Need everyone input: authorization profiles assigned to ALEREMOTE
If the process chain runs fine in your system, please go to SU01 to check the profiles assigned to the user ALEREMOTE and feed back with the profiles assigned to ALEREMOTE. Anyone's input is greatly appreciated and will be rewarded with points.
Thanks
Hi Kevin.
We have at my company a large implementation of systems including several BW systems. One of these also hosts SEM. Here it was first setup with SAP_ALL, but after my security review they actually could tailormake a role for these activities. The input for this role we created by a simple authorization trace.
On request I can provide you with this information.
It is also the recommended solution to really modify the authorization of users like ALEREMOTE, due to the large security risks you take in RFC destinations otherwise.
Similar Messages
-
ISE reports. Need report for Authorization Profiles
in ISE 1.1.1 pack 2 how do I run a report that will give me all authorizations with the blackhole_wireless_access for the past 2 months?
TIA
ScottOperations -- report / Catologs -- AAA protocols -- Radius Authenitications -- Run and Query
narrow down focus as best you can. for instance by device name. and specify time range. (note DB rewrites)
then export to CSV. Select the Identity_Store and Authorization_Policy along with user, times, etc.
Sort CSV by empty identity_store or default Authorization_Policy (default).
Thanks Justin @TAC
Scott -
Authorization profile description
hi experts,
In tcode su01, we have authorization profile and its description for a user.
I have a report in which authorization profile has been displayed. I need the <b>authorization profile description</b> next to it. I found the field PTEXT in table USR11 has got the description. However i dont have any relation (key) between USR11 and (usr01, 03, 04). Kindly suggest me some idea to get the description.
Thanks in advance.
Senthilhi Senthil,
Check
UST04 User masters
UST10C User master: Composite profiles
UST10S User master: Single profiles
UST12 User master: Authorizations
USTUD Students
Regards,
Santosh -
Need steps to create: Users, and then allocate authorization profiles.
Hello,
I have set up release procedures using a how to doc which was posted an sap123.com. It doesnt go through how to do this, only gives a screen shot. The SAP environment is a test environment for training. We have maybe 4 users existing in system. I would like to know how to first create a user, then go through PFCG and create and allocate authorization profiles. They need to be able to approve PR's/ PO's using the two release codes and release groups I have set up. The steps I followed are posted here: http://www.sap123.com/showthread.php?t=59.
Thanks for any help.Thanks. I do have authorization to create users/ roles & such. I have created 3 specifically to test the workflow I am trying to set up that contains release procedures.
In PFCG - I created a new role MATMGT. On the Menu tab, Assign Transactions screen, could someone please tell me what the Transaction Code would be so that, when I goto the Authorizations tab and click on the Change Authorization Data button, I get a "Materials Management: Purchasing" row displayed in the Change Role: Authorizations screen. I am following http://www.sap123.com/showthread.php?t=59 - and am stuck at the "Create and allocate authorisation profiles" section, as there are no steps detailing the usage of PFCG. -
Authorization object assigning to user profile
Hi all,
Wht are the steps involved in assigning authorization object S_GUI with activity 60 (S_GUI ACTVT=60) to the users profile.
Thanksyou can assign authorization profile to user through Role..
goto PFCG, either create a new role or change an existing role(which the user has)
go to authorization tab, change authorization, click manually button,
add S_GUI and then click on values, select 60.. save the role, generate it..
if it is new role that you have created, then go to SU01 - roles, add it.. save user.. -
ICC profiles assigned to text?
CS5 (patched to 7.03), Mac OS 10.6.7
Hi Everyone,
My production coordinator made a PDF of my magazine for the printer yesterday and when he ran it through PitStop, several errors turned up to the effect of text having an ICC profile assigned to it. The text was several instances of periods and commas, the color was [Black] 100%, Adobe Caslon font, same as the rest of the text on the page and throughout the magazine that didn't get dinged as an error. Retyping the offending characters fixed the problem, but how can something like this happen? Or rather, How can it be detected from within InDesign rather than in PitStop?
We import Word docs styled with Word styles into InDesign to lay out the magazine.
PDFs are created by printing to ps file then distilled with the joboptions the printer provided.
I admit I know very little about color management (we don't use profiles, per printer request, so I've had limited exposure) but I thought it was only for images and profiles couldn't get assigned to individual characters of text.
Thanks for your insight!Hi,
Please check the following note:
[Note 7312 - Client 066 for EarlyWatch|https://websmp230.sap-ag.de/sap%28bD1lbiZjPTAwMQ==%29/bc/bsp/spn/sapnotes/index2.htm?numm=7312]
EARLYWATCH user:
Profile (in Basis rel 40*-46D)
o S_SDCC_READN Read authorization
o S_SDCC_SERVN Collect and send data
o S_SDCC_ADM_N Admin authorization *
Roles (as of Basis Release 6.10)
o SAP_SDCCN_DIS Read authorization
o SAP_SDCCN_EXE Collect and send data
o SAP_SDCCN_ALL Admin authorization
http://help.sap.com/saphelp_nw70/helpdata/en/3e/cdaccbedc411d3a6510000e835363f/content.htm
Also check the following SAP notes:
[Note 91488 - SAP Support Services - Central preparatory note|https://websmp130.sap-ag.de/sap%28bD1lbiZjPTAwMQ==%29/bc/bsp/spn/sapnotes/index2.htm?numm=91488]
[ote 863362 - Security checks in the SAP Early Watch Alert|https://websmp130.sap-ag.de/sap%28bD1lbiZjPTAwMQ==%29/bc/bsp/spn/sapnotes/index2.htm?numm=863362] --- this will give overview of Required Authorizations.
Regards,
Dipanjan
Edited by: Dipanjan Sanpui on Jul 16, 2009 2:30 PM -
Change the status profile assigned to the line item from PROFA TO PROFB
Hi Experts,
The issue we are having relates more to the fact that the code we have written is changing the item category, however the status profile has already been retrieved from configuration based on the original item category and therefore the status selection that we are getting is incorrect.
Item Category A -> Status Profile PROFA
Item Category B -> Status Profile PROFB
For example we have a line item and item category A is determined through config, this then retrieves its associated status profile PROFA. However we have then coded the system to change item category A to item category B. However the status profile still remains PROFA.
We need to find a way to change the status profile assigned to the line item from PROFA to PROFB.
any quick inputs from any one please......
Thanks in advance
hemanthHi
There is perform which moves the values to VBAP field.
This PRCTR field is stored in VBAP (i.e., SO line item table)
USEREXIT_MOVE_FIELD_TO_VBAP
Hope it works.
VVR -
Query related to Authorization profile.
Hi Professionals,
Please help me out as I'm not a BASIS consultant but PP.....
We've created Users profile and assigned them profiles that contain a particular bunch of Transaction codes module wise.
Now we want to to create and assign such a Authorization profile to Users which will contain all Display transaction codes either related to all modules OR that particular module only say PP, MM, FI, CO etc.....
For example
MM03- Display material master
CS03- Display material BOM
CR03- Display work center
ME53N- Display Purchase requisition etc.
Is there any standard profile for that that are already provided by SAP? If it's there, how do we know that are related to what module?
Suppose if we assign such profiles, what will be implications related to future and user discipline?
Thanks & Regards,
Abu ArbabHi Abu, don't worry about being a PP consultant, most of us here are not Basis either, rather we focus on security.
There are no standard roles delivered by SAP which give this. There are standard SAP display roles but none will include all the display transactions for a module.
What you should do is get each functional team to list the dispay transactions which are used by the business processes which they have configured. There is no point in creating a display role with 500 transactions if the business processes only requires 30 transactions. Access is more usually required for business processes rather than module so you would often need to combine your modular display roles to cover a single process.
By building the roles to include the transactions you use rather than are available, you also avoid one of the mistakes often seen with using standard SAP roles - users having wider authorisations than they require to perform their job. -
BADI or User Exit for role/profile assignment SU01/PFCG
Hi ABAP gurus,
I need a way, BADI, UserExit to do some verifications over a role or a profile before is assigned in the Tcode: SU01 and PFCG.
These verifications prevent the assigment of critical roles, transacction or access to tables.
Any information about this topic it would be very helpful...
thanks...Hi RAFAEL ,
Only one exit is available for this Tcode SU01.No Exits available for PFCG
Enhancement SUSR0001 User exit after logon to SAP System
For SU01 we can check the profile assignment in program MS01CU10 and some AUTHORITY-CHECK:
AuthCheck MS01CC10 S_DEVELOP AUTHORITY-CHECK ABAP Workbench
AuthCheck MS01CU10 S_TCODE AUTHORITY-CHECK Transaction Code Check at Transaction Start
AuthCheck MS01CC10 S_USER_AUT AUTHORITY-CHECK User Master Maintenance: Authorizations
AuthCheck MS01CC10 S_USER_GRP AUTHORITY-CHECK User Master Maintenance: User Groups
AuthCheck MS01CC10 S_USER_PRO AUTHORITY-CHECK User Master Maintenance: Authorization Profile
AuthCheck MS01CC10 S_USER_SYS AUTHORITY-CHECK User Master Maintenance: System for Central User Maintenance
In the same way PFCG contains some AUTHORITY-CHECK:
AuthCheck LSUPRNU18 S_USER_TCD AUTHORITY-CHECK Authorizations: Transactions in Roles
AuthCheck LSUPRNU27 S_USER_PRO AUTHORITY-CHECK User Master Maintenance: Authorization Profile
AuthCheck LSUPRNU23 S_TCODE AUTHORITY-CHECK Transaction Code Check at Transaction Start
AuthCheck LPRGN_TREEI0O S_USER_AGR AUTHORITY-CHECK Authorizations: Role Check
I hope this may helpfull.
Thank you,
Thanks,
AMS -
ISE Authorization Profile Question
Hi,
We are implementing ISE at a university and using dynamic VLAN allocation to segment the traffic into vlans of a manageable size - we do not want to use geographically based vlans for a number of reasons. However there is one scenario which I am struggling with.
A number of students will be living in university owned houses which are not directly connected to the university network. In these houses an ISP will provide an ADSL circuit. These ADSL circuits will be aggregated back at the university data centre and will connect down one piece of wire to the university network. I haven't completed my testing yet but the general theory is that we can use multi-auth to allow them on to the network and apply appropriate access restrictions (these restrictions will differ from those applied to those applied when they connect "on campus") . However, in order to do this, I will need to create an authorization policy based on where they are coming from (ie what switch and what port). I can see how I can use Identity Groups to identify which switch the traffic is coming from but for the life of me I have no idea how I would identify the port.
Anyone have any ideas how I might achieve my goal?
Thanks
AlanHi
Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources. The authorization policy result is Cisco ISE assigning an authorization profile that might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies the RADIUS attributes that are returned during authentication and that define the user access privileges granted once authenticated by Cisco ISE.
An authorization profile acts as a container where a number of specific permissions allow access to a set of network services. The authorization profile is where you define a set of permissions to be granted for a network access request and can include:
• A profile name
• A profile description
• An associated DACL
• An associated VLAN
• An associated SGACL
• Any number of other dictionary-based attributes -
To read an authorization profile.
Hi,
I am trying to provide authorization in a HR report. An administrative person can execute the report. At this momet, a user can see the information of all employees. Instead, the users should be restricted for a group of employees whos organizational key has been assigned in his authorization profile. I am trying this with P_ORGIN authorization object. I can use P_orgin with single static organizational key. But, in this report, I have different sets of organization key for different administrative users. Fot this reason, I will need to read the users authorization profile to get the set of organizational key. Can anyone tell me how can I read the authorization profile for a particular user who is using the sytem so that the program can check the set of organizational key. I am using R/3 version 4.6C.Or more generally (for multiple users:
REPORT ztest NO STANDARD PAGE HEADING LINE-SIZE 255.
TABLES: usref,
usr11.
DATA: BEGIN OF itab OCCURS 0.
INCLUDE STRUCTURE usref.
DATA: END OF itab.
DATA: BEGIN OF itab1 OCCURS 0.
INCLUDE STRUCTURE usref.
DATA: END OF itab1.
DATA: BEGIN OF itab2 OCCURS 0,
user LIKE usref-user,
profile LIKE usref-profile,
ptext LIKE usr11-ptext,
END OF itab2.
DATA: old_prof LIKE usref-profile,
prof_desc LIKE usr11-ptext.
itab-user = sy-uname.
APPEND itab.
itab-user = 'USERNAME'.
APPEND itab.
CALL FUNCTION 'SUSR_GET_PROFILES_OF_USER'
TABLES
users = itab
profiles = itab1.
SORT itab1 BY profile.
LOOP AT itab1.
IF itab1-profile <> old_prof.
SELECT SINGLE ptext INTO prof_desc
FROM usr11
WHERE langu = sy-langu
AND profn = itab1-profile
AND aktps = 'A'.
old_prof = itab1-profile.
ENDIF.
itab2-user = itab1-user.
itab2-profile = itab1-profile.
itab2-ptext = prof_desc.
APPEND itab2.
ENDLOOP.
SORT itab2 BY user profile.
LOOP AT itab2.
WRITE: /001 itab2-user, itab2-profile, itab2-ptext.
ENDLOOP.
Rob -
How to create and allocate authorization profiles?
How to create and allocate authorization profiles? please issue step by step and usage of TC:PFCG.
Hi Srinivas,
I would like to try to explain how to create an authorization profile.
1. you have to create a user with the Tcode SU01 at first
2. run Tcode /nPFCG.
3. enter a name for the role (naming convention is here very important) which you want to create and then click on "create Role".
4. enter a short description for the role and then click on Authorization tab.
5. now you are required to save the role. Click on it and continue.
6. click on the tab "change authorization data" and select the authorization template what you need.
7.change the authorization field value.
8.click on button "Generate".
9.click on button Back
10. click on Tab user to assign the role to the user which you created in step one
11.click on button User comparison and then complete comparison
Hope this helps -
Authorization Profile for attributes into qeries
Hi all,
I've a big problem in a Bex environment.
Some users-id cannot see the kf-type attributes of 0material, but they can see only characteristic-type attributes. In general this happens for all characteristics with kf-type attributes.
Instead with my user-id (sap_all) the query is ok.
I believe the problem depends of the authorization profile.
Every user has a lot of profiles.
How can I do for detecting the restrictions of these users?
Do you know the specific profile that limits the display of the attributes?
Does it exists a t-code to identify the auth.profile used from a query?
Thanks in advance.
ClaHi Claudia,
It seems that key figure authroization has been set up in your system. You need to assign the role that would give the users access to these key figures. You can run the report by any other user's auth, through transaction RSSMQ.
Hope this helps... -
Generate authorization profile with RSSM
Hi,
I have a problem with the central User Management.
We have the Central User Management in a CRM-System.
1) In BW we generate an authorization profile with the transaction RSSM. Automatically the system assign the profile to an user.
2)When we additionally assign a BW-role from Central User Management (CRM-System) to the same user, the authorization profile which is generated in BW (Transaction RSSM) is deleted.
Unfortunately we can not forego to the functionalty in rssm.
Thanks for any ideas in advanceTHX for your answers,
I have twist and turn this problem and I see no way around it. It seems like it going to be a lot of configuration in ACS but it is only for one time. It better to do that job with the installation rather than troubleshoot every time the PC administrators type the wrong vlan name.
As Bastien wrote in his answer:
"so basically create an internal group, add user to this group, and create an access-policy that match this group and apply an authorization profile with the vlan you want"
Thx again for your input.
///A.hed -
Hi,
We are using R/3 4.7, LSO 2.0
The purpose is that some user should be allowed to view/book only certain courses. This is done by the Course creator. For this he is using Authorization Profile. Is there anyother way other than this.
We have course groups and course subgroups created. We have created an authorization profile which stores the ID of the Group objects and saves. It is then assigned to the user.
The issue is this has to be done in production server. The server is set to not modifiable. For this we need to copy all the object type & ID from the production server and then create a new profile and then move using Transport Request to the production server from development server.
Do any one have idea that would have the same authorization profiles without breaking the client modifiable lock or transport request from development server.
Thank you,
Regards,
BoobalanHi,
If you don't have authorization for the transaction 'IL01', enter this transaction and in another window open transaction SU53. This will display the authorization check failed details. From there you can find out the the authorization object checked.
Regards,
Soumya.
Maybe you are looking for
-
After I installed the recent Apple security patch, I can no longer save PDFs when using Safari. And Firefox no longer can open website PDFs. Any suggestions?
-
I really want to transfer all my content of my iTunes library like apps for my iPhone and also music to my new library on my new PC computer. Is there any way that I can do this?
-
How to change the entry screen for Fast entry
Hi, My scenario is that I want to allow my user to enter the cost assignment as well for infotype 14, 15 and 2010 in the fast entry. I noticed that there is actually a screen in the module pool mp001400, mp001500 and mp200000 which include those 'cos
-
Multiple templates one document
How do I insert multiple templates in a single document?
-
2 weeks after activation date and still waiting fo...
Hi, My activation date was supposed to be the 20th of January and what a surprise I am still waiting for the magic broadband light to come on. Calling the 0800 800 151 gets you know where. I have phoned 5 times only to be told that it will be activat