Developing Roles and transport strategy.
Hello,
I need to finalize the Role development Plan.
I am not sure where do we built , test and transport roles to production.
I am thinking of developing roles in development in dev in a seperate clint . This clint will be copy of golde client.
Then this roles will be tested in quality and finally send to production.
Hence forth any changed to role will go thourh same cycle.
Please suggest !!!
>There are some things which you cannot add into roles if they are not set up (responsibility area heirachies, profit centre groups etc) so you need to ensure that non-transportable config is also made in your security client.
Thats a imp point th to my that you have bought to my notice. Are there any coustomizing such no range and stuff that can not be transported?
I wonder if its the case then all coustomizinf will be need to be done in QUA and PRD system seperately as well.
Also one thing i would like to mention is that I am trying to avoid development of roles on Actual devement client cause I am afraid of hamppering the coustoming data which developing roles . Cause most of my development of roles will take place by trial and error method .
So I am aprehensive to use development cline and find alternatives
Similar Messages
-
Roles and Authorization strategy for SAP BIBO
Hello All,
We are doing an implementation where Source is a Oracle, SAP BI warehouse and BO XI3.1 as reporting solution.
Our customer has asked for the authorization strategy that will be implemented in SAP BI. Currently the users belong to different companies or plants or countries
Current structure is like,
User 1 belongs to Plant1 of Country1
User 2 belongs to Plant2 of Country2
user 3 belongs to Plant3 of Country1 etc..
We have more than 500 users who will use the reports. The user belonging to a particular plant should only see the plant data/Country data he belongs to.
As I understand, we need to create the roles in BW and these roles to be imported into BO to use for the row and column level security.
The options we considered are,
1. Use Bex queries in BW to with ABAP code in CMOD to identify the user belongs to Plant 1, 2 or 3 and provide necessary authorizations.
2. Create user groups based on the country or company they belong to and create as many roles as required. This will however impact the maintenance of so many roles in the BI system.
We are also forced to avoid Bex queries in BW and hence, trying to connect Multiproviders directly in BO universe.
How should we go forward in designing the authorization concept? Any better ideas?
Thanks and Regards,
SrinivasThere are two ways which we can implement this kind of authorization based on my knowledge.
1. Data Security purely at BW
If the data is secured based on roles and users, there is no need of additional authorization from BO side except at report and folder level if you go for SAP Authentication.
Once you use SAP authenication and enable single sign on option in universe connection, the SAP users can access data based on their profile set at BW.
2. Data Security from BO
Let's assume that, if nothing is set at BW and every thing to be take care from BO.
Then you could create one multiple provider for each plant / country. Create one connection for each multiprovider
Create restrictions (Tools--> Manage Access Restrictions) for each plant/country. There you can change connection names.
So you would need to create many restrictions for different permutations and combinations.
I never tries this option with Multiprovider. But It worked well with NON-SAP data.
Hope this helps!
Regards
Gowtham -
SAP Query Use and Transport Strategy
Anyone wish to share their experience in the use of SAP Query? We generally have an understanding that we don't want to be giving out this tool to end-users in Production. We would like to create queries, and when we wish to give them out we'll attach t-codes to them and roll them out.
However in practice, this is becoming difficult. An example is where in our gold client we create queries and then we would typically transport to our unit test client. But whenever we do an export, it generates a transport request. Before we are done testing we may end up with 10's of transports for a single query?
Anyone have some ideas on a transport strategy for SAP Query? How about it's use in Production? Our landscape for changes are typically DEV Gold -> DEV Test -> QAS -> PRD. We would ideally like our transport strategy for queries to match what we do for everything else.HI,
Query objects are transported in different ways according to the query area in which they were created.
In order to know which transport options are available, you must first understand how query objects are created.
<b>Standard Area</b>
Query objects are stored in the client-specific table AQLDB. They are not connected to the Change and Transport Organizer.
<b>Global Area</b>
Query objects are stored in the cross-client table AQGDB. They are connected to the Change and Transport Organizer.
http://help.sap.com/saphelp_47x200/helpdata/en/d2/cb467f455611d189710000e8322d00/content.htm
Global area objects can be transported into other systems. Standard area query objects can not only be transported to other clients within their own system, but into all clients of other systems as well. In addition, query objects can be transported from the global query area to the standard query area and back within the same system.Transports are normally performed by the system administrator, not by end-users. For this reason, you need the appropriate authorizations
Check the below links for detailed explanation
<b>Transporting Global Area Objects</b>
http://help.sap.com/saphelp_47x200/helpdata/en/ec/052786a30411d1950a0000e82de14a/content.htm
<b>Transporting Standard Area Objects</b>
http://help.sap.com/saphelp_47x200/helpdata/en/ec/052789a30411d1950a0000e82de14a/content.htm
<b>General Transport Description</b>
http://help.sap.com/saphelp_47x200/helpdata/en/d2/cb4699455611d189710000e8322d00/content.htm
<b>Generating Transporting Datasets</b>
http://help.sap.com/saphelp_47x200/helpdata/en/d2/cb46a6455611d189710000e8322d00/content.htm
<b>Reading Transport Datasets</b>
http://help.sap.com/saphelp_47x200/helpdata/en/d2/cb46e7455611d189710000e8322d00/content.htm
<b>Managing Transport Datasets</b>
http://help.sap.com/saphelp_47x200/helpdata/en/d2/cb46f4455611d189710000e8322d00/content.htm
<b>Transporting Objects between Query Areas</b>
http://help.sap.com/saphelp_47x200/helpdata/en/ec/05278ca30411d1950a0000e82de14a/content.htm
I hope this solves your purpose.
Regards,
Vara
Message was edited by:
varaprasad bhagavatula -
Alternate development landscape and transport path - release management
We are discussing a proposal within our company to build a landscape that includes separate clients and transport paths for development of new system enhancements vs. ongoing production support. The idea is to keep all new development in a separate stream and prevent any conflicts with any required production support changes. This approach was used on a project where I previously worked, and we are seeking input from other SAP shops that use this approach, as well as any best practice documentation to assist us in development of an internal proposal on the topic. I would be grateful for any input on this topic, as well as the topic of release management. I have done quite a bit of searching on SDN and BPX and am just not finding anything.
Note that I also posted this question in the BPX general discussion forum because I was not clear exactly how it should be categorized. I apologize if this was not the appropriate course of action.Hi Bob
without being an expert. You could check the documentation for "Change and Transport System" (CTS) in help.sap.com. It comes with some "strategic" information as well.
The CTS "belongs" to SAP NetWeaver, and an extended version is available "CTS". Further recommendation would be that you check out the SAP Servicemarketplace information for SAP NetWeaver for "CTS". The use of such large functions is normally described in presentations as well.
regards
Andreas R -
Roles and Attributes Maintenance
Dear all, I am a little lost in a current project on this topic. When using ERP 2005 and not using the Virsa Access Enforcer, how and where are roles and especially their attributes maintained?
Do customers create the roles including the attributes usually in a development system and transport it to the productive environment or how is this process handled.
Any information on this would be highly appreciated.
thanks,
StefanIt's probably best if you start by reading that fine manual [User Administration and Identity Management in ABAP Systems|http://help.sap.com/saphelp_nw70/helpdata/en/fa/f63f4222fab16be10000000a155106/content.htm] which leads you to the detailed description of the [Authorization concept|http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm].
-
Creating t.code for ABAP query and Transport it TO Production and run it .
Hi Friends
Thanks for ur reply ,
The requirement is that i want to create tcode for abap query and that query can be regenearted ,
in case of regeneration programe name i got answer programame name will be change, i created and modified query but i saw the same programe name ,,, may be it changed when it is trasnported if so then what ??
and also pls give me solution for asiging tcode for query which is going to be regenerated.
thanks and regards
farukhDear Farukh,
As we know,
Query is created in Production server and a corresponding program is generated by System.
What we have to do is just to assign the program to the desired transaction code in Development server and transport it.
If you have any doubts please let me know.
Kindly assign points if you find this info usefull.
Regards,
Lijo Joseph -
Attaching Package and transport request for existing SAPScript
Hi!
I require to attach development class and transport request in one existing SAPScript. Can anyone please suggest how to do?
Thanks and regards,
AtanuHi Atanu,
You can try following two methods -
1. Display SAPSCRIPT and use option goto -> Object directory entry and change the "Package".
2. If that is not allowed, try using Txn. SE03 and try changing Object directory entry from there.
If you assign a package which is transportable, system will prompt you for a transportable request.
Cheers,
Sanjeev -
Hi,
The development staff require access to multiple schema objects on the db but I am loathed to assign the 'ALL' to the DDL privileges as I would like to
restrict access to a specific schema without limiting the developers to their own schema.
Presently i given the below privileges, Please tell me developer point of view which privileges is required?
GRANT EXECUTE ANY PROCEDURE TO DEVELOPER_ROLE;
GRANT DROP ANY TRIGGER TO DEVELOPER_ROLE;
GRANT DROP ANY VIEW TO DEVELOPER_ROLE;
GRANT ALTER ANY SEQUENCE TO DEVELOPER_ROLE;
GRANT CREATE ANY INDEXTYPE TO DEVELOPER_ROLE;
GRANT CREATE TRIGGER TO DEVELOPER_ROLE;
GRANT EXECUTE ANY PROGRAM TO DEVELOPER_ROLE;
GRANT ALTER ANY PROCEDURE TO DEVELOPER_ROLE;
GRANT CREATE SEQUENCE TO DEVELOPER_ROLE;
GRANT SELECT ANY SEQUENCE TO DEVELOPER_ROLE;
GRANT ALTER ANY TRIGGER TO DEVELOPER_ROLE;
GRANT EXECUTE ANY TYPE TO DEVELOPER_ROLE;
GRANT ALTER ANY TABLE TO DEVELOPER_ROLE;
GRANT CREATE VIEW TO DEVELOPER_ROLE;
GRANT CREATE ANY INDEX TO DEVELOPER_ROLE;
GRANT DROP ANY INDEX TO DEVELOPER_ROLE;
GRANT CREATE TYPE TO DEVELOPER_ROLE;
GRANT ALTER ANY INDEX TO DEVELOPER_ROLE;
GRANT CREATE ANY PROCEDURE TO DEVELOPER_ROLE;
GRANT DROP ANY INDEXTYPE TO DEVELOPER_ROLE;
GRANT CREATE ANY MATERIALIZED VIEW TO DEVELOPER_ROLE;
GRANT CREATE ANY SYNONYM TO DEVELOPER_ROLE;
GRANT CREATE ANY SEQUENCE TO DEVELOPER_ROLE;
GRANT CREATE INDEXTYPE TO DEVELOPER_ROLE;
GRANT EXECUTE ANY INDEXTYPE TO DEVELOPER_ROLE;
GRANT DROP ANY TYPE TO DEVELOPER_ROLE;
GRANT CREATE MATERIALIZED VIEW TO DEVELOPER_ROLE;
GRANT DEBUG ANY PROCEDURE TO DEVELOPER_ROLE;
GRANT CREATE ANY VIEW TO DEVELOPER_ROLE;
GRANT ALTER ANY TYPE TO DEVELOPER_ROLE;
GRANT CREATE ANY TRIGGER TO DEVELOPER_ROLE;
GRANT CREATE ANY TYPE TO DEVELOPER_ROLE;
GRANT DROP ANY SEQUENCE TO DEVELOPER_ROLE;
GRANT DROP ANY TABLE TO DEVELOPER_ROLE;Hi;
There is no specific answer for your question, you can create some role which can create function or procedure etc. You can give some basic grant to developer role and than you can add new grant in that role or can create one other new role for your developers
Regard
Helios -
Creation and transportation of query from development to simulation system
Hello experts,
I need to create a new Query in the development system in the General Ledger folder in Financial reporting. and then I need to transport the same to the simulation system. what are the correct steps I need to follow to do the same if have to avoid any issues during this transportation.
Do I need to do any modifications to the role ZS_XX_BEX_MENU and transport the same?
Could anyone help me in this regard giving me the exact procedure I need to follow.
RegardsNo need to modify, but if it is $temp then change it has ur won request.
follow the genral procedure
1)In RSA1 Go to Transport tab and collect ur query.
Drag to right screen
If it is in $Temp change it to your own request. For this You may need Access.
2)Query contains all objects which were used in that query.
if any Info object that are created newly then check for Transport
3) Then, finally click on transport(Truck) icon
4) By default, it will collect all new objects including newly created Info Objects also. You can change the collections of your own selection.
You will get a Request Number here. Please save this Number so that you can check this at SE09
5) In SE09 search for your Request Number.
6)Release The request by subsequent process onwards( Means sub contents like infoprovider first and then Query) -
Transport roles and analysis authorization with user assigned
Hi expert,
I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
Thanks for your time,
LuisHi,
In role administration, you have the following options for transporting roles:
You can download the roles from one system and upload them into another
You can import the role from a remote system using RFC
You can transport the roles with the transport function.
Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
Transporting Roles with the Role Transport Function
1. Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
2. Enter the role to be transported and choose Transport Role.
The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
For more information go thrpugh the below link
http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
Regards,
Marasa. -
ChaRM: usage of ChaRM and none-Charm transport strategy
Hi ChaRM-TMS Gurus!
We have the following [SAP system landscape |http://www.file-upload.net/view-1086963/SDN_TMS_Ist_Soll.jpg.html] and would like to use ChaRM approach simultaneously.
What are the minimal requirements concerning transport layers/routes, which settings should be changed?
How much and which transport layer/routes does ChaRM need?
a) 1 any new transport layer/route
b) standard transport layer, transport layer "SAP" and others
Should all the standard transport layer/routes from virtual systems to real QAS and PRD systems or can I start as follows:
1) Leave the current TMS settings unchanged
2) Activate the extended transport control
Result: the current setting will be client specific and all the old transport requests will be moved to client specific transport routes
3) change the transport strategy (from mass transport to single transport)
3) Define new transport layer
4) Define new transport route for SAP objects from DEV to QAS
and assign the transport layer from 3) (client specific)
5) Define new transport route ZXXX from DEV to QAS
and assign the transport layer from 3) (client specific)
6) Define the delivery transport route from QAS to PRD (client specific)
7) activate and distribute the settings
Thank you very much indeed!
ThomHi Martin,
Solmaniacs' assumptions are correct. You can have as many source clients as you want.
As long as
- STMS configuration (transport routes, and domain links) are consistent
- SMSY configuration (logical components are declared properly with assigning the right role types to systems/clients)
- Project declaration are done correctly (so that from Solman solar_project_admin you can read the STMS as confiured in the distant STMS domain)
- IMPORTANT: those configuration GO ALONG with each other !! (SMSY should nt contradict STMS for example...)
The tasklist that is generated for each Solman project will be as follow
- Node 1: Header Tasks (commun to all systems)
- Node x: Corresponding to track x declared in Project (each Source System will have his own node with the corresponding track under)
- Node x+1
- Node ...
- Last Node : Tasks for Tasklist closure - checks on scma consistancy and CTS projects closure
So you'll always have n+2 nodes in your tasklist; n beeing the number of declared source (=dev) systems in project
For each action launched from change docuemnts like creation of TR, release of TR or Retrofit (as Solmaniac said) you'll have an additional pop-up that will appears letting you choose the system you want to use for the action
Hope its helpful
Regards
Khalil -
Role and Analysis Authorization Transport
Dear Experts,
I'm working with migration authorization project from 3.5 to 7.0. My doubt is when migrate in development enviroment enhancement each whith join S_RS_AUTH with Analysis Authorization which the role doesn't have any users assigning and transport to test enviroment where have a same role with user assigning. Do lose the user assign?
Thank for all,
LuisHi,
I think it will orverwrite the Role. If you want to lock the target system against import of user assignments, you can goto sm30 (Table - PRGN_CUST). Make an entry - USER_REL_IMPORT (value - NO).
Thanks -
ESR role in different development, test, and production systems
Hello,
I want to know the role of ESR in development, test, and production system. Do I have to install ESR in every seprate installated SAP CE machine??? or should It be centrally and development., test and production systems can use it?? Does software release process effects in the whole landscape??
does Test and Production system requires ESR??? or all used services are embed into released software SCA files to test and production system???
Regards,
NaeemHey,
as far as I understood the ESR is a design time tool, i think you don't need to have a productive instance.
I think it should be installed on your PI systems. And I would prefer to have at least a devel and a test installation, to
separate services on test machines from those who are running on productive systems.
as you can't differentiate the services by their name but just by their systems, you should have separate ESR Instances.
Nevertheless I think it could be possible to run only one ESR....
Kind Regards
Christof -
Roles and responsiblities of oracle dba in development team
What should be the roles and responsiblities of oracle dba in development team?
Does Application dba should have oracle user credentials on db box?Hi, Application DBA work as like production DBA, while resolving issue SLA would not apply for them . Apart from this developement team pressure will be there.
These are points remembered.
Creating test Db for testing environment,
Schema Replication of POC
replication the DB for interface setup .
User , Space management.
Roles and Security management
Space Forecasting -this will be useful when you are estimating for storage
need to give application set up to Production DBA with proper specification.
maintaining the schema changes
Ensure that right script shas to provide the Production DBA team .
Deployment of the application.
performance tuning..
All environment memory /CPU statistisc need to check by regular interval.If any issues need to escalte to INFRASTRUCTURE team
HTC
tippu -
As XI developer what are the roles and authorization i shoul have in realti
Hi Experts,
As XI developer what are the roles and authorization i shoul have in realtime, as a dveloper is it possible for me to crate namespace and business system, can any one please exaplain me abt business system in real time scenario.
thanks
dhanushHi Dhanush,
your authorizations will be decided depends on your role in your team.
yes you will have authorization for creating name space ,but your bussiness system will be created by Basis pesron and assign it to your scenario.
Business System is a logical entity which represents logical view of your technical system. (eg a client in R3 system can be respresented as business system in SLD) For one technical system you can have multiple business systems.
Look in to these links for detalis of bussiness systems.
http://help.sap.com/saphelp_nw04/helpdata/de/31/f0ff69551e4f259fdad799a229363e/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/de/87/7277e8fba34421a45d97a41ec27381/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/7b/d4653fd1d3b81ae10000000a114084/content.htm
Reward points if found usefull......
Maybe you are looking for
-
Trying to Install RMS application 13.2.2 and I get past the pre-installation checks and when I get to the Data Source details and enter the data source details with the check box checked to validate the schema/Test Data Source I get the following err
-
Multiple conditions in Query doesn't work
Hi all, I've made a query pointing on a Multiprovider wich 's made of two main dimension ( multiple infoproviders ) : contract and pricing and on the other hand Sales and Revenues. In my Query, one condition's concerned by a contract & pricing key f
-
Mac os x server 3.0.2 open directory master disappear from list
Hi, There is a very funny Mac OS X Server 3.0.2 issue. After I updated my mac os X server from 3.0.0 to 3.0.2. as my host name is conflict with other Mac mini, I changed X server's Mac mini's host name, computer name and localhost name. When I restar
-
HELP!!! "Restart" problem after installation of OS Mountain Lion
Dear Apple People, I have upgraded my Macbook Pro 13 (bought last year) from Leopard to Mountain Lion. After some days my computer stopped to start normally and restarts every minute. Please see attached the photos. I have searched other topics and i
-
Wireless networks connections are not showing up
I have a 3000 C200 model with windows 7 installed. From a few days the wireless network connections are not being detected. The networks are being detected in my other laptop. Can someone please help me in resolving the issue.