Job role design - transaction role and auth object role

Hi all, please kindly comment following job role design:
(1) transaction role:
Keep transactions in a single job role to represent business processes in different application areas, e.g. MM: maintain PR, PO, OA. CO: maintain cost center, internal order. HR: maintain org structure, personnel management.
The single job role will only keep the role menu and object S_TCODE, and inactivate all other application-related authorization objects.
(2) authorization role
Keep application component related authorization objects except S_TCODE in a single job role per application area, e.g. objects of MM_B, MM_E, MM_G in the MM role; objects of K_CCA, K_CSKS_SET in the CO role; objects of HR in the HR role.
Then maintain the org levels of the MM, CO, HR roles for different companies, e.g. Company A MM role, Company A CO role, Company A HR role, Company B MM role, ...
Users will be assigned transaction role + auth object role. For example, a user of Company A who performs MM and CO functions will be assigned the MM transaction role + Company A MM role + Company A CO role.
Please let me know the pros and cons of the above design. Thanks.
Regards,
Donald
* I can see that a disadvantage of this design is that during an SAP upgrade (SU25), revisions of authorization objects will not be reflected in the authorization role.

Brent Van Dyck wrote:
Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be fewer roles.
In the case of HCM and also BW, the auths admin needs to know more about the data and organization than classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could, however, also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
But splitting cube / characteristics / key figures or infotype / personnel group / auth code into different roles can only go wrong.
Another mistake some "value role experts" sometimes make is that they don't want SU24 proposals in PFCG because they don't understand them. So what they do is clean out the SU24 tables completely... Well... the side effect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system, although there are mostly good reasons not to have the checks active.
Cheers,
Julius
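
The merge behaviour this thread turns on, as an added model (not code from the thread or from SAP): every authorization of every assigned role is pooled, and a check on an object passes only if one single authorization covers all checked fields. It shows why the transaction role + authorization role split works (S_TCODE and the MM objects are different objects) while splitting the fields of one object across roles fails. Object and field names are real SAP names; the role names, values and the simplified matching rules (exact, `*`, trailing `*`, range) are assumptions.

```python
"""Simulated SAP AUTHORITY-CHECK over several PFCG roles (constructed model).

All authorizations of every role assigned to a user are merged; a check on an
object passes if ANY single authorization for that object satisfies ALL checked
fields. Object and field names are real SAP names; role names and values are made up.
"""
from typing import Dict, List, Tuple, Union

Value = Union[str, Tuple[str, str]]                 # "01", "ME2*", "*" or (low, high) range
Authorization = Tuple[str, Dict[str, List[Value]]]  # (object, {field: allowed values})
Role = List[Authorization]

def value_matches(allowed: List[Value], value: str) -> bool:
    """One field: exact value, '*', trailing-'*' pattern, or an inclusive range."""
    for a in allowed:
        if isinstance(a, tuple):
            if a[0] <= value <= a[1]:
                return True
        elif a == "*" or a == value or (a.endswith("*") and value.startswith(a[:-1])):
            return True
    return False

def authority_check(roles: List[Role], obj: str, **fields: str) -> bool:
    """True if one authorization, from any assigned role, covers every checked field."""
    for role in roles:
        for auth_obj, auth_fields in role:
            if auth_obj == obj and all(
                value_matches(auth_fields.get(name, []), val) for name, val in fields.items()
            ):
                return True
    return False  # a field absent from an authorization never matches

# Transaction role from the proposed design: menu + S_TCODE only.
MM_TRANSACTION_ROLE: Role = [("S_TCODE", {"TCD": ["ME21N", "ME51N", "ME2*"]})]

# Authorization role per company: application objects with org levels filled in.
COMPANY_A_MM_ROLE: Role = [
    ("M_BEST_EKO", {"ACTVT": ["01", "02", "03"], "EKORG": ["A001"]}),
    ("M_BEST_BSA", {"ACTVT": ["01", "02", "03"], "BSART": ["NB"]}),
]

# Anti-pattern from the reply: the FIELDS of one object split across two roles.
SPLIT_ACTIVITY_ROLE: Role = [("F_BKPF_BUK", {"ACTVT": ["01", "02", "03"]})]
SPLIT_ORGLEVEL_ROLE: Role = [("F_BKPF_BUK", {"BUKRS": ["1000"]})]

def can_create_po(roles: List[Role], ekorg: str) -> bool:
    """ME21N needs S_TCODE (transaction role) plus complete MM objects (auth role)."""
    return (authority_check(roles, "S_TCODE", TCD="ME21N")
            and authority_check(roles, "M_BEST_EKO", ACTVT="01", EKORG=ekorg)
            and authority_check(roles, "M_BEST_BSA", ACTVT="01", BSART="NB"))

def can_post_fi_document(roles: List[Role], bukrs: str) -> bool:
    """F_BKPF_BUK is checked with ACTVT and BUKRS together, in one authorization."""
    return authority_check(roles, "F_BKPF_BUK", ACTVT="01", BUKRS=bukrs)

if __name__ == "__main__":
    user_a = [MM_TRANSACTION_ROLE, COMPANY_A_MM_ROLE]
    print("Company A PO create:", can_create_po(user_a, "A001"))              # True
    print("Company B PO create:", can_create_po(user_a, "B001"))              # False (org level)
    print("Auth role only:", can_create_po([COMPANY_A_MM_ROLE], "A001"))      # False (no S_TCODE)
    split_user = [SPLIT_ACTIVITY_ROLE, SPLIT_ORGLEVEL_ROLE]
    print("Split-field posting:", can_post_fi_document(split_user, "1000"))  # False (no single auth)
```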

Similar Messages

  • APO roles and auth objects

    Hello all,
    Can someone tell me the most commonly used Tcodes, roles and auth objects in SAP APO-DP and APO-SNP security?
    thanks

    I was going to type them out but luckily for me found this link to the DP & SNP auth objects - the info there is as detailed as anything else I have seen
    http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/content.htm
    There is a list of useful APO transactions here
    http://help.sap.com/bp_scmv241/documentation/SCM_AIO_BP_Function_List.xls
    I can't help with the standard roles as I build my own.

  • SoD Analysis , tables to relate roles, transactions and auth objects

    Hi everyone,
    I am analyzing my company's SAP roles in terms of segregation of duties; however, I am having a problem.
    I need a table/report to give me, for each role, every transaction, and for each transaction in the role, every authorization object.
    For example, I want to know for Role B that has transaction C, which has the following authorization object D with values X and Y.
    Therefore I want to know, for each role and its respective transactions, which are only display and/or execute and/or editable. How can I do that?
    Thanks!

    Hi,
    There is no default report/table which gives you the required information. However, you can achieve this by using SQVI. Join the tables, and create a tcode for the same. Refer the below link:
    Re: SAP Query in SQVI transaction
    Alternatively, you can download all the data into spreadsheet and create Pivots to plot the information.
    The other alternative is to have a custom program built which takes the information from AGR_DEFINE, AGR_AGRS, AGR_1251, AGR_1252, AGR_TCODE tables.
    Hope this helps!!
    Regards,
    Raghu
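
The join described in the answer, as an added example that is not code from the thread or from SAP: constructed rows in the real AGR_TCODE and AGR_1251 column names are loaded into an in-memory SQLite database and queried to list each role's transactions, their authorization objects and values, and to classify each as display, execute or edit. Because AGR_1251 does not record which transaction an object serves, the SU24 proposal table USOBT_C is used as the link, and the ACTVT-to-display/execute/edit mapping is an assumption of this model.

```python
"""Role -> transaction -> auth object -> values report, as an offline SQLite model.

Constructed rows in the real SAP column names; AGR_1251 does not record which
transaction an object serves, so USOBT_C (SU24 proposals) is used as the link.
"""
import sqlite3
from collections import defaultdict

SCHEMA = """
CREATE TABLE AGR_TCODE (AGR_NAME TEXT, TCODE TEXT);
CREATE TABLE USOBT_C (NAME TEXT, TYPE TEXT, OBJECT TEXT, FIELD TEXT, LOW TEXT, HIGH TEXT);
CREATE TABLE AGR_1251 (AGR_NAME TEXT, OBJECT TEXT, AUTH TEXT, FIELD TEXT,
                       LOW TEXT, HIGH TEXT, DELETED TEXT);
"""
# Constructed sample: one role with ME21N (create PO) and ME23N (display PO).
SAMPLE_ROWS = {
    "AGR_TCODE": [("Z_ROLE_B", "ME21N"), ("Z_ROLE_B", "ME23N")],
    "USOBT_C": [("ME21N", "TR", "M_BEST_EKO", "ACTVT", "01", ""),
                ("ME21N", "TR", "M_BEST_EKO", "EKORG", "$EKORG", ""),
                ("ME23N", "TR", "M_BEST_EKO", "ACTVT", "03", ""),
                ("ME23N", "TR", "M_BEST_EKO", "EKORG", "$EKORG", "")],
    "AGR_1251": [("Z_ROLE_B", "M_BEST_EKO", "T-A0000001", "ACTVT", "01", "", ""),
                 ("Z_ROLE_B", "M_BEST_EKO", "T-A0000001", "ACTVT", "03", "", ""),
                 ("Z_ROLE_B", "M_BEST_EKO", "T-A0000001", "EKORG", "1000", "2000", "")],
}
REPORT_SQL = """
SELECT DISTINCT t.AGR_NAME, t.TCODE, a.OBJECT, a.FIELD, a.LOW, a.HIGH
FROM AGR_TCODE t
JOIN USOBT_C  u ON u.NAME = t.TCODE AND u.TYPE = 'TR'
JOIN AGR_1251 a ON a.AGR_NAME = t.AGR_NAME AND a.OBJECT = u.OBJECT
WHERE a.DELETED = ''
ORDER BY 1, 2, 3, 4, 5"""
PROPOSED_ACTVT_SQL = ("SELECT LOW FROM USOBT_C WHERE NAME = ? AND TYPE = 'TR' "
                      "AND OBJECT = ? AND FIELD = 'ACTVT'")
ACTVT_CLASS = {"03": "display", "16": "execute", "01": "edit", "02": "edit", "06": "edit"}

def build_db() -> sqlite3.Connection:
    """Load the constructed rows into an in-memory database (stands in for SQVI access)."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        con.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(rows[0]))})", rows)
    return con

def role_report(con):
    """{(role, tcode, object): {field: [values]}}: the per-role/per-tcode list asked for."""
    report = defaultdict(lambda: defaultdict(list))
    for role, tcode, obj, field, low, high in con.execute(REPORT_SQL):
        report[(role, tcode, obj)][field].append(f"{low}-{high}" if high else low)
    return report

def access_kind(con, report):
    """display / execute / edit per (role, tcode, object), counting only the ACTVT values
    that SU24 proposes for that tcode, so the role's 01 is not attributed to ME23N."""
    kinds = {}
    for (role, tcode, obj), fields in report.items():
        proposed = {row[0] for row in con.execute(PROPOSED_ACTVT_SQL, (tcode, obj))}
        effective = set(fields.get("ACTVT", [])) & proposed
        kinds[(role, tcode, obj)] = sorted({ACTVT_CLASS.get(v, "other") for v in effective})
    return kinds

if __name__ == "__main__":
    db = build_db()
    for key, kind in access_kind(db, role_report(db)).items():
        print(key, kind)
```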

  • Need Role Design for Oil and Gas industry

    Hi All,
    I have a requirement to design roles for the Oil and Gas industry. Could anyone share some material/link or overview on the same?
    If not all, role design on UOM is also fine.
    regards
    Plaban

    Hi Mythily,
    If you already know something about exploration of oil, then you will find PRA (Production and Revenue Accounting) interesting. This module deals with exploration of oil and gas and then distributing the revenue to owners.
    You can find detailed information in help.sap.com. Follow the link given below for PRA help:
    http://help.sap.com/saphelp_oil46csp2/helpdata/en/ec/9d2c3adcc8431be10000000a114084/frameset.htm
    Reading some of the material will give you more clarity on whether you like it or not.
    And it is perfectly fine to have ABAP knowledge; that will help in going deep into Oil and Gas.
    Rgds,
    Abhishek

  • Multiple PFCG Roles to a user and one business role

    Hello SAP CRM Experts,
    we are facing a problem and I need your help.
    The external user can access CRM through three distinct business roles.
    However, for each of these business roles, there are specific access rules configured in three different PFCG profiles.
    In the user record (SU01), the three PFCG profiles are assigned because the user must have access to the three different business roles.
    However, in one of the profiles the ability to modify the service order document is blocked, and in the other it is allowed to modify this document.
    Is there a customizing setting where I can associate the PFCG role with the business role, so that when the user logs into the system it identifies the business role he accessed and the PFCG profile associated with it?
    However, this configuration is not working and did not solve the problem.
    It seems to me that there is a merge of all the permissions the user has, and the PFCG role associated with the specific business role is not being considered.
    Is this really correct? Does the merge of permissions occur?
    Best regards,
    Diogo Lupinari

    Yes, that's correct. When a user is assigned multiple PFCG roles, all authorizations are in play.

  • Appraisals object type VA and auth object P_HAP_DOC

    The system is running the 2005 version. While running the APPCHANGE tcode, the program ignores values in the PD profile for object type VA. Furthermore, the program bypasses the check against the P_HAP_DOC object. Any hints why this happens? For example, the 2005 IDES system we have performs these checks OK.

    Hi Carlos,
    The Otypes are VA - Template, VB - Criteria group and VC - Criterion.
    The hierarchy is as follows:
    VC is below VB, which is below VA.
    The objects as such will be created in HRP1000 as usual.
    In addition, there are tables which start with HRHAP* which hold the appraisal document related data.
    But the table contents cannot be seen from SE11 or SE16. Create an SQ01 Quick Viewer query for the database tables.
    Hope this helps.
    Reward points if it helps you.
    Regards,
    Subbu.

  • security-role and auth-constraint

    Hi Everybody,
    I want to know the relation between the <role-name> tags defined under <security-role> tag and the <auth-constraint> tag (defined for web-resource-collection).
    Assuming that tomcat is being used, should the <role-name> of <security-role> map to a role defined for tomcat and then the <role-name> of <auth-constraint> map to the <role-name> of <security-role>.
    Or how does it all work ? How are these two <role-name> tags related ?
    Thanks in advance for your time.
    Vikas

    In <security-role> you define the roles; in <auth-constraint> you tell which role is allowed to use the protected resource.

  • Conceptual problem: 2 roles, 1 for access and 1 for allowed activities

    Hello,
    in SAP BW 3.5, I'd like to have separate role for
    - access to something (queries, infoareas, etc.)
    - authorization to perform an action (01 Create, 02 Change, 03 Display, Execute, etc.)
    The driver being that all users will have at least 2 roles, one telling what they can access and one telling what they are allowed to do.
    So far, S_RS_COMP is not that useful because it combines these 2 concepts.
    Any idea, how I may be able to do it?
    Thanks in advance!

    Dear "Smurf",
    As you state yourself, there is no obvious solution. Maybe a clarification of what you want to realize could help. Could it be that your distinction between "access" and "authorization for an action" is a bit fuzzy? What I want to say is that to grant access at least means to give authorization "03 Display".
    What you could do is make a distinction between "datamodel access" (S_RS_COMP + RSINFOAREA, ...), "reporting access" (role with report menu) and "content access" (role with content based authorization objects). Maybe this idea helps.
    Greetings,
    Stefan

  • Same Auth Objects CM in su24

    Hi All –
    In SU24 for a Tcode SU01 in “S_TCODE” the following auth objects are CM.
    S_USER_AGR
    S_USER_AUT
    S_USER_GRP
    S_USER_PRO
    S_USER_SAS
    & for Tcode PFCG
    S_USER_AGR
    S_USER_AUT
    S_USER_GRP
    S_USER_PRO
    S_USER_SAS
    I am developing a role initially with the SU01 Tcode. For the auth object S_USER_AGR, I am giving the field values 01, 02, 03, 06.
    Later I add the PFCG Tcode to the same role “P_TCODE”. For the auth object S_USER_AGR, I am giving the field values 22, 21.
    My question is, if the role is assigned to a user:
    1. Will he be able to create, change, display & delete roles using PFCG?
    2. What is the best way to restrict the users in create, change, display & delete?
    3. For the PFCG Tcode, none of the auth objects (the objects that are added by adding the SU01 or PFCG Tcode via the menu) are maintained in the role; what would be the implication?
    Thanks,
    VJ

    Hi,
    1. What is the purpose behind the calling of multiple Tcodes thru a single T.code? I mean to say, suppose I require a C.Code object to be associated with a T.code; for doing that, why am I connecting it to the C.Code object of some other T.codes?
    Many tcodes are customized to limit the access / risk. The best example is with SM30. If a user wants to maintain a table, you can create a custom transaction which skips the initial screen (the user doesn't need to enter the table name) and allows the user to edit the right table, or only one table rather than many.
    You can connect your custom authorization object to F-67; it will not affect FBV1. The settings from FBV1 can be overwritten with the entries in F-67. Use transaction SE93 to see more details and customization in transaction F-67.
    2. If I assign a C.Code (let's say 1000) thru object F_BKPF_BUKRS to a user, does it mean that I don't need to assign that C.Code to the user again for access related to C.Code 1000 in the accounting document area? Or is there anything like that, the C.Code access will be coded globally for that user for all C.Code related access for FI, MM and SD?
    Once you assign the authorization to company code 1000, it means the user has access to this company code across modules. This is subject to the transactions and their authorization objects attached to them in other modules. Note that not all transactions perform an authorization check for company code.
    3. Is there any T.code from where I can associate an authorization object with a T.code?
    You can use SU24 itself.
    Hope it clarifies your queries.
    Regards,
    Gowrinadh

  • Manually added auth objects and Derived roles

    If there are manually added auth objects in the parent role do they come across to the derived roles?
    Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?

    Yes, any auth objects will come across to derived roles when you click 'generate derived roles' from your parent role. Basically it is copying your parent role authorizations to derived roles except org. level data (if you had maintained them thru the 'org. maintenance' button and not by adding in individual objects).
    Yes, manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles' from your parent role.
    If you just derived the role menu and didn't copy the authorizations (generate derived roles) then there will not be any interlink between the parent and derived roles for authorizations.
    http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm

  • Role creation and authorization objects in sap

    Hi
    I want to know the full relationship between creation of roles, authorization objects and authorizations in Web AS ABAP.
    Please explain the process in detail, the use of PFCG and all its options, and how to create Z roles.

    Although it would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
    - Roles are nothing but a container for authorizations. A role represents a specific part of an employee's job.
    - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transaction, field and field value level.
    For e.g. if a user wants to create a PO we can restrict him on:
    • Activity: Create/Change/Display
    • Org elements like Company Code, Plant, Purchase Organization etc.
    • Document type etc.
    - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each object class may have several authorization objects, and within each object we can have several authorizations (max. up to 99).
    - Fields: The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & 03 (Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
    - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist; they only have a meaning inside a profile.
    - Authorizations are contained within profiles, and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save, the system will auto-generate a profile name.
    - Authorization checks are included in the transaction source code in standard SAP R/3. A user may carry out an action if the authorization check is successful for each field in the object.
    Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

  • How can I limit/control the addition of auth. objects to security roles?

    Checking the authorization object S_USER_VAL, it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in the sandbox along with a test role, removing the object, creating ranges in order to limit to a certain type of auth. objects, and it didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!
    Edited by: Armando Salas on Nov 29, 2011 7:41 PM

    Hi Armando,
    Try with auth. obj. S_USER_AUT. A suggestion: search these objects with tcode SU24, for instance for tcode PFCG, and it gives a list of objects.
    I hope this helps you
    Regards
    Eduardo

  • Difference in Objects maintained in SU24 and inside the role.

    Hi Experts,
    I noticed that for t.code F-67, the default objects maintained in SU24 are different from the objects associated with the same t.code in a role.
    In SU24 only three objects are associated (F_BKPF_BUK, F_BKPF_KOA and S_TCODE), whereas in a role there are eight objects maintained (F_BKPF_BED, F_BKPF_BEK, F_BKPF_BES, F_BKPF_BLA, F_BKPF_BUK, F_BKPF_GSB, F_BKPF_KOA and F_FAGL_SEG).
    Please clarify! What is the reason for this difference?
    Regards,
    Mukesh


  • Auth objects required for creating super,power,end user roles

    Hi ,
    I need to create 3 roles according to the below requirement. Can you tell me what auth objects are required in order to fulfill the customer requirement?
    1. Super User:
       Has access to create/modify/delete own queries
       Can create Variables, CKF, Structures, Formulas & RKF at the cube level (global)
    2. Power User:
       Has access to create/modify/delete own queries
       Can create Structures, Formulas at the query level
    3. End User:
       Has access to run and navigate reports at the local level
    Hope I will get reply soon
    Thanks

    Karunakar -
    A few things you have to keep in mind when you are giving access to the reports and queries.
    S_RS_COMP only will not do.
    Have you assigned S_RS_COMP1 and S_RS_MPRO for info areas and multi/info providers?
    And one more auth object, S_RS_ICUBE, for info cubes: you have to assign whatever info cubes you need to give access to the users.
    Only then will the user get full access.
    Precisely, in order, you can say:
    S_RS_COMP
    S_RS_COMP1
    S_RS_ICUBE
    and S_RS_MPRO.
    These are the main auth objects which are related to info cube, info area access and BEx access.
    Hope this would give you a clear picture.

  • Relation between Roles and Course/Object ID

    Hi,
    Please tell me the HR infotype having roles/position/job in relation with Course/Object ID.
    HRP1000 has only courses.
    Or please tell me how to make a relation between the two, i.e. roles and course/object ID.
    S@chin

    All these characteristics will be available in different infotypes. Check the tcode PP01 and check with the help of the objects for Course ID.
