Location security within roles and org structure
We have been using SAP for some time. We have some specific roles with certain location values for restricting some access, but generally, when it comes to the org levels, all of our roles use an asterisk (*). It was always an out-of-scope project, but now...things need to change.
Is the only way to build a proper org structure? What document describes the PFCG insertion of $BUKRS in the company code, as an example, and the behavior you will have? Up to this point, those have always been changed to (*).
Hi Jerry,
You can check the objects in T-Code SU24. Every T-Code is pre-defined with some objects.
Based on the objects defined, when you add the T-Code in PFCG it will prompt for org values.
Hope now you are clear.
For better understanding just go through the following example:
When you add T-code VA01 there are n number of objects.
One of the objects is C_TCLS_MNT (T-Code VA01).
Authorization C_TCLS_MNT defines whether characteristics are available for entry, using the organizational area.
In classification, you can use organizational areas to restrict which characteristics are selected. This authorization checks whether a user can maintain characteristics of a certain organizational area.
Organizational areas are defined separately for each class type, so authorizations for organizational areas in the user master can be restricted to certain class types. This means that the user has no authorization to maintain characteristics with organizational areas in other class types.
Note
You can define organizational areas for each class type in Customizing for Classification, under Classes.
Defined fields
Field | Possible entries | Description
Actvt | 23 | Maintenance of characteristics for org. area allowed
Actvt | any other value | Display characteristics for org. area only
Class type | (Any): 001 Material class (standard), 017 Document class (standard), and so on | Class type
Org. area | (Any) | Organizational area
Example:
Field | Value
Actvt | 23
Class type | *
Org. area | A - E, K, V
A user can only assign values to characteristics that belong to organizational areas A to E, K, or V. This setting applies to all class types.
Cheers
Soma
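As an added illustration (not code from the thread), here is a small Python model of how the field values in Soma's C_TCLS_MNT example are evaluated by an authorization check. The field labels are the ones from the table above, the user's authorization data is constructed, and the second object F_BKPF_BUK (the standard company-code object with the BUKRS field) is used only as a sample of an org-level restriction.

```python
# Added example (not from the thread): a small model of how an SAP
# authorization check evaluates the field values kept in a role.
# Field labels follow the C_TCLS_MNT table above; the matching rules are the
# usual PFCG ones: "*" matches everything, a trailing "*" matches a prefix,
# "A - E" is an inclusive range, and every field of the object must match.

def _value_matches(entry: str, value: str) -> bool:
    """Does one maintained entry (single value, pattern or range) cover value?"""
    entry = entry.strip()
    if entry == "*":
        return True
    if " - " in entry:                     # inclusive range, e.g. "A - E"
        low, high = (part.strip() for part in entry.split(" - ", 1))
        return low <= value <= high
    if entry.endswith("*"):                # prefix pattern, e.g. "10*"
        return value.startswith(entry[:-1])
    return entry == value                  # single value

def field_allows(maintained: str, value: str) -> bool:
    """maintained is the comma-separated list as shown in PFCG ("A - E, K, V")."""
    return any(_value_matches(e, value) for e in maintained.split(","))

def check_authorization(user_auths, obj: str, required: dict) -> bool:
    """SAP-style AUTHORITY-CHECK: the user passes if at least one authorization
    for the object covers every requested field value at the same time."""
    for auth_obj, fields in user_auths:
        if auth_obj != obj:
            continue
        if all(field_allows(fields.get(f, ""), v) for f, v in required.items()):
            return True
    return False

# Constructed user master: the C_TCLS_MNT example from the answer, plus a
# second authorization restricted to one company code (an org-level value
# instead of the usual "*").
USER_AUTHS = [
    ("C_TCLS_MNT", {"Actvt": "23", "Class type": "*", "Org. area": "A - E, K, V"}),
    ("F_BKPF_BUK", {"Actvt": "03", "BUKRS": "1000"}),
]

def can_maintain_characteristic(class_type: str, org_area: str) -> bool:
    return check_authorization(USER_AUTHS, "C_TCLS_MNT",
                               {"Actvt": "23", "Class type": class_type,
                                "Org. area": org_area})

def can_display_company_code(bukrs: str) -> bool:
    return check_authorization(USER_AUTHS, "F_BKPF_BUK",
                               {"Actvt": "03", "BUKRS": bukrs})

if __name__ == "__main__":
    print(can_maintain_characteristic("001", "C"))   # True: C lies inside A - E
    print(can_maintain_characteristic("017", "V"))   # True: V listed, class type *
    print(can_maintain_characteristic("001", "F"))   # False: F is not maintained
    print(can_display_company_code("2000"))          # False: only 1000 is granted
```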
Similar Messages
-
Hello, I am working on a SAP CRM 7 Sales implementation and we are implementing leads and opportunity scenarios. The current business organization model is that there are multiple vertical and horizontal departments. This is a typical matrix structure. This organization has done the segregation of its clients based on the verticals, so every client belongs to at least one or more Vertical departments, but Horizontal departments can contact all the clients. In the same way, sales executives also belong either to one or more Verticals or to Horizontal departments. A Horizontal sales executive can create leads for any clients available in the system, but a Vertical sales executive can only create leads for the clients that belong to his vertical and are assigned to him. This can be achieved by creating an organization structure and business partner relationships.
Now the problem statement is that a few sales executives need to work for both some Verticals and Horizontals at the same time. But the requirement is that they should be able to do both roles with a single user ID but multiple roles. So when a sales executive is creating leads for his vertical department, he should only be able to select clients assigned to his Vertical, but when he is creating a lead for a Horizontal department, he should be able to select any clients.
So can I determine the business partners linked to a user based on the assigned role and org. structure?
Please let me know if this is not clear. Also note we are only using CRM WebUI, no SAP ePortal.
Thanks a lot for your help in advance.
Regards
Sudesh Sharma
Thanks, Tahir
my problem has been solved
Kind Regards,
Faisal -
Multiple business roles and org data determination
Hello together,
we are having an issue with the organizational data determination. Some users have multiple business roles in different sales organizations. This means they are assigned to several units in our org model.
These users can select the business role after the login screen. But this selection doesn't affect the org data determination (rule: ORGMAN_12).
For example, my user is assigned to 4 different org units. After the login I select a role. In debugging I can see this role, but the system selects only the first role and not the role I've selected after the login.
Is there any other rule which follows the selected business role? Or can I assign one user only to one unit?
Best regards
Sascha
Thanks for your reply!
The problem is that I need exactly the org unit according to the business role selected at the beginning. Because we have in one company different distribution channels (e.g. 10, 20, 30). And depending on this the user can create a business partner in 10, 20 or 30. So, in our case we have some users assigned to 10 AND 20 AND 30. For each channel we have one role.
Our org model looks like this:
company XYZ
--channel 10 ( role 'salespro10')
mustermann-m
--channel 20 ( role 'salespro20')
mustermann-m
--channel 30 ( role 'salespro30')
mustermann-m
If the user mustermann-m selects salespro10 he should be able to create a business partner in channel 10. And if the user selects salespro20 he should be able to create the BP in channel 20.
But if I use RH_STRUC_GET I get ALL assignments.
Best regards,
Sascha -
Difference between Approver, Role Approver and Org Approvers
Can someone briefly describe the difference/purpose of the Role and Org approver capabilities? Specifically, if I set someone up as just a role approver then I can't see them in the Available Approvers list for a Role setup anyhow.
As a follow-on to this, is there any way to not allow an approver responsible for an organization to also see and approve approvals for a role's approver for a role that is in the organization? It seems to destroy the point of having role approvals if the org approver can still simply execute his approvals for them.
Ideally, roles were established to provide access controls. You can route any work items to any "Approver" based on this role. It can be done in your workflows.
To answer your question, in simple terms, roles can span across organizations. So, for any request made to have a designated "Role", the owner (or Role approver) can approve this request irrespective of the organization he belongs to. Ex: You can use your AD Admin for your AD account, who is in the IS organization.
Similarly for Org approvers. These approvers basically confirm the user and org CRUD operations.
I hope this helps. -
Security in iTunes and Match.
Hi All,
A quick query on security within iTunes and something I have become increasingly wary about.
I love iTunes match and the whole icloud thing, with close to 10,000 strong library now available in the atmosphere to multiple devices.
As a result I’ve been able to donate most of my cd library to good homes after they have been imported.
One thing that does concern me is the apparent lack of security in iTunes or in iTunes match.
For example, if someone had access to my laptop or stole it and booted up iTunes (PC), they could quite easily erase the contents of the library/icloud without being prompted for a password or other security.
It would simply be a case of “ticking the box” that said also remove from icloud.
That way your library is gone and the core medium that you imported it from is also gone.
You have therefore no way to rebuild your library unless you originally purchased it all through the store.
Putting a password on match/icloud prior to deletion would seem the logical way?
I do hope Apple will address this in due course; however, if I'm missing something or anyone can point me in the direction of improving my iTunes security it would be greatly appreciated.
Simon.
Another screwy album is "Time Traveler" by The Moody Blues. It has 4 CDs and a "Bonus" CD in the album.
iTunes Store shows it as a single CD album.
In iTunes, it shows up as two albums: The first contains Disks 1, 3, 4, and 5, while the second is Disk 2.
Initially it loaded up as a bunch of separate albums, which I corrected by saying they're all parts of a Compilation. I also had to load the artwork manually. But I cannot get them to show up all as a single album.
I wish there were a way to tell iTunes to "merge" multi-CD albums into a single album on iTunes. I've got several of them, and it's annoying that iTunes regards each CD of a multi-CD album as separate albums. -
Maintaining the authorizations for parent role and derived role
Hi Experts,
Kindly advise me on the pros and cons of the parent role and derived role. Below is the scenario:
Currently we have created 700 roles in our regional organization and we want to derive the roles for each country.
1) We want to do the Auth field (activity level) settings in the parent role and Org levels in the derived role.
2) But one of my colleagues says to keep the default Auth field (activity values) common to every country in the parent role and the differing activity ones in the derived role.
Please advise me what will be the best scenario for maintaining the authorization field values (activity-level ones).
I will try to answer both your queries here:
"my colleague says there are some NON ORG values different for each country .. suggests us to maintain all the default values in the parent role and auths with different values need to be maintained in the derived role (child role).. "
The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this field is NON_ORG you will not be able to maintain it directly inside the child roles..... This is the basic principle of the derived role concept… that the only item you will directly maintain in a child role are the org levels (which will come as ‘organisational levels’ in the upper tab in the auth data of a role).
All NON_ORG fields inside a child role are acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. These changes will get lost the next time you run the parent-child inheritance from the “generate derived role” function in your parent role.
Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc… figure out the name of the concerned field you have in hand)… execute… you will see that the field will from now on appear as an org level value in all roles in the system and not just as a field inside the auth objects…. I would suggest you take one field and try running it in your dev or sandbox.. see how the field changes in your roles.... The change can always be reverted by using PFCG_ORGFIELD_DELETE. ... you will understand it better....
Soumya -
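An added Python model (not code from the thread) of the parent/derived role behavior Soumya describes above: non-org field values live in the parent, each child supplies only its org levels, and regenerating the derived roles overwrites any non-org value typed into a child by hand. The role names Z_AP_CLERK* and all values are constructed; F_BKPF_BUK and M_MSEG_WMB are standard objects used only as samples carrying the BUKRS and WERKS org levels.

```python
# Added example (not from the thread): a model of the PFCG parent/derived
# role mechanism. Non-org fields exist only in the parent; a child keeps
# nothing but its org-level values, and "generate derived roles" replaces
# whatever non-org value somebody maintained in the child directly.
import copy

# Fields PFCG treats as organizational levels (BUKRS and WERKS from the thread).
ORG_LEVEL_FIELDS = {"BUKRS", "WERKS"}

class Role:
    def __init__(self, name, auths=None, org_levels=None, parent=None):
        self.name = name
        self.auths = auths or {}            # {auth object: {field: value}}
        self.org_levels = org_levels or {}  # {org field: value}, child-specific
        self.parent = parent

    def effective_auths(self):
        """Authorization data as the generated profile would contain it:
        non-org values from the role itself, org fields filled from org levels."""
        result = copy.deepcopy(self.auths)
        for fields in result.values():
            for field in fields:
                if field in ORG_LEVEL_FIELDS and field in self.org_levels:
                    fields[field] = self.org_levels[field]
        return result

def generate_derived_roles(parent: Role, children):
    """PFCG 'generate derived roles': every child gets a fresh copy of the
    parent's authorization data; only the child's own org levels survive."""
    for child in children:
        child.auths = copy.deepcopy(parent.auths)

def build_demo():
    # Constructed regional parent: org fields carry $BUKRS / $WERKS placeholders
    # instead of "*", so each country's child supplies the real values.
    parent = Role("Z_AP_CLERK", auths={
        "F_BKPF_BUK": {"ACTVT": "01, 02, 03", "BUKRS": "$BUKRS"},
        "M_MSEG_WMB": {"ACTVT": "03", "WERKS": "$WERKS"},
    })
    de = Role("Z_AP_CLERK_DE", org_levels={"BUKRS": "1000", "WERKS": "1000, 1010"},
              parent=parent)
    fr = Role("Z_AP_CLERK_FR", org_levels={"BUKRS": "2000", "WERKS": "2000"},
              parent=parent)
    generate_derived_roles(parent, [de, fr])
    return parent, de, fr

def manual_change_is_lost():
    """The colleague's approach (a different ACTVT per country typed into the
    child) does not survive the next inheritance run. Returns (before, after)."""
    parent, de, fr = build_demo()
    de.auths["F_BKPF_BUK"]["ACTVT"] = "03"      # hand edit of a NON_ORG field
    before = de.effective_auths()["F_BKPF_BUK"]["ACTVT"]
    generate_derived_roles(parent, [de, fr])
    after = de.effective_auths()["F_BKPF_BUK"]["ACTVT"]
    return before, after

if __name__ == "__main__":
    parent, de, fr = build_demo()
    print(de.effective_auths()["F_BKPF_BUK"])   # BUKRS 1000, ACTVT from parent
    print(fr.effective_auths()["M_MSEG_WMB"])   # WERKS 2000, ACTVT from parent
    print(manual_change_is_lost())              # ('03', '01, 02, 03')
```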
Data and Dashboard Security using ROLES Variable in OBIEE 11g
Hi all,
I'm currently using OBIEE 11g. I'm wondering how to implement the security for data and dashboard in the 11g.
Below is a sample of the security matrix requirement from when I used the 10g version. In 10g, we usually use the GROUP (for the data filter in the RPD) and WEBGROUPS (for dashboard objects) variables in an initialization block to read from the database. As we have 2 different variables, it is possible to control security separately for data and dashboards.
GROUP | Country
G1 | US
G2 | FR
G3 | UK
WEBGROUPS | Dashboard
WG1 | D1
WG2 | D1
WG3 | D1
WG1 | D2
WG2 | D2
WG1 | D3
WG3 | D3
WG3 | D4
Now, in 11g, the recommendation is to use ROLES variable (for application role). So, how would I apply the required security matrix above in 11g using just ROLES variable? Do I still create G1, G2, G3, WG1, WG2, and WG3 as application roles then only use G1-3 in the RPD to filter the data and only use WG1-3 in the analytics to serve as webgroups?
Any advice on this? Thank you very much.
"...Could you elaborate more?"
I mean that role creation and user->role assignment will be managed outside of the OBIEE interface - whether that's via the database, LDAP, FMW etc.
Webgroup creation and assignment is managed within the obiee interface and I think that has a lot of benefits - generally you have people responsible for shared folders and dashboard creation, so having them responsible for webgroups and presentation permissions is preferable for me.
"are you saying that I use the role G1-3 only in the RPD, while using the role WG1-3"
Yes .. I'm assuming you have something like
G1 | US
G2 | FR
G3 | UK
WG1 | Finance
WG2 | Marketing
WG3 | Sales
Which becomes
R1 | US
R2 | FR
R3 | UK
R4 | Finance
R5 | Marketing
R6 | Sales
And John belongs to R1 and R4, Fred belongs to R2 and R4 etc. So you would set your data filters against R1-R3 and use R4-R6 like webgroups in the presentation services.
Regards,
Robert -
Difference between Structural and Org. Based Security
Hi
Could anyone please explain the difference between Structural and Org. based security?
Also could anyone please point to relevant documents.
Thanks
Structural authorization:
ex: assigning roles to positions and not to user IDs. Listed below are some links that may help you to get started in understanding "Structural authorization".
http://www.sap-img.com/human/structural-authorization-vs-role-authorization.htm
http://www.sap-press.de/katalog/buecher/inhaltsverzeichnis/gp/titelID-1071
https://websmp205.sap-ag.de/~form/ehandler?_APP=00200682500000001337&_EVENT=DISPLAY&COURSE=ADM940
HB -
Interaction of BW Roles and BWA Explorer Security
We secure all our BW users via roles. These roles have analysis authorizations embedded in them which restrict access to specific infoproviders and to values in these based on authorization-relevant infoobjects.
When we try to create a BWA Explorer object in RSDDTPS we are forced to assign a user ID and an analysis authorization directly in the "Authorizations" tab. Our security group only wants to assign roles to users, either via SU01 or CUA.
Configuration
BO 2008 Enterprise Server (connected to BW system)
BW system (Netweaver 7.01 EHP1)
BWA 7.2
1) How can we create BWA Explorer objects on an infoprovider without directly assigning users in the Authorizations tab, and how can we make the system ignore whatever is on this tab and base access to a BWA Explorer object on the roles assigned to the user via SU01/CUA?
2) If a user has roles assigned in BW that give them access to a specific infoprovider, will this automatically also give them access to a BO Server published BWA Explorer object built on that infoprovider? Related to this, do we also need to import the same roles and assign them to the user in the CMS server with a link to the BWA Explorer Server, or does the user automatically get access to BWA Explorer as long as BWA Explorer is published on the BO Server?
3) If the user in BW is assigned roles that limit values based on an authorization-relevant object, is this restriction enforced in the values returned in the published BWA Explorer for the user? Example: the authorization-relevant object is Profit Ctr and the user has two value roles: one contains access to all profit centers that roll up to a hierarchy node limited to the USA and the other contains a hierarchy analysis authorization limiting access to all profit centers rolling up to a hierarchy node representing Europe. When a user accesses the BWA Explorer object which contains profit ctr, will the values be limited only to USA and Europe profit centers, or will the BW value-based security be ignored?
Please provide advice on the above questions and document resources on how BW role-based security interacts with BWA Explorer.
Hi Expert,
I need a solution for same scenario, anyone can give inputs.
Regards,
Ganesh -
Security-role and security-role-assignment not working in WL7.0
Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in WL7.0. It has to do with the security-role and security-role-assignment descriptor elements no longer allowing anonymous users to be included in the authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
  <security-role>
    <role-name>Employees</role-name>
  </security-role>
  <method-permission>
    <role-name>Employees</role-name>
    <method>
      <ejb-name>CustomerEJB</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
  <role-name>Employees</role-name>
  <principal-name>guest</principal-name>
  <principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple InitialContext() constructor without specifying SECURITY_PRINCIPAL or SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and the security-role-assignment element above told WebLogic that "guest" was in the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives the typical permission exception:
java.rmi.AccessException: Security violation: insufficient permission to access method 'create'
If I explicitly connect as "system" things are fine, or I can create a new user in the default realm in WebLogic, put a matching <principal-name> element in the section above, and connect as that user. Note that if I leave off the <security-role> section completely, or set the required role name to "everyone", the anonymous access works fine. Apparently the anonymous user is a member of "everyone" behind the scenes even though "everyone" does not appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like "guest" was in WL6.1 that can be mapped to the required role name, or must every client connection use a true WebLogic-created user with appropriate role assignments used to map it to the required role name?
-Greg
P.S. Note that none of the EJB examples provided with WL used <security-role>.
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com
Below are the screen shots for PFCG:
-
Issues with test-all role and browser security
WLS 10.3.5
I have a deployed application on Linux using a SQLAuthentication and Authorization - all is well here.
I have setup all the security (without the test-all role) and I cannot access any of the system.
If I put the test-all role in - I can access the system.
I have verified the user has all the roles (I used the example bean to display the user and roles on the menu page) and the test-all role is not in the list.
I have the menu set up to not display items unless the user has the role (this is working fine - SecurityContext.inRole(rolelist)).
So the context is fine.
I used jazn-data to set the same roles in the taskflows - this is not working at all unless the test-all role is set (I get authorization errors - not authorized).
Have I missed something in this?
I have also noticed that if I close the browser (X) without logging out and come back into the system, the authentication is totally bypassed and I go back in as the same user as before.
Is there some way to destroy the previous context every time the welcome screen is executed?
Add the following parameters to the Run options for the ViewController project:
-Djps.auth.debug=true -Djps.auth.debug.verbose=true
Then restart WebLogic, run the app and watch the console - you'll see all the security evaluations take place which should help you to identify the problem. -
Hello,
Could you please provide information on "security roles and profiles "
I would appreciate.
Regards,
Alex
Roles give you authorization to specific areas of the system. Use TC PFCG and you will see the different settings for a role.
In a specific Role -> Authorization -> click on Display Authorization Data.
Here all specific InfoArea, Cube, ODS, Reporting components: display, execute and other security rules are defined.
User Section: defines who has access to this role.
Multiple authorizations are combined to create an Authorization Profile. You define a profile at TC SU01 under the profile section.
Hope that helps.
thanks.
Wond -
Configure security-role and method permission for EJB 3.0 using Jdev 11g
The EJB 3.0 session bean created by Jdev 11g EJB wizard does not have ejb-jar.xml. Where and how can security-role and method permission for the EJB be configured?
For example,
<assembly-descriptor>
  <security-role>
    <role-name>managers</role-name>
  </security-role>
  <method-permission>
    <role-name>managers</role-name>
    <method>
      <ejb-name>Employees</ejb-name>
      <method-name>setSalary</method-name>
      <method-params>
        <method-param>java.lang.Long</method-param>
      </method-params>
    </method>
  </method-permission>
</assembly-descriptor>
user516954,
By default annotations are used. However, you can create a new descriptor and that will take precedence over any declared annotation.
--Ric -
Difference between SU01 ROLE and attribute ROLE in org.structure
HI,
In the SU01 transaction ROLE tab the employee role is assigned to the user.
In the org. structure attribute ROLE also contains the employee role.
What is the difference between the two?
Should we mention the employee role for the user in SU01 and in attribute ROLE, both places, to create a shopping cart?
Please guide... points are allotted.
Thanks
mani
Hi SRM guys,
Just I want to know what is the purpose of the attribute ROLE in Org.structure
and what is the use of the ROLE tab in SU01 for a user.
Both places (attributes and the SU01 ROLE tab) need to be given the sap_bbp_stal_employee role ??? for the user to shop...
please confirm .. -
Security report with native roles and the roles they have access to.
We need a security report that shows the Native/Custom Roles and the roles that they have access to.
So, an example would be the role US_Acct, and the report would show what roles that has access to (Post Journals, Consolidate, etc.). Can this be done?
Export the Provision report from Shared Services.
Upload report to Excel or Access.
Build Tables to show what tasks each Role has access to.
Build a report that links the provision report and the xref tables.
You should also do this with Security Classes.