MSS (non-webdynpro) Authorizations and Roles

Do you know the MSS 60.1 business package authorizations and roles that are required for the backend R/3 system?  I noticed an SAP note exists for the webdynpro version (#798967) but didn't see a note for the old package.

Umair,
I know this auth object is required for webdynpros in new business package but does it apply for old traditional java MSS package too?
Thanks, John

Similar Messages

  • Regarding Authorizations and Roles

    Hi All,
    Can anyone explain Authorizations and Roles to me in detail?
    regards,
    Ali

    Links for Learning about Authorizations:
    http://help.sap.com/saphelp_nw70/helpdata/en/44/599b3c494d8e15e10000000a114084/frameset.htm
    http://help.sap.com/saphelp_bw33/helpdata/en/be/076f3b6c980c3be10000000a11402f/content.htm
    http://help.sap.com/bp_biv235/BI_EN/documentation/Authorization_BW_Proj.pdf
    http://help.sap.com/saphelp_nw04/helpdata/en/e3/e60138fede083de10000009b38f8cf/frameset.htm
    Links to learn about Roles:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
    http://www.bwexpertonline.com/archive/Volume_04_(2006)/Issue_10_(Nov_and_Dec)/V4I10A2.cfm?session=
    Assign points if helpful,
    Venkat

  • Authorizations and roles

    Hi all!!
    I'm creating an authorization object to restrict some key figures of an InfoCube.
    I want to restrict only four or five key figures for one cube, and the user can see all the characteristics. Is it possible to do this?
    I found this way, but it is not really what I want:
    I created an authorization object that contains, for example, 0material and Key fig.
    In transaction PFCG, in the role, I go to the authorization and include the object that I created and put the values * for material and the key figure that I want to see.
    But I want the user to be able to see all the chars, not necessarily 0material, and to hide some key figures.
    Thanks for the answer,
    Greetings,
    Monica

    Hi!!
    Thanks for the answer
    When I do this and execute the query, I can see all the key figures (they are in the area of columns), and, for example, I don't want to see one of them.
    I'm not sure if I'm doing something wrong.
    I followed these steps:
    1. I created in RSSM an authorization object with only 1KYFNM.
    2. In PFCG I added to the role the object that I have created and put in the values of ratio the ratios that I want to see.
    3. I updated the roles for the user.
    Then I executed the query and I see all the KF; I don't have any authorization variable in the query because I want that applied for all the chars.
    Thanks again,
    Mónica

  • Authorizations and role maintainance

    Please tell me how the authorizations in a role are maintained.
    Thanks

    Hi,
    For role and authorization maintenance, the T-code is PFCG.
    1. Identify the users and what kind of role and authorization needs to be given;
    you can divide the roles like PA, OM, TIME and Payroll.
    2. There are 2 kinds of role: a) Single Role and b) Composite Role.
    3. In the role, give a name and click on create single role.
    Then you will find different tabs: 1) Description, 2) Menu, 3) Authorization and User.
    You can define it according to the requirement, or you can copy from the standard role and assign to this.
    Thanks
    Sethu

  • Check users authorizations and role

    Hello!
    How can I check the authorizations of Web Dynpro application users and also his role?
    Thanks
    rgds
    sas

    HI,
    Please go through the following links:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/wd%20java/web%20dynpro%20security.pdf
    https://help.sap.com/javadocs/index.html
    use the method isMemberOfRole.
    Regards
    Ayyapparaj

  • End User Authorizations and Roles

    Hi,
    What authorizations do I need to give to an end user who uses the device?
    Is it necessary for the user ID to be the same in the MI Client, MI server and Backend systems?
    Let me explain what an end user does:
    - logs into MI client
    - performs first synchronization
    - executes the Mobile Application assigned
    - performs synchronization at the end of the day
    rgds,
    Kiran

    Hi Kiran
    Probably I wasn't clear with my reply. You need to assign both the above-mentioned authorizations to the same user who is performing a sync from the MI Client. S_ME_SYNC is required for the user to perform a sync from MI Client to MI server. S_RFC is required for the same user so that the data can be transferred from MI server to SAP backend and vice versa.
    Hope I am clear now
    Best Regards
    Sivakumar

  • BI 7.0 authorizations and roles

    Hi,
    Is it possible to use only the old authorization profiles, like in version 3.5, in BI 7.0?
    I mean, I don't want to use the new authorizations that BI 7.0 has.
    I want to use the old authorizations like in BI 3.5.
    I just want to use PFCG.
    I don't want to use transactions like rsecadmin, rsu01, RSA1, rsd1.
    Is it possible?
    Thanks a lot.

    Hi,
    SAP strongly recommends using the new Analysis Authorizations in SAP NetWeaver 7.0. The Authorizations will not be further developed (enhanced). Please check this link:
    http://help.sap.com/saphelp_nw04s/helpdata/en/be/076f3b6c980c3be10000000a11402f/content.htm  -SAP Service Marketplace /bifaq
    You can use the Reporting Authorizations, which are still the same in both.
    S_RS_COMP and S_RS_COMP1 are the auth objects which controls the reporting parameters.
    Authorizations to Work with a Query
    http://help.sap.com/saphelp_nw04/helpdata/en/80/1a68b4e07211d2acb80000e829fbfe/content.htm
    Example for Reporting Authorizations -
    http://help.sap.com/saphelp_nw04/helpdata/en/41/05453caff4f703e10000000a114084/content.htm
    Regards
    CSM Reddy

  • Authorization or roles assign?

    Hi All,
    I have installed XI 3.0 on Windows Server 2003, but my users are getting this error and are not able to create a product. It says "You are not authorized to view the requested resource 403 forbidden".
    Which authorizations and roles do I need to set for every user?
    Regards,
    Rohit

    Error: HTTP 403 Forbidden
    Description: The server understood the request, but is refusing to fulfill it
    Possible Tips:
    Path sap/xi/engine not active
    • HTTP 403 during cache refresh of the adapter framework: refer to SAP Note 751856
    • Because of inactive services in ICF: go to transaction SICF and activate the services. Refer to SAP Note 517484
    • Error in RWB/Message Monitoring because of J2EE roles: refer to SAP Note 796726
    • Error in SOAP Adapter, "403 Forbidden" from the adapter's servlet: because the URL is incorrect or the adapter is not correctly deployed.
    From
    /people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
    Regards,
    Prateek

  • Custom MSS Webdynpro form and update & approval process.

    Hi,
    I developed an MSS form using Webdynpro Java and want to add a submit (not for the actual update) as well as an approval/rejection process.
    The standard process is to route the PCR notifications through the HR Administrator, who will then process them in the backend, to facilitate any audits & validations before the actual update.
    So where should the data be stored before the actual update? Do I need to use XML? How do I get the notification number in this case?
    Is there a way to store the data directly in R/3 and get the data from iqs_special_data_get, if that is good practice?
    What is the solution for my requirement? Please guide me.
    Thanks
    Ali

    Hi  raza ,
    To study the standard MSS PCR process, please study the development guide for PCR available at SAP Service Marketplace.
    Standard MSS PCR forms are designed at SFP in ABAP and are processed through BADI QISR1.
    For PCR workflows refer to:
    WS31000009 ISR_CONTROL
    WS31000010 ISR_APPROVE
    WS31000011 ISR_PROC
    I would suggest to study the standard process first before doing any customizing .
    Thanks,
    sahiba

  • Authorization Object And Roles For  Functional Consultant

    Dear Expert,
    What kind of Authorization Objects and Roles should be provided to Functional Consultants (FI, MM, SD, PM, PS, CO, HR) at the time of implementation?
    Thanx in advance
    Pavel

    Thanks Juan,
    We now already have it here and in the NW IDM forum a few times as well...
    Cheers,
    Julius

  • SAP Portal Network - WebDynpro iView and SAP Application iView sharing

    Hello All,
    I've read about the restrictions in SAP Portal supporting the WSRP standard for application sharing. Mainly WebDynpro iViews and SAP application iViews sharing is not supported. That is in the case of a SAP Portal as producer and Non-SAPPortal as consumer.
    I'm interested in a WebDynpro iViews and SAP application iViews sharing in a only-SAP Portals Network, where SAP Portals act as producer and consumer.
    I've heard about the Remote Role Assignment and Remote Content Copy that are used in such a case. I would like to ask if anyone knows whether these can help overcome the restriction in sharing WebDynpro iViews and SAP application iViews that is present with WSRP? And whether the advantage of WSRP, that is, the application execution and rendering on the producer side and the resulting decrease in bandwidth usage, remains in the case of the Remote Role Assignment and Remote Content Copy.
    Thanks,
    Mladen

    Hi Manish,
    for sharing content between SAP and non-SAP Portals, your case, refer to
    http://help.sap.com/saphelp_nw2004s/helpdata/en/43/23fb36cad10d23e10000000a1553f7/frameset.htm
    All the possibilities and restrictions of WSRP in the case of SAP EP are explained there.
    For sharing content between only SAP Portals refer to my other thread:
    Portal Network - Content Sharing
    Hope it helps you!
    Mladen

  • Authorization for Role Assignment

    Dear Experts,
    I have a scenario whereby a user is able to assign a set of roles to end-users but should not be allowed to do so for himself. I could only think of assigning user groups to the person's authorization which restrict him to assign roles to end-users from specific user groups. However, this is not desirable in our scenario as this means we need to maintain user groups for the entire organization (which is a huge organization). I would like to enquire if anybody has implemented similar requirements via standard/alternative means. Any suggestion and advice is appreciated. Thanks.

    Louis,
    I think this is a standard security and authorizations question, and not really HR specific.  You are correct in that the standard way to achieve this is with user groups.  However, it doesn't have to be as onerous as you are thinking.  The usual way of achieving this, of having an authorizations administrator or user administrator who can manage standard end-users but not him- or herself is to assign just that user to a group, typically called SUPER, and not worry about assigning groups to all the other end-users (or at least, not for this purpose).  You might also put all other high-power basis users, like the system administrator and any other security administrators, into this SUPER group, since you don't want anyone other than the super-superuser to manage them.  Then, you assign the user administrator role the S_USER_GRP authorization with the usual activities for user group ranges 0-SUPEQ and SUPES-Z.  This allows the role to manage users in all user groups except SUPER.
    I would also only allow this role to work with authorization profiles starting with the standard T, and role names in the pattern Z.  Then make sure that this role itself is not in the Z* customer namespace, but instead in the Y* customer namespace, and this way you prevent the user administrator from getting through a loophole and being able to create or modify non-SUPER users and simply assign them to the User Administrator role as a way of bypassing the above restriction.
    You should also not allow the User Administrator role to directly modify roles or profiles, only to create users and assign them to existing roles in the Z namespace.
    I trust that this helps.
    --Matt
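
The group-range and namespace restrictions described in the reply above can be checked offline against an export of the administrator role's values. This is an added example, not part of the original thread: it assumes range bounds compare as plain uppercase ASCII strings, and the role name `Y_USER_ADMIN`, the sample group list and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase


def in_ranges(value, ranges):
    """True if value lies inside any inclusive (low, high) range.

    Assumption: values compare as plain ASCII strings, so 'SUPER1' sorts
    between 'SUPER' and 'SUPES'.
    """
    return any(low <= value <= high for low, high in ranges)


def audit_user_admin(group_ranges, role_patterns, admin_role,
                     protected_groups, all_groups):
    """Audit a user-administrator role against the thread's design.

    group_ranges     -- (low, high) user-group ranges granted to the role
    role_patterns    -- role-name patterns the admin may assign, e.g. 'Z*'
    admin_role       -- name of the user-administrator role itself
    protected_groups -- groups the admin must never manage, e.g. 'SUPER'
    all_groups       -- every user group defined in the system
    """
    # Protected groups that the granted ranges still cover.
    exposed = sorted(g for g in protected_groups
                     if in_ranges(g, group_ranges))
    # Loophole: the admin can hand out the admin role itself.
    self_assignable = any(fnmatchcase(admin_role, p) for p in role_patterns)
    # Ordinary groups that fall into the gap by accident.
    unmanaged = sorted(g for g in all_groups
                       if g not in protected_groups
                       and not in_ranges(g, group_ranges))
    return {"exposed_protected": exposed,
            "self_assignable": self_assignable,
            "unmanaged_groups": unmanaged}


# Constructed sample data: group names as they might appear in a system.
SAMPLE_GROUPS = ["FINANCE", "HR", "SUPER", "SUPER1", "TEMP"]

# Values from the thread: ranges 0-SUPEQ and SUPES-Z, roles in Z*,
# the administrator role itself kept in Y*.
THREAD_DESIGN = audit_user_admin(
    group_ranges=[("0", "SUPEQ"), ("SUPES", "Z")],
    role_patterns=["Z*"],
    admin_role="Y_USER_ADMIN",
    protected_groups=["SUPER"],
    all_groups=SAMPLE_GROUPS,
)

# A weak variant for comparison: one range over everything, and the
# administrator role named inside the assignable namespace.
WEAK_DESIGN = audit_user_admin(
    group_ranges=[("0", "Z")],
    role_patterns=["Z*"],
    admin_role="Z_USER_ADMIN",
    protected_groups=["SUPER"],
    all_groups=SAMPLE_GROUPS,
)

if __name__ == "__main__":
    print("thread design:", THREAD_DESIGN)
    print("weak design:  ", WEAK_DESIGN)
```

Under this comparison the gap between SUPEQ and SUPES also swallows any group whose name merely starts with SUPER, such as the constructed SUPER1, so such names are worth reviewing when groups are created.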

  • Background job fails for BDC profile creation and role assignment

    Hi Experts,
    I have created a BDC function module for T-code 'PFCG' for profile creation and role assignment, and called this FM in my zprogram. The problem is that when I run this program in the foreground it executes successfully, but if I schedule it in the background it fails, throwing an error in the job log: 'Role 'Z...' does not contain any active authorizations'. But I have created one more program to create authorization objects, which runs before this zprogram. I have also checked the authorization object in 'RSECADMIN'; it shows as active. I don't understand what's happening exactly when it runs in the background.
    Below is the process of job
       1. ZMIS_AUTH_OBJECT_CREATE
           Variant : auth-create
       2. ZMIS_AUTH_ASSIGN_TO_ROLE
           Variant : auth-assign
    The problem is in second program, runs in foreground but fails in background.
    Code which i have written in my second program
    ***BDC for Profile creation and assignment to Roles
        CALL FUNCTION 'ZROLE'
          EXPORTING
           ctu                     = 'X'
           mode                    = p_mode
           UPDATE                  = 'L'
    *   GROUP                   =
    *   USER                    =
    *   KEEP                    =
    *   HOLDDATE                =
           nodata                  = '/'
            agr_name_neu_001        = wa_role-role_name
            text_002                = wa_role-desc
            text_003                = wa_role-desc
            text_004                = wa_role-desc
           value_01_005            = 'T-ML330881'
            h_fval_low_01_006       = wa_role-auth
            profn_007               = lv_profile
            ptext_008               = lv_text1
    * IMPORTING
    *   SUBRC                   =
         TABLES
           messtab                 = temp_message.
    ***Generation of Profile created
    CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
         EXPORTING
           activity_group                      = wa_role-role_name
    *     PROFILE_NAME                        =
    *     PROFILE_TEXT                        =
          no_dialog                           = ' '
          rebuild_auth_data                   = ''
          org_levels_with_star                = ' '
          fill_empty_fields_with_star         = 'X'
          template                            = ' '
          check_profgen_tables                = 'X'
          generate_profile                    = 'X'
          authority_check_pfcg                = 'X'
       EXCEPTIONS
         activity_group_does_not_exist       = 1
         activity_group_enqueued             = 2
         profile_name_exists                 = 3
         profile_not_in_namespace            = 4
         no_auth_for_prof_creation           = 5
         no_auth_for_role_change             = 6
         no_auth_for_auth_maint              = 7
         no_auth_for_gen                     = 8
         no_auths                            = 9
         open_auths                          = 10
         too_many_auths                      = 11
         profgen_tables_not_updated          = 12
         error_when_generating_profile       = 13
         OTHERS                              = 14  .
    Experts, please help me out; it's very urgent. Your help is appreciated and rewarded. Thanking you in advance.
    Regards,
    Chetan

    Hi Praveen,
    Yeah, definitely. My requirement is that I have to give access to some BI reports to certain users, so contract data will be downloaded from ECC onto the application server; I need to read that file from the application server, and for each contract I should create an authorization object, create a role, assign the role to the user, and generate and activate the profile.
    To achieve this I have written two programs:
    1) ZMIS_AUTH_OBJECT_CREATE - This program will create the Authorization Object using BDC and create the Role using the BAPI
    "" Creation of Authorization Object
    CALL FUNCTION 'ZAUTHOBJ'
            EXPORTING
             ctu                    = 'X'
             mode                   = p_mode
             UPDATE                 = 'L'
    *   GROUP                  =
    *   USER                   =
    *   KEEP                   =
    *   HOLDDATE               =
             nodata                 = '/'
             g_authname_001         = 'ZDUMMY_MIS'
              g_targetauth_002       = wa_tab-auth
              g_authtxt_003          = wa_tab-short_desc
              g_authtxtmd_004        = wa_tab-med_desc
             marked_04_005          = 'X'
              g_authtxt_006          = wa_tab-short_desc
              g_authtxtmd_007        = wa_tab-med_desc
             tctiobjnm_04_008       = 'ZBUS_UNIT'
              g_authtxt_009          = wa_tab-short_desc
              g_authtxtmd_010        = wa_tab-med_desc
             marked_05_011          = ''
             opt_01_012             = 'EQ'
              low_01_013             = wa_tab-bu
              g_authtxt_014          = wa_tab-short_desc
              g_authtxtmd_015        = wa_tab-med_desc
             marked_04_016          = 'X'
              g_authtxt_017          = wa_tab-short_desc
              g_authtxtmd_018        = wa_tab-med_desc
             tctiobjnm_04_019       = 'ZCONTRCT'
              g_authtxt_020          = wa_tab-short_desc
              g_authtxtmd_021        = wa_tab-med_desc
             marked_05_022          = ''
             opt_01_023             = 'EQ'
              low_01_024             = lv_contract
              g_authtxt_025          = wa_tab-short_desc
              g_authtxtmd_026        = wa_tab-med_desc
              g_authtxt_027          = wa_tab-short_desc
              g_authtxtmd_028        = wa_tab-med_desc
              g_authname_029         = wa_tab-auth
    * IMPORTING
    *   SUBRC                  =
           TABLES
             messtab                = temp_message.
    "" Creation of role
    LOOP AT it_role INTO wa_role.
          CLEAR wa_text.
          wa_text-text = wa_role-desc.
          wa_text-langu = 'E'.
          APPEND wa_text TO it_text.
          wa_jobrole-agr_name = wa_role-role_name.
          wa_parentrole-agr_name = 'ZM_CT_DUMMY_MIS'.
          wa_method-usmethod = 'CHANGE'.
          CALL FUNCTION 'ZBAPI_JOBROLE_CLONE'
            EXPORTING
              jobrole          = wa_jobrole
             parent           = wa_parentrole
             method           = wa_method
           TABLES
    *   RETURN           =
             shorttext     = it_text.
    *   LONGTEXT         =
    *   MENU_NODES       =
    *   MENU_TEXTS       =
        ENDLOOP.
    2) ZMIS_AUTH_ASSIGN_TO_ROLE - This program will generate the profile created and assign it to the role.
      ""*BDC for Profile creation and assignment to Roles
        CALL FUNCTION 'ZROLE'
          EXPORTING
           ctu                     = 'X'
           mode                    = p_mode
           UPDATE                  = 'L'
    *   GROUP                   =
    *   USER                    =
    *   KEEP                    =
    *   HOLDDATE                =
           nodata                  = '/'
            agr_name_neu_001        = wa_role-role_name
            text_002                = wa_role-desc
            text_003                = wa_role-desc
            text_004                = wa_role-desc
           value_01_005            = 'T-ML330881'
            h_fval_low_01_006       = wa_role-auth
            profn_007               = lv_profile
            ptext_008               = lv_text1
    * IMPORTING
    *   SUBRC                   =
         TABLES
           messtab                 = temp_message .
       COMMIT WORK AND WAIT.
    ""*Generation of Profile created
      LOOP AT it_role INTO wa_role.
        CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
         EXPORTING
           activity_group                      = wa_role-role_name
    *     PROFILE_NAME                        =
    *     PROFILE_TEXT                        =
          no_dialog                           = ' '
          rebuild_auth_data                   = ''
          org_levels_with_star                = ' '
          fill_empty_fields_with_star         = 'X'
          template                            = ' '
          check_profgen_tables                = 'X'
          generate_profile                    = 'X'
          authority_check_pfcg                = 'X'
       EXCEPTIONS
         activity_group_does_not_exist       = 1
         activity_group_enqueued             = 2
         profile_name_exists                 = 3
         profile_not_in_namespace            = 4
         no_auth_for_prof_creation           = 5
         no_auth_for_role_change             = 6
         no_auth_for_auth_maint              = 7
         no_auth_for_gen                     = 8
         no_auths                            = 9
         open_auths                          = 10
         too_many_auths                      = 11
         profgen_tables_not_updated          = 12
         error_when_generating_profile       = 13
         OTHERS                              = 14.
        IF sy-subrc <> 0.
          MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                  WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
        ENDIF.
      ENDLOOP.
    For creating authorization objects, roles & profiles I have created one dummy auth, dummy role & dummy profile respectively.
    I have created dummy objects to copy the roles from the dummy object and assign the same to the new auth obj, role & profile.
    Let me know what needs to be done, because both these programs run perfectly in the foreground but fail in the background.
    Regards,
    Chetan

  • How can I disable POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level.

    How can I disable the POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level? There is a requirement from my client and I propose two methods:
    1- Creation of Z T-code ZVL32N and making changes at ABAP program level
    2- Disablement via Authorization/Role level - but how can I find the auth object/authorization that corresponds to the POST GOODS RECEIPT button in VL32N?

    I think you can make use of SHD0 - Transaction variant to achieve this. You can make it as grayed out while recording steps in SHD0.

  • How to use the user and role API's and where to use it

    Hi All,
    I have configured SSO for my UCM11g. Now my application authenticates through the Oracle SSO login page. Currently it is working with SQL authenticator.
    Now, I have to use the LDAP authenticator. When I configure the LDAP authenticator, I have to use the user and role APIs to fetch the user profile information from LDAP. I have got the APIs which will be used to fetch the respective information, but I don't understand where I will write those Java programs and how this API will be used in my application. What settings do I need to make so that the application uses the APIs?
    Please, can anyone help me with this?
    thanks,
    Saurabh

    Hi, Mithu,
    Thanks a lot for your help in advance.
    I have carefully read the document: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/6b66d7ea-0c01-0010-14af-b3ee523210b5.
    Now, I think I have to set the processor of every action in every process if I use the GP for processing the workflow.
    I would prefer to be able to set the processor to the role for every action in every process at runtime, by getting the organizational structure in the WDA (webdynpro for java or webdynpro for java). Thus, the customer doesn't have to set the processor to the role for every action in every process when running in the GP. I don't know how to do this.
    Is this function not supported in the GP? If so, I have to configure two organizational structures: in the R/3 and in the Portal. I don't think our customer will accept this solution.
    Can you give me some hints? Thanks a lot.
    Thanks again.
    Thanks & Regards,
    Tao
