Master role-derive role concept and FICO role in dev system!!!

Hi all,
I have created a master role with t-codes
AWUW
BAPI
BD10
BD100
BD101
BD102
BD103
BD104
BD105
BD11
BD12
BD13
BD14
BD15
also included object PLOG where maintained org data
and created a derived role from that master role and generated from the master role.
After that I wanted to change the org level but the system is not allowing me to change it, although I selected the values from the F4 screen.
Now I want to maintain separate org values for each of the derived roles... and when adjusted from the master role, these maintained values should not vanish.
How should I proceed?
I have another issue... I am now in the Dev system... I need to create a role with the FICO module with SPRO...
Should I go ahead and create a role and assign the FICO block and assign SPRO... will that be sufficient?
Thanks in Advance
Regards,
Souren

Yes, it seems that you have broken the org level by directly making changes in the org level field inside PFCG.
One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields).
If you want it only for PLOG, then delete this object and add it again. Then go to the organization level tab at the top and give the required value. Do this in the master role, generate it, and push the changes to the derived role. Now, go to the derived role and make the org level change the same way you did for the parent role.
For your second question, you will have to see which auth objects are being checked by SPRO for a FICO module associate. You can create a test role with SPRO in it and then do an authorization trace through ST01 to see which objects are checked when they work.

Similar Messages

  • Maintaining Backend roles and frontend roles(synchronising)

    hello all,
    I have a problem, and that's how I will properly maintain both backend roles in R/3 and frontend roles on the PORTAL, like ESS/MM ROLES for portal?
    What I mean is I can set them up, but I am worried that if we set up a role for the backend we may not always remember to set up the backend roles, if you know what I mean?
    We use a template which has the role mapping, i.e. backend and frontend, but how do we successfully synchronise these 2 roles for each user, as each user will always have both roles set up, but the worry is that sometimes they won't be IN SYNC with each other?
    this is worrying, any ideas?

    Hello, 
    If both the roles are not synchronized, then the user will face authorization error.
    Then we can conclude that both the roles are not synchronized.
    thanks,
    Darshan G

  • Master role & Derived role concept

    Hi Friends ,
    We have the master and derived role concept in our project. ABC_XXXX (Master role), ABC_1000 (Derived role) (1000 = company code)
    Now we need to maintain some values in master roles, let's say display: 03. Should we regenerate the derived role as well?
    If we regenerate the derived role, does the inheritance relationship break? And do we need to maintain the company code = 1000 value again?
    Please suggest.
    regards

    Forgot to answer some more questions you had asked. Adding them here:
    Now we need to maintain some values in master roles, let's say display: 03. Should we regenerate the derived role as well?
         - use the steps I mentioned in my earlier reply to regenerate derived roles from the Master role.
    If we regenerate the derived role, does the inheritance relationship break?
             - please use the steps I suggested, the inheritance will not break. And this is an advantage of Master-->derived role. That's the meaning of having this concept in SAP.
    And do we need to maintain the company code = 1000 value again?
    --- No, you don't need to. (You can check and see this manually.)
    Hope it helps...
    Soumya

  • DB table for Derived Roles and Parent Roles

    Hi Expert,
    In which DB table are the Derived Roles and Parent Roles stored? That is, I need to find out the derived role and parent role. I have completed the Complex and single role by table AGR_AGRS.
    But I have to find out the table for Derived Role.
    Please help me to get those tables.
    Thanks in advance
    Tarak

    It's the same table as for the master role: AGR_DEFINE (field PARENT_AGR is filled for derived roles).
    ~As from Forum

  • Deleting FICO Roles and Authorizations

    Hi Guys,
    i want to Delete some roles and authorizations from a user profile.I have the user id and I want to know what roles are assigned to the user.
    Which tcode can be used for the same and how to delete the fico roles assigned to that sap user id.
    thanks,
    Srikanth.

    Hi,
    I got the solution. It is SUIM.
    Anyways thanks for the help
    srikanth

  • Standard FICO roles& profiles

    Hi Experts,
    If I have to create a FICO user, what roles (or profiles) should I attach to the user?
    Or, in other words, what are the standard roles (or profiles) for FICO?
    Same questions for other modules also (SD, MM, PP...)
    I checked in transaction PFCG and found so many roles for FI, CO, SD and other modules. That's why I am confused whether I have to attach all the roles available.
    Thanks and Regards,
    Moulianth

    I have SAP ECC6.0 IDES where I can find so many roles for FI, SD etc.So, I am confused which roles to be attached.Secondly, I am a BASIS guy and not aware of FICO transactions. So, I can create my own roles if I know the important transactions in those modules.
    Now, the task is to know the transaction codes and the functionality of that transactions.
    Can you help me regarding this?
    If you are a BASIS Consultant, then it is the responsibility of the Functional consultants to prepare a list of Transaction codes and map to the users, super users etc.*
    I checked in Google that there are a huge no. of FICO transactions available, like BASIS transactions. Please let me know, if any user is allowed to have full FICO authorisation (I mean to say, if the user is allowed to perform all FICO transactions), should I add all the FICO transactions in PFCG?
    All users should not be given authorisations to all T codes. There should be a hierarchy and the management should take responsibility for finalising the roles.*
    In BASIS, there is a concept of super user. The user DDIC is the super user of BASIS and is allowed to run any BASIS related transactions and is created during installation.Is there any super user concept in FICO and for other modules?
    Yes even in other modules there is a concept of Super User*

  • Semantics and its' role in Business Services

    Role and importance of semantics in the context of services and SOA:
    Semantics refers to the interpretation of information and not the literal definition of information/data. Applying semantics to information turns it into “knowledge”. Semantics is the act of applying references and drawing conclusions given a set of more scientific informational constructs. Typically semantics are derived using the context in which information is presented. Transposition, on the other hand, applies the rule of inference wherein one can draw conclusions on the implication of truth based on some set of facts.
    Read more about this at Surekha Durvasula's blog: http://entarch.blogspot.com/2007/10/semantics-and-its-role-in-business.html
    Surekha is an Enterprise Architecture of a large retail company

    Hi shalini,
            Thanks for the reply and can you please say me the menu path for T.code BUSD
    And can u please say the difference between 4.0 and 5.0 versions
    Regards
    Narayana

  • BP created with category Person and BP Role Consumer is not replicated

    Hello Gurus,
    I have created a BP with Category Person and BP Role Consumer, but after saving, my BP is not getting replicated to ERP, though in the Classification tab I could see consumer is being selected and the Account group 0170 - Consumer showing up.
    I have also checked in the PIDE transaction in the ERP system: this Account group has classification E, which is Consumer.person, and a number range is assigned to this Account group.
    I have checked in middleware; there is an error message which says "BP XXXX doesnt not exist as customer,change not possible" and also one more message which says "no classification is assigned to BP".
    Is any customizing missing in the CRM system, or is the only customizing required in ERP?
    Thanks and Regards
    chandu

    Hi,
    With respect to your question on below link.
    Re: BP created with category Person and BP Role Consumer is not replicated
    Please find the below path in ECC
    SPRO>Logistic General>Business Partner>Customer>Define Account Groups and Field Selection for Customers.
    Select 0170 Consumer account grp and click on details. You will see the Number range in General Data.
    Copy that number range and goto below path and check if the number range is internal or external.
    SPRO>Logistic General>Business Partner>Customer>Define and Assign Customer Number ranges. The popup will appear; select Define Number ranges for customer master. Click on display intervals. You will see whether the number range is maintained as internal or external.
    Hope this helps.
    Regards,
    Chandrakant

  • Announcing General Availability of PowerShell Connector and Release Candidate of Generic SQL and SAP Roles/Users

    The FIM team is pleased to announce the availability of some additional Connectors for FIM2010R2.
    General Availability of PowerShell Connector
    The PowerShell Connector can be used to communicate with a system through PowerShell scripts. This allows an easy and flexible way to communicate with other systems but also to pre-/post-process data and files before handed over to the FIM Synchronization
    Service. We believe the community will help providing scripts for this Connector for various systems and will open a place where scripts can be published for reuse.
    TechNet docs:  
    http://go.microsoft.com/fwlink/?LinkID=393057
    Download:         
    http://go.microsoft.com/fwlink/?LinkID=393056
    Release Candidate of Generic SQL Connector
    The Generic SQL Connector will allow you to connect to any database where you have an ODBC driver available. It enables new features compared to the built-in MA such as support for Stored Procedures, running SQL scripts, built-in delta import support, import
    multiple object types, connect to multiple tables, and much more. This Connector is built on ECMA2.3 which allows schema discoverability to be customized in the Sync Engine UI. A pre-release of the next Sync Engine hotfix is included with the Connector download
    and is required for the Connector to work.
    Download:         
    https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52652
    Release Candidate of SAP Users and Roles/Groups
    The updated SAP templates for Users and Roles/Groups allow you to manage Users, Roles, and Groups in SAP. This also includes password sync for Users to SAP. The Connector will make sure roles are represented as groups to make it possible to manage these
    with bhold. This template will require the previously published WebService Connector:
    http://go.microsoft.com/fwlink/?LinkID=235883.
    Download:         
    https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52651
    If you have participated in any other Connector preview program you will have access to the Release Candidate downloads. If you have not participated before then to get access to the preview programs on Connect either join the program “Identity and Access
    Management”, “FIM Synchronization Service Connectors Pre-release” on
    http://connect.microsoft.com/directory or follow this link
    http://connect.microsoft.com/site433/SelfNomination.aspx?ProgramID=6709&pageType=1
    We have also published an update to the Generic LDAP Connector adding support for some additional LDAP directories, see
    http://support.microsoft.com/kb/2936070/. If you have additional LDAP directories you think we should support, please feel free to contact me.
                    On behalf of the FIM Sync team,
                    /Andreas Kjellman

    On Tue, 18 Mar 2014 08:09:43 +0000, David Burghgraeve wrote:
    We've been using the OpenLDAPXMA to be able to connect to ACF2 CA-LDAP (from Computer Associates) running on a IBM Z-OS Mainframe System. We've been using it for password synchronization since 2004 on MIIS. Today it's still used via the
    OpenLDAPXMA (64bit) on FIM 2010 R2.
    We had to tweak the password management component in the OpenLDAPXMA to support the error messages we get from the ACF2 System, as we support a multi-master password setup between Mainframe and Active Directory (one can change the password on
    MF and/or on Windows), for example "LDP0406E ACF2 error modifying lid(ACF00155 NEW PASSWORD CANNOT BE THE SAME AS CURRENT PASSWORD)".
    Additionally, we cannot get the delta import to work with the CA-LDAP, there's no capability in it and we tried to use the time attribute to use in the query for recent changes, but it does not work. (I think we need it in a large integer format
    or unix time integer).
    Would be great to have Microsoft's support in this :)
    In a case like this where your follow-up has nothing to do with the
    original post you should create a new thread.
    Having said that, neither of the MAs to which you refer are official
    Microsoft MAs and as such there is no support from Microsoft available.
    Also, keep in mind that the ECMA1/XMA extensibility framework has been
    deprecated and replaced by the ECMA 2.0. You should plan on replacing
    existing ECMA1 management agents with ECMA2.0 connectors.
    Paul Adare - FIM CM MVP
    "It's 106 light-years to Chicago, we've got a full chamber of anti-matter,
    a half a pack of cigarettes, it's dark, and we're wearing visors."
    "Hotsync." -- Paul Tomblin & Peter da Silva

  • GRC 10 Role Management - Mass Role Derivation

    Hi All - 
    Does anyone know if it is possible to propagate the authorization data from multiple parent roles to their relevant child derived roles in mass in GRC 10? 
    Using the standard 'Role Management -> Role Maintenance' feature you can propagate one parent role's auth data to all its child derived roles; or alternatively, if accessing one child role, you can copy the auth data from the parent role.  Either of these options would require you to open each parent role or each child role to push/pull auth data from a parent role to a child role. 
    If this is not possible, it seems to leave a gap in the process of creating derived roles in mass?
    Via the 'Role Mass Maintenance -> Role Derivation' feature you can create derived roles in mass across multiple parent roles with multiple levels of derivation from each using Org Maps.  This will create my derived roles and populate the organizational values only in PFCG. You can also update the derived role's org values in mass if they change by updating your Org Maps and using the 'Role Mass Maintenance -> Derived Role Org values Update' feature. 
    However these features do not propagate the non-org authorizations from the parent roles.  Without a way to push/pull the non-org authorizations from the parent to the child, creating all the derived roles in mass doesn't quite actually create usable roles. 
    I've noticed when propagating authorization on a one-by-one basis, GRC creates a background job "Auth Data Propagate".  I'm really just hoping there is a way to do this in mass and I am just missing the obvious.  I also know it would be possible via an eCATT script directly in SAP, but I'm looking specifically for options via the GRC tool.
    Thanks for the help!

    Nick -
    I actually just received a "final" response from SAP OSS support on this one.  Had a note open for the past 9 months or so where apparently the product management & development teams were discussing this issue.  The last update I received was about 10 days ago and essentially said this is not currently part of the tool:
    "This is an enhancement and is not currently supported. We will take it up in a future release. Please log this in the ideaplace under Access Controls"
    While I respect the decision, I can't necessarily say I agree that a "Mass Derivation" tool is working as intended if it cannot push / copy authorizations from a parent to a child role. If it can't create roles that are actually usable it would seem to be an issue with the current solution rather than a future enhancement imo. 
    The best workaround to this, is to utilize an eCATT script to go through all your derived roles you create in mass via GRC and have it go into PFCG and 'copy from' the parent authorizations and then regenerate the profiles.  That will give you actually complete & usable roles in a semi-automated fashion.

  • 'Standard Role' 'User' 'Business Partner' and 'Internet User'

    hii
    Currently I'm working on E-Recruitment 6.0 BSPs.
    Can somebody explain to me:
    1)
    'Role' 'User' 'Business Partner' and 'Internet User'
    Kindly help me understand the relation between the above-mentioned IDs and their creation.
    2)
    I have created a Business Partner (External Person) ID using BP (txn). Kindly let me know how to create the 'Internet ID' and 'PW'
    so that I can use it for HRRCF_StART_EXT (BSP).
    Kindly explain... or mail me any documentation related to
    E-recruitment to my id [email protected]
    Looking for a immediate reply
    Regards,
    Raghav

    Role - is the same as the concept of role in R3. SAP delivers some preconfigured authorisation profiles for some standard roles.
    Roles are assigned to users depending on the client's requirement.
    Business Partner is the same as BP in CRM. Basically, the following will be BPs in your system:
    Each independent user of the recruitment process - as BP Branch.
    All third party recruitment vendors as BP Type Agency.
    All employees will also be BPs in the system.
    All external applicants.
    You can create an internet user using the t code SU05. You can also use the R3 system user credentials to log on to the URL application by configuring the system to use the SAP login. (This is done through t code SICF.)
    Hope this helps.

  • BC4J Connection and database ROLE

    Hi,
    We have an application with several root Application Modules. We need to connect using a determined database user and role (with password). The problem is that the Connection Wizard does not support this feature.
    I need to issue these commands after establishing connection:
    SET ROLE my_role_name IDENTIFIED BY my_role_password
    ALTER SESSION SET CURRENT_SCHEMA = my_schema
    What is the best way to do that? I know I can issue those commands from each AM, but I'd like to do that in one place only (i.e. the connection or something like).
    Thanks
    Lapolla

    You could derive from ApplicationModuleImpl and perform these operations in an overwritten prepareSession() method.
    Markus

  • What is CK11 and CK24? And what role do they play in A/c Detrn. ?

    Hi,
    What is CK11 and CK24? And what role do they play in A/c Detrn. ?
    Regards,
    Binayak

    Hi,
    CK11n is to run a cost estimate.
    Suppose,
    If material price (ROH) is Rs.10,
    There are two activities, setup & processing in the machine.
    Setup = Rs.5
    Processing = Rs.10.
    The system will add all these values & then give an estimate of Rs.25. Suppose there are other costs involved, the system will include these.
    Whereas CK24 is to mark & release after a costing estimate.
    (ie) this is used by FI to update the price in the material master for future use.
    These transactions are normally used if costing is done through product cost collector. Eg. In Repetitive manufacturing Scenario.
    Hope this helps,
    Reward if useful.
    Regards,
    Senthilkumar SD

  • Deploy software packages and applications (roles) to rolebased assets

    Hi everybody,
    I'm new to SCCM and I need some advice about how to deploy software suites (fixed lists of software packages and applications) automatically to our rolebased assets. Rolebased assets are assets that have predefined software suites or 'roles'. Combinations
    of several roles on a single machine are possible. We currently use Altiris NS for our software deployments. The system I have there is as follows.
    - regkey on the local machine defining the role(s) for that asset (values are streamed from our CMDB into the local registry) 
    - dynamic collection for each role based on the value in the regkey
    - task assigned to the collection to install the role(s) (a fixed list of packages and applications)
    - as stated several roles can be assigned to a single asset
    For the deployment of several roles to the same machine we use a in house built solution called Sequence Installer (SQI). SQI keeps track of which role it is installing and will put other roles in a queue. It also has retry and reset functionalities.
    In case of failure it will automatically retry from the failed step. We can also manually restart the SQI from the start or from the failed step.
    We are planning to migrate towards SCCM 2012 R2 and the purpose is to do as much as possible out-of-the-box. Meaning SQI should become obsolete and replaced by SCCM built-in functionality.
    For SCCM, I'm thinking to do it like this: use the regkey to populate a collection for each role and work with a task sequence for the role installation. I'm sure that will work, but perhaps there are far better and simpler ways to do this in SCCM? Furthermore,
    I'm afraid SCCM will not be as flexible as SQI when it comes to automatically retrying and/or resuming the installation sequence in case of failure (failures caused by something that doesn't need manual intervention of course, like source corruption,
    non-blocking failures, et cetera).
    Another way of doing it could be UDA, create a functional user representing each role and assign software to the user. Then link the assets needing a role as primary devices to the user representing the role and pre-deploy the software (in an OSD scenario).
    But again, also in this scenario I need the capability to automatically restart and retry failures.
    It would be great if I could get some other opinions on the subject, thanks guys!
    Kind regards,
    Chris

    nope, I did not start actual testing of the scenario, and this for several reasons (I'm sure TimDK understands what I'm talking about :-))
    - I work at a financial institution where things tend to go very slow (understatement of the year...)
    - I have a lab environment but no rights to create AD stuff for example, I have to officially request these things and that takes time...
    - lab environment testing is very high-level (wake-on-lan, 1E nomad testing, et cetera), we'll promote in the near future to our test and development environment where more in-depth testing can be performed
    In short, I'm thinking about the concept(s) that can be used, actual testing and playing with it will be for later... I thank everybody for the tips, my goal is to get some thoughts and insights from the experts, one can only learn... I will feedback later
    about the what and how and which solution will actually get implemented.
    Regards,
    Chris 

  • Funktion Roles and Value Roles

    Hello,
    I read in an SAP Press book something about function roles and value roles.
    Can someone explain me how this work.
    kind regards,
    Bernhard

    I would suggest taking preventative legal action against anyone who even mentions "functional and value" roles - particularly if they give the impression that transaction codes, activities and org-levels can be built in separate roles - because when the concept goes downhill (which it will!) then they will unlikely be around to clean up the mess nor take responsibility for it.
    Rather steer well clear of this type of concept.
    Cheers,
    Julius
