KM Structure and authorizations

Similar Messages

• USAGE of Logical structure and authorization mode in CATEGORY MODELER

  Hi,
  I am trying to figure out the relevance and usage of the logical structure in the category modeler i.e. hierarchial or attributive. As per the description the hierarchial categorization should not allow duplictae categories but we are able  to create more than one category with same codes i.e. duplicate categories. Please let me know the difference in the functionality of the two category - logical structures.
  Secondly I also want to know what is the usage of the authorizatio mode i.e. either OR or AND.
  Thanks and Regards,
  Jai Mishra

  Hi Andrez,
  Welcome to SDN. This is the standard way LO Cockpit works. The data source will be able to extract the load only from setup tables and then the deltas are based on the init based on the setup tables. I have not tried this. I am sure that you can extract data from R/3 into other datawarehouse systems (other than BW).
  Instead of this standard LO way of extraction, what I would do is to write an interface program (RFC FM or BAPI) from R/3 which would read the data directly from the database tables and put them in a queue or put it in a common area as a file. The other DW system would pick up this and post them. If you have a middleware between your R/3 and the third part (dw) system, this becomes even simpler as the data transfer will be handled by the middleware. The deltas can be handled programatically based on the date and the time stamp. Think about this solution. Hope it helps.
  Thanks and Regards
  Subray Hegde

• Learning SAP BW authorizations structure and hierarchy  -  concepts

  Hello Experts,
  I need a good document for learning Authorizations structuring and hierarchy in SAP BIW 3.5 . I am giving authorizations in BIW but do not hv conceptual nd fundamentalistic knowledge of SAP BW authorizations and its structure . Plz send a good document for learning BW authorizations .............................it may be an excerpt frm FU&FU guide. My Email Id is [email protected]
  A short but complete SAP BW fundamentalistic , concepts and structure & hierarchy covering document is appreciated.
  Requested to revert at earliest as this is very urgent.
  Points guaranteed.
  Regards,
  Somya

  Hi maheshwari ,
  Use these steps for authorizations,
  1.before going to authorizations u have to decide on which Infoobject u have to apply authorizations.
  EX: SD--- Sales Org, MM -> palnt ,purorg,FI> companycode.
  first u ahve to decide which area & on which Infoobject.
  2.goto that Infoobject --> change there check the checkbox Authorization relavent object cahechbox
  2.after that U Have to goto RSSM there u have to create authorization object
  Ex: Zxxx ( XXX is Infoobject Name ).
  3. In the same transaction Screen u have Infocube selection radio Button check that then select on which cube(cube means under that cube all Quaries) u have to make authorization for that perticuler Infoobject.
  4.next goto PFCG create role & save it
  5.goto Authorization tab in that selct edit authorization it will give automatiaclly authorization Templates in that u have to select only S_RS_RREPU & press Enter.
  6. Select manual pushbutton it will ask authorisation object enter ur authorization object what u have created ( zxxx) .
  7.click generate +enter
  8. goto user tab Enter userId+enter + click on usercomparision+ enter
  9.save the role.
  FOR HIRARCHIES:
  1. goto RSSM There u have one rediobutton called authorization hierarchy ( this radio button is very below the RSSM screen)
  2. there u have to select Hierachy on which u have to apply authorization.
  Thanks,
  kiran

• Integrate HR org structure and CUA?

  We are considering a new design for our authorization management on our production ECC 6.0 system.
  There will be 2 productive ECC 6.0 systems; which system you use will depend on your global location.  We currently utilize the HR org structure to assist us with provisioning and deprovisioning accounts on our durrent single ECC 6.0 instance, and we hang composite roles off of positions in the org structure, so that a fair amount of authorization management is automated.
  If we were to put a CUA client over the two productive ECC 6.0 clients, how might that be integrated with the HR organizational model?  Does CUA integrate well with an org structure?  Any experiences with this would be helpful.

  Hi Mary,
  Firstly, are the org structures in the two ECC clients identical - in sync with each other?
  If the org structures are different then it would limit the options that you would have:
  - CUA client would simply be used for the provisioning of the user id
  - The role to position allocation would still take place locally in each of the ECC clients
  - You would have to maintain the 105 relationships locally in the ECC clients
  - You would have to set the role maintenance option in SCUM to local maintenance
  If the org structure is the same on both ECC clients, then it would provide you with some additional options:
  Option 1 - use the approach described above to allow for local maintenance
  Option 2 - ALE the org structure to the CUA client, then allocate the composite roles to the positions on the org structure and maintain the 105 relationship on the CUA client.
  - the roles will then be distributed to the correct child system when the org recon is run
  Option 3 - Use one of the ECC systems as the CUA client (Which we are busy implementing at the moment)
  I'm using my ECC system as my central CUA for the production system, I know that many people would disagree with this due to upgrade requirements and all the rest. However in the Netweaver environment the ECC client is typically on the highest basis release, which caters for the CUA requirement and CUA is far more stable these days which reduces the risk. The other reason we have chosen this route is also the capacity of the ECC production system which is suitable.
  Also the HRORG is maintained on the same system, therefore less ALE requirements to move the org structure between systems etc. In the landscape we currently have BI and Portal, future applications/modules include ESS, MSS, APO and SEM.
  To achieve the solution I create all roles for all applications in the landscape, in the ECC client - for non-ECC roles the role definition is only role name and description (the correct authorisations are then maintained in the relevant child system). These are then distributed via RFC to the various child systems, it requires a couple of small changes but does work fine. All roles are then inlcuded into a composite role, regardless of which child system the role belongs to. The composite role is then allocated to the position in the HR org and once the HR recon is run, the role allocations are distributed to the correct child system. An example of a Line Manager Composite role would include:
  - HR Line Manager (ECC Client)
  - Cost Centre Manager (ECC Client)
  - BW Line Manager Menu role (Portal)
  - BW Line Manager Data role (BI client)
  - Purchasing Approval (ECC Client)
  I'm not sure if this has helped you, but in short the CUA integration with HRORG does work reasonably well and depending on the approach you choose it could affect the amount of maintenance that takes place. Just remember that the structural profile allocations would always take place locally on the ECC clients and only the role allocations can be managed from the CUA.
  Regards
  Sujeet

• About roles and authorizations

  hai friends,
  who will create roles and authorizations plz
  thanks in advance
  suitable answer will be given suitabel points
  kumari

  Roles and authorizations have to be done with Basis team and HR team together, because they are not the usual roles that other modules use. For instance, HR authorizations have different objects for PA, PY, Clusters, BM and CM. For OM and PD, you use transaction OOSP for authorization profiles.
  For my personal experience, when the consulting team ask the basis team to deal with authorizations for HR, they become paralized when they find Structural Authorizations Profiles, Period of responsibility, etc., because they don't know (and it is not their responsibility) about HR objects and concepts handled in txn OOSP.
  In order to avoid this problems, take an extra time for this in your implementation project. Roles and authorizations in HR, when done correctly, takes more time than other modules.

• Difference between Structural and Org. Based Security

  Hi
     Could anyone please explain the difference between Structural and Org. based security
  Also could anyone please point to relevant documents.
  Thanks

  Structural authorization:
  ex: assigning roles to position and not to userids.. Listed below are some links that may help you to get started in understanding "Structural authorization".
  http://www.sap-img.com/human/structural-authorization-vs-role-authorization.htm
  http://www.sap-press.de/katalog/buecher/inhaltsverzeichnis/gp/titelID-1071
  https://websmp205.sap-ag.de/~form/ehandler?_APP=00200682500000001337&_EVENT=DISPLAY&COURSE=ADM940
  HB

• What are the logical structure and physical structure in oracle

  what are the logical structure and physical structure in oracle and how can allocate a DB block size as default size is 8192?

  From the Concepts Guide
  http://download-east.oracle.com/docs/cd/B19306_01/server.102/b14220/toc.htm
  The physical structures are:
  Datafiles
  Control Files
  Redo Log Files
  Archive Log Files
  Parameter Files
  Alert and Trace Log Files
  Backup Files
  The Logical Structures are:
  Tablespaces
  Oracle Data Blocks
  Extents
  Segments

• What is diff b/w Include Structure and Append Structure at Database Level

  Hi Experts,
  Could you please let me know what is the main difference between .Include Structure and .Append Structure at SE11?
  Thanks in advance and for good answer will give good points.
  Sekhar

  Hi,
  1. Append Structures
  Append structures can only be assigned to a single table.
  Append structures are created in the custome rnamespace ( ZZ or YY)
  In case of new versions of the standard table during upgrade, the append structures are automatically appended to the new version of the standard table
  Append structures can not be used with cluster and pool tables
  Append structures are created in transaction SE11. Display the standard table fields and press the Append structure button.
  When you press the button, SAP sugests a name for the new append structure. After you has accepted the name,
  a screen will be shown where you can enter the new fields.
  Remember to activate.
  2. Customizing Includes
  Some of the SAP standard tables contains special include statements called Customizing includes. In contrast to Append structures,
  Note that customizing includes are created by SAP, but the customer supply the fields for the include.
  Customizing includes begin with CI_ and is part of the customer namespace
  One Customizing include can be inserted into more than one table.
  You can find Customizing includes in SE11 under structures.
  Try to take a look at table RKPF which uses the Customizing include CI_COBL (In an IDES system). Next try to add a field to CI_COBL, and activate it. If you go back to table RKPF you will se that your new field has been added.
  Regards,
  Ferry Lianto

• Fields missing in MPD report after change to structure and program

  I have been working on a consistency report for transaction MPD.
  I had created a structure in SE11 for handling the data.  it was all working, but then i had to go and change the name of the fields in the structure.  Now those fields are missing from the report. 
  When i step through the debugger, all the fields are being populated correctly, but these fields are not displayed on screen.  if i change the field names back in the structure and change the code for populating these fields, they appear okay.
  i have created a custom implementation within BAdi MPD_WKB_REPORTING. 
  i have checked the config and it all points to my Z Structure and Z Table Type.  I have logged off and logged back on!  made sure my code is saved and activated...
  any ideas on how i can display these new fields names/values?
  Just for clarity, the field name has changed. not the linked data type.

  thanks for your response, however those notes and program have not done anything to assist my issue.
  i have found the anwser now!
  within the BAdi was a method i had to amend:  IF_EX_MPD_WKB_REPORTING~GET_ALV_PARAMETERS 
  all fixed now!

• An issue with authentication and authorization on ISE 1.2

  Hi, I'm new to ISE.
  I have an issue with authentication and authorization.
  I have ISE 1.2 plus patch 6 installed on VMware.
  I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
  On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
  I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
  I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
  I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
  What  should I do to resolve this issue?
  Switch configuration:
   testISE#sh runn
  Building configuration...
  Current configuration : 7103 bytes
  ! Last configuration change at 12:20:15Tue Apr 15 2014
  ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
  version 15.0
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname testISE
  boot-start-marker
  boot-end-marker
  no logging console
  logging monitor informational
  enable secret 5 ************
  enable password ********
  username radius-test password 0 ********
  username admin privilege 15 secret 5 ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
   client 172.16.0.90 server-key ********
  aaa session-id common
  clock timezone 4 0
  system mtu routing 1500
  authentication mac-move permit
  ip dhcp snooping vlan 1,22
  ip dhcp snooping
  ip domain-name elauloks
  ip device tracking probe use-svi
  ip device tracking
  epm logging
  crypto pki trustpoint TP-self-signed-1888913408
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1888913408
   revocation-check none
   rsakeypair TP-self-signed-1888913408
  crypto pki certificate chain TP-self-signed-1888913408
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  ip ssh version 2
  interface FastEthernet0/5
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/6
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/7
  interface Vlan1
   ip address 172.16.0.204 255.255.240.0
   no ip route-cache
  ip default-gateway 172.16.0.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   deny   icmp any host 172.16.0.1
   permit ip any any
  ip radius source-interface Vlan1
  logging origin-id ip
  logging source-interface Vlan1
  logging host 172.16.0.90 transport udp port 20514
  snmp-server community public RO
  snmp-server community ciscoro RO
  snmp-server trap-source Vlan1
  snmp-server source-interface informs Vlan1
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host 172.16.0.90 ciscoro
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  radius server ISE-Alex
   address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key ******
  ntp server 172.16.0.1
  ntp server 172.16.0.5
  end

  Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

• Multiprovider and Authorizations

  Multiprovider and Authorizations:
  The challenge is to ensure you do not have more access trough the multiprovider then you have trough the sourcecubes.
  example:
  Multiprovider, Joining sourcecube 1 + 2 ( Heterogeneous MP combining data from different infoareas)
  Sourcecube 1: Authorizations for company code X+Y
  Sourcecube 2: Authorizations for company code Y+Z
  What company codes in which source cubes will you have access to report on trough the multiprovider?
  1) XYZ from both cubes ?
  2) X from cube 1 , Y from cube 1+2, Z from cube 1
  3) only the common Y from cube 1 +2
  The expected results is scenario 2. Basically the same access/restriction you would get, if reporting directly on the sourcecube's.
  This can of course be tested with a test user with limited authorizations. The obstacle here though is that the authorization setup is defined with roles and a business unit hierarchy authorization object (consisting of several company codes) that is not fully in place yet. Hence the test will not give you a 100 % liable verification.
  Has anyone else faced the same question, or can verify the expected results? I have not found any good documentation on authorization and multiprovider .
  (PS, With Support package 2 for BW 3.0B a new authorization object is available used to define authorizations on a Multiprovider level. S_RS_MPRO - Multiprovider. This gives more flexibility , but is not the answer to the general question)
  Best regards Per Roar

  It depends. When you create an authorization object you decide on which InfoProviders the authorization object is valid. So if it's valid on Cube 1 it doesn't say anything about authorization on the Multiprov.
  Best regards
     Dirk

• How can I remove the Apple ID authorization only on one computer and authorize another in his place?

  how can I remove the Apple ID authorization only on one computer and authorize another in his place?

  De-authorize the computer in question.
  Then authorize the new computer.
  Or de-authorize all computers and authorize only the ones that actually exist.

• HT1933 I have old email address's I used for iTune music purchases and cannot change password on several old accounts. Now some of the music I purchased I can not download and authorize it on my device. What can I do password security does not match my bi

  I have old email address's I used for iTune music purchases and cannot change password on several old accounts. Now some of the music I purchased I can not download and authorize it on my device. What can I do password security does not match my birthdate on two of the accounts. Apple can not send me email with a password authorization on several current accounts that I have with them. How can I contact Apple with this annoying problem I can not fix.

  settings - app/iTunes store - sign out and sign back in with your new id.
  Note - if your older apps needs an update it will use your old apple id and password, as Apps are tied to the apple id that was used to purchase it.
  You can't merge apple id.

• I need to make a task with less as3 code and more timeline structure and event dispatcher !

  I went to an interview in a big company. I had to make a  task in which there is a wall with 3 lines and 5 columns filled with bombs.When you click on a bomb the bomb changes its scale, a robot enters, goes under the bomb and takes it, then goes to a smaller wall, makes the bomb smaller and place it at the same place it had been in the previous wall.I made the task with tween througout as3 code.The interviewer told me it was good but i need to make it with the less code possible and with more complex timeline structure and to use event dispatcher.What is the best way to do this ?

  The immediate thing that comes to mind is they might want to see that you can balance work between design teams and development teams.
  To do that, the robots movements (pick up bomb, bomb grows/shrinks, arms/treads/legs moving, sequences of 'doing things') can be timeline based so animators can work on those separate from code.
  Developers would be working on the logic of keeping score, moving the robot around to the correct spot with path detection, collision detection, etc.
  It's very similar to thinking in simple factories (which Flash is good at being automatically with timelines), and a bit of MVC (or just VC in some cases).
  Big companies have lots of different types of employees so you'll probably be very specific in your role so you're efficient.

• How to access structure in VBScript both Structure and it's only member has the same name

  Hello,
  I VB Script how to access the structure's member if both the structure and the only member has the same name,
  Example,
  Structure name is User and it has only one member called "User" with the Datatype of String.
  When I call using User.User = "Some Text", it is giving me error so I couldn't assign any value to it.
  Kindly help me.
  Nallasivan

  I am using VB Script to Access SAP web Services, the sap web service has a method called user change, there are 3 mandatory parameters username, password and passwordX.
  Here username is string so I can assign value without any problem, password is a type of Bapipwd. Bapipwd is a structure and it has a member called Bapipwd. To access that from VB script I have to use
  Bapipwd.Bapipwd = "Password".
  But when I try to put the statement Bapipwd.Bapipwd = "password" it shows an error message that "Bapipwd doesnt have member called Bapipwd".
  The passwordX also a structure in SAP with the name of Bapipwdx and it has a member "Bapipwd"
  If I user Bapipwdx.Bapipwd="X" it is working fine. Because both the structure and it's member name is different. But Bapipwd.Bapipwd is not working and it gives "Bapipwd doestn't have member Bapipwd"
  I suspect this is due to both the structure and its member has the same name. Kindly help me to access the structure.