Creation of role inside a role

hi,
is it possible to create a role under another role in cProjects. I mean, with parent child relations ship.. so, i can see the subrole(s) staffing getting roled up on to the parent role and check the status of supply agianst the demand on the parent role
(which i got from the item through Transfer Demand).
Pls suggest.

Hi sujata,
No, it is not possible to build up a role hierarchy.
Though internally the resource assignments of a role are builed up using a parent-child relations, but it has other meaning as you expected.
Either you need to develop your own program bot fulfill the requirements. Wr you may use the task-role assignement to build you scenario, that means task is used as the 'parent-role'. In this case you get the assigned roles information be rolled up.
Kind regards,
Zhenbo

Similar Messages

Assigning different authorizations inside a role to different users

Hello,
Could someone please guide me to how can we assign different authorizations (authorizations field values) for an authorization object inside a role to different users; i.e. in the role maintenance transaction (pfcg) after we create a new role and add an authorization object to it, if this authorization object has several authorizations (authorization field values), and if I need to add two users to that role, how can I assign to one user an authorization different from that assigned to the other user ?
Thank you in advance.
Best regards.
Reda Khalifa
IT Department - Almansour Automotive Group - Egypt

Hi Reda,
That documentation complicates the subject slightly as it is talking about principles that are at a lower level than the usual role level.
We have 1 authorisation object - S_TRVL_BKS
Authorisations have been created for this object, called S_TRVL_CUS1 and S_TRVL_CUS2
In this context, an authorisation is an instance of an authorisation object that has been populated with data.
Before the profile generator you used to create authorisations (auth objects populated with data) and assign them to profiles which are then assigned to users.
In this example 2 profiles would be needed
Profile1: S_TRVL_CUS1 and S_TRVL_CUS2
Profile2: S_TRVL_CUS2
Miller would be assigned profile1, Meyers would be assigned profile2
The profile generator allows us to easily build authorisations and profiles and packages them up in a role. This way, we can assign transactions and authorisation objects into a role, populate the authorisations (which is what we do in the authorisations tab in the role) and automatically create the profile.
The example in the documentation is still valid because it requires 2 seperate authorisations (and therefore profiles and roles) to be assigned to different people. Unfortunately this is not explained very well in the documentation.
I hope that makes sense, roles are static and the permissions that they give do not vary dynamically. In BW we can use variables to do something similar and to some extent structural authorisations in HR work dynamically however this doesn't apply to R/3 or ECC. (it can be done in come cases but costs many, many £££/$$$'s)
Please let me know if you want me to elaborate further on this
Cheers
Alex

How to view the privilages inside the role

Hi,
How can i view the definition of a role on sqlplus screen
Thanks
Bcj

Want to try something neat -- at least I think so. Put this in a sql script and run it against a user who has table privileges granted to him and through a role, and through roles two levels deep.
set termout on
set feedback off
set verify   off
set linesize 128
set pagesize 35
Accept USER_ID CHAR Prompt 'Enter User ID: ';
COLUMN table_name FORMAT a41 HEADING 'Resource'
COLUMN privilege FORMAT a11 HEADING 'Privilege'
COLUMN grantable FORMAT a9 HEADING ' '
COLUMN via_role   FORMAT a60 HEADING 'Via Role?'
BREAK ON table_name SKIP 1 NODUPLICATES
TTITLE Center 'Tables and Proc. Priveleges Granted to &USER_ID..' skip 2
SELECT LOWER(y.owner || '.' || y.table_name) table_name,
       y.privilege,
       DECODE(y.grantable,'NO','No Grant','Grantable') grantable,
       x.role_granted as via_role
FROM (SELECT CASE SIGN(LEVEL - 1)
               WHEN 0
                    THEN granted_role
                    ELSE granted_role||' ['||grantee||']'
               END as role_granted,
               granted_role
          FROM dba_role_privs
        CONNECT
             BY PRIOR granted_role=grantee
                START WITH grantee = UPPER('&USER_ID')) x,
       dba_tab_privs y
WHERE y.grantee = x.granted_role
UNION ALL
SELECT LOWER(owner || '.' || table_name) table_name,
       privilege,
       DECODE(grantable,'NO','No Grant','Grantable') grantable,
FROM dba_tab_privs
WHERE grantee = UPPER('&USER_ID')
ORDER
    BY 1, 2
TTITLE OFF
BTITLE OFF
REPFOOTER OFF
TTITLE OFF
BTITLE OFF
REPFOOTER OFF
SET FEEDBACK ON
SET PAGESIZE   40
SET LINESIZE   96
SET VERIFY     ON
SET UNDERLINE '-'
SET HEADING    ON
SET TERMOUT    ON

J2EE roles vs Portal roles vs ABAP roles

(I also posted this on portal implementation, but i hope i receive more reactions here )
Dear all,
I have a question about the information on the following link:
http://help.sap.com/saphelp_nw2004s/helpdata/en/4c/6c0f40763f1e07e10000000a1550b0/content.htm
It says the following:
"These functions are intended to assign users and their assigned portal roles a corresponding role in the SAP System. This corresponding role (authorization role) contains the authorizations needed to execute certain functions from the portal."
1. These "...certain functions..." they talk about, can someome give an example of these functions?
2. Is it possible for example to create a role in the portal that gives a user authorisation for starting transaction SE80 in the backend system? Without making the role in the backend first and uploading it to the portal.
3. It's also possible to upload ABAP roles to the portal. Is the main reason for this that users can see their SAP menu (or part of it) in the portal? Or does this have other advantages too?
4. I'm very confused about the relation between J2EE roles, portal roles and ABAP roles. Is it possible to manage the roles for a user in one place, without having to do certain actions in the portal AND the backend system?
From what I've read on help.sap.com, you always need to do certain actions in both places.
A possible approach is the following (from what i know): Creation of roles in the R/3 system, without assigning to users. From a webdynpro application, a user can then be created and roles can be assigned: portal roles (via some API) and R/3 roles (via BAPIs).
I hope someone can give a bit information on this issue. I've done alot of reading on help.sap.com, but it's still an abstract issue for me.
Kind regards,
Joren

Hi Jorem
Re: point 3. I don't build portal roles through this mechanism as I don't believe in replicating the SAP easy access menu inside the portal. If there are some specific functions (transactions) that I want to run inside the portal, then I might use this mechanism to build the iViews once. I would rather start an iView that runs transaction SMEN and let the user see their regular easy access menu.
Please note that the speed of executing transactions in the portal isn't a function of the portal, but the fact that you are using ITS, for example, to web enable the transaction...
Re: point 4. Groups are a UME concept. They have nothign to do with ABAP groups. They can be created directly in UME through user administration functions, or they can be created in the LDAP and then they are visible in the portal. If the UME points to an ABAP system, then the ABAP roles are autoamtcially visible as UME groups. Groups created in the UME need to have the members assigned through user admin functions of the Java engine. Groups stored in LDAP are maintained using LDAP admin tools. There are upload utilities that allow you to maintain LDAP users and groups through text files. Google LDIF for more details.
Roles on the portal need to be built in the portal contetn directory. As Michael mentioned, this can be automated by the use of the role upload function built into the portal.

Maintaining the authorizations for parent role and derived role

Hi Experts,
Kindly advice me the Pro and cons of the parent role and derived role.. below is the scenario
Currently we have created the 700 role in our regionally organization and we want to dervie the roles for each country
1 ) we want to do the Auth field (activity level) settings in parent role and Org levels in the derived role .
2) But one my collegue says do the default Auth filed ( activity values) common to every country in the parent role and diff activity one in the derived role .
please advice me wat will be the best scenario for mantaining the authorizations filed values like (activity level one)

I will try to answer both your queries here:
"my collegue says they are some NON ORG values different from each country ..suggest us to maintain all the default values in Parent role and auth with diff values needs to be maintained in derived role (child role).. "
The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this filed is NON_ORG you will not be able to maintain it directly inside the child roles.....this is the basic principle of derived role conceptu2026 that the only item you will directly maintain in a child role are the org levels(which will come as u2018organisational levelsu2019 in the upper tab in the auth data of a role).
All NON_ORG fields inside a child role is acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. these changes will get lost the next time you run the parent child inheritance from u201Cgenerate derived roleu201D function in your parent role.
Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc u2026 figure out the name of the concerned field you have in hand)u2026.executeu2026 you will that the field will now onwards appear as an org level value in all roles in the system and not just as a field inside the auth objectsu2026.I would suggest you take one field and try running it in ur dev or sandbox..see how the field changes in your roles.... the change can always be reverted by using PFCG_ORGFIELD_delete. ... you will understand it better....
Soumya

Business Role and PFCG Role

Hi all,
I am new to CRM 7.0 Can someone explain What is a Business Role in CRM 7.0 and what is the relationship between Business role and PFCG role. What is the transaction Code to create a Business role.
And also I heard that there is no PCUI in CRM 7.0. Is it true and if so what is used in place of the PCUI
Thanks.
Neha.

Neha,
Next time please do a search in this forum on business roles, and you would find many topics discussing this information more completely. I'm locking this thread due to it fact that this question has been asked many times before by many different people.
These threads explain the topic in more detail:
Re: Reg: Business Role
Assignment pfcg-role to user and assignment pfcg-role to business role
Thank you,
Stephen

Security-role and security-role-assignment not working in WL7.0

Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
<security-role>
<role-name>Employees</role-name>
</security-role>
<method-permission>
<role-name>Employees</role-name>
<method>
<ejb-name>CustomerEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>Employees</role-name>
<principal-name>guest</principal-name>
<principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicity connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

Below are the screen shots for PFCG:

Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

Hi
I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
1. Can we integrate both structural authorizations and position based role mapping in one system?
2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
Any help or suggestions on the above would be appreciated.
Thanks and Regards
Arun R

Hi
1. Can we integrate both structural authorizations and position based role mapping in one system?
Yes you can. Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
No, the SAP role is unique to the postion it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the sap role directly to the user in SU01/SU01
3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
Create user in SU01.SU10 first before creating infotype 105 in PA30.
4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
*When a users assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.
Also the number of days an employee can have access to their previous data is controlled by the parameter is called ADAYS - tx OOAC . SAP currently defaults this to 15 days and this is used to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
Hope this helps.
Charmaine

GRC 10 Role Management - Mass Role Derivation

Hi All -
Does anyone know if it is possible to propagate the authorization data from multiple parent roles to their relevant child derived roles in mass in GRC 10?
Using the standard 'Role Management -> Role Maintenance' feature you can propagate one parent role's auth data to all it's children derived roles; or alternatively if accessing one child role you can copy the auth data from the parent role. Either of these options would require you to open each parent role or each child role to push/pull auth data from a parent role to a child role.
If this is not possible, it seems to leave a gap in the process of creating derived roles in mass?
Via the 'Role Mass Maintenance -> Role Derivation' feature you can create derived roles in mass across multiple parent roles with multiple levels of derivation from each using Org Maps. This will crate my derived roles and populate the organizational values only in PFCG. You can also update the derived role's org values in mass if they change by updating your Org Maps and using the 'Role Mass Maintenance -> Derived Role Org values Update' feature.
However these features do not propagate the non-org authorizations from the parent roles. Without a way to push/pull the non-org authorizations from the parent to the child, creating all the derived roles in mass doesn't quite actually create usable roles.
I've noticed when propagating authorization on a one-by-one basis, GRC creates a background job "Auth Data Propagate". I'm really just hoping there is a way to do this in mass and I am just missing the obvious. I also know it would be possible via an eCATT script directly in SAP, but I'm looking specifically for options via the GRC tool.
Thanks for the help!

Nick -
I actually just received a "final" response from SAP OSS support on this one. Had a note open for the past 9 months or so where apparently the product management & development teams were discussing this issue. The last update I received was about 10 days ago and essentially said this is not currently part of the tool:
"This is an enhancement and is not currently supported. We will take it up in a future release. Please log this in the ideaplace under Access Controls"
While I respect the decision, I can't necessarily say I agree that a "Mass Derivation" tool is working as intended if it cannot push / copy authorizations from a parent to a child role. If it can't create roles that are actually usable it would seem to be an issue with the current solution rather than a future enhancement imo.
The best workaround to this, is to utilize an eCATT script to go through all your derived roles you create in mass via GRC and have it go into PFCG and 'copy from' the parent authorizations and then regenerate the profiles. That will give you actually complete & usable roles in a semi-automated fashion.

How to restrict selected Role under a Role???

Hi Friends,
I have 3 roles, which are Role-1, Role-2, Role-3.
Role-2 & Role-3 are Under/Part of Role-1.
Now, I have assigned Role-1 to a user. By doing this, When he logs in he is able to see the Role-2 and Role-3 also eventhough we havent assigned Role-2&3.
Now My question is, How to restrict a role under a role. For example, I dont want to show Role-3.
When i checked the user roles assigned, i see only Role-1 but not 2 other roles.
Could anyone advice on how to make unwanted role in role. Assuming, no one is going to assign directly with Role-2 & Role-3. They got assigned only Role-1.
Thanks for u r time!!
Thanks,
Raghavendra.P

Hi Praveen,
Thanks for important/useful information. I really dont understand is., Inspite of giving the properties to the each of role/workset, How do we call the approprite under the role. for example :
If we have Role-2 with propery dept=sd,
and Role-3 with propert dept=xi, etc.
Now i have Role-1, within which i have Role-2 and Role-3.
Now, if i want to see only roles with dept=xi then where should i mention and what should i mention.
I understood till creating the properties, assigning the properties to roles/worksets, giving values to properties.
Only i doesnt understood is how to activate which we want in the scenario.
Thanks for your time..!!!
Thanks,
Raghavendra Pothula

How to delete a role from other role.....

Hi All,
I have a query like....
I have created one new role ATH:MDC:INV3 and added two existing roles to that new role on DEV system ie Added ATH:MDC:INV2 + ATH:PUR:PMG0
So,now i need to remove only one role ie ATH:PUR:PMG0 from ATH:MDC:INV3.
All the 3 roles are single roles.
Is there any way to remove/delete that role or do we need to do manually by deleting one by one authorisation,which is time taking process....
Please give me if there could be any better way to approach....
Thanks & Regards,
Swapna.D
Edited by: swapna devi on Feb 1, 2008 3:53 AM

Doug,
You gave me an idea. What if you create a new folder on the desktop. Select the roll above #20, which you said will also select #20, and move that roll to the desktop folder? Will roll #20 move with the one above it? If so, then you could go back to iPhoto, drag them both to the trash, delete trash (will it delete with the roll above it?), Import to Library the pictures where you put them on the desktop.
Caution, you would probably lose some of the info from the roll you delete and re-import, like their dates, etc. So I wonder... can you select, say, half the photos in that roll and Create New Roll? Will the remaining roll still be linked to #20? If so, can you do it again and again until the linked roll only contains 1 picture? Then move it to desktop, trash in iPhoto, and re-import?
What happens if you play with it like that?

Role in a role

Hello everybody,
I'm new to Netweaver Portal and I have a question to the roles. I have the following structure:
* Role1
* * Workset 1
* * * Page 1
and
* Role 2
* * Workset 2
* * * Page 2
But I would like to make role1 as an entry point and include role2 in role1. I do this by "Add Role to Role" with delta link, so that I get the following structure:
* Role1
* * Workset 1
* * * Page 1
* * Role 2
* * * Workset 2
* * * * Page 2
But when I do this, then everybody who is assigned to role1 can see the content from role2. There must be an inheritance somewhere, which I would like to eliminate. Can anyone help me, how to do this?
Thanks in advance

I'm not sure, if my solution is nearly what you mentioned to me. But I found out how to solve this issue for me. I write it here, may be someone else will run in the same situation.
My intention was to create the following structure:
Role 1
Workset 1
Role 2
Workset 2
Role 2 should only be visible when the user is assigned to Role 2. But when I add the Role 2 to Role 1, then the permission of Role 1 overwrites the persmission of Role 2, so that everybody assigned to Role 1 can also see Role2. This was not, what i was looking for.
So to solve the problem, it is not required to add Role 2 to Role 1. Simply define the Roles as they are and merge them at the end. So in my case I defined every Role with the property "Can be merged" and gave all the same "Merge ID". Now the roles are automatically structured as one entry point, as long as they are defined with "entry point" = yes. And the visibility of the roles depends on the assignments from the user.

Asynchr Calls: Partner Role and My Role must be filled in Partner Link dial

Asynchr Calls: Partner Role and My Role must be filled in Partner Link dialog ?
Is the statement true?
Can I leave for synchronous calls one of the role spec vacant?
AFAIK only in asynchronous calls both drop down values must be specified.
Peter

Thanks for fast reply,
Yes, I defined Partner Role and My Role,and also defined a port type for calling back the request.
I just don't know what's the endpoint address which my asynch web service should use to response to my BPEL process.
Is there anyway to find out what's the endpoint address which the BPEL processes receive the callback response from asynchronous services?
Can I get the address which BPEL engine uses to get the responsse from a called web service?
I guess it should be an obvious work but I'm really disappointed with that.

When to use "my role" and "partner role" in BPEL?

I'm a bit confused when to set/use partner role and my role.
Can anyone shed a little light,
regards, Henrik

Saurabh,
> I humbly disagree with your explanation of inputs
No need to be humble, you can boldy disagree. :)
You're right that I did technically use the wrong term in that sentence of my explanation. I updated the post and corrected it. However the gist of what I was saying is still true.
There are two invocation types. People use different terms but here I'll call them request-response and one-way. A request-response invocation type is used for what we typically think of as a "synchronous" process. That is, the service consumer is blocked until the service responds. It's like methodA() in Java calling methodB(). methodA() is blocked until methodB() completes. (In fact, this is exactly what it's like since all invocations on our BPEL engine ultimately go through our Java API.)
In the case of one-way, the service consumer is not blocked. This is often referred to as fire-and-forget. It simply sends its request, then it is free to continue or do whatever it wants. Moreover, nothing is returned to the client (you fired-and-forgot, remember). Typical "asynchronous" BPEL processes uses this invocation type.
So we have those two invocation types. Yet the problem before us how to have an asynchronous process return a result. You can't use request-response because the service consumer is blocked until the process finishes. You can't just use a one-way because nothing is returned to the caller. What to do?
The way the BPEL standard solved the problem is to use two one-way invocation types. The first one is to invoke the process. The second one is a one-way from the BPEL process to the service consumer to return the result. There are some glaring implications of this:
1. When the BPEL process returns it's result, things have now switched: The BPEL process becomes the service consumer, and the (original) service consumer becomes the service.
2. The service consumer has to be able to listen for one-way invocation type requests.
3. The BPEL process has to know how and where to call the service consumer back. This information is passed in the original request. As well as containing the data payload, it contains a callback address and unique identifier. This, in essence, is what the WS-Addressing standard is about.
Now the definition of a one-way invocation type in a WSDL is:
    <portType name="aaa">
        <operation name="bbb">
            <input message="tns:ccc"/>
        </operation>
    </portType>Compare that to a request-response invocation type:
    <portType name="aaa">
        <operation name="bbb">
            <input message="tns:ccc"/>
            <output message="tns:ddd"/>
        </operation>
    </portType>Let's look again out our example WSDL:
    <portType name="SelectService">
        <operation name="processRequestQuote">
            <input message="tns:RequestQuote_processRequestQuote"/>
        </operation>
    </portType>
    <portType name="SelectServiceCallback">
        <operation name="processRequestQuoteResponse">
            <input message="tns:RequestQuote_processRequestQuoteResponse"/>
        </operation>
    </portType>Here comes the good bit... Both portTypes have an <input> operation. But that's because they are both one-way invocation types, and there is no choice but use the <input> element -- that's the standard. You can't imply put <output> because there's no such thing in the standard. However we know that one of those is to actually return the result. That is, it's the output, even though it's labelled <input>.
Hopefully that's given you enough information now. Re-read my first post, above, and it should make more sense.
Incidentally, this is why you rarely see try asynchronous web services, because the caller has to also be a listener. And if you want to call a service, who wants to also have to write code to listen, to handle responses coming out of order, etc. This is one of the advantages of using an orchestration engine like Oracle BPEL Process Manager. The framework takes care of the hard work, and you can simply call an aysnchronous service and not have to worry about how to get the response back -- the engine does it for you.
Regards,
Robin.

Role and Reverse Role

Can the Role and Reverse Role fields be removed from the account competitor view? Thanks.

You can hide the Role fields in the Account Related Information Layout, which a user will see from the Account view. However, the fields are required, so when creating or editing a related account, users will have to see the fields. You can pre-default the values to make it easier for users, though.
Good Luck,
Thom

Creation of role inside a role

Similar Messages

Maybe you are looking for