Minimize the number of roles using the Bolt-on's

I read an article from SDN; it describes the process of maintaining Organization Authorization in a separate Role. This helps to reduce the number of roles being created. Below is the description. And I totally agree with the concept. Read below.
>According to the article:
>You can make use of the Bolt-on concept to reduce the total number of profiles that need to be built in an implementation. An example will clarify the benefits of its implementation.
>Let's consider the purchase requisitions. Two business rules exist for approving the purchase requisitions. One is the plant code, and the other is the Release code. Assume that your company has 10 different Release codes, for various approval ranges. Now, on the other hand, if you have 20 plants, you need to have 20 X 10 = 200 roles. That is 10 roles per plant.
>By using the Bolt-on concept, this can be achieved by removing the authorization objects which control user status (these objects contain no organizational value component) from the transactional role and placing them within their own unique global role with the plant code. This way, you will end up creating 10 transaction roles without the plant code and 20 global roles, which will have only the plant code in them.
>Further, the appropriate combinations can be determined by the business requirements.
>This approach reduces exponentially the number of roles that need to be built. The end result is that 30 roles are required to achieve the same objective.
>The same Bolt-on process can be implemented when the authorization check is done on an organization level. However, this process will be viable only when the number of roles that need to be created is greater.
As per my understanding, we need to isolate all Auth objects from a role and make a separate role specially only for Org structure, and then give a combination of those Org Roles to provide access for those Org Units.
My questions are:
1) How do we identify all Auth objects that give access to an Org unit from a given role?
2) How do we make a role that gives Authorization for a particular Org Unit only? (And that role should not have any authorization for Tx or activities.)
3) What is recommended to maintain Org unit Authorization? Is the Bolt-on's method suitable to maintain all Org Unit Authorizations?
Edited by: Hussain Sehorewala on Jul 2, 2008 4:11 PM

>
Jurjen Heeck wrote:
> It is non SAP-standard and I generally advise against them for just that reason. It requires a lot of documentation and checks to make sure no-one destroys the concept just by following SAP guidelines. Also upgrades can cause a lot of problems with bolt-ons.
>
> Jurjen
I agree 100% with Jurjen.  It can work well but in the vast majority of times I have seen them, they have led to reduced control, reduced auditability and basically been a mess.  SecureInfo have a tool which builds roles in this way but it also has appropriate controls in place too.
If you look at the following scenario:
You have a functional role and an org role.
If you have org roles for each func role then you are in the same situation as you are with derived roles.
If you start to combine auth objects to build a bigger org role then you are assigning additional auth objects over and above what the transactions in the func role require.  We all know that to properly secure something, you need to control by auth object so in this case you are already potentially opening yourself up to giving excess access.
6 months later you want to remove a tcode from the func role.  If you maintain std SAP method properly then the auth objects will also be removed too if it is not shared.   With lots of these objects in the org role then you will need to cross check every single tx in the func role with every object in the org role.  Most people don't bother & that's one of the reasons why this build method can get very, very messy as you lose the link between t-code and object that SU24 provides.
I've used this method in BW a few times & it works really well, but for R/3 it usually ends up with more trouble than it solves.   There are situations where it can make things easier but I would only use it as a supplement to a standard method role build.
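
The cross-check described in the reply above (every transaction in the functional role against every object in the org role), sketched as an added example that is not part of the original thread. The role names are hypothetical and the SU24-style mapping is constructed for illustration; a real audit would export both from the system.

```python
# Added example: constructed data, not an export from any real system.
# SU24-style check proposals: transaction code -> authorization objects.
SU24 = {
    "ME51N": {"M_BANF_BSA", "M_BANF_EKG", "M_BANF_WRK"},  # create requisition
    "ME54N": {"M_BANF_FRG", "M_BANF_WRK"},                # release requisition
    "ME21N": {"M_BEST_BSA", "M_BEST_EKG", "M_BEST_WRK"},  # create purchase order
}

# Objects that carry the plant org level and therefore live in the org role.
PLANT_OBJECTS = {"M_BANF_WRK", "M_BEST_WRK"}

# Hypothetical role names. Functional roles hold transactions only;
# org roles hold only plant-bearing objects and their plant values.
FUNC_ROLES = {
    "Z_F_PR_CREATE": {"ME51N"},
    "Z_F_PR_RELEASE": {"ME54N"},
    "Z_F_PO_CREATE": {"ME21N"},
}
ORG_ROLES = {
    "Z_O_PLANT_1000": {"M_BANF_WRK": {"1000"}, "M_BEST_WRK": {"1000"}},
    "Z_O_PLANT_2000": {"M_BANF_WRK": {"2000"}},
}


def audit_assignment(func_roles, org_roles):
    """Compare what a user's transactions check with what the org roles grant."""
    tcodes = set().union(*(FUNC_ROLES[r] for r in func_roles))
    needed = set().union(*(SU24[t] for t in tcodes)) & PLANT_OBJECTS
    granted = {}
    for role in org_roles:
        for obj, plants in ORG_ROLES[role].items():
            granted.setdefault(obj, set()).update(plants)
    return {
        # Granted by an org role, but no assigned transaction checks it.
        "excess": {o: sorted(granted[o]) for o in sorted(set(granted) - needed)},
        # Checked by an assigned transaction, but no org role supplies a plant.
        "missing": sorted(needed - set(granted)),
    }


def audit_users(assignments):
    """Return only the users whose role combination has a finding."""
    findings = {}
    for user, (func_roles, org_roles) in assignments.items():
        result = audit_assignment(func_roles, org_roles)
        if result["excess"] or result["missing"]:
            findings[user] = result
    return findings


if __name__ == "__main__":
    # Constructed assignments: user -> (functional roles, org roles).
    users = {
        "REQUESTER": (["Z_F_PR_CREATE"], ["Z_O_PLANT_1000"]),
        "BUYER": (["Z_F_PR_CREATE", "Z_F_PO_CREATE"], ["Z_O_PLANT_1000"]),
        "PO_ONLY": (["Z_F_PO_CREATE"], ["Z_O_PLANT_2000"]),
    }
    for user, result in audit_users(users).items():
        print(user, result)
```

Rerunning the audit after a transaction is dropped from a functional role shows which org-role objects are left behind for each affected user.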
