Location security within roles and org structure

We have been using SAP for some time.  We have some specific roles with certain location values for restricting some access, but generally, for all of our roles, when it comes to the org levels we have used an asterisk (*).  It was always an out of scope project, but now...things need to change.
Is the only way to build a proper org structure?  What document describes the PFCG insertion of $BUKRS in the company code, as an example, and the behavior you will have?  Up to this point, those have always been changed to (*).

Hi Jerry,
You can check the objects in T-Code SU24. Every T-Code is pre-defined with some objects.
Based on the objects defined, when you add the T-Code in PFCG it will prompt for org values.
Hope now you are clear.
For better understanding, just go through the following example:
When you add T-code VA01, there are n number of objects.
One of the objects is C_TCLS_MNT (T-Code VA01):
Authorization C_TCLS_MNT defines whether characteristics are available for entry, using the organizational area.
In classification, you can use organizational areas to restrict which characteristics are selected. This authorization checks whether a user can maintain characteristics of a certain organizational area.
Organizational areas are defined separately for each class type, so authorizations for organizational areas in the user master can be restricted to certain class types. This means that the user has no authorization to maintain characteristics with organizational areas in other class types.
Note
You can define organizational areas for each class type in Customizing for Classification, under Classes.
Defined fields
Field        Possible entries   Description
Actvt        23                 Maintenance of characteristics for org. area allowed
             any other value    Display characteristics for org. area only
Class type   (Any)
             001                Material class (standard)
             017                Document class (standard)
             and so on
Org. area    (Any)              Organizational area
Example:
Field        Value
Actvt        23
Class type   *
Org. area    A - E, K, V
A user can only assign values to characteristics that belong to organizational areas A to E, K, or V. This setting applies to all class types.
Cheers
Soma
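As an added illustration (not code from the thread or from SAP): a small Python model of how PFCG field values are evaluated at check time, built from Soma's C_TCLS_MNT entries above and the BUKRS org level from the question, and of how a derived role keeps the parent's non-org values while restricting the company code per location. The object F_BKPF_BUK, the role names, the company codes and the field keys other than ACTVT and BUKRS are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One PFCG field value as (low, high): ('23', '') single value, ('A', 'E') an
# interval such as "A - E", ('*', '') the full authorization from the question.
Entry = Tuple[str, str]
Fields = Dict[str, List[Entry]]
# Fields PFCG treats as org levels: BUKRS is from the thread, the rest assumed.
ORG_LEVEL_FIELDS = {"BUKRS", "WERKS", "VKORG"}

@dataclass
class Authorization:
    obj: str        # authorization object, e.g. C_TCLS_MNT
    fields: Fields  # field name -> maintained entries

@dataclass
class Role:
    name: str
    auths: List[Authorization]

def entry_allows(entry: Entry, value: str) -> bool:
    """Does one maintained value (single, interval, generic or '*') cover value?"""
    low, high = entry
    if low == "*":
        return True
    if high:
        return low <= value <= high        # interval, e.g. org. area A - E
    if low.endswith("*"):
        return value.startswith(low[:-1])  # generic value, e.g. 10*
    return low == value

def authority_check(roles: List[Role], obj: str, **required: str) -> bool:
    """AUTHORITY-CHECK style test: passes if one authorization for obj, in any of
    the user's roles, satisfies every requested field at the same time."""
    for role in roles:
        for auth in role.auths:
            if auth.obj == obj and all(
                    any(entry_allows(e, val) for e in auth.fields.get(fld, []))
                    for fld, val in required.items()):
                return True
    return False

def derive_role(parent: Role, child_name: str, org_levels: Fields) -> Role:
    """Derived role: non-org fields come from the parent, only org levels are
    maintained in the child. A non-org value is refused here because in PFCG it
    would be overwritten the next time the derived role is generated."""
    not_org = set(org_levels) - ORG_LEVEL_FIELDS
    if not_org:
        raise ValueError(f"maintain in the parent, not the child: {sorted(not_org)}")
    auths = [Authorization(a.obj, {f: list(org_levels.get(f, v))
                                   for f, v in a.fields.items()})
             for a in parent.auths]
    return Role(child_name, auths)

# Soma's C_TCLS_MNT example: Actvt 23, class type *, org. area A - E, K, V.
# Only ACTVT is a real technical name here; the other two keys are placeholders.
CLASSIFICATION = Authorization("C_TCLS_MNT", {
    "ACTVT": [("23", "")],
    "CLASS_TYPE": [("*", "")],
    "ORG_AREA": [("A", "E"), ("K", ""), ("V", "")],
})
# Parent role as in the question: company code left at '*'. The object
# F_BKPF_BUK (accounting document, company code) is assumed, not from the thread.
PARENT = Role("Z_FI_PARENT", [
    Authorization("F_BKPF_BUK", {"ACTVT": [("03", "")], "BUKRS": [("*", "")]}),
    CLASSIFICATION,
])
# Derived roles per location: same non-org values, BUKRS restricted per site.
LOC_1000 = derive_role(PARENT, "Z_FI_LOC_1000", {"BUKRS": [("1000", "")]})
LOC_2000 = derive_role(PARENT, "Z_FI_LOC_2000", {"BUKRS": [("2000", "")]})
```

A user holding both derived roles passes the check for either company code, which is the effect the asterisk in the parent gave to everyone.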

Similar Messages

  • So Can I determine the business partners linked to user based on the assigned role and org. structure?

    Hello, I am working on a SAP CRM 7 Sales implementation and we are implementing leads and opportunity scenarios. The current business organization model is that there are multiple vertical and horizontal departments. This is a typical matrix structure. This organization has done the segregation of its clients based on the verticals, so every client belongs to at least one or more Vertical departments, but Horizontal departments can contact all the clients. In the same way, sales executives also belong either to one or more Verticals or to Horizontal departments. A Horizontal sales executive can create leads for any clients available in the system, but a Vertical sales executive can only create leads for the clients that belong to his vertical and are assigned to him. This can be achieved by creating an organization structure and business partner relationships.
    Now the problem statement is that a few sales executives need to work for both some Verticals and Horizontals at the same time. But the requirement is that they should be able to do both roles with a single user id but multiple roles. So when a sales executive is creating leads for his vertical department, he should only be able to select clients assigned to his Vertical, but when he is creating a lead for a Horizontal department, he should be able to select any clients.
    So can I determine the business partners linked to a user based on the assigned role and org. structure?
    Please let me know if this is not clear; also note we are only using CRM WebUI, no SAP ePortal.
    Thanks a lot for your help in advance.
    Regards
    Sudesh Sharma

    Thanks, Tahir
    my problem has been solved
    Kind Regards,
    Faisal

  • Multiple business roles and org data determination

    Hello all,
    we are having an issue with the organizational data determination. Some users have multiple business roles in different sales organizations. This means they are assigned to several units in our org model.
    These users can select the business role after the login screen. But this selection doesn't affect the org data determination (rule: ORGMAN_12).
    For example, my user is assigned to 4 different org units. After the login I select a role. In debugging I can see this role, but the system selects only the first role and not the role I've selected after the login.
    Is there any other rule which follows the selected business role? Or can I assign one user only to one unit?
    Best regards
    Sascha

    Thanks for your reply!
    The problem is that I need exactly the org unit according to the business role selected at the beginning. Because we have in one company different distribution channels (e.g. 10, 20, 30). And depending on this the user can create a business partner in 10, 20 or 30. So, in our case we have some users assigned to 10 AND 20 AND 30. For each channel we have one role.
    Our org model looks like this:
    company XYZ
    --channel 10 ( role 'salespro10')
    mustermann-m
    --channel 20 ( role 'salespro20')
    mustermann-m
    --channel 30 ( role 'salespro30')
    mustermann-m
    If the user mustermann-m selects salespro10 he should be able to create a business partner in channel 10. And if the user selects salespro20 he should be able to create the bp in channel 20.
    But if you use RH_STRUC_GET I get ALL assignments.
    Best regards,
    Sascha

  • Difference between Approver, Role Approver and Org Approvers

    Can someone briefly describe the difference/purpose of the Role and Org approver capabilities? Specifically, if I set someone up as just a role approver then I can't see them in the Available Approvers list for a Role setup anyhow.
    As a follow on to this, is there any way to not allow an approver responsible for an organization to also see and approve approvals for a role's approver for a role that is in the organization? It seems to destroy the point of having role approvals if the org approver can still simply execute his approvals for them.
    Z

    Ideally Roles were established to provide access controls. You can route any work items to any "Approver" based on this role. It can be done in your workflows.
    To answer your question, in simple terms, Roles can span across organizations. So, for any request made to have a designated "Role", the owner (or Role approver) can approve this request irrespective of the organization he belongs to. Ex: your AD Admin for your AD account, who is in the IS organization.
    Similarly for Org approvers. These approvers basically confirm the user and org CRUD operations.
    I hope this helps.

  • Security in iTunes and Match.

    Hi All,
    A quick query on security within iTunes and something I have become increasingly wary about.
    I love iTunes Match and the whole iCloud thing, with a close to 10,000 strong library now available in the atmosphere to multiple devices.
    As a result I’ve been able to donate most of my CD library to good homes after they have been imported.
    One thing that does concern me is the apparent lack of security in iTunes or in iTunes Match.
    For example, if someone had access to my laptop or stole it and booted up iTunes (PC), they could quite easily erase the contents of the library/iCloud without being prompted for a password or other security.
    It would simply be a case of “ticking the box” that said also remove from iCloud.
    That way your library is gone and the core medium that you imported it from is also gone.
    You therefore have no way to rebuild your library unless you originally purchased it all through the store.
    Putting a password on Match/iCloud prior to deletion would seem the logical way?
    I do hope Apple will address this in due course; however, if I’m missing something or anyone can point me in the direction of improving my iTunes security it would be greatly appreciated.
    Simon.

    Another screwy album is "Time Traveler" by The Moody Blues.  It has 4 CDs and a "Bonus" CD in the album.
    iTunes Store shows it as a single CD album.
    In iTunes, it shows up as two albums: The first contains Disks 1, 3, 4, and 5, while the second is Disk 2.
    Initially it loaded up as a bunch of separate albums, which I corrected by saying they're all parts of a Compilation. I also had to load the artwork manually.  But I cannot get them to show up all as a single album.
    I wish there were a way to tell iTunes to "merge" multi-CD albums into a single album on iTunes. I've got several of them, and it's annoying that iTunes regards each CD of a multi-CD album as separate albums.

  • Maintaining the authorizations for parent role and derived role

    Hi Experts,
    Kindly advise me on the pros and cons of the parent role and derived role. Below is the scenario:
    Currently we have created 700 roles in our regional organization and we want to derive the roles for each country.
    1) We want to do the Auth field (activity level) settings in the parent role and the Org levels in the derived role.
    2) But one of my colleagues says to do the default Auth field (activity values) common to every country in the parent role and the different activity ones in the derived role.
    Please advise me what will be the best scenario for maintaining the authorization field values like (activity level one).

    I will try to answer both your queries here:
    "my colleague says there are some NON ORG values different from each country ..suggests us to maintain all the default values in Parent role and auth with diff values needs to be maintained in derived role (child role).. "
    The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this field is NON_ORG you will not be able to maintain it directly inside the child roles.....this is the basic principle of the derived role concept… that the only items you will directly maintain in a child role are the org levels (which will come as ‘organisational levels’ in the upper tab in the auth data of a role).
    All NON_ORG fields inside a child role are acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. These changes will get lost the next time you run the parent-child inheritance from the “generate derived role” function in your parent role.
    Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc… figure out the name of the concerned field you have in hand)… execute… you will see that the field will from now on appear as an org level value in all roles in the system and not just as a field inside the auth objects… I would suggest you take one field and try running it in your dev or sandbox..see how the field changes in your roles.... the change can always be reverted by using PFCG_ORGFIELD_delete. ... you will understand it better....
    Soumya

  • Data and Dashboard Security using ROLES Variable in OBIEE 11g

    Hi all,
    I'm currently using OBIEE 11g. I'm wondering how to implement the security for data and dashboards in 11g.
    Below is a sample of the security matrix requirement from when I used the 10g version. In 10g, we usually use GROUP (for the data filter in the RPD) and WEBGROUPS (for dashboard objects) variables in my initialization block to read from the database. As we have 2 different variables, it is possible to control security separately for data and dashboards.
    GROUP | Country
    G1 | US
    G2 | FR
    G3 | UK
    WEBGROUPS | Dashboard
    WG1 | D1
    WG2 | D1
    WG3 | D1
    WG1 | D2
    WG2 | D2
    WG1 | D3
    WG3 | D3
    WG3 | D4
    Now, in 11g, the recommendation is to use the ROLES variable (for application roles). So, how would I apply the required security matrix above in 11g using just the ROLES variable? Do I still create G1, G2, G3, WG1, WG2, and WG3 as application roles and then only use G1-3 in the RPD to filter the data and only use WG1-3 in the analytics to serve as webgroups?
    Any advice on this? Thank you very much.

    "...Could you elaborate more?"
    I mean that role creation and user->role assignment will be managed outside of the OBIEE interface - whether that's via the database, LDAP, FMW etc.
    Webgroup creation and assignment is managed within the OBIEE interface and I think that has a lot of benefits - generally you have people responsible for shared folders and dashboard creation, so having them responsible for webgroups and presentation permissions is preferable for me.
    "are you saying that I use the role G1-3 only in the RPD, while using the role WG1-3"
    Yes .. I'm assuming you have something like
    G1 | US
    G2 | FR
    G3 | UK
    WG1 | Finance
    WG2 | Marketing
    WG3 | Sales
    Which becomes
    R1 | US
    R2 | FR
    R3 | UK
    R4 | Finance
    R5 | Marketing
    R6 | Sales
    And John belongs to R1 and R4, Fred belongs to R2 and R4 etc. So you would set your data filters against R1-R3 and use R4-R6 like webgroups in the presentation services.
    Regards,
    Robert

  • Difference between Structural and Org. Based Security

    Hi
    Could anyone please explain the difference between Structural and Org. based security?
    Also could anyone please point to relevant documents.
    Thanks

    Structural authorization:
    ex: assigning roles to positions and not to userids. Listed below are some links that may help you to get started in understanding "Structural authorization".
    http://www.sap-img.com/human/structural-authorization-vs-role-authorization.htm
    http://www.sap-press.de/katalog/buecher/inhaltsverzeichnis/gp/titelID-1071
    https://websmp205.sap-ag.de/~form/ehandler?_APP=00200682500000001337&_EVENT=DISPLAY&COURSE=ADM940
    HB

  • Interaction of BW Roles and BWA Explorer Security

    We secure all our BW users via roles. These roles have Analysis authorizations embedded in them which restrict access to specific infoproviders and values in these based on authorization-relevant infoobjects.
    When we try to create a BWA Explorer object in RSDDTPS we are forced to assign a userid and an analysis authorization directly in the "Authorizations" tab. Our security group only wants to assign roles to users, either via SU01 or CUA.
    Configuration
    BO 2008 Enterprise Server (connected to BW system)
    BW system (Netweaver 7.01 EHP1)
    BWA 7.2
    1) How can we create BWA Explorer objects on an infoprovider without directly assigning users in the Authorization tab, and how can we make the system ignore whatever is on this tab and base access to a BWA Explorer object on the roles assigned to the user via SU01/CUA?
    2) If a user has roles assigned in BW that give them access to a specific infoprovider, will this automatically also give them access to a BO Server published BWA Explorer object built on that infoprovider? Related to this, do we also need to import the same roles and assign them to the user in the CMS server with a link to the BWA Explorer Server, or does the user automatically get access to BWA Explorer as long as BWA Explorer is published on the BO Server?
    3) If the user in BW is assigned roles that limit values based on an authorization-relevant object, is this restriction enforced in the values returned in published BWA Explorer for the user? Example: the authorization-relevant object is Profit Ctr and the user has two value roles; one contains access to all profit centers that roll up to a hierarchy node limited to the USA and the other contains a hierarchy analysis authorization limiting access to all profit centers rolling up to the hierarchy node representing Europe. When a user accesses the BWA Explorer object which contains profit ctr, will the values be limited only to USA and Europe profit centers, or will the BW value-based security be ignored?
    Please provide advice on the above questions and document resources on how BW role-based security interacts with BWA Explorer.

    Hi Expert,
    I need a solution for the same scenario; can anyone give inputs?
    Regards,
    Ganesh

  • Security-role and security-role-assignment not working in WL7.0

    Hello all..
    Some EJB components that worked fine in WebLogic 6.1 no longer work in WL7.0. It has to do with the security-role and security-role-assignment descriptor elements no longer allowing anonymous users to be included in the authorization for a bean.
    For example, in WL6.1 placing these items in ejb-jar.xml:
    <assembly-descriptor>
    <security-role>
    <role-name>Employees</role-name>
    </security-role>
    <method-permission>
    <role-name>Employees</role-name>
    <method>
    <ejb-name>CustomerEJB</ejb-name>
    <method-name>*</method-name>
    </method>
    </method-permission>
    and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
    <security-role-assignment>
    <role-name>Employees</role-name>
    <principal-name>guest</principal-name>
    <principal-name>system</principal-name>
    </security-role-assignment>
    worked fine for clients creating their context using a simple InitialContext() constructor without specifying SECURITY_PRINCIPAL or SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and the security-role-assignment element above told WebLogic that "guest" was in the Employees role for purposes of this EJB archive.
    Worked in WL6.1, no longer works in WL7.0. Client receives the typical permission exception:
    java.rmi.AccessException: Security violation: insufficient permission to access method 'create'
    If I explicitly connect as "system" things are fine, or I can create a new user in the default realm in WebLogic, put a matching <principal-name> element in the section above, and connect as that user. Note that if I leave off the <security-role> section completely, or set the required role name to "everyone", the anonymous access works fine. Apparently the anonymous user is a member of "everyone" behind the scenes even though "everyone" does not appear in the realm list of groups or roles.
    So, my question boils down to this: Is there a "magic" username in WL7 like "guest" was in WL6.1 that can be mapped to the required role name, or must every client connection use a true weblogic-created user with appropriate role assignments used to map it to the required role name?
    -Greg
    P.S. Note that none of the EJB examples provided with WL used <security-role>..
    Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
    www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

    Below are the screen shots for PFCG:

  • Issues with test-all role and browser security

    WLS 10.3.5
    I have a deployed application on Linux using SQL authentication and authorization - all is well here.
    I have set up all the security (without the test-all role) and I cannot access any of the system.
    If I put the test-all role in, I can access the system.
    I have verified the user has all the roles (I used the example bean to display the user and roles on the menu page) and the test-all role is not in the list.
    I have the menu set up to not display items unless the user has the role (this is working fine - SecurityContext.inRole(rolelist)).
    So the context is fine.
    I used jazn-data to set the same roles in the taskflows - this is not working at all unless the test-all role is set - I get authorization errors (not authorized).
    Have I missed something in this?
    I have also noticed that if I close the browser (X) without logging out and come back into the system, the authentication is totally bypassed and I go back in as the same user as before.
    Is there some way to destroy the previous context every time the welcome screen is executed?

    Add the following parameters to the Run options for the ViewController project:
    -Djps.auth.debug=true -Djps.auth.debug.verbose=true
    Then restart WebLogic, run the app and watch the console - you'll see all the security evaluations take place which should help you to identify the problem.

  • Security roles and profiles

    Hello,
    Could you please provide information on "security roles and profiles "
    I would appreciate.
    Regards,
    Alex

    Roles give you authorization to specific areas of the system. Use TC PFCG and you will see the different settings for a role.
    In a specific Role -> Authorization -> click on Display Authorization Data.
    Here all specific InfoArea, Cube, ODS, Reporting components: display, execute and other security rules are defined.
    User Section: defines who has access to this role.
    Multiple authorizations are combined to create an Authorization Profile. You define a profile at TC SU01 under the profile section.
    Hope that helps.
    thanks.
    Wond

  • Configure security-role and method permission for EJB 3.0 using Jdev 11g

    The EJB 3.0 session bean created by Jdev 11g EJB wizard does not have ejb-jar.xml. Where and how can security-role and method permission for the EJB be configured?
    For example,
    <assembly-descriptor>
    <security-role>
    <role-name>managers</role-name>
    </security-role>
    <method-permission>
    <role-name>managers</role-name>
    <method>
    <ejb-name>Employees</ejb-name>
    <method-name>setSalary</method-name>
    <method-params>
    <method-param>java.lang.Long</method-param>
    </method-params>
    </method>
    </method-permission>
    </assembly-descriptor>

    user516954,
    By default annotations are used. However, you can create a new descriptor and that will take precedence over any declared annotation.
    --Ric

  • Difference between SU01 ROLE and attribute ROLE in org.structure

    Hi,
    In the SU01 transaction ROLE tab the employee role is assigned to the user.
    In the org. structure the attribute ROLE also contains the employee role.
    What is the difference between the two?
    Should we mention the employee role for the user in SU01 and in attribute ROLE in both places to create a shopping cart?
    Please guide...points are allotted.
    Thanks
    mani

    Hi SRM guys,
    I just want to know what is the purpose of the attribute ROLE in the Org.structure
    and what is the use of the ROLE tab in SU01 for a user.
    Do both places (attributes and the SU01 ROLE tab) need to be given the sap_bbp_stal_employee role for the user to shop?
    Please confirm ..

  • Security report with native roles and the roles they have access to.

    We need a security report that shows the Native/Custom Roles and the roles that they have access to.
    So, an example would be the role US_Acct, and the report would show what roles that has access to (Post Journals, Consolidate, etc). Can this be done?

    Export the Provision report from Shared Services.
    Upload report to Excel or Access.
    Build Tables to show what tasks each Role has access to.
    Build a report that links the provision report and the xref tables.
    You should also do this with Security Classes.
