Need role/profile for ALE system user

I have created a system user and assigned it to the necessary RFCs in our DEV system. The RFCs are used to ALE data between our DEV, QAS, and PRD systems. If I assign profile B_ALE_ALL to the user in the receiving system I do not get IDOCs created in our QAS system. If I assign SAP_ALL to the user I do get IDOCs created in QAS. Can anybody recommend another role to assign, or a method to troubleshoot this authorization error? I want to limit this system user in the receiving system to creation of IDOCs only.
Thanks in Advance, Jay

Hi,
Then I recommend to give sap_all and trace the user in QAS system. Once the data transfers are complete, please analyze the trace and see what authorizations it requires. Now build a role with this authorization and remove sap_all.
Since you are transferring application data, the programs might also check that access as well.
Regards,
Gowrinadh
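
Added example, not part of the thread: one way to turn an exported authorization trace into the contents of the restricted role that the reply above describes. The CSV layout, the user names ALE_SYS and DIALOG01 and the object Z_APP_DOC are assumptions made for this example; the sample mimics a re-test with a draft role, so it holds both passed checks and one failed check.

```python
import csv
import io
from collections import defaultdict

# Constructed sample, not real trace output. Assumed layout: user, authorization
# object, return code (0 = check passed), then FIELD=VALUE pairs.
# ALE_SYS, DIALOG01 and Z_APP_DOC are hypothetical names.
SAMPLE_TRACE = """\
user,object,rc,fields
ALE_SYS,S_RFC,0,RFC_TYPE=FUGR;RFC_NAME=EDIMEXT;ACTVT=16
ALE_SYS,S_RFC,0,RFC_TYPE=FUGR;RFC_NAME=SDTX;ACTVT=16
ALE_SYS,S_IDOCDEFT,0,ACTVT=03;EDI_DOC=TXTRAW01;EDI_TCD=WE30
ALE_SYS,S_RFC,0,RFC_TYPE=FUGR;RFC_NAME=EDIMEXT;ACTVT=16
ALE_SYS,Z_APP_DOC,0,ACTVT=01
DIALOG01,S_TABU_DIS,0,ACTVT=03
ALE_SYS,Z_APP_DOC,4,ACTVT=02
"""


def parse_trace(text):
    """Turn the CSV text into a list of check records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        pairs = (p.split("=", 1) for p in row["fields"].split(";") if "=" in p)
        records.append({
            "user": row["user"].strip().upper(),
            "object": row["object"].strip().upper(),
            "rc": int(row["rc"]),
            "fields": {k.strip(): v.strip() for k, v in pairs},
        })
    return records


def collect(records, user, passed=True):
    """Merge one user's checks into {object: {field: [values]}}.

    passed=True  -> checks that succeeded (what the role must contain)
    passed=False -> checks that failed (what the current role still lacks)
    Values are merged per field, so the result can be slightly wider than
    the exact field combinations that were checked.
    """
    merged = defaultdict(lambda: defaultdict(set))
    for rec in records:
        if rec["user"] != user.upper() or (rec["rc"] == 0) != passed:
            continue
        for field, value in rec["fields"].items():
            merged[rec["object"]][field].add(value)
    return {obj: {f: sorted(vals) for f, vals in sorted(fields.items())}
            for obj, fields in sorted(merged.items())}


def role_spec(auths):
    """Render the merged authorizations as lines to copy into the role."""
    lines = []
    for obj, fields in auths.items():
        lines.append(f"Authorization object {obj}")
        lines.extend(f"  Field name {f:<10} value {', '.join(v)}"
                     for f, v in fields.items())
    return lines


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    print("\n".join(role_spec(collect(recs, "ALE_SYS"))))
    print("Still failing:", collect(recs, "ALE_SYS", passed=False))
```

Checks made by other users in the same trace window are filtered out, so the role only receives what the system user itself needed.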

Similar Messages

  • Roles for the System user

    Hi All,
    Currently, I am working on AII 5.1 Slap and Ship Outbound scenario and got the document from the service marketplace under http://service.sap.com/rfid -> SAP AII 2007.
    Under Activating HTTP Services(Page no: 9 - 9th step) section , we have to provide the System user. May I know what all roles we have to assign for that user?
    Regards
    Sara

    Hi Sara,
    We need to use a System/Communications User in there. Though there is no clear thought on what authorizations are required for the same.
    You can ask your basis guys to give a Systems user for restrictive access. This might be based on the policy of the basis team of what auths are generally given for a System user for a restricted use. You can use the same.
    If this causes problems you can assign the user, the AIN related admin roles mentioned in the same document. This will work.
    I have created a user called ALEREMOTE which is of the type Communications data with profile assigned SAP_ALL. This works for me perfectly. Though if you want you can give in a restricted access too, as I have already mentioned.

  • Windows cannot load the user's profile but has logged you on with the default profile for the system.

    My Windows 7  crashed a couple days ago after a windows update, I got this message.
    Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
    I restarted the machine and got this message
    Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.
    DETAIL - The process cannot access the file because it is being used by another process. for C:\Users\TEMP\ntuser.dat
    I checked the event Log I found these .
    Windows cannot load the user's profile but has logged you on with the default profile for the system.
    DETAIL - Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
    Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
    Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile.
     DETAIL - The process cannot access the file because it is being used by another process.
    This is the first error in the event viewer after a successful logon
    The description for Event ID 34 from source ccSvcHst cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
     If the event originated on another computer, the display information had to be saved with the event.
    ccSetMgr
    Windows cannot load the user's profile but has logged you on with the default profile for the system.
    DETAIL - Access is denied.
    Looking at the Logs all I can tell is that after the Desktop Window Manager started it caused this error.
    The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
    then this one
    The Desktop Window Manager has exited with code (0x40010004)
    Then this before it shutdown.
    The User Profile Service has stopped.
    I started up the PC and the first message I got was
    How can I get access to my user profile? Do I need to create a new Administrator account? Please help
    The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\EventSystem\EventLog.

    hi do the following
    1. In Search programs and files (Windows 7) area, type in regedit, and press Enter.
    2. If prompted click yes,
    3.  expand the following HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    4. click the sid that related to your admin profile (if you are not sure, click each sid and in turn look to the right hand side of registry editor, it will show who that sid is related to; one of the registry files should have in description localhost\admin or something similar)
    5. right click the sid and press delete.
    6. restart your machine and log back on with the admin account, this will then rebuild the admin profile... don't worry when it loads and none of your personal settings are saved or files or folders... go to c:\users
    in here you will see two folders for the admin account, one will be just admin and the other most likely admin.localhost
    I can't remember which one is which but just check both, one will still have all your files and folders in it.
    I suggest making a backup of your data before doing this in case something does go wrong, but I've had this happen many times in a domain environment and it has worked for me every time.

  • How to change path of Users Terminal Services Profile for multiple AD users on server 2003?

    Hello experts. I am working on a file server migration. All data has been migrated, I am currently working on redirecting users to the new file server. I
    am able to select multiple users at once in ADUC -> right-click -> properties -> profile and here I can change the home folder and roaming profile path for each all users to point towards the new file server. 
    The issue I have run in to is that we have roaming profiles for terminal services users. So, there are hundreds of users that have their terminal services profile
    configured in AD -> Right-click user (one at a time) -> properties -> terminal services profile. Here, the profile path is configured for each user as \\OLDserver\Profiles\%username%
    and I need to change it to \\NEWserver\profiles\%username%. 
    I know that you can configure this path via group policy, I set up a GPO; Computer / Administrative Templates / Windows Components / Terminal Services / “Set Path
    for TS Roaming Profiles” as \\NEWserver\profiles and applied this GPO to an OU containing the TS servers.
    The problem is, the GPO is not working... When I log in to the TS and add a document to My Documents, it is still saving under \\OLDserver\profiles\Username.
    So, the settings in AD are trumping the GPO I believe. What is the best way to accomplish my goal? Thanks in advance!

    > to change it to \\NEWserver\profiles\%username%.
    That is "profile" in opposite to...
    > add a document to My Documents, it is still saving under
    > \\OLDserver\profiles\Username.
    ...this one which is Folder Redirection and has NOTHING to do with
    server based profiles.
    > So, the settings in AD are trumping the GPO I believe.
    No, it isn't. When you do not enable FR and you access "Documents", you
    will never see an UNC path but the local c:\users\xyz\documents folder.
    Martin
    How about reading a GOOD book on GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • In Need of PW for factory set 'user user' account so I can complete update! :)

    I bought a macbook from someone else and before they sold it to me, they set the cpu back to factory settings. I need to do a software update but I need a password for the account 'user user' in order to complete it. I have the MAC OS X Install Disc 1 and 2. Does anyone know the PW and/or know how I can change it I am used to working with pc's and am new to the mac environment so if you could put the instructions in simplest terms. Does anyone know how to get this mess fixed????? Help plz!!!

    Boot the installation DVD.  From the Utilities menu, you can reset account passwords.
    Or you could just reinstall from scratch using the installation DVDs.
    You could also wipe the disk using the installation DVD Utilities menu -> Disk Utility

  • The download is for Windows.  I have MAC OS X 10.9.1.  I need a download for that system, please.

    The download is for Windows.  I have MAC OS X 10.9.1.  I need a download for that system, please.

    are you using the mac (not windows) serial number?
    if yes, http://helpx.adobe.com/x-productkb/global/my-serial-number-doesnt-work.html

  • Design and Web Premium creates huge profile for each network user.

    Just wondering how I can get around the Adobe Design and Web Premium creating a huge profile for each network user. When a new user logs in on the network a 6 GB Adobe Design and Web Premium folder is created in their profile. With dozens of students logging into each machine that equals dozens of 6GB folders.
    Windows 7 environment.

    Moved to Creative Suite Enterprise Deployment.

  • Solution Manager 4.0 Solution Monitoring User -Roles-Profiles for Satellite

    Hi All,
    I have installed Solution Manager 4.0 (OS -Linux ,Database - DB2) .
    Now i need to connect solution manager to the R/3 4.6C
    Satellite Systems (DEV, QAS ,PRD) for Solution Monitoring
    and Service level Reporting .
    I have read the configuration guide , but unable to get clear idea .
    1) what users (also type of user - Dialog, Service, Communication etc) do I need to create in DEV, and Test in QAS for solution Monitoring.
    2) what exact roles /profiles need to be assigned to these users in satellite systems .
    3) what users/roles /profiles needs to be done in SOLMAN system
    i have applied all the required plug ins and support packs
    in satellite systems and solman 40 ..
    Please advice  . Your response will be a great help for me .
    Satish

    Hello Satish,
    Just clarify, if you have meant connecting the satellite systems for EWA reports to be precise. Early watch Reports. If it is the case, then respond so that I can put in my inputs which may be helpful for you in this config.
    Rgds,
    Sri

  • Standard Roles and profiles for OSS Connection User

    Dears,
    We open OSS connections several times for SAP support in which we also provide login credentials to SAP to login in our system.
    Is there any standard role or profile for this user in QAS and PRD that we can give to maintain our servers' confidentiality?
    Please suggest.
    Shivam

    Not really. A note related to your question popped up in a previous discussion: Re: Exclude T-code from SAP all
    > If you take a look at [SAP Note 1118396 - Roles for support activities|https://service.sap.com/sap/support/notes/1118396] you will see this explained nicely...

  • Roles/Profiles for ALEREMOTE

    hi all,
    can anyone let me know all the Roles/Profiles required for the User ALEREMOTE in a production system.
    I understand that the roles sap_all, sap_new, s_bi-wx_rfc and s_bi-whm_rfc can be used in the development and the Quality systems but am told that the roles SAP_ALL & SAP_NEW are not supposed to be used for ALEREMOTE in the Production systems as it would give all authorizations to all the users.
    so, could anyone kindly let me know the various roles/profiles that need to be assigned to the user ALEREMOTE keeping in mind that SAP_ALL & SAP_NEW are not allowed and at the same time all the transactions w.r.t BW3.5 should go through successfully.
    kindly revert back at the earliest as we are in the process of going to the BW Production.
    Thanks & Regards
    Manicks

    hi Manicks,
    check oss note 150315-BW-Authorizations for Remote-User in BW and OLTP. hope this helps.
    Symptom
    1) The ALE user fails security in the BW side
    2) Missing authorizations when executing Customizing of extractors
    3) No IDocs could be sent to the SAP-BW using RFC.
    4) Automatic source system connection fails with error R3220: No RFC-Parameters in source system defined
    5) When collecting content in BW, warning message RSAOLTP035 comes up
    Other terms
    Authorizations, SAP_ALL, S_BI-WX_RFC, S_BI-WHM_RFC, S_RS_ALL, ALEREMOTE, BWREMOTE, RSAOLTP 553, RSAOLTP553
    Reason and Prerequisites
    a) In the BW there exist two user:
       i)  a human administrator, using S_RS_ALL
       ii) a user called BWREMOTE (or similar), used to receive the data from the OLTP, using S_BI-WHM_RFC
    b) In the OLTP there exist also two user:
       i)  a human administrator, needing authorizations to create users and RFC-destinations.
       ii) a user called ALEREMOTE (or similar), used to ...
           1) ... connect the OLTP to the BW
           2) ... extract the data
           3) ... send the data to the BW
           4) ... show monitoring dialogs
           for tasks 1 to 4, the profile S_BI-WX_RFC is used (however does not suffice on some points since some authorizations are missing in the delivered profile)
           5) ... make customizing of OLTP extractors
           for this, additionally the authorizations to execute IMG-functionality, to execute Transaction SBIW and to maintain the applications, which shall be customized, must be given during the customizing functionality is used.
    Solution
    1) The profile S_RS_ALL resp. S_BI-WHM_RFC must contain (at least) the following authorizations:
    Profile
    2) The referred functionality is b) i) 5), thus
       the authorizations to execute IMG-functionality,
       to execute Transaction SBIW and to
       maintain the applications, which shall be customized,
       must be temporarily given to ALEREMOTE, if you want to execute the
       functionality from BW-side. The permissions for executing the
       customizing is not included in the profile S_BI-WX_RFC, since
       this is a critical functionality.
       However there is the possibility to execute the customizing
       in the OLTP by a human administrator by hand, using Transaction
       SBIW.
    3), 4) For sending the Idocs and reading RFC-destinations
       the profile S_BI-WX_RFC is incomplete.
       Please check, if the following authorizations are included:
    Profile
      ---   S_BI-WX_RFC  <PRO> Business Information Warehouse, RFC User
    --   B_ALE_ALL    <PRO> All authorizations for ALE/EDI
    --   S_APPL_LOG_A <PRO> Application log: All
    --   S_BTCH_ADM   <PRO> BC: Batch - Processing authorization
    --   S_BW_RFC     <PRO> BW: Authorization Profile: Other
    --   See above, same sub-profile as in S_BI-WHM_RFC
          ---   S_IDOC_ALL   <PRO> All authorizations for IDoc functions
    - BW AddOn BW-BCT 1.2B:
    These authorizations have been delivered with BW AddOn Patch 2 (see 158489 for the AddOn Patch information), except release 45B. For 45B, the authorizations are delivered with BW AddOn Patch 1.
    - PI2000.1:
    For 4.6B and 4.6C due to delivery errors, this profile also is incorrect. Please transport it from the BW into the Oltp (it is the same in any system and release).
    - PI2000.2:
    For 4.6C due to delivery errors, this profile also is incorrect.
    Please transport it from the BW into the OLTP (it is the same
    in any system and release).
    - PI2001.2:
    For 4.6C due to delivery errors, this profile also is incorrect.
    Please transport it from the BW into the OLTP (it is the same in any system and release).
    Alternatively, import the sapserv* transport BRSK002208 under the directory
    general\R3server\abap\note.0150315 into your OLTP-System.
    For help on the sapserv* transport refer to Note 13719.
    5) If you have PI-Basis 2005.1 in your source system, you need to attach role SAP_RO_BCTRA to your user in the source system. Otherwise, the functionality mentioned in the message is not available. The system continues to function as before, you may ignore the warning.

  • How to use the same Windows-Profile for over 700 Users?

    Dear admins,
    I'd like to use one (1!) shared windows profile to serve over 700 user-accounts in our school. But there is a little complication in the WGM.
    I just tried to check all users and entered the path of the shared profile right in the windows tab.
    For example \\Server\Profiles\oneforallprofile
    Unfortunately the WGM put the user´s shortname behind this path.
    For example: \\Server\Profiles\oneforallprofile\mistersmith
    or \\Server\Profiles\oneforallprofile\sallymiller and so on.
    By changing this preference one by one it works, but of course i need a solution to do that for all users.
    Does anyone know how to set one Profile for all students?
    Thanks for your help!
    Rolf
    XServe G5   Mac OS X (10.4.5)   Educational System Administrator

    Hello Prasad,
    Most likely the user km_admin still has system principal roles assigned, even though you removed the Super Admin role, you should check that this user doesn't have any other admin roles, otherwise it will be considered a System Principal user and will therefore still have access to all content. For more information see http://help.sap.com/saphelp_nw70/helpdata/en/19/56f28fbd4e11d5993b00508b6b8b11/frameset.htm
    Try creating a new user with just read access to the content and you should see that it will not be able to make any changes etc.
    Regards,
    Lorcan.

  • Roles require for BI configuration user

    Hi All,
    I have done BI connection with our PRD ECC 6.0 server successfully , but while making RFC connections i used user with sap_all profile ,
    Now i want to know which exact roles are required for that user to maintain successfull connection and extraction , as i have been asked to remove sap_all from the user which is used by me.
    Which roles should I allocate to the user so that I can guarantee nothing happens to my current configuration?
    Help is really appreciated.
    Best Regards,
    AjitR

    Hi Ajit,
    In SAP BW, you should create a system (not a dialog) user called BWREMOTE.
    BWREMOTE should have the authorization profile S_BI-WHM_RFC.
    Note: S_BI-WHM_RFC is a profile, not a role.
    This profile will give user BWREMOTE the access needed to extract from an
    OLTP system. The profile also provides the access required for staging steps
    to get the data into InfoCubes.
    On ECC system, you should create a system user called BWALEREMOTE. This user should have the authorization profile S_BI-WX_RFC.
    Note: S_BI-WX_RFC is a profile, not a role.
    This profile will give user BWALEREMOTE the access needed to connect and
    send data to the SAP BW system.
    (It is permissible to use a different name for the users BWREMOTE and BWALEREMOTE. What matters is that the user in SAP BW has the profile S_BI-WHM_RFC and the user in the other SAP system has the profile S_BI-WX_RFC.)
    Hope this solves your concern...
    Regards,
    Habeeb
    Assign points if helpful.

  • Need Better Profiles for HP B9180

    Hi all,
    Like others, I find that my HP Photosmart Pro B9180 produces prints that are 20-30% darker than the image on my calibrated monitor. I am running CS3 on my Mac OSX Leopard system. I am trying to print on HP's Advanced Photo Glossy paper.
    My color settings are along the lines of those recommended by Scott Kelby (Adobe RGB workspace and prolife; and I allow PS CS3 manage colors and not the printer).
    I've experimented with other printer profiles provided by HP, but nothing delivers a good print. Has anyone found a good ICC profile that will work with this printer/paper combination?
    Thanks, in advance, for any help you can offer.
    Best,
    Tracy S.

    Ok, you caught the typo. I actually went back to his book to find the proper page citation to support my statement, until I realized you were having a bit of fun. Just so the record is clear, I have no knowledge as to whether Mr. Kelby is or is not prolife.
    Anyway, on to your advice....
    "You need to calibrate and profile your particular monitor, then use the resulting profile as your MONITOR PROFILE. (DEVICE DEPENDENT.)"
    Did that, as I mentioned in my original post.
    "Finally, your target profile has to be a specifically calibrated profile for the particular combination of paper, ink and printer. (DEVICE DEPENDENT)."
    Yes, that is the essence of my message in which I am asking for assistance in locating a better ICC profile for my printer (HP B9180) and paper (HP Advanced Photo Glossy) combination. The stock ICC profile from HP is generating poor results. Short of printing off target sheets and sending out for a customized profile, I thought I would see if anyone else has tumbled to a better profile. Others have encountered a similar color and tonal shift in their prints using the same set up as me, so someone may be able to point me in the right direction.
    Also, I did review the site to which you directed me. As Mr. Ballard points out:
    "The problems users have with Photoshop, and color managed applications are:
    1) They break the Color Management System CMS, by attempting to turn it off -- when in fact they can't!
    See: Turn Color Management on And Honor my Embedded Profile, Please gballard.net
    2) They have bad profiles...."
    My problem is precisely the one he identifies as point (2) -- I have a bad output device profile and I wish to correct that.
    Anyone out there with a good HP B9180/Advanced Photo Glossy ICC profile out there??
    TS

  • Roles/profiles for IDoc exchange between ECC & PI

    Hi guys,
    I'm using a IDoc->PI->File scenario and otherwise and I need to set up a communication user between ECC and PI for this IDoc exchange, but I don't want to use sap_all. Can you please tell which roles/profile to assign so the IDoc exchange would work?
    Thank you,
    Olian

    http://help.sap.com/saphelp_nw04/helpdata/en/2b/a48f3c685bc358e10000000a11405a/content.htm
    From Note: 837595
    Authorization object S_RFC
    Field name RFC_TYPE value FUGR
    Field name RFC_NAME value EDIMEXT, SDTX
    Field name ACTVT    value 16
    Authorization object S_IDOCDEFT
    Field name ACTVT   value 03
    Field name EDI_CIM value ' '
    Field name EDI_DOC value TXTRAW01
    Field name EDI_TCD value WE30
    Authorization object S_CTS_ADMI
    Field name CTS_ADMFCT  value TABL
    Authorization object S_TABU_DIS
    Field name ACTVT      value 03
    Field name DICBERCLS  value

  • Pick Up file and remove roles/profiles for the specified ID's

    I am wondering if the following would be possible.
    I want to dump a csv file containing user ID's that are no longer required on a daily basis on a server.  Would it be possible to write a program to go out and retrieve that file and where ever there is a match on ID's, remove all roles and profiles associated with that user and change the user group?
    Sounds very simple from a theoretical standpoint but I'm not sure of its true feasibility. I'm not looking for any coding, just to know whether it could be done. Any help would be great.

    Hi Martin,
    Very true, but infrastructure folks might not want to manage certificates and OS users (good tip for Chris to check on...)
    Open file shares are out there "in the wild" - which is what I wanted to warn against (in addition to the application authorizations within SAP to run this "interface")...
    If it is running as a job, then a check on system field sy-batch = 'X' is useful, but blunt only for the online execution.
    Personally I have used an (inaccessible) timestamp execution scheme for such things in DB tables not accessible to the application transactions before. Have not been able to hack it myself, but tried hard..
    But if the file shares are open or the password is in clear text (in a script, .properties type file, ABAP text, network traffic, etc) then I would not class it as secure.
    Such "identity management" stuff, particularly when you want to integrate it with HR events, is best taken care of centrally in an "identity store" which you can secure and encrypt etc centrally.
    Local batch jobs accessing servers and registering / starting external programs and vice-versa to transfer files etc is decentral spaghetti coding and security nightmare... ;-(
    Cheers,
    Julius
