No authorization for transporting role PW1_BW_Developer1_menu

How to fix this error message which getting while collecting reports and web templates in transport
Thanks
MK

I just need to collect queries and templates but when i selected grouping in data flow afterwards it is collectiong specific query, query elements, infocube or multiprovider and template. In front of infocube or multiprovider it says it is required and i dont see any roles .
And also not sure if i m supposed to collect infocube or multiprovider as it is saying it is required.
Thanks
MK

Similar Messages

Need FM which create authorization for a Role

Hi,
i neeed to create authorization for the roles. can anybody tell me , is there any FM to create authorization for a Role.
it is done through PFCG transaction.
i need a FM which creates authorization for a Role.
Thanks in advance

Hi Sami
Try this link.
Re: Programatically create Security Profiles via BAPI/FM in R/3?
Regards
Neha

Client certificate authentication with custom authorization for J2EE roles?

We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
 <auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--Thanks

We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
 protected void init(Properties props)
 throws BadRealmException, NoSuchRealmException
 public java.util.Enumeration getGroupNames (String username)
 throws InvalidOperationException, NoSuchUserException
 public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
 protected AuthenticationStatus authenticate()
 throws LoginException
 private String[] authenticate(String username,String passwd)
 private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* The certificate realm needs the following properties in its
* configuration: None.
* The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
 protected void init(Properties props)
 * Returns the name of all the groups that this user belongs to.
 * @param username Name of the user in this realm whose group listing
 * is needed.
 * @return Enumeration of group names (strings).
 * @exception InvalidOperationException thrown if the realm does not
 * support this operation - e.g. Certificate realm does not support
 * this operation.
 public Enumeration getGroupNames(String username)
 throws NoSuchUserException, InvalidOperationException
 * Complete authentication of certificate user.
 * As noted, the certificate realm does not do the actual
 * authentication (signature and cert chain validation) for
 * the user certificate, this is done earlier in NSS. This default
 * implementation does nothing. The call has been preserved from S1AS
 * as a placeholder for potential subclasses which may take some
 * action.
 * @param certs The array of certificates provided in the request.
 public void authenticate(X509Certificate certs[])
 throws LoginException
 // Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM

HR ABAP authorizations for Nakisa roles

Hi there,
We have just started to plan for ORG chart and Talent planning systems by naksia. Wondering if there are any
standard HR authorizations that the standard nakisa roles use and if anyone can elaborate if IT 008 (Basic Pay) really comes in to play with this as it is very sensitive. The project team has presented these user types:
Everyone, Executive,Assistant,HR(Human Resources), Manager
We are not using Structural auths but auth by PLOG, P_ORGIN
Any direction appreciated. Thanks !

Hi Dan,
For OrgChart are you using Live or Staged?
There are no special auths required for OrgChart. A SAP role needs to be mapped to an ORgChart role in order for users to see certain data. No PA0008 data is shown by default in OrgChart, although obviously if you want to show it you'll need to make configuration changes to restrict display, depending if you are using Live or Staged. The roles you mention are standard OrgChart roles that come pre-defined out of the box.
For SuccessionPlanning (assuming you are on ECC6 EhP4) you need to have the Talent Management Specialist role (SAP_TMC_TALENT_MANA_SPECIALIST) assigned to each user and an Area of Responsbility assigned in HRTMC_PPOM. This is between the Position of the user and the OrgUnit of each area they are responsible for. No configuration is required in the application because, for SuccessionPlanning, it is really just an interface between the user and ECC data and leverages ECC security etc.
I hope that helps!
Luke

Maintaining the authorizations for parent role and derived role

Hi Experts,
Kindly advice me the Pro and cons of the parent role and derived role.. below is the scenario
Currently we have created the 700 role in our regionally organization and we want to dervie the roles for each country
1 ) we want to do the Auth field (activity level) settings in parent role and Org levels in the derived role .
2) But one my collegue says do the default Auth filed ( activity values) common to every country in the parent role and diff activity one in the derived role .
please advice me wat will be the best scenario for mantaining the authorizations filed values like (activity level one)

I will try to answer both your queries here:
"my collegue says they are some NON ORG values different from each country ..suggest us to maintain all the default values in Parent role and auth with diff values needs to be maintained in derived role (child role).. "
The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this filed is NON_ORG you will not be able to maintain it directly inside the child roles.....this is the basic principle of derived role conceptu2026 that the only item you will directly maintain in a child role are the org levels(which will come as u2018organisational levelsu2019 in the upper tab in the auth data of a role).
All NON_ORG fields inside a child role is acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. these changes will get lost the next time you run the parent child inheritance from u201Cgenerate derived roleu201D function in your parent role.
Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc u2026 figure out the name of the concerned field you have in hand)u2026.executeu2026 you will that the field will now onwards appear as an org level value in all roles in the system and not just as a field inside the auth objectsu2026.I would suggest you take one field and try running it in ur dev or sandbox..see how the field changes in your roles.... the change can always be reverted by using PFCG_ORGFIELD_delete. ... you will understand it better....
Soumya

Transport roles and analysis authorization with user assigned

Hi expert,
I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
Thanks for your time,
Luis

Hi,
In role administration, you have the following options for transporting roles:
You can download the roles from one system and upload them into another
You can import the role from a remote system using RFC
You can transport the roles with the transport function.
Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
Transporting Roles with the Role Transport Function
       1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
       2.      Enter the role to be transported and choose Transport Role.
The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
For more information go thrpugh the below link
http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
Regards,
Marasa.

Transported Roles not Visible for the User Log-in

I have three roles in the development system. These roles show up in the top level navigation for the users in the dev system. All these roles and the underlying BSPs are transported to QA successfully. I could assign them to users without any problems, but when the users log-in they can not see any of these roles at the top level navigation (In fact, they just get a blank screen). "Entry Point" setting and "Sort Priority" is maintained for all the three roles.
As a test, I created a new role with the same BSP links in QA itself and assigned it to the users. This shows up in the top level navigation for the users. I am wondering what's wrong with the transported roles! If someone could help me here that would be great and I will assign points to helpful replies. I have a very basic knowledge in portal.

After applying SP12 in the portal landscape (EP 6.0), the role transports only work in our test environment, but not in production. Even the manual corrections suggested in OSS note 1002832 didn't help. I can preview all the iviews in the roles with my user id (admin id), but as soon as I log-in with the end user id nothing shows up [Not even the top level navigation tabs show up]. The following is the portal authorization methodology I chose.
1. I assign users to the user groups
2. I assign user groups to the roles
I want to emphasize that all is well in our test environment, it is the production environment that shows inconsistency. Let me know if anyone has any pointers.

Open Authorization Objects in role after role Transport

Hi All,
I have transported a R/3 (ECC6, support) role from Dev to QA and Dev (Multiple clients). After transport, Role has authorization tab with status (green) but when i display authorization data i found one new open authorization object (yellow).
I already have generated profile before tranporting. Role is also okay in Dev other clients (We have multiple clients in Dev) with status green and no open authorizations (yellow)
Any feedback/suggestions ?
Thanks in advance
Khasim.

This happens when PFUD runs at the same time as you are generating the role. Refer to this note: 355030 - Loss of authorizations after profile generation. Another remote reason could be if your source (DEV) and target (QA) systems use different characters sets. (Note #535554).
If it is the former case, re-transporting your role may just be the solution for you. Just re-generate the role in DEV and initiate a new transport.
Hope this helps.
Ashutosh

How to track the transport request number for the Role/Composit Role

Hi,
How to track the transport request number for the Role/Composit Role.
Thanks,
Ravi

Use transaction SE03 Transport Organizer Tools
Execute "Search for Objects in Requests/Tasks" with objects of types:
R3TR ACGR Role
R3TR ACGT Role - User assignment
Regards

Portal Run time error when created a seperate role for Transport package.

Hi Experts,
I have created a seperate role for Transport Package(import/export iviews).
Normally we have transport package functionality in system admin.
Below steps i followed for creating the new role(trans admin)
1.Copied SAP provided system admin role to a seperate folder.
2.Deleted reamining portal objects(like UWL, portal display etc ..) except transport packege workset.
3.Renamed the role to trans admin.
I have assigned that role to my self, it is working fine to me when i clcik on export and import.I have super admin role.
when i assign this role to some portal users, Export is not working.
when user clicks on Export role they are getting below error.
Portal Runtime Error
An exception occurred while processing a request for :
iView : N/A
Component Name : N/A
Access denied (Object(s): com.sap.portal.system/security/sap.com/NetWeaver.Portal/medium_safety/com.sap.portal.appdesigner.contentcatalog/components/Framework).
Exception id: 12:10_31/08/09_0031_21763550
See the details for the exception ID in the log file
By looking into exception iD also, same error access denied it is showing.
Please Advice.
Thanks
Sony.

Hi Raghu,
Thanks for the reply.
I have given full permissions to all users to this trans admin role before itself.
Thanks in advance.
Sony.
Edited by: ambica sony on Aug 31, 2009 1:53 PM

Transport-Cockpit: No authorization for using the vehicle-resource

Hi everyone
In my planning profile I determined a sprinter as vehicle resource. As soon as I start the Transport Cockpit the freight orders appear, indeed, but TM claims that there's no authorization for my sprinter. The sprinter does not appear in the frame "resource". Selecting this vehicle manually TM post the message: vehicle not found. As far as I can estimate my master data are correct assigned.
Does anyone of you has been confronted with this problem?
Thank's for your help.
Michael

Hello Mike
I created the vehicle under Master Data / Resources / Define Resource.
Resource Category: T
Time Zone: CET
Means of Transport: 4 (the same number as I choosed in the freight order)
Planning Parameters: Finite Scheduling
Owner: the carrier of my freight order
Auth. Resource: the same carrier above mentioned
Template: Resource Template, Means of Transport: 4
Resource Validity: 1.1.1970 to 31.12.9999
Physical Properties: Mass = 1.000 kg, Volume = 4,5 m3
Time-cont. Capacity = 3 Pal (it does not make sense but I have not opportunity to change this value)
The other fields don't have any values.
In the forwarding order or rather freight order I determined the vehicle which is suitable to the selected carrier. I assume that there is a connection between the error message and the planning profile. I define in my planning profile the sprinter as vehicle:
Planning Profile / Capacity
VEHICLERES_ID inclusive = [and my vehicle]
I tried, too:
OWNER inclusive = [and my carrier]
What Transportation Cockpit is doing now, is EXCLUDING exact that vehicle (or rather carrier) I want to dispatch. It seems to work vice versa.
A sprinter is just another name for a small bus. I linked you to a photo of mercedes. Sprinter or long truck - regardless of which of them I use: the error remains.
Regards,
Michael

Roles & Authorizations for Web Reports...

Hello Experts,
We are newly implementing Web Reports in our organization. I need your great thoughts regarding implementing Authorizations for users to access the reports.
We are using a report menu page that contain links to all the reports. The page opens by clicking on a link on the portal. The individual reports are basically accessed from this page by clicking on the corresponding button (links a URL ).
I wonder if there is any way to look into the menu page (XHTML code of that web page/application) when ever the users click on the reports link and disable those buttons that the users are not allowed to access depending on the roles users are assigned to. Otherwise is there any better way to do it.
And also how to call a function from web applications.
This is a kind of urgent issue any quick ideas would be greatly appreciated.

I apologize for the difficulty in reading this I will repost.
We have had no training or received any documenation on WAD. The below was created from internet research. Hence there may be WAD functionality that would allow easier maintenance, however; this is what we use.
With our dashboard, I have a web template that contains hyperlinks for our reports. I will call this HeaderTemplate1. For each web page I have report templates. These report templates have the HeaderTemplate1 mentioned above as well as the report tables, charts, text elements, tabs, etc.
The JavaScript logic for accessing the urls of the specific report templates is contained within our HeaderTemplate1.
Below is how our setup was tested. Keep in mind, this was only for testing basic functionality. If this is something we use I will most likely create a master data table that houses the user ID and an attribute for the header type. Thus, any report menu changes can be altered quickly without changing the javascript of each report template. Also this will accomodate the few thousand users we have.
To add the functionality of different 'menus', I created another header template with the same hyperlinks of HeadertTemplate1 with the exception of one or two hyperlinks. This, HeaderTemplate2, was added to each report template just below HeaderTemplate1. Note that both HeaderTemplate1 and HeaderTemplate2 were set as visible on each report template.
Also, on each report template I added a text element. The 'List of Text Elements'property was set as such; Element Type = General Text Sympol, Element ID = SYUSER. This Text Element was linked to a query or view from BEx via the dataprovider. On the HTML side, I surrounded this Text Element with

Each Report template has this javascript function, fnRepOnLoad, which is triggered at the OnLoad event.
[<SCRIPT language = "JAVASCRIPT">
function fnRepOnLoad()
 var user_ID=document.getElementById("UserID").innerHTML;
 if (user_ID=='USER123')
 document.all["HEADTMPLT1"].style.visibility = 'hidden';
 document.all["HEADTMPLT1"].style.position = 'absolute';
 else
 document.all["HEADTMPLT2"].style.visibility = 'hidden';
 document.all["HEADTMPLT2"].style.position = 'absolute';
</script>
The function results as this. If the user is USER123, HeaderTemplate1 is hidden, leaving only HeaderTemplate2 visible. Otherwise HeaderTemplate2 is invisible leaving on HeaderTemplate1 visible.
We do not use buttons as our global leaders prefer hyperlinks but buttons can be enabled or disabled similarly.
As mentioned before, if this method is implemented, I will create a reportable master data table. Create a customer exit variable to retrieve the header template required for the user. This header template variable value will then be pulled by a text element on each report template. The script function will act as follows. If many report headers are necessary I may use a case statement.
Var User_template=document.getElementById("UserTmplt").innerHTML;
If UserTmplt = HeaderTemplate1
--> make all header templates other than HeaderTemplate1 invisible
else
--> make all header templates other than HeaderTemplate2 invisible
etc...
I hope this helps. Please keep me posted with your solution. I am very interested to learn what others are doing.
Best Regards,
Larry

"Low-level" authorizations for accessing BW reports - add users to role

Using the advice in Topic "Low-level" authorizations for accessing BW reports, I have been able to publish a query to a role that has 3 test users and each user gets the same query but with different data, as determined in the tables.
Is there a way to look up the users and e-mail addresses from a table and associate them to the role? We have several hundred e-mail recipients that will not need BW access, but only need an e-mail with a static report that contains data on their own territories.

Hi!
i think programatically it might be complex. You got to maintain a seperate variant of report per user and use this variant to send mail. that means you need to maintain a variant and a Broadcast setting per user. once maintained you can use it any number of times the values will be recalculated everytime.
with regards
ashwin
PS n: Assigning point to the helpful answers is the way of saying thanks in SDN. you can assign points by clicking on the appropriate radio button displayed next to the answers for your question. yellow for 2, green for 6 points(2)and blue for 10 points and to close the question and marked as problem solved. closing the threads which has a solution will help the members to deal with open issues with out wasting time on problems which has a solution and also to the people who encounter the same porblem in future. This is just to give you information as you are a new user.

Role authorization for CJ88 T Code

SAP Gurus
can any one tell me control the CJ88 T code, my client is having 4 business areas but, so in one business area employee will not access the other business area WBS element, can any one tell me how can i control
thanks in adv
venkat

You could get with your Basis group to add the authorization object: F_BKPF_GSB - Accounting Document: Authorization for Business Areas to the CJ88 transaction and set it to be checked at execution. Then you could create different roles for each business area and set them to the different values for BA. You can use TCode SU24 to see that there are no authorization objects in CJ88 for checking BA in SAP standard.
Alternately, you could find another role that already has this object and limit it by each area, but this would take multiple, nearly identical roles.
Regards

Authorization S_RS_AUTH in role PFCG for Analyzer

Hi folks,
I have a doubt in PFCG role for BEx Analyzer workbooks.
For restricting roles and authorizations, we are working with PFCG roles, and RSECADMIN authorizations, as we have many different users who have different authorizations.
In that way, we have created a role in PFCG, it doesn't contain S_RS_AUTH in Production as authorizations are managed in RSECADMIN as I explained (lots of different users). When a user executes the workbook (RRMX), everything works fine. However, if we execute those workbooks in Development system, without S_RS_AUTH in PFCG role, workbook doesn't show the selection screen, so it doesn't work. If I add S_RS_AUTH in Development, workbooks (RRMX) works well, but we cannot restrict with different authorizations as we have so many that we do it through RSECADMIN.
I was following this article: AUTHORIZATION FOR BI REPORTING - Business Intelligence (BusinessObjects) - SCN Wiki
Does anyone know why it works in Production and no in Development? How can I do for making it work in Development without restricting S_RS_AUTH in the role?
Thanks!

Yes, it's the same patch level (recently upgraded indeed).
Moreover, I've discover than even putting S_RS_AUTH, it doesn't work well. I mean, if I put * or 0BI_ALL, it works, if I put any other authorization for restricting, workbook doesn't work well (it doesn't show the selection screen pop-up)
It's being a nasty problema as we cannot do tests.

No authorization for transporting role PW1_BW_Developer1_menu

Similar Messages

Maybe you are looking for