Existing roles / authorization joining.

Hello.
I have to arrange existing roles in SD.
First issue:
There are defined roles. I just have to aggregate them (e.g. 3 existing roles into a new one). What should I do?
Second issue:
Those roles are subordinated according to plant. I have to add an additional "organizational level": business area.
Thanks in advance
/ Margaret

Hello,
The transaction code for authorisation / user profile maintenance is PFCG, but it is advisable to take the help of a BASIS expert.
Prase

Similar Messages

  • Making existing roles watertight for HR data

    Hello,
    I hope to get nudged in the right direction in here. I already descended pretty much to the end of my rope and ... well ... I need some more rope.
    The situation is like this - I inherited everything that has to do with maintenance of authorizations on our system half a year ago, the guy that did that before me is no longer in the company (so there's no use in asking what he was thinking (if anything) when he was putting the roles together). Documentation is scarce/non-existing. When it exists it's usually not up to date. I'm not exactly a newbie in authorizations field, but at the same time I'm not really that far away from being a newbie yet, so I'm not beyond listening to basics being pointed out to me.
    The Utopia:
    There are five single roles built for all users of our system (say R1, R2, ... , R5). They're supposed to build on one another, R1 being the basic role, R2 having a couple more authorizations than R1, and so on until R5 which is the role that also has all HR authorizations.
    The Reality:
    The roles have been designed in a hurry and from the top down starting with the sap_all profile and removing some (or most of the) CA, BC and HR authorizations. They were not properly tested. They do not derive from one another in any way ... R2 for example is a complete copy of R1 with some additional objects and values, same for all the others. Every problem needed to be fixed five times, once for every role. That of course resulted in chaos, things got changed just in one place and the basic role suddenly got more powerful than all the rest. These roles are in use in the production system and there are no plans to substitute them with something better in the very near future.
    The Problem:
    Suddenly (yeah, right) the need arose to have these roles watertight with regard to HR data. I did some rudimentary testing and sure enough they're nowhere near watertight even for the most common HR transactions. There are ranges defined in S_TCODE for which I have no idea why they are as they are, there was access to SA38 given where SAP HR programs with no authorization group (and no transaction code) assigned could be run by everyone ... there's god knows how many other security holes. The only help I got from the HR consultants was the list of all 2000 or so HR transactions (taken from the SAP menu tree) which shouldn't be accessible to a normal user. I suspect I might be in need of a typing monkey to check them all five times.
    Question:
    How do I close as many security holes in these roles as possible? What's the strategy when dealing with such tasks? I've made it clear to the management that we probably won't have watertight roles if we don't create new ones, but making a set of new roles created properly from the bottom up is out of the question at this moment.
    I'd be extremely grateful for any advice or if anyone could point me to any kind of documentation about making roles like ours more secure for protecting HR data (and also keeping the users away from any BC stuff).
    In the meantime, I'm off to searching through the archives of the forum.
    ursa

    Mopping the floor with the water running is a spot on description.
    Actually we're in the process of setting up new and improved authorizations but (of course!) the testing phase turned out to be much more time consuming than anticipated. No surprise to me, however someone obviously thought authorizations are a matter of defining roles and their menus and the system does everything else by itself. Riiight.
    What I did so far - first I educated myself on the specifics of HR authorizations. I never had to deal with those before, so (for example) it was a surprise to me that there's actually a separate SAP course dealing with HR authorizations. Then I compared the existing roles to each other like you suggested and figured out a way that allowed me to do all the modifications with least amount of work. I cleaned most of the infotypes out of P_ORGIN and (to cover my behind) adjusted the ranges in S_TCODE to exclude the 2000 HR transactions our HR consultant listed for me.
    Most importantly - I made it clear to the guys above me that with the roles we use I can't guarantee HR data to be inaccessible for people who should stay away from it. So ... back to the testing of the new authorizations.
    Thanks for your help! It always makes a huge difference to get something like a second opinion when one can't decide if left is better than right or if it's the other way around.
    ursa
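
Added example (not part of the thread and not SAP tooling): a Python check for the task described in the two posts above. It tests which restricted transaction codes a role's S_TCODE values still let through, and where a lower role reaches more than the next role up. The role contents, the sample transaction codes and the simplified matching rules (plain string comparison, `*` only as a trailing wildcard) are assumptions; the LOW/HIGH layout mirrors an export of role authorization values such as table AGR_1251.

```python
"""Audit S_TCODE values of several roles against a list of restricted tcodes."""
from typing import NamedTuple


class Value(NamedTuple):
    low: str          # single value, pattern with trailing '*', or range start
    high: str = ""    # range end; empty for a single value or a pattern


def covers(value: Value, tcode: str) -> bool:
    """True if one S_TCODE value row lets `tcode` through (simplified matching)."""
    tcode = tcode.upper()
    low, high = value.low.upper(), value.high.upper()
    if not high:
        if low.endswith("*"):                  # 'PA*' or the full wildcard '*'
            return tcode.startswith(low[:-1])
        return tcode == low
    # Range: inclusive string comparison. Assumption: ASCII ordering; the real
    # comparison depends on the system code page, so treat hits as a worklist.
    if high.endswith("*"):
        prefix = high[:-1]
        upper_ok = tcode[:len(prefix)] <= prefix
    else:
        upper_ok = tcode <= high
    return low.rstrip("*") <= tcode and upper_ok


def exposed(values, restricted):
    """Map each restricted tcode that is still reachable to the rows allowing it."""
    hits = {}
    for tcode in restricted:
        rows = [v for v in values if covers(v, tcode)]
        if rows:
            hits[tcode.upper()] = rows
    return hits


def hierarchy_breaks(roles, restricted, order):
    """Restricted tcodes a lower role reaches that the next higher role does not."""
    breaks = []
    for lower, higher in zip(order, order[1:]):
        extra = set(exposed(roles[lower], restricted)) - set(exposed(roles[higher], restricted))
        if extra:
            breaks.append((lower, higher, sorted(extra)))
    return breaks


# Constructed sample data: role names follow the post (R1 basic ... R5 with HR),
# the S_TCODE rows and the restricted list are invented for illustration.
ROLES = {
    "R1": [Value("MM03"), Value("P000", "PZZZ"), Value("SA38")],
    "R2": [Value("MM03"), Value("VA0*"), Value("SA38")],
    "R5": [Value("*")],
}
RESTRICTED = ["PA20", "PA30", "PA40"]

if __name__ == "__main__":
    for role, values in ROLES.items():
        for tcode, rows in exposed(values, RESTRICTED).items():
            shown = ", ".join(f"{r.low}-{r.high}" if r.high else r.low for r in rows)
            print(f"{role}: {tcode} reachable via {shown}")
    for lower, higher, tcodes in hierarchy_breaks(ROLES, RESTRICTED, ["R1", "R2", "R5"]):
        print(f"{lower} reaches more than {higher}: {', '.join(tcodes)}")
```

A clean result covers transaction start only; reports started through SA38, which the first post mentions, are not visible to an S_TCODE comparison.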

  • SAP BI : Roles & Authorizations

    Hi,
    I am working on roles & authorizations for SAP BI 7.0. How can I create authorization for a scenario mentioned below:
    One user (userid ALAN) has two vendors under him viz V001 & V001A.
    V001 has access to plant A001, A002 and
    V001A has access to plant A002, A003, F002.
    The data is created in SAP R3 and brought into SRM using criteria based on document type say ELEM. Even though V001 does not have access to plant A003, it can create documents of type ELEM. The business does not want this document to appear for V001.
    The business needs documents to be displayed as follows, irrespective of documents existing in SAP R3:
    Plants A001, A002 for V001 and
    Plants A002, A003, F002 for V001A.
    Please confirm if the following approach will work:
    Create vendor - plant role
    Role 1
    Vendor = V001
    Plants = A001, A002
    Role 2
    Vendor = V001A
    Plants = A002, A003, F002
    Assign User ALAN both roles Role 1 and Role 2.
    Please suggest a solution as I have to deliver about 2000+ roles by end of week.
    Thanks in advance.

    Hi,
    Seems that you are looking for a merge of the authorization. Please take a look in the note 1000004 where you are going to see the explanation about the merging.
    1000004 - Merging and optimizing analysis authorizations
    This documentation should help you.
    Regards,
    Rafael

  • E-Recruiting : Role Authorization in e-recruiting standalone scenario

    Hello Friends,
    We have EREC on a standalone system (ERD 100). HR ECC is another system (ECD 300), Enterprise portal in another system (EPD 100).
    We are on EHP 5, EREC 605, Support Pack 7.
    We have activated the single sign on mechanism.
    I have the following queries regarding role authorizations on EREC in the standalone model.
    1) We have standard reference users such as recruiter, manager, decision-maker, data entry clerk, rec. admin etc.; the "RCF_RECRUIT, RCF_MANAGER, RCF_CAND_INT, RCF_DATA_TYP" etc. Should these reference users be created both in the EREC & HR systems or only in the EREC system?
    2) If the "RCF_XXXX" reference user roles are supposed to be created only in the EREC system, how to assign reference user roles to employees whose master data is in the HR system?
    3) Can support teams concept help for mass authorizations? Can someone elaborate on the support team, support group concepts ?
    Kindly provide inputs.
    Regards,
    ER.

    Thanks Nicole for the inputs.
    Just expanding my query on the 2nd point regarding assigning reference users like manager, recruiter to certain employees:
    Example: Say I have Emp. No 20003000. He is a hiring manager. In the HR system, IT105, subtype user id is "20003000".
    To assign the RCF_MANAGER reference user role to user id 20003000, do I have to recreate the user id in the EREC system as well and assign it in SU01 for this user id?
    Would like to take your comments.
    Thanks,
    Regards,
    ER.

  • New Org Level impact in existing roles

    Hi,
    I would like to set/create 2 fields as organizational levels. For example KLART and DOKAR. Checking these I realized there is a big amount of roles "affected" by this change.
    Because I plan to use the organizational level only for new roles, I would like to know which impact this change could have for existing roles. Should one modify the existing roles after creating the Org Levels? Or, in contrast, do they still work as always and no changes / adjustments are needed?
    Thanks and regards
    FedeX

    Thanks Bernhard,
    I have a question
    As I mentioned before my goal is that the existing roles keep working after running that program... and do not want to perform any adaptation....only if there is a real error that avoid work correctly.
    In these 2 cases the role will keep working properly ( I mean restricting in the way that it uses to do).
    1) In case field is copied to the Orglevel area after running the program and the value(s) will stay in both places (OrgLevel and original place).
    2) In case field is NOT copied to the Orglevel area after running the program but the value is still in the original place.
    Right?
    Thanks
    FedeX

  • How to determine role authorization of user in MAM?

    Hi everyone,
    I'm new to SAP and SAP MI, and I am currently implementing (or "enhancing") a MAM.  I have the following question on user authorization:
    In terms of role authorizations, does anyone know how I can determine what roles an authenticated user has from SAP?  For example, if user A logs into the MI Client, and if this user accesses the MAM, is there a way for the MAM to know what kind of user roles he/she has?  Is there a SyncBo that will give me such info?  I checked the JavaDocs for the SyncBo's, but they have NO descriptions.  The closest thing that I found was in MAM090 (Interface com.sap.mbs.mam.bo.MAM090).  There are getter methods for getRoleGen(), getProfileResource(), and getPartnerRole().  Are any of these usable?
    Are there any good documents that I can look at to determine what each SyncBo does?
    Many thanks!
    Jeffrey

    Hi Jeffrey!
    Here are the 3 different checks you have to look at under "Users & Authorizations" for setting up your MAM Users.
    (1) SAP Backend:
    (1a) The SAP MAM User who synchronizes with the Backend from the MI Client should have all necessary authorizations for Plant Maintenance Components of the SAP System that are associated with your MAM Scenarios. Please refer to the following SAP Authorization Objects I_ALM_ME, I_AUART, I_BEGRP, I_BETRVORG, I_CCM_ACT, I_CCM_STRC, I_ILOA, I_INGRP, I_IWERK, I_KOSTL, I_QMEL, I_ROUT, I_ROUT1, I_SOGEN, I_SWERK, I_TCODE, I_VORG_MEL, I_VORG_MP, I_VORG_ORD, I_WPS_MEB, I_WPS_REV in your Backend System and have them assigned to the User Profile, based on your requirement.
    (1b) Service User for setting up the MAM & MI Landscape: This user logon info has to be set up in the RFC Destination that is associated with your MAM25 SyncBOs, to log on to the Backend System, and this user should have the basic authorizations required to establish the connection.
    (2) MI Middleware: The SAP MAM User who synchronizes with the Backend from the MI Client should have the following Authorization Objects assigned to his/her profile: S_ME_SYNC, S_RFC, S_TCODE.
    (3) MI Client: Refer to the MI Security Guide. Please note that the MI Client MAM User is the same as the Middleware User and the Backend User. You should be taking care of this already. This is just an FYI.
    Let me know, if you are looking for any other additional info.
    Thank You
    Gisk

  • Role authorization for product selection

    Hi All,
    I have a requirement for which I need your help. Now my Account Manager can see all products while placing an order. I want to restrict his selection to only 5* and 6* products. That means when he looks to place an order the next time, he should only see 5* and 6* products, not all products. Can you please tell me how to go about this role authorization?
    Your valuable inputs will be appreciated.
    Regards,
    Sasmita

    Hi,
    I feel Access Control Engine would be the most elegant and futuristic solution.
    However, you need to review all the solutions suggested. Solution suggested by Shalini and Ashish are more practical. However, generally partner product range is used in case of Sold-to parties.
    Please review all the solutions suggested and take decision based on circumstances at your client's end.
    You can get more information about Access Control Engine at
    http://help.sap.com/saphelp_crm40/helpdata/en/04/0177f9bb67ac4cafb84bb4d4c1d8fc/frameset.htm.
    Also there are several guides and cookbooks on ACE at service market place.
    Regards,
    Deepak

  • Add a base permission to an existing role definition in sharepoint using CSOM

    I have to add a base permission to an existing role definition in SharePoint using the CSOM Managed API in SP2013, to update the base permission of a permission level. I did use the code below, but the role definition is not getting updated. What could be the reason? I have updated RoleDefinition and Web as well but it did not help.
    RoleDefinition rd = oClientContext.Web.RoleDefinitions.GetByName("My Permission");
    if (!rd.BasePermissions.Has(PermissionKind.ManagePermissions))
        rd.RoleTypeKind.ToString();
    rd.BasePermissions.Set(PermissionKind.ManagePermissions);
    rd.Update();
    oClientContext.Web.Update();
    oClientContext.ExecuteQuery();
    Ashish Baranwal To know what you know and what you do not know, that is true knowledge

    Hi Ashish,
    I tested the same scenario per your post in my environment, and I got the same results as you got.
    As a workaround, I recommend deleting the permission level and then recreating the permission level with the needed permissions:
    using Microsoft.SharePoint.Client;

    ClientContext ctx = new ClientContext("http://sp");
    RoleDefinition rd = ctx.Web.RoleDefinitions.GetByName("My Permission");
    ctx.Load(rd);
    ctx.ExecuteQuery();
    if (!rd.BasePermissions.Has(PermissionKind.ManagePermissions))
    {
        // Queue deletion of the old permission level; it is sent with the ExecuteQuery below
        rd.DeleteObject();
        BasePermissions permissions = new BasePermissions();
        // add the permissions needed
        permissions.Set(PermissionKind.ManagePermissions);
        RoleDefinitionCreationInformation roleDefinitionCreationInfo = new RoleDefinitionCreationInformation();
        roleDefinitionCreationInfo.BasePermissions = permissions;
        roleDefinitionCreationInfo.Name = "My Permission";
        roleDefinitionCreationInfo.Description = "My Custom Permission Level";
        // Recreate the permission level under the same name, on the same client context
        RoleDefinition roleDefinition = ctx.Web.RoleDefinitions.Add(roleDefinitionCreationInfo);
        ctx.ExecuteQuery();
    }
    Best regards.
    Thanks
    Victoria Xia
    TechNet Community Support

  • Restricting the ATP user for GATP - correct roles/authorizations

    Hi:
    If the dialog user that is used for the ATP check (from ECC to GATP) has more authorizations than needed and this is going to be a problem in production. The user can run SCM transactions from the results screen of ECC and this is not desirable.
    Therefore, the ATP user should be a restricted user that has only authorizations for this specific task. If you know what are the exact roles/authorizations to give to the ATP user, could you share them?
    Thanks in advance.
    Satish

    For R/3 please check OSS  Note 447543 - APO: Authorizations too comprehensive/not user-specific.
    "If it is necessary to have different authorization profiles in APO for different R/3 users when calling in APO, the following solution applies:
    Activate the setting in SM59 that is used for the RFC connection CURRENT USER.
    In the APO system, create the respective users and assign authorization profiles. This is necessary in order to achieve the necessary flexibility concerning authorizations in the APO system."
    For APO:
    Authorization object C_APO_ATP in APO.
    Please choose the activity as per user role.
    01       Create or generate
    02       Change
    03       Display
    04       Print, edit message
    06       Delete
    16       Execute
    39       Check
    Manish
    Edited by: Manish Kumar Rathi on Oct 21, 2008 1:24 PM

  • Delete all existing roles

    Hello,
    We're using the GRC Provisioning Framework (with IDM 7.1 SP4 and GRC 5.3 SP10_1) and want to delete all existing roles from a user before we set new roles for him.
    Is there a general command to do this or do the existing roles have to be known?
    Thanks,
    Carsten

    Hello Christian,
    thanks for the quick answer. I'm talking about privileges.
    In the To Identity Store, is it enough to set:
    MSKEYVALUE - %MSKEYVALUE%
    MXREF_MX_PRIVILEGE -
    Or do I have to set all existing roles behind the (like priv:grc:xxxx)?
    Thanks,
    Carsten

  • Table for Role & Authorization group

    Hi Gurus,
    I am looking for a table or FM to get all roles for an Authorization group.
    I tried the SUIM tcode but was not able to find the exact DB table for these.
    Giri
    P.S.: To Moderator:
    My earlier thread was locked for the same question. I have been searching in SDN and Google for the last 3 days and was not able to find enough information on it. AGR_USERS, TBRG, TACT are the tables I found. But still there is a link missing between Role & Authorization Group.

    Thomas,
    My report has a selection screen with Auth group and user.
    If the user provides an Auth. Group then I need to find all roles linked to the auth group and users assigned to that role.
    In my investigation, there is a link between Auth. Group <--> Auth. object.
    Also Auth. Object <--> Role.
    But still there is a fine link missing between Auth Group <--> Role.
    For e.g.: Auth Object S_TABU_DIS will be associated to all Auth. Groups but assigned to only limited roles.
    I tried to debug the SUIM transaction multiple times but couldn't find the tables to find the link and was not able to find the FMs.
    If anybody has any idea how to find that link between Auth. Group & Role then it will be helpful....
    Giri

  • Track new roles / change in existing roles

    Hi,
    I have a requirement to track the creation of a new role OR changes to an existing role in the system. In either case I have to send an email to a group of people.
    I tried to find the enhancements but found nothing useful.
    Basically, I need to find how I can track the event for creation / change of a role...
    Please help me find the solution for this...
    Thanks,
    Gagan Chodhry

    Hi Atish,
    Thanks for the reply...
    No, I tried to find the enhancements, but could not get the one I need...
    I found a couple more things, like transaction PFAC_CHG / PFAC_INS for change or create role, but I am not sure how exactly to use these... if these are the correct ones to be used....
    Thanks,
    Gagan Chodhry

  • Roles,Authorization,Authorization objects for APD

    Hi Experts,
    Can anyone give me the list of roles, authorizations, authorization objects required related to APD?
    It's been a problem for us getting stuck at each authorization.
    With Regards,
    Meiyappan.

    The Analysis Process Designer allows you to work with a large number of objects. This includes different BW objects such as InfoProviders, InfoObjects or queries, and also other objects such as temporary database tables that are influenced by actions  already carried out and are authorization-relevant.
    Note 919614 - APD: FAQ authorization

  • Role Authorization Vs ACL in cProjects

    We do not want to use ACL (Authorization at the Project level) to grant authorization. We are looking for a way to have this authorization by roles. Not too sure if the minutest of details can be controlled by authorization objects.
    Of the few requirements that we have, one goes as follows:
    1. We need a role of "Resource Manager" to be able to view all projects. However, this role must not be able to edit the project structure. This is possible. However, another requirement that we have is that this role must have all "admin" level access at the "Resources" level. Which means, this role must be able to staff roles and assign tasks to roles and resources, but must have read-only access to the project structure.
    Can this be done?
    2. Another requirement is with regard to status management. We want a role to have the authorization to set only select statuses. We have a combination of standard and custom statuses in the status profile that we are using. We look to control the access for roles by which one role can only set a few of these statuses.
    Can this be done?
    Thanks and Regards...

    Hi Peter,
    We have exactly the same need, and unfortunately everything is not solved yet.
    1/ In standard, there is no distinction between project and role authorizations. This means you need 'admin' auth at project level if you want to manage the roles. We created an OSS message for this, and SAP answer was to create a development request --> Until then, and if we get a positive answer, nothing can be done to separate project & role authorizations. So there is no solution today.
    2/ For the statuses, we had to enhance class CL_DPR_STATUS_MANAGEMENT, methods GET_PERMITTED_USER_STATUS and/or GET_PERMITTED_ACTIVITIES. Thanks to this, we are now able to filter the status list that is populated in the screen.
    Regards,
    Matthias

  • Assign WB to existing role always require role regeneration

    Dear Expert,
    After we upgraded to BI 7, it appears that every time we add a new WB to an existing role in the BEx Analyser, the role doesn't generate automatically in the BI backend. This means that the team cannot transport a new WB without a corresponding role generation. We have to transport the new workbook and existing role together.
    But I remember that in BW 3.5, we didn't need to transport both the new WB and the existing role. Can anyone tell me if this is standard practice in BI 7.0 or whether there is any configuration for this? Thank you very much.
    Best Regards,
    Fuyang

    Hi Fuyang
    In addition to Anil's suggestion, one small concern: ensure that you haven't missed up any of the other workbooks and related roles...
    Hope it's clear a little..!
    Thanks
    K M R
