Hierarchy Objects - Authorisation in Roles

Similar Messages

• How can I limit/control the addition of auth. objects to security roles?

  Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certaing type of auth. objects and didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
  Edited by: Armando Salas on Nov 29, 2011 7:41 PM

  Hi Armando,
  Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
  I hope this helps you
  Regards
  Eduardo

• Is there a Limit on number of authorization objects in a role?

  Hi all,
     Is there a Limit on number of authorization objects in a role because I am getting the following error.
  Authorization is full. Please enter fewer values
  Message no. 01262
  Diagnosis
  You have included too many values in an authorization.
  Procedure
  Please distribute the data to at least two authorizations and combine them in a profile.
  Thanks.

  Hello Neha,
  Message no. 01262 refers to the entered values in an authorization, not to the objects listed in the profile!
  So this message tells you, that you have to split the authorization, as the authorization contains too many values. It is not a quesiton of that you have entered too many different objects to the profile!
  Please refer also to:
  [SAP Note 410993|https://service.sap.com/sap/support/notes/410993]
  and
  [SAP Note 943796|https://service.sap.com/sap/support/notes/943796]
  b.rgds, Bernhard

• *How to Delet one same object from different roles*

  I need to delete one auth object from different roles, Couls any one please advise me how can i do this and if there will be any complications involved with tis.
  Best regards:
  Maq

  In PFCG, it may be that you have added some objects manually. To remove them you will have to go to pfcg.
  Even if you first remove the objects from su24, you will have to go to all the roles through pfcg to generate them in expert mode by selecting the third option (edit old status and merge with new data)

• Use of action links in combination with hierarchy object in analysis

  Hi All,
  From OBI 11g release hierarchy objects are available in the presentation layer of OBI. We make often use of these hierarchy objects. We also make use of action links to drill down to a analysis with more detailed information. This more detailed analysis should inherit the values of the higher-level analysis. In combination with the hierarchy objects this can give problems.
  An example:
  Let's say we have the following atttributes:
  Hierarchy object date (year, quarter, month), a product column and # of units shipped measure. On the column # of units shipped we have defined an action link to a more detailed analysis.
  Now, let's say the user clicks on the year 2011 in the hierarchy object. The quarters for 2011 are shown. The 'normal' product column attributes contains 'Product A'. The user makes use of the action link that is available by clicking on the measure value of # of units shipped. He clicks on the value that is based on quarter 2 of 2011 and 'Product A'. The detailed analysis is set to filter the analysis on the product and date dimension. In this example the analysis is filtered on 'Product A' but not on the value Quarter 2, 2011. Hierarchy object values are not passed through on clicking on a action link.
  Is there any workaround for this issue? We want to make use of the hierarchy object but users expect to also pass the hierarchy object value to the underlying detailed analysis

  I am facing the same issue...
  First check it out:
  http://prasadmadhasi.com/2011/12/15/hierarchicalnavigationinobiee11g/
  http://www.rittmanmead.com/2010/10/oracle-bi-ee-11g-navigation-passing-parameters-using-hierarchical-columns/
  I solved it by using Go URL link. I pass value of hierarchy level (whichever level it is). For Year it is 2012, month: 2012-03.
  Now ugly part: in url I pass 2 parameters that refers to the same value : "Time"."Year"="2012", "Time"."Month"="2012"
  In target report I apply filter: "Time"."Year" "Is Prompted" OR "Time"."Month" "Is Prompted"
  This way in target report only one of filters will work : depending from which level you navigated from source report.
  If you decide use this approach be carefoul with URL syntax, remember about double quotes etc. In my case it was:
  Parameter : value
  PortalGo : [LEAVE EMPTY]
  path : %2Fusers%2Fweblogic%2FMIS%20EVAL%2FT_Target
  options : dr
  Action : Navigate
  col1 : "Time"."Year"
  val1 : [SELECT TIME HIERARCHY COLUMN]
  col2 : "Time"."Month"
  val2 : [SELECT TIME HIERARCHY COLUMN]
  Remember to:
  Remove “=” after PortalGo
  Surround value attribute with double quotes - e.g. @val1=”@{6}”
  After you "adjust" your URL text manually (unfortunatelly it won't be done automatically) it should look like:
  http://10.10.10.100:7001/analytics/saw.dll?PortalGo@{1}&path=@{2}&options=@{3}&Action=@{4}&col1=@{5}&val1=”@{6}”&col2=@{7}&val2=”@{8}”

• Trouble when adding / modifying authorization objects in a role through ERM

  Hi everyone!!!
  We're having some issues when configuring ERM, we followed the Post-Installation guides and we are done with the config part, but when we try to do an example creating a role, we're getting an error message when attempt to add the authorization data.
  When we look at the log, we find this message:  /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
  This is the last log...
  2010-11-05 17:03:42,515 [SAPEngine_Application_Thread[impl:3]_30] ERROR /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
  java.lang.Throwable: /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
       at com.virsa.re.service.sap.dao.SAPRoleTimestampDAO.getRoleChangedDetails(SAPRoleTimestampDAO.java:136)
       at com.virsa.re.bo.impl.ConcurrentAccessRoleBO.isRoleChangedInPFCG(ConcurrentAccessRoleBO.java:228)
       at com.virsa.re.role.actions.AuthAuthorizationDataAction.pageLoad(AuthAuthorizationDataAction.java:6865)
       at com.virsa.re.role.actions.AuthAuthorizationDataAction.execute(AuthAuthorizationDataAction.java:213)
       at com.virsa.framework.NavigationEngine.execute(NavigationEngine.java:273)
       at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:230)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)
       at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)
       at com.virsa.comp.history.filter.HistoryFilter.doFilter(HistoryFilter.java:43)
       at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:384)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Plz help us, we can't find any information about this error.
  Regards
  Connie

  Hi,
  Settings need to be checked-
  1. Connectors must be identical for all components for a particular system and test connection should be successful.
  2. Unicode should be checked for RAR connector.
  3. Patch Level should be same on GRC and Backend and all backend post-installation activites must be completed  - (BC set activation, Program etc)
  4. RAR Objects Import must be done.
  5. ERM Background jobs must be completed before doing Role Creation- Transaction/Object/Field sync, Org Value sync and activity sync.
  If above activities are done, no issues should occur in tcode/Object assignment in role.
  Regards,
  Sabita

• How we can remove  one authorization object from multiplt roles

  How we can remove one authorization object from multiplt roles

  > Correct me if I am wrong !!
  O.K., Here I go
  > But if the object is maintained in SU24 and if you use Expert mode for generation of the role then again those objects may be pulled.(make sure you never use expert mode once you delete the objects)
  Actually using expert mode and choosing 'edit old status' is the only way to avoid objects being 'pulled in' after menu changes.
  > As jurjen said, you may download the tables and instead of deleting the object from the excel sheet, change the value of the object in column "DELETED" = X, by doing this only the objects get inactivated(but remain in PFCG).
  I am not speaking of downloading tables but about downloading roles from PFCG. This will not get you a spreadsheet but a flat textfile. If you whish to set the object status to deleted you'll have to swap the space on position 207, right behind the 'U, S, G' flag,  with an 'X' for all corresponding lines.
  Jurjen

• Cannot add objects in the role

  Hi,
  i have created a role in sap portal, but i cannot see the properties of this role by clicking on properties button in the role editor.
  other problem: i cannot add any object in this role, when i open the role and trying to add a page object for example, nothing happened.
  Hawever i have an administrator role.
  Any help?
  Thanks

  Thanks for your response.
  my role is not locked.
  for more details:
  i have created zpage in Folder named PAGE
  i have created ziview in a folder IVIEW
  i have created zrole in a folder ROLE.
  i have opened zrole in the role editor and have clicked on zpage to add it in zrole bur nothing happened.
  in the role editor i cannot also see the properties by clicking on properties button in role ditor

• Mass change of authorization objects in several roles

  Hello,
  we have to change a authorization object in almost 200 roles. Is there any possibility for mass change of authorization objects in several roles? We don't use the central SAP user administration.
  Best Regards
  Andreas Walter

  > at the moment all entries has the value "*". We want to change this value into "0001".
  Good!
  Here comes:
  1- download all relevant roles in once from PFCG. Make sure you use an appropriate codepage so you don't loose special characters in the role and menu texts.
  2- copy and backup the download file
  3- in the download file (is a text file)  look for all lines starting with AGR_1251 and conatining M_MATE_WGR and the field you want to change
  4- take out the star and two spaces and replace by 001. This file is a set of fixed record length table exports and keeping the original length is very important.
  5- upload the edited file and generate the profiles.
  As you may see this is not SAP standard and completely at your own risk. Best try in a sandbox client first.
  Good luck!
  Jurjen

• Disable an Authorisation object for Multiple roles.

  Hi ,
  I need to Disable an authorisation object F_BKPF_BUP for about 345 roles.Is there any way by which we can make mass changes.Doing it for individual role would take a lot of time.kindly advice.
  Thanks in advance

  Hi,
  1. Go to SE16 --> table  USOBT_C --> put object F_BKPF_BUP in the field "Object" --> execute without restriction. Download the list of TCodes.
  Now go to Table AGR_TCODES --> put the list of TCodes (found with above method) in the field "Extended name" as multiple selection --> execute and download the list of roles.
  Look up your list of 345 roles with this list. After matching, you need to sort out the TCodes present in this list of roles which is checking the object F_BKPF_BUP.
  2. Now go to SU24.. go to option "Authorization Object" and NOT in the Transaction section.
  Put the Object and execute.... go to change mode.... check the proposals for the TCodes you sorted at last step of point 1. Make the proposal Do Not Check where ever it is not so.
  Move the Workbench Transport through Landscape. Your purpose will be done. But you should also keep in mind if the TCodes are present in other roles besides of your 345, those will become vulnerable.
  Regards,
  Dipanjan

• Deletion of Authorisation object from many roles

  Hi Gurus,
  How can we deleted one customized authorisation object included in many roles at once?
  Do it one by one is little bit time consuming. Please help me out.
  Thanks
  Firoz.

  >
  Jurjen Heeck wrote:
  > > You can use CATT/eCATT to record the steps and try it out. While recording you can include a step to click the find button and input the authorization object which you want to delete and then delete it.
  >
  > I do not think ECATT can handle the correct cursor positioning.
  >
  > My question to the original poster is:
  > How many roles are affected? This gives an idea about the amount of investigation which is reasonable to find a workaround.
  I believe it can be done with SECATT using the "find button" to locate the auth object thus addressing the cursor positioning but I will NEVER advise or go the SECATT or ECATT script route for regeneration of roles.  I just do NOT trust a script to automatically regenerate a role unless they number in the thousands or several hundreds.
  To answer your question, I'll do it one at a time.  And as Jurjen pointed out you need to run a query to find out exactly how many roles are affected, you might be pleasantly surprise.  Run SE16->AGR_1251 to find out how many auth objects need to be corrected.
  Good luck!

• Hierarchy Analysis Authorisation

  Hi All
  We are trying to limit the output of a HR Sickness report depending on the user's position in the Org Structure hierarchy. We can't use structural authorisation as its not maintained in ECC.
  We have the org struct in BI and we want to setup dynamic Analysis Authorisation (AA). So we want to create AA with hierarchy restriction on 0orgunit based on a variable. Then at runtime the variable is populated by ABAP with the user's org unit. The report then shows the data for the user's org unit (and all other org units below in the org structure).
  In RSECADMIN I can create a new authorisation object and add 0orgunit to it. On the Hierarchy Authorisations tab  I hit the create button and select orgeh hierarchy . Then I press the 'select variable' button and I get the error message 'No variable of type Customer/SAP exit for characteristic 0ORGUNIT exists'.
  What am I doing wrong? Where do I specify a variable for 0ORGUNIT so that it can be available in the selection screen?
  Thanx
  Asif

  https://wiki.sdn.sap.com/wiki/display/BI/AuthorizationinSAPNWBI
  http://www.sdn.sap.com/irj/scn/events?rid=/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144&overridelayout=true
  Go through these links. Hope this would help you.

• Export / import tablespace with all objects (datas, users, roles)

  Hi, i have a problem or question to the topic export / import tablespace.
  On the one hand, i have a database 10g (A) and on the other hand, a database 11g (B).
  On A there is a tablespace called PRO.
  Furthermore 3 Users:
  PRO_Main - contains the datas - Tablespace PRO
  PRO_Users1 with a role PRO_UROLE - Tablespace PRO
  PRO_Users2 with a role PRO_UROLE - Tablespace PRO
  Now, i want to transfer the whole tablespace PRO (included users PRO_MAIN, PRO_USER1, PRO_User2 and the role PRO_UROLE) from A to B.
  On B, I 've created the user PRO_Main and the tablespace PRO.
  On A , i execute following statement:
  expdp PRO_Main/XXX TABLESPACES=PRO DIRECTORY=backup_datapump DUMPFILE=TSpro.dmp LOGFILE=TSpro.log
  On B:
  impdp PRO_Main/XXX TABLESPACES=PRO DIRECTORY=backup_datapump DUMPFILE=TSpro.dmp LOGFILE=TSpro.log
  Result:
  The User PRO_Main was imported with all the datas.
  But i 'm missing PRO_USER1, PRO_User2 and the role PRO_UROLE...
  I assume, i 've used wrong parameters in my expd and / or impdp.
  It would be nice, if anybody can give me a hint.
  Thanks in advance.
  Best Regards,
  Frank

  When you do a TABLESPACE mode export by specifying just the tablespaces, then all that gets exported are the tables and their dependent objects. The users, roles, and the tablespace definitions themselves don't get exported.
  When you do a SCHEMA mode export by specifying the schemas, you will get the schema definitions (if the schema running the export is privied) and all of the objects that the schema owns. The schema does not own roles or tablespace definitions.
  In your case, you want to move
  1. schemas - which you already created 1 on your target database
  2. roles
  3. everything in the tablespaces owned by multiple schemas.
  There is no 1 export/import command that will do this. This is how i would do this:
  1 - move the schema definitions
  a. you can either create these manually or
  b1. expdp schemas=<your list of schemas> include=user
  b2 impdp the results from b1.
  2. move the roles
  expdp full=y include=role ...
  remember, this will include all roles. If you want to limit what gets exported, then use:
  include=role:"in ('ROLE1', 'ROLE2', ETC.)
  impdo the roles just exported
  3. move the user information
  a. If you want to move all of the schema's objects like functions, packages, etc, then you need to use a schema mode
  export
  expdp user/password schemas=a,b,c ...
  b. If you want to move only the objects in those tablespaces, then use the tablespace export
  expdp user/password tablespaces=tbs1, tbs2, ...
  c. import the dumpfile generated in step 3
  impdp user/password ...
  Hope this helps.
  Dean

• System Privileges, Object Privileges and Roles in Oracle 10g r2

  Hello,
  I am looking for a comprehensive details about each and every role, privileges(both object and system) that are available in standard Oracle EE 10g r2.
  I have visited administrator reference manual and other documents from docs.oracle.com but could not fine this information.
  Can anyone redirect me to an appropriate URL or documentation that details whats and hows of each and every roles and privileges?
  Thanks,
  R

  Rich V wrote:
  Hello,
  I am looking for a comprehensive details about each and every role, privileges(both object and system) that are available in standard Oracle EE 10g r2.
  I have visited administrator reference manual and other documents from docs.oracle.com but could not fine this information.
  Can anyone redirect me to an appropriate URL or documentation that details whats and hows of each and every roles and privileges?
  Thanks,
  RHi, you can use dba_role_privs,role_sys_privs views,for more information see
  http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/admusers.htm
  http://www.cuddletech.com/articles/oracle/node36.html

• Changing object name of role is not reflected

  When I change the Current Object Name for a specific role this change is not reflected. The role still retains it original name in the PCD or when I assign the role to a user.
  This only happens for a specific role in our system. For all other roles the change of the Object Name works fine.
  What am I overlooking?

  Hi ,
  Please check that when you change property 'name' of the role and then click on save button you shud get a  'save successful ' kinda message.
  If not then may be your role is locked by some other portal user id and thus not allowing you to change it. Please note that this will also not allow to change any property of the role, so you can test this by trying changing the other properties of the role.
  If this is not the case, then compare the properties of two roles one whichis working fine and the one which is not.
  Thanks,
  Namrta Mahajan