Manually added auth objects and Derived roles

If there are manually added auth objects in the parent role do they come across to the derived roles?
Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?

Yes, any auth objects will come across to derived roles when you click 'generate derived roles' from your parent role. Basically it's copying your parent role authorizations to derived roles, except org. level data (if you had maintained them through the 'org. maintenance' button and not by adding in individual objects).
Yes. Manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles' from your parent role.
If you just derived the role menu and didn't copy the authorizations (generate derived roles), then there will not be any interlink between the parent and derived roles for authorizations.
http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm
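A pre-check for the overwrite described in this answer, as an added example that is not part of the original thread or of any SAP tooling: it compares a parent role with one derived role and lists every non-org-level difference, which is exactly what the next 'generate derived roles' run would discard. The CSV layout, the role names and the choice of BUKRS and WERKS as the org-level fields are assumptions, and values are merged per object and field rather than per individual authorization.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export, not real system data. The column layout
# (role, object, field, value) and both role names are assumptions.
SAMPLE_EXPORT = """\
role,object,field,value
Z_MASTER_PO,S_TCODE,TCD,ME23N
Z_MASTER_PO,M_BEST_WRK,ACTVT,03
Z_MASTER_PO,M_BEST_WRK,WERKS,*
Z_MASTER_PO,F_BKPF_BUK,ACTVT,03
Z_MASTER_PO,F_BKPF_BUK,BUKRS,*
Z_DERIVED_PO_1000,S_TCODE,TCD,ME23N
Z_DERIVED_PO_1000,M_BEST_WRK,ACTVT,02
Z_DERIVED_PO_1000,M_BEST_WRK,ACTVT,03
Z_DERIVED_PO_1000,M_BEST_WRK,WERKS,1000
Z_DERIVED_PO_1000,F_BKPF_BUK,ACTVT,03
Z_DERIVED_PO_1000,F_BKPF_BUK,BUKRS,1000
Z_DERIVED_PO_1000,S_TABU_DIS,ACTVT,03
"""

# Fields maintained as organizational levels in this sample (assumption).
# Differences in these fields are expected and survive a re-derivation.
ORG_LEVEL_FIELDS = frozenset({"BUKRS", "WERKS"})


def load_role_values(text):
    """Parse CSV text into {role: {(object, field): set(values)}}."""
    roles = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["object"].strip(), row["field"].strip())
        roles[row["role"].strip()][key].add(row["value"].strip())
    return roles


def non_org_drift(roles, parent, derived, org_fields=ORG_LEVEL_FIELDS):
    """List non-org-level differences between a parent and a derived role.

    Each finding is (kind, object, field, parent_values, derived_values).
    Every finding is a value that copying the parent's authorizations
    into the derived role would overwrite or remove.
    """
    parent_auth = roles.get(parent, {})
    derived_auth = roles.get(derived, {})
    findings = []
    for key in sorted(set(parent_auth) | set(derived_auth)):
        obj, field = key
        if field in org_fields:
            continue  # org levels are meant to differ per derived role
        p_vals = parent_auth.get(key, set())
        d_vals = derived_auth.get(key, set())
        if p_vals == d_vals:
            continue
        if not p_vals:
            kind = "only_in_derived"      # e.g. a manually added object
        elif not d_vals:
            kind = "missing_in_derived"   # derived role is out of date
        else:
            kind = "values_differ"        # field changed in the derived role
        findings.append((kind, obj, field,
                         tuple(sorted(p_vals)), tuple(sorted(d_vals))))
    return findings


if __name__ == "__main__":
    roles = load_role_values(SAMPLE_EXPORT)
    for finding in non_org_drift(roles, "Z_MASTER_PO", "Z_DERIVED_PO_1000"):
        print(finding)
```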

Similar Messages

  • Manually added Authorization object

    All ,
    What is the impact for manually added authorization objects in the roles after the system upgrade??

    My 2 cents, since I don't see any replies.
    I try to avoid manual auth objects on a role as much as possible. One problem with manual auth objects is that in PFCG, it will not give a reference to what transaction the auth object came from. Unless thoroughly documented this can be an audit issue.
    In regards to upgrades, I don't think it will have any effect. It is usually the tcodes that are affected.

  • How can I limit/control the addition of auth. objects to security roles?

    Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certain type of auth. objects and it didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!
    Edited by: Armando Salas on Nov 29, 2011 7:41 PM

    Hi Armando,
    Try with auth. obj. S_USER_AUT. A suggestion: search these objects with tcode SU24, for instance for tcode PFCG, and it gives a list with objects.
    I hope this helps you
    Regards
    Eduardo

  • Maintaining the authorizations for parent role and derived role

    Hi Experts,
    Kindly advise me on the pros and cons of the parent role and derived role. Below is the scenario:
    Currently we have created the 700 role in our regional organization and we want to derive the roles for each country.
    1) We want to do the auth field (activity level) settings in the parent role and org levels in the derived role.
    2) But one of my colleagues says do the default auth field (activity values) common to every country in the parent role and the different activity ones in the derived role.
    Please advise me what will be the best scenario for maintaining the authorization field values (like the activity level one).

    I will try to answer both your queries here:
    "my colleague says there are some NON ORG values different from each country ..suggest us to maintain all the default values in Parent role and auth with diff values needs to be maintained in derived role (child role).. "
    The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this field is NON_ORG you will not be able to maintain it directly inside the child roles... this is the basic principle of the derived role concept... that the only item you will directly maintain in a child role are the org levels (which will come as 'organisational levels' in the upper tab in the auth data of a role).
    All NON_ORG fields inside a child role are acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. These changes will get lost the next time you run the parent-child inheritance from the "generate derived role" function in your parent role.
    Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc... figure out the name of the concerned field you have in hand)... execute... you will see that the field will from now onwards appear as an org level value in all roles in the system and not just as a field inside the auth objects... I would suggest you take one field and try running it in your dev or sandbox... see how the field changes in your roles... the change can always be reverted by using PFCG_ORGFIELD_delete... you will understand it better...
    Soumya

  • Master role and derived role concept

    Guys,
    1) How to assign the organizational levels for the derived role?
         Say, for example, I have to create the derived roles with respect to the plant code. After inheriting the tcodes and authorizations from the master role, I noticed a pop-up page with organizational level tabulation and I assigned the respective plant code there, and in the same way for all the following derived roles. But the rest of the rows, like company code, sales organization, distribution channel etc., which are seen in the tabulation are left empty. I noticed that all the fields which are left empty in the org. levels of the derived roles are filled up with the values of the corresponding master role org. level values when the derive button icon, which is seen under the authorization tab of the master role, is pressed. So please let me know the correct procedure to assign. *Do we really need to maintain org. values for master roles?*
    2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
    3) Are the master and derived roles tested in parallel in the QA system, or is the master role tested first, followed by the derived role?
    4) According to my understanding we don't assign any user to the master roles, but why do we move it to PRD?
    I would greatly appreciate somebody's help.

    >  1) How to assign the organizational levels for the derived role?
    >      Say, for example, I have to create the derived roles with respect to the plant code. After inheriting the tcodes and authorizations from the master role, I noticed a pop-up page with organizational level tabulation and I assigned the respective plant code there, and in the same way for all the following derived roles. But the rest of the rows, like company code, sales organization, distribution channel etc., which are seen in the tabulation are left empty. I noticed that all the fields which are left empty in the org. levels of the derived roles are filled up with the values of the corresponding master role org. level values when the derive button icon, which is seen under the authorization tab of the master role, is pressed. So please let me know the correct procedure to assign. *Do we really need to maintain org. values for master roles?*
    Only if you assign the master roles to users. (and maybe for testing, see 3)
    >
    > 2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
    Nope, but if one of its derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
    >
    >  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
    Best order is to do all unit testing with the master, with all org levels at * and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
    >
    >  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
    See 2, it goes there automatically. No choice.
    Jurjen

  • Missing Master and Derived Roles

    Hello All,
    I have got an odd scenario and I am hoping some of you might have run into the same issue or might point me in the right direction.
    Background
    We are on ECC 5.0 and have the Master Derived concept, and then Derived Roles are grouped in Composites.
    We recently (last week) created some (say 34) Derived roles and some (10) composites using a combination of the newly created derived and some old derived roles.
    Transported the derived separately and Composites separately. Transports went successfully into QA and PRD.
    This week we noticed that all of the 34 derived roles are missing in DEV ONLY along with 28 Masters of the 34 Child Roles. All the Childs and masters still exist in QA and PRD.
    We have tried to look up the change doc of the missing roles or the profiles or the authorizations of the missing roles and there is no change log under SUIM. The change log shows when the role was created but nothing after that. According to Basis the transports do not have any unusual log.
    Since it's a DEV system, no delete transports have come into DEV, therefore a delete transport could not be an option.
    I have also uploaded one of the missing master roles from PRD to DEV and it has successfully established the relation with the childs. I was hoping it might shake up the change history regarding the missing role but it did not. It now shows when the role was created earlier (2006) and this week again, but no delete history.
    Any Ideas on how to explain this behavior

    Another possible and imaginable human error worth looking into is that at some stage in the past a transport request was created for the master and child roles -- okay.
    Then the child roles were "broken" by changing org. levels and other fields in the authorization maintenance, so the roles themselves were deleted with the intention of creating them again from one of the "template" child-roles --> okay, seems reasonable to have happened.
    Then (here is the problem!) someone released the transport before the new child roles were created. This is interpreted by the system to be a deletion transport of roles.
    Additionally the sequence of the transports might have added additional obscurity to the issue and now, much later on, someone imported the transport into production which deleted the roles.
    <conspiracy_theory>
    The person then deleted the transport request from the queues and archived the change documents in SU83.
    </conspiracy_theory>
    Cheers,
    Julius

  • Audit tool which generates Users, Roles, Auth objects, and Values

    Hi,
    I have a list regarding authorization provided by auditors.
    Here I want to know how the auditors generated the list.
    Do you know the transaction code or the program ID.....?
    Probably the data in the list was extracted from our system, and some data were manually processed or added.
    Hard to write down but fields and examples appear in the list;
    -FIELDS-
    User
    Group
    Full Name
    Rule
    Side
    Operator
    Role
    Authorization
    Attribute
    Attribute Value
    Associated Role
    Associated Authorization
    Associated Attribute
    Associated Attribute Value
    -EXAMPLES-
    testuser01
    group001
    user01 test
    Create Maintain Sales Order vs Create Maintain Customer Master Records
    LHS
    Any
    Z_ROLETEST_001
    Authorization=T-D524126500, Object=S_TCODE
    TCD
    FB01
    Z_ROLETEST_002
    Authorization=T-D524126600, Object=F_BKPF_BUK
    ACTVT
    1
    Thank you in advance.
    /Y.Shirako

    > Install ABAP on your system which provides files for them to crunch in an SQL (or similar) database.
    > Tool extracts data via RFC calls into your system that is then processed externally.
    Yes, the interfaces of those tools are often a hazard in themselves...
    I typically recommend customers to delete them completely. Sometimes this comment also exists in the code itself, but who reads code now-a-days in GRC projects, and why should they have to? ;-(
    This looks very much like one of those tools (where the SQL statements are built externally).
    Cheers,
    Julius

  • *How to Delete one same object from different roles*

    I need to delete one auth object from different roles. Could anyone please advise me how I can do this and if there will be any complications involved with this.
    Best regards:
    Maq

    In PFCG, it may be that you have added some objects manually. To remove them you will have to go to pfcg.
    Even if you first remove the objects from su24, you will have to go to all the roles through pfcg to generate them in expert mode by selecting the third option (edit old status and merge with new data)

  • Derived roles are getting overwritten every time when I update Master Role.

    Hi Experts !
    We have created some Master and Derived roles in the past. According to the requirement we have made some changes directly in the derived roles, like some values of objects, activities, etc. Now we added one t-code in the master role and generated its profile and generated all derived roles also. But the changes made directly in derived roles earlier were revoked from all derived roles.
    Now can anyone tell me how to add a t-code in Master and derived roles so that the changes directly made in the derived role are not removed?
    Please help and give your valuable advice.
    Regards,
    Lokesh Bajaj

    Hi Lokesh,
    The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.
    Using derived roles you cannot achieve your requirement.  If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship.  This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account. 
    You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level).  I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for its suitability.
    Cheers

  • Error In Derived Role

    Hi,
    We are implementing SRM5.0
    We have prepared Derived Roles copied from Standard Roles for testing and added the Objects and T.Codes.
    Role created -->        ( B_D_SRM_PURCHASER_M51     )
    Once we logged in with the user ID with this role the next screen show the following error.
    Kindly help me make me understand where I need to do the correction for the same.
    ERROR
    Runtime Errors         ITS_ERRMSG_EXCEPTION
    Short text
        Error message occurred.
    The ITS service "bbpstart" had to be terminated because the Web AS has sent
    the following error message:
    Error message: " You are not authorized to use Transaction BBPGLOBAL"
    Message type: "E"
    Points would be awarded for help
    BR,
    Vijay Mittal

    Hi,
    What is your support package level of SRM_SERVER? If you are having SRM_SERVER 550 and package level SAPKIBKT07 then you will get ITS_ERRMSG_EXCEPTION.
    Please upgrade your support package.
    Reason for this dump: You use the browser to work with the Supplier Relationship Management (SRM) system. In some cases, "ITS_ERRMSG_EXCEPTION" error pages are displayed (if you are using the integrated SAP Internet Transaction Server ITS 6.40 or 7.00). For example, this occurs because the user has no authorization for this transaction. However, the user does not immediately see what the problem is.
    And you can ignore this message as well if you are not getting any complaint from the customer side.
    Please find SAP Note: Note 1129873 - SRM template for SAPMSYST_40 (2)
    Regards,
    Krushna Biswal
    Edited by: Krushna Biswal on Aug 18, 2008 8:50 AM

  • Mass generation of Derived Roles

    Hello,
    SUPC helps me in Mass generation of Master Roles. But how do I generate Derived roles in a lot?
    Thanks.

    Hello,
    we also missed this function when we started using derivation of roles. I developed some years ago a program which does this, also possible to start it in background mode. It runs daily (in front of  PFCG_TIME_DEPENDENCY) and adjust derived roles from updated parent roles (which came into the system via transport request).
    Because I developed the program in my working time it's owned by my company, therefore I can not post the source. Just a few hints:
    - parent roles and derived roles: you will find them in table AGR_DEFINE
    - roles imported into the system: with function module TMS_TM_GET_TRLIST you can get yesterday's imported transport requests, you can read the object list with function module TMS_WBO_READ_REQUEST (those with R3TR ACGR have roles in it).
    - build up an internal table of parent roles (consider the derivation level: first process the top level role, then its derived roles, and then their derived roles and so on).
    - use function module SUPRN_TRANSFER_AUTH_DATA for adjusting the derived roles of a parent role.
    HTH and kind regards
    Jens Hoetger

  • Auth Objects on ME23N

    Hi Guys,
    I'm trying to find the authorisation objects that control the GRIR information on the Display PO's tcode - ME23N.
    I have two separate roles with ME23N tcode - one shows the GRIR info on the details section and the other not.
    Just trying to understand which auth object controls the display and which values to assign to have it displayed or not.
    Rgds,
    Thinus

    I use SU24 to see which auth objects are involved.
    The problem I have is that the amounts on the Purchase Order History tab is not showing when I assign one role, but when I assign the other, it does.
    I guess what I should do is do a comparison on the auth objects and values with the 2 ME23N's in both roles.
    This might give me an indication on the possible differences.
    Comments??

  • Manual assignment of object into Transport request

    Hi Experts,
    Very recently I saw in my development system that one object (ABAP Report) has been assigned directly to the Transport request number, not to the task number. I have also checked that the object is not locked in the TR, where it should normally be locked.
    My question is how this is possible, and is there any advantage / disadvantage to following this way?
    Also, if another user wants to change the same report, will another new TR be generated or a new task of the same TR be generated?
    Thanks in adv. Waiting for your kind response.
    Thanks.
    A Miter.

    Arit,
    Ideally the objects should get included in a TR when we change/create an object assigned to a package. But while manually adding an object to a TR one needs to be sure about the PROGRAM ID and OBJECT TYPE of that object and the rest of the subobjects related to it. If we manually add an object in a TR there is a chance that the related subobjects will not get transported.
    So, the best way is only to get the objects added to the TR automatically while creating the TR. But sometimes it will be helpful if we know the mechanism of adding the objects in the TR manually. Sometimes
    Thanks,
    K.Kiran.

  • Importing master role from ECC into portal throws derived role exception

    Hello,
    While uploading master and derived role from backend system into the portal I am getting the following exception.
    com.sap.portal.pcd.rolemigration.RoleMigrationException: Nested Exception. Failure to execute native function. Nested Exception. ROLE_IS_DERIVED
    Does it imply that the derived role is already imported with the import of master role and there is no need to explicitly import the derived role?
    The landscape uses role upload tool of portal for UME.
    Regards
    Pooja

    Hi Pooja,
    There is a limitation with the role upload tool that the derived roles cannot be uploaded.
    The migration is only able to upload roles which have their own menus. Derived R/3 roles do not have menus themselves as they derive them from other roles. The purpose of the migration is to bring the R/3 navigation structures into the portal. Therefore you can only migrate the role from which your role is derived.
    Regards
    Anja

  • Master Universe and Derived Universe

    Post Author: AmitP
    CA Forum: WebIntelligence Reporting
    Hi
    I am making changes to the Master Universe because of which the Derived Universe gets in to the read only mode. If I want to work on or edit the master and derived universe simultaneously, whether it is possible to do it?
    If yes what is the way of doing it?
