Max roles & Profiles in user?

How many roles can we assign to the user? What is the maximum limit of the roles and profiles for the user?

Dear Praveen,
You can assign 300 authorization profiles to a user (see SAP Note 410993).
Note 410993:
You would like to know the maximum number of:
profiles per user
authorizations per profile
authorization values per authorization
Reason and Prerequisites
All maintenance transactions work with the USR04, USR10 and USR12 tables.
Solution
As of Release 4.6A, the structure of the database tables used, and not the kernel, causes some restrictions:
1. Table USR04: Profile assignments for users
              This table contains both information about the change status of a user as well as the list of profile names that were assigned to the user.
              The PROFS field is used to save the change indicator (C = User created, M = User changed) and the name of the profiles assigned to the user.
The field is defined with a length of 3,750 characters. Since the first two characters are for the change indicator, 3,748 characters are still available for the list of profile names per user. Since the maximum length for each profile name is 12 characters, the maximum number of profiles per user is 312. Note 841612 delivered a solution for increasing the number of usable profiles per user from 300 to the maximum value of 312.
              Possible enhancements:
When you use roles exclusively, the number of profiles per user can only be doubled by assigning a reference user.
If you also use manual profiles, you can combine these to form collective profiles.
              Caution: In principle, we must advise against using these options. Reason:
Enhancements of this type increase the risk of an unwanted summation of authorizations. On the other hand, the number of entries also increases in the user buffer for authorizations (table USRBF2), which may result in longer runtimes when you perform authorization checks.
2. Table USR10: Authorizations or subprofiles per profile
Due to the length of the AUTHS field (3,750 characters), you can enter the following maximum values in the manual profile maintenance (transaction SU02):
300 subprofiles per collective profile or
150 authorizations per single profile
Of course, the maximum value of 150 authorizations applies to the profiles generated in transactions PFCG or SUPC. Therefore, after you exceed this threshold, a new profile is automatically created.
3. Table USR12: Authorization values per authorization
              To save the authorization values, you use the VALS field, which is 3,750 characters long (just like the PROFS field in the USR04 table). Since the values can have different lengths, the number of values per authorization also varies. If you are unsure about whether VALS can accept all of the values that you maintain, you can check the length of the character string using the following formula:
NSTRING = 3 + 18*NFLDS
        + NNORM(1)*(MAXLEN(1)+1) + NGENE(1)*(MAXLEN(1)+3)
        + NNORM(2)*(MAXLEN(2)+1) + NGENE(2)*(MAXLEN(2)+3)
        + ...
        + NNORM(NFLDS)*(MAXLEN(NFLDS)+1) + NGENE(NFLDS)*(MAXLEN(NFLDS)+3)
What the parameters mean:
NSTRING   = Total length of the character string in VALS
NFLDS    = Number of fields in the authorization object (10 = maximum)
MAXLEN(I) = Number of characters in the longest value in field I
NNORM(I)  = Number of normal (not generic) values in field I
NGENE(I)  = Number of generic values in field I
I = 1, ..., NFLDS
The absolute maximum length of an authorization value is 40 characters. NNORM(I) and NGENE(I) are the total number of values maintained in the 'From' and 'To' columns in field I.
Example:
The following authorization (chosen at random) for the S_USER_AUT object demonstrates how to apply the above formula:
Field No.  Field Name   From Value          To Value
   1       ACTVT        03
                        08
   2       AUTH         TESTFIAUTH00        TESTFIAUTH10
                        Z*
   3       OBJECT       F_KNA1*
                        F_BKPF*
                        F_KNKK_BED
The variables have the following values:
NFLDS = 3
  I       MAXLEN(I)    NNORM(I)    NGENE(I)
  1          2            2           0
  2          12           2           1
  3          10           1           2
This results in the following value for the length of the character string in the VALS table field:
NSTRING = 3 + 18*3
        + 2*( 2 + 1) + 0*( 2 + 3)
        + 2*(12 + 1) + 1*(12 + 3)
        + 1*(10 + 1) + 2*(10 + 3)
        = 141
Further explanations:
If NSTRING is greater than 3,750, the authorization cannot be activated or generated, which means that the values must be distributed across several authorizations. Exception: The profile generator can automatically divide authorizations in roles (activity groups) with just one field (example: the S_TCODE object) into up to 100 generated authorizations.
If profile generation fails because a role contains too many values for an organisation level, you cannot use additional authorizations to solve the problem. Due to the cross-object validity of organizational levels, their values would automatically be copied to the new authorizations. In this case, you only have the option to distribute values across several roles.
Hope this will help.
Regards,
Naveen.
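
The length check from the quoted note, written out as an added example (not part of the original post and not SAP code). The function names are illustrative, a value is treated as generic when it ends in `*` (an assumption based on the note's Z* and F_KNA1* values), and the single-field authorization used for the boundary case is constructed.

```python
# Added example: NSTRING estimate for USR12-VALS, following the formula
# quoted from SAP Note 410993. Function names are illustrative only.

VALS_LEN = 3750      # length of the VALS field (USR12), per the note
PROFS_LEN = 3750     # length of the PROFS field (USR04), per the note
MAX_FIELDS = 10      # maximum number of fields in an authorization object
MAX_VALUE_LEN = 40   # absolute maximum length of one authorization value

# USR04: 2 characters hold the change indicator, each profile name takes 12.
MAX_PROFILES_PER_USER = (PROFS_LEN - 2) // 12


def is_generic(value):
    # Assumption: "generic" means the value ends in '*' (Z*, F_KNA1* in the note).
    return value.endswith("*")


def field_stats(entries):
    """Return (MAXLEN, NNORM, NGENE) for one field.

    entries is a list of (from_value, to_value) pairs; an empty string means
    the column is blank. Values in both columns are counted.
    """
    values = [v for pair in entries for v in pair if v]
    too_long = [v for v in values if len(v) > MAX_VALUE_LEN]
    if too_long:
        raise ValueError(f"value exceeds {MAX_VALUE_LEN} characters: {too_long[0]!r}")
    maxlen = max((len(v) for v in values), default=0)
    ngene = sum(1 for v in values if is_generic(v))
    return maxlen, len(values) - ngene, ngene


def nstring(authorization):
    """authorization maps field name -> list of (from_value, to_value) pairs."""
    if len(authorization) > MAX_FIELDS:
        raise ValueError(f"more than {MAX_FIELDS} fields in one authorization")
    total = 3 + 18 * len(authorization)
    for entries in authorization.values():
        maxlen, nnorm, ngene = field_stats(entries)
        total += nnorm * (maxlen + 1) + ngene * (maxlen + 3)
    return total


def fits_in_vals(authorization):
    # Per the note, an NSTRING greater than 3,750 cannot be activated or generated.
    return nstring(authorization) <= VALS_LEN


# The S_USER_AUT authorization from the note's worked example.
NOTE_EXAMPLE = {
    "ACTVT": [("03", ""), ("08", "")],
    "AUTH": [("TESTFIAUTH00", "TESTFIAUTH10"), ("Z*", "")],
    "OBJECT": [("F_KNA1*", ""), ("F_BKPF*", ""), ("F_KNKK_BED", "")],
}


def constructed_single_field_auth(count):
    # Constructed sample: one field holding `count` distinct 8-character values.
    return {"TCD": [(f"ZT{i:06d}", "") for i in range(count)]}


if __name__ == "__main__":
    print("NSTRING for the note's example:", nstring(NOTE_EXAMPLE))
    for n in (414, 415):
        auth = constructed_single_field_auth(n)
        print(n, "values ->", nstring(auth), "fits" if fits_in_vals(auth) else "too long")
```
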

Similar Messages

  • User, Role, Profile Synchronization Job Fails

    Hi Gurus,
    When I am scheduling a job, the User, Role, and Profile Sync. job fails, giving an error:
    "Cannot assign a java.lang.String object of length 53 to host variable 5 which has JDBC type VARCHAR(40)."
    This happens when the synchronization happens with a portal system. We don't have a ruleset for the portal system, so if I put in a "*", it includes this system and results in the error. If I manually select all other systems, it works fine. Is there any way to remove this error so that I can schedule the jobs without having to select every system manually?
    Regards,
    Chinmaya

    Hi,
    As per my knowledge, in the Portal system, you should perform only user sync. Roles/profile sync will not work since the portal will have workset roles.
    Please refer to SAP Note 1168120, which may help you to understand the limitations.
    Hope this helps!!
    Rgds,
    Raghu
    Edited by: Raghu Boddu on Nov 4, 2010 7:39 PM

  • Solution Manager 4.0 Solution Monitoring User -Roles-Profiles for Satellite

    Hi All,
    I have installed Solution Manager 4.0 (OS: Linux, Database: DB2).
    Now I need to connect Solution Manager to the R/3 4.6C
    satellite systems (DEV, QAS, PRD) for Solution Monitoring
    and Service Level Reporting.
    I have read the configuration guide, but I am unable to get a clear idea.
    1) What users (also the type of user: Dialog, Service, Communication etc.) do I need to create in DEV, and test in QAS, for solution monitoring?
    2) What exact roles/profiles need to be assigned to these users in the satellite systems?
    3) What users/roles/profiles need to be set up in the SOLMAN system?
    I have applied all the required plug-ins and support packs
    in the satellite systems and Solman 4.0.
    Please advise. Your response will be a great help for me.
    Satish

    Hello Satish,
    Just clarify whether you meant connecting the satellite systems for EWA reports, to be precise, EarlyWatch reports. If that is the case, then respond so that I can put in my inputs, which may be helpful for you in this config.
    Rgds,
    Sri

  • Trying to understand "User/Role/Profile Synchronization" and Batch Analysis

    Hello,
    I'm trying to understand what exactly, and from which tables, these jobs are copying to which tables in CC. I have an understanding that these jobs are also moving deleted roles from the backend. This is causing unnecessary delay to a long-lasting job.
    I would appreciate it if someone could explain the logic behind these jobs. What are the full sync and incremental reading? What kind of changes cause a role/user/profile to be included in the full and incremental jobs?
    How is the incremental analysis logic built?
    br Janne

    Janne,
    In my current implementation we are going for an offline risk analysis due to the heterogeneous system landscape of our client (several SAP and non-SAP systems and several SAP systems under 4.6C). Even though within our approach we don't perform the backend synchronization (we use the CC data extractor to pull data from the backend into CC), I hope the following info could help you:
    The tables such jobs you mention access to, are all the SAP backend system tables related with users, roles, profiles, action and permissions. If you check the data mapping appendix of the "user and configuration guide for 5.2" you will see all the data that CC retrieves. For instance, in order to extract user info (UserID, FName, LName, Email, Phone, Email, Department) tables USR21, USR02, ADRP, ADR6 and ADCP must be accessed.
    In terms of CC tables:
    VIRSA_CC_SYSUSR >> UserIDs and Systems ID relationship
    VIRSA_CC_GENOBJ >> User, Role and Profile master data
    VIRSA_CC_GENACT >> User-action, role-action and profile-action data
    VIRSA_CC_GENPRM >> User-permission, role-permission and profile-permission
    VIRSA_CC_SAPOBJ >> Action-permission
    VIRSA_CC_OBJTEXT >> Object descriptions (ACT, PRM, FLD, VAL, ORG)
    Hope this helps.
    Regards,
       Imanol

  • Function module to modify the user roles & profiles

    Hi All,
    I am working on user maintenance and i need a function module to modify the user roles & profiles.
    Thanks in Advance.
    Phani.

    I used the FMs below:
    BAPI_USER_ACTGROUPS_ASSIGN for assigning the roles.
    To delete the profiles of the user and assign the profiles to the user:
    BAPI_USER_PROFILES_DELETE
    BAPI_USER_PROFILES_ASSIGN
    I used the above FMs for my requirement.
    Regards,
    Phani.

  • How to check user role/profile

    Dear all,
    I'm looking for a function module to get a list of the profiles/roles of a user. Would you please advise me on this?
    Btw, if you have any other advice please feel free to let me know.
    Thanks in advance.
    Peersit

    I've just found the related threads on this site.
    User Profile Details
    Re: User Profile Details
    User Wise Authorization/profile report needed
    User Wise Authorization/profile report needed
    Have a good day.

  • List roles/profiles/authorizations for end user

    Hi All
    Can anyone please give the list of roles/profiles/authorizations
    that need to be added to our end user ID so as to view
    (display only) all the BEx reports.
    Points assured
    Thanks
    Vijaya

    Hi Vijaya,
    Go through this link:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a07122ae-8216-2a10-c9a5-996717a0648b
    Thanks,
    Ajay

  • Structural authorization : role, profile, user group

    Dear All,
    I am working in OM in structural authorization. Can anyone tell me the difference among roles, profiles, and user groups?
    I am mainly concerned with roles and profiles. What exactly is a role and what is a profile?
    Please give me a practical example.
    Regards,
    Kumar

    Hi kumar,
    Roles: It is divided into single roles and composite roles. It is used to maintain your list of allowed transactions and reports as a menu. Once you have assigned this role to the user, he/she can access only those transactions that you maintained in the menu.
    Profile: It is based on the authorization object. Unless and until you generate the profile, the system will not consider the authorization for the assigned menu. You can provide the authorization based on various objects like infotype, transaction code, master record, org key, ...
    User Group: Used to set the unique set of rules for the specific user, i.e. how the system should react in case of a specific user group.
    Good Luck
    Om
    Reward it, if you feel it is helpful.

  • Compliance Calibrator 5.2 user/role/profile sync

    I have run into an issue with a user, where the user is getting flagged as having risks associated in Basis for having a combination of transactions. Under CC it is saying that she has S_Develop Auth Obj with Activity 1 and 2. However, when we check the user in R3, all of her profiles and roles that have a Basis associated and have the auth object, she has activity 3. So the information is not synchronizing properly.
    Thanks for any help

    When was the last time you ran a user/role/profile synchronization or a batch risk analysis for this user?
    In case you need more info, check : https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/50cd7177-5c22-2a10-8cba-8e0c64bc4ea8
    Regards.

  • Single role limit to user

    Hello
    Some of the users might get more than 300+ single roles in production. Is that OK?
    Is this going to affect the user buffer area? Please let me know your thoughts and your experience regarding the limit on the number of roles for users.
    Thanks
    Damodar

    A profile name is 12 characters long and the USR04 field can fit 312 of them into one record before the lights go out.
    However... table USREFUS has a field REFUSER which also has a length of 12 char, yet you can fit another 312 profiles into it...
    So the actual limit is 624 profiles.
    Technically there is NO LIMIT to the number of roles, as some roles might contain only menus or UME mappings or personalization keys. It is only when PFCG notices that the assigned profiles have reached the limit that it throws an error.
    Other UIs for role assignment (such as some tools out there...) do not respect and react to this limitation and let you run into the problems as if it were your own fault.
    If the average user needs more than max 10 roles you should anyway start rethinking / optimizing your authorization concept IMO.
    Cheers,
    Julius

  • Maximum roles assignment per user

    Hi,
    I am in a security project, and after role design was done there are a lot of roles designed by our functional consultants. There are 33 company codes present in the company, and a few end users are responsible for 20 company codes. So I saw more than 450 derived roles created per user. Now my question is: can I assign 450 roles to a user?
    As far as I know, a maximum of 312 roles can be assigned to a user. But is there any profile parameter available in SAP so that I can assign more than the default maximum number of roles?
    Thanks,
    Sudip

    An auditor once had the task to audit a system of "mine" and ended up going for speculation about improvement possibilities in his presentation to the CIO (who was originally an ABAP developer when he started in the company!)
    <blabla>The overall security of the roles could be improved by using composite roles to reduce the number of roles (okay... you can use "personalization" attached to composites...) and therefore profiles assigned to the users. This will (apparently) make maintenance easier (I think he wanted to derive the composites?) and produce less SoD conflicts requiring mitigating controls, thereby avoiding long debates with the auditors each time.</blabla>
    I let him walk into that one on his own steam... the resultant discussion was like a Monty Python scene, or possibly even Blackadder...
    Cheers,
    Julius
    ps: Regarding [my hat|http://www.google.ch/imgres?imgurl=http://www.chocolates-ala-carte.com/look/news/candy_mag_feb07/c_i_hat.jpg&imgrefurl=http://www.chocolates-ala-carte.com/look/news/candy_mag_feb07/index.html&usg=__m6YWntia9g543IgeOxZBu_JYSSw=&h=361&w=458&sz=137&hl=de&start=0&zoom=1&tbnid=GQ3eRe-oXx12_M:&tbnh=135&tbnw=172&ei=WkltTc_-Aoa6vwOflpm5BA&prev=/images%3Fq%3Dchocolate%2BAND%2Bhat%26um%3D1%26hl%3Dde%26rlz%3D1R2ADSA_deCH392%26biw%3D1259%26bih%3D544%26tbs%3Disch:1&um=1&itbs=1&iact=hc&vpx=126&vpy=74&dur=9750&hovh=199&hovw=253&tx=143&ty=108&oei=WkltTc_-Aoa6vwOflpm5BA&page=1&ndsp=21&ved=1t:429,r:0,s:0]: easter is around the corner.
    pps:
    If someone can convince me that it's a good idea to increase the max number then I will eat Julius' hat
    Actually I can smell blood in the water here via object K_REPO_CCA... 
    Edited by: Julius Bussche on Mar 1, 2011 8:40 PM

  • How to count direct plus indirect roles assigned per user (8.1.7.4) ?

    Hi, because of the 148 max roles limit in 8.1.7.4 (and because we use Noetix, which generates many roles!), we would like to build a query that can be used as an alert and that tells us the following: the number of roles (direct and obtained through inheritance of roles).
    For instance:
    user howmanyroles
    Fred 12
    Noetix 125
    ..

    1.-
    2.c
    3.a
    4.a
    5.c
    6.b
    7.a
    8.d
    9.b
    10.a -
    11.a
    12.c
    13.b
    14.d
    15.c
    16.a -
    17.a
    18.d
    19.c
    20.a
    21. -
    22.d
    23.b
    24.?
    hope it helps u.
    Thanks
    Kuljeet

  • How to determine role authorization of user in MAM?

    Hi everyone,
    I'm new to SAP and SAP MI, and I am currently implementing (or "enhancing") a MAM. I have the following question on user authorization:
    In terms of role authorizations, does anyone know how I can determine what roles an authenticated user has from SAP? For example, if user A logs into the MI Client, and if this user accesses the MAM, is there a way for the MAM to know what kind of user roles he/she has? Is there a SyncBo that will give me such info? I checked the JavaDocs for the SyncBos, but they have NO descriptions. The closest thing that I found was in MAM090 (Interface com.sap.mbs.mam.bo.MAM090). There are getter methods for getRoleGen(), getProfileResource(), and getPartnerRole(). Are any of these usable?
    Are there any good documents that I can look at to determine what each SyncBo does?
    Many thanks!
    Jeffrey

    Hi Jeffrey!
    Here are the 3 different checks you have to look at under "Users & Authorizations" for setting up your MAM users.
    (1) SAP Backend:
    (1a) The SAP MAM user who synchronizes with the backend from the MI Client should have all necessary authorizations for the Plant Maintenance components of the SAP system that are associated with your MAM scenarios. Please refer to the following SAP authorization objects: I_ALM_ME, I_AUART, I_BEGRP, I_BETRVORG, I_CCM_ACT, I_CCM_STRC, I_ILOA, I_INGRP, I_IWERK, I_KOSTL, I_QMEL, I_ROUT, I_ROUT1, I_SOGEN, I_SWERK, I_TCODE, I_VORG_MEL, I_VORG_MP, I_VORG_ORD, I_WPS_MEB, I_WPS_REV in your backend system, and have them assigned to the user profile, based on your requirement.
    (1b) Service user for setting up the MAM & MI landscape: This user's logon info has to be set up in the RFC destination that is associated with your MAM25 SyncBOs, to log on to the backend system, and this user should have the basic authorizations required to establish the connection.
    (2) MI Middleware: The SAP MAM user who synchronizes with the backend from the MI Client should have the following authorization objects assigned to his/her profile: S_ME_SYNC, S_RFC, S_TCODE.
    (3) MI Client: Refer to the MI Security Guide. Please note that the MI Client MAM user is the same as the middleware user and the backend user. You should be taking care of this already. This is just an FYI.
    Let me know, if you are looking for any other additional info.
    Thank You
    Gisk

  • How to capture the role of the user logged in  CRM

    Hi
    How can I capture the role of the user logged in to CRM so as to restrict the account group selection while creating a sales order?
    Can we determine the profile in the related view? If so, how, and what tables can we use to do so?

    hi,
    I think you should check CRM table AGR_USERS.
    Regards
    Michael

  • Table used for storing roles/profiles assignment in CUA landscape

    Hi,
    The following is my CUA setup:
    master client - 999 of SRM 4.0
    child client - 101 of ECC 5.0
    child client - 202 of SCM 4.1
    In CUA, all distribution works on the logical name assigned to the respective client.
    Here is my question:
    Let's say user 'XYZ' in the master client is assigned single as well as composite roles and composite profiles, assigned in the master as well as the child systems.
    Please tell me in which table SAP maintains the relationship showing which CUA client a composite role/profile is from.
    From my findings, the tables which store the roles and profiles from the master and child systems are USRSYSACT & USRSYSPRF.
    But I am not able to find the table which stores the role-to-user and user-to-profile assignments in a CUA setup. Can someone please help me?
    Thanks,
    John.

    Hi, check the tables:
    USR10      - role definition
    AGR_PROF   - Profile for Roles
    AGR_TEXTS  - Role descriptions
    AGR_USERS  - Assignment of roles to users
    AGR_DEFINE - Auth profiles
    If needed, see other tables with USR* and AGR_*
    Reward points if useful
    Regards
    Anji
