relational DB onto the Gen5, Location column from Essbase. This action now creates, two logical sources for your 'Store' column.'
    > If the length from different data source is not same, such as 1001(DM), L_1001(ESSBASE), can I drag the 'Store' column from relational DB onto the Gen5, Location column from Essbase?
    > I think it does not work. Right?
    Hi,
    I am not sure if you are talking about the length (as in varchar(128)) of the member value being different in different sources, or the member itself is different in both the sources.
    I am still assuming that you are referring to the members not being the same in both the sources. If it is, the whole concept of federation is based on conforming dimensions. So, it needs that the same dimension information is present in both the sources and then only, you know we can analyze the numbers based on this dimension. So, either the dimension being different in both sources, or the members not present in both the dimensions might lead to incorrect numbers.
    > So I select Store Attributes in relation DB and Location in ESSBASE in physical layer, then create the physical join, such as right("Hour Sales"."H_Sales".""."H_Sales"."Gen6,Location",4) = "Authorization".""."EDW"."T_EDW_MDM_STORE"."US_CODE", then drag the OPEN_DATE and CLOSE_DATE in relation DB to Location in ESSBASE in BMM, finally drag them into presentation layer.
    We create physical layer relationships, to send over the same relation to the underlying database during querying. So, creating a physical relationship between essbase cube and relation database would not help here.
    When you set up this federation, BI Server sends individual queries to each source and maps the conforming dimension members internally.
    Hope I was clear, and this helps.
    Thank you,
    Dhar

  • How can i check the authorizations for a query in sap bw 3.1c

    Hi,
    While running one query i am getting warning message is  : you do not have authorization to read object ZVERSION  and few column results also not displaying.
    I would like to check is there any authorization check for this query and could you explain how we use the authorizations in our BW.
    Thanks in advance....

    If you execute su53, the failed authorization check cannot be displayed for reports, because you are executing the query in BEx, is it?
    For this you can trace the user ID that is executing the query to find the failed authorization check. Go to st01 and find the failed authorization check there.
    You can also find it in RSRT; I am not sure about that.
    One more option is there to check the authorization with help of matrix that you prepared for assigning access/authorization to the users.
    Hope this would help you.

  • Error while generation of the Authorization object (

    Hi Gurus,
    I have created a Authorization object Z_CCTR3 for 0costcenter authorization.
    but getting following error while generation of the Authorization object (type is Flat authorization)
    "Error occurred when reading the data from DataStore object Z_CCTR3"
    Any inputs will helpful...
    Sonal.....

    Hello everybody,
    my problem is solved. For the UDConnect, whatever DATA SOURCES you create get registered in a FUNCTION MODULE which has a capacity of only 99 entries, so to increase it implement the SAP NOTE 876340 - UDC Error available on SERVICE MARKET PLACE.
    This problem occurs with BW version 3.5 level 17 or below.
    Regards,
    Priyanka
    Edited by: Priyanka Joshi on Jun 10, 2008 11:03 AM
