Organization level control on Role

Dear security gurus,
I have 2 business roles in the company and 2 subsidiaries under HQ.
Each company has
- Account clerk
- Account manager
HQ's clerk & manager: able to check all companies' data.
Subsidiary's clerk & manager: able to check ONLY their own company's data.
In this case, I have to create these 6 roles, because
company code restriction can be controlled only by role, not by user.
Am I correct?
1. HQ's manager (Company code: *)
2. HQ's clerk (Company code: *)
3. Subsidiary1's clerk (Company code: 1)
4. Subsidiary1's manager (Company code: 1)
5. Subsidiary2's clerk (Company code: 2)
6. Subsidiary2's manager (Company code: 2)
Yoshi

Hi,
I'd never give business access to all companies.
My proposal:
1. HQ's manager (Company code: 1, 2)
2. HQ's clerk (Company code: 1, 2)
3. Subsidiary1's clerk (Company code: 1)
4. Subsidiary1's manager (Company code: 1)
5. Subsidiary2's clerk (Company code: 2)
6. Subsidiary2's manager (Company code: 2)
You could also assign HQ both roles of the subsidiaries:
1. HQ's manager (MGR-01, MGR-02)
2. HQ's clerk (CL-01, CL-02)
3. Subsidiary1's clerk (CL-01)
4. Subsidiary1's manager (MGR-01)
5. Subsidiary2's clerk (CL-02)
6. Subsidiary2's manager (MGR-02)
That way, you need only four roles:
MGR-01
MGR-02
CL-01
CL-02
- more effort with assigning the roles
- saves a little effort on the role management side
- works only if the needed transactions are exactly the same (Subsidiary vs. HQ).
greetings
Alexander Walkenhorst

Similar Messages

  • Adding the organization level to one Role

    Hi Experts,
    I have one role in PFCG; this role contains some authorizations.
    This role also maintains organization level values.
    Now I want to include one more organization level in this role,
    for example
    company code -----> *
    purchasing group -----> *
    division -----> *
    Now I want to add "Work center".
    How can I include it? Is there any option?
    Thanks in advance
    sundar.c

    Thanks for the Doc. This will be my Plan B.
    I am still researching how to directly publish to Portal. I was able to do that from Query Designer using Publish to Portal, and the report shows up as an iView in a PCD folder in the Portal. The end users have only the Business Explorer Role and all they can see is the Business Explorer tab of the Portal. So, I need to figure out a way to assign the iView to the end user role.
    In one of the threads,
    Prakash Darji suggested
    "The "publish into Role" from WAD saves to BI Roles which doesn't help you in web deployment, so I typically don't use this. I usually "Publish to Portal" and then will add my iView on the portal to a portal role that users are assigned to. This would make these iViews available to users on the portal. "
    I am going to assign points for your suggestion though.

  • Changing Organization level for derived roles

    Dear All,
    Below is my query:
    When there is any requirement to change the organization level of a derived role, we go to the role and change the organization level manually.
    We have derived our roles based on the units (company codes).
    Now we have a scenario, where we need to add one unit in a particular derivation of all roles.
    Please suggest if there is any way of updating the organization level in mass for a specific derivation.
    Regards,
    Reshma Vijayan.

    Colleen Lee wrote:
    At least with this option you are using the PFCG functionality and not hitting the tables directly
    Hi Reshma, Colleen,
    Some additional warnings about manipulating the downloads:
    The download file is a fixed-record-length text file; do not mess up the data positions.
    Be aware of case (upper/lower) when manipulating the file.
    Make sure you do a unicode download to preserve special characters in the menu texts.
    There are very, very few checks done on the file contents when uploading again. It will allow you to pollute your AGR* tables in such a way you'll need an ABAP-er or SQL-savvy colleague to clean up the mess. It is very close to manipulating the tables directly.
    I once managed to get entries into AGR_1251 which didn't show up in PFCG and wouldn't even disappear from the tables after I had deleted the roles in question.
    And yes, I still use this method, but I won't advise it to anyone I cannot personally train to be aware of the pitfalls ;-)
    Jurjen

  • Template for organization level role

    Hi.
    I have mySAP ERP version 5.1, but I don't have HR or IdM in my system.
    I created a role for transactions FK01 and FK02. In the authorization objects I put values 01 and 02 in the activity fields, and the organization levels were left blank.
    I created another role with the same authorization objects, created manually, with org level values in the authorization objects and no values in the activity field.
    The objective is to merge both roles with an additive effect in a user account to reduce the number of derived roles.
    But this design is not working properly. I need to know why.

    Hi,
    As per your query, create a new role and assign the values for these objects in that new one.
    Anil
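    The following Python model is an added illustration for this thread and for the HQ/subsidiary design in the opening post by Yoshi and Alexander's reply; it is not code from any of the posters or from SAP. It models the two rules both threads rely on: a user's authorizations are the union of all assigned roles, and an AUTHORITY-CHECK passes only when one single authorization instance covers every checked field. The object F_LFA1_BUK (assumed for FK01/FK02), the company codes 1000/2000/3000 and the role names are assumptions; a blank org-level field is treated as matching nothing, which simplifies what PFCG does with unmaintained fields.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Assumed authorization object for the vendor-master transactions FK01/FK02
# named in the thread; it carries an activity field and the company code org level.
OBJ = "F_LFA1_BUK"
ANY = frozenset({"*"})          # the "Company code: *" value from Yoshi's design


@dataclass
class Authorization:
    """One authorization instance. A check passes against this instance only if
    EVERY checked field is covered by this same instance."""
    obj: str
    fields: Dict[str, FrozenSet[str]]   # field name -> allowed values

    def permits(self, obj: str, wanted: Dict[str, str]) -> bool:
        if obj != self.obj:
            return False
        for name, value in wanted.items():
            allowed = self.fields.get(name, frozenset())
            if "*" not in allowed and value not in allowed:
                return False
        return True


@dataclass
class Role:
    name: str
    auths: List[Authorization]


def authority_check(roles: List[Role], obj: str, **wanted: str) -> bool:
    """AUTHORITY-CHECK semantics: the user's authorizations are the union of all
    assigned roles, and the check succeeds if ANY single instance matches ALL fields."""
    return any(a.permits(obj, wanted) for role in roles for a in role.auths)


def derive(parent: Role, name: str, bukrs: FrozenSet[str]) -> Role:
    """Derived role: identical objects and activities, only the org level differs."""
    return Role(name, [Authorization(a.obj, {**a.fields, "BUKRS": bukrs}) for a in parent.auths])


# Master clerk role: activities maintained, org level left blank (filled by derivation).
# Simplification: a blank field matches nothing here; real PFCG flags it as unmaintained.
CLERK_MASTER = Role("Z_CLERK_MASTER", [
    Authorization(OBJ, {"ACTVT": frozenset({"01", "02", "03"}), "BUKRS": frozenset()}),
])
CL_01 = derive(CLERK_MASTER, "CL-01", frozenset({"1000"}))
CL_02 = derive(CLERK_MASTER, "CL-02", frozenset({"2000"}))
HQ_STAR = derive(CLERK_MASTER, "HQ-CLERK-STAR", ANY)                          # Yoshi: Company code *
HQ_LIST = derive(CLERK_MASTER, "HQ-CLERK-LIST", frozenset({"1000", "2000"}))  # Alexander: 1, 2

# Constructed company codes; 3000 stands for a subsidiary founded after the roles were built.
ALL_CODES = ["1000", "2000", "3000"]


def reachable_codes(roles: List[Role], codes: List[str]) -> Set[str]:
    """Company codes a user holding these roles can display (ACTVT 03)."""
    return {c for c in codes if authority_check(roles, OBJ, ACTVT="03", BUKRS=c)}


def compare_hq_designs() -> Dict[str, Set[str]]:
    return {
        "star": reachable_codes([HQ_STAR], ALL_CODES),                       # silently gains 3000
        "explicit": reachable_codes([HQ_LIST], ALL_CODES),                   # stays at 1000, 2000
        "two_subsidiary_roles": reachable_codes([CL_01, CL_02], ALL_CODES),  # four-role variant
    }


def additive_design_works() -> bool:
    """The template-thread idea: one role with activities only, another with the
    org level only, assigned together. Fails: the two instances are never merged."""
    activities_only = Role("Z_ACTVT_ONLY", [
        Authorization(OBJ, {"ACTVT": frozenset({"01", "02"}), "BUKRS": frozenset()})])
    orglevel_only = Role("Z_ORG_ONLY", [
        Authorization(OBJ, {"ACTVT": frozenset(), "BUKRS": frozenset({"1000"})})])
    return authority_check([activities_only, orglevel_only], OBJ, ACTVT="01", BUKRS="1000")


if __name__ == "__main__":
    for design, codes in compare_hq_designs().items():
        print(f"{design:22s} -> {sorted(codes)}")
    print("additive two-role design passes FK01 check:", additive_design_works())
    print("single derived role CL-01 passes FK01 check:",
          authority_check([CL_01], OBJ, ACTVT="01", BUKRS="1000"))
```

    compare_hq_designs() shows why Alexander avoids '*': the wildcard role covers company code 3000 from the day it is created, while the explicit list and the two-subsidiary-role variant stay at 1000 and 2000. additive_design_works() returns False: the activity-only role and the org-level-only role are never merged field by field, which is why a single derived role such as CL-01 passes the same check and the two-role template does not.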

  • GRC Access Control 5.3 Organizational Levels - logical AND - OR changed

    Hello GRC Community,
    We are working with Access Control 5.3 SP 12 and we are setting up organization levels for the risk analysis.
    The setup is loaded with a flat file, and the configuration seems to be loaded in the right way.
    Doing the configuration on the RAR portal, opening the tab "Rule Architect", then "Organization Rules" and "Create", we have this information:
    Organization Rule: Z001
    Description: TEST
    Risk    Organization Level  From  To  Search type  Status
    F001*   BUKRS               PRE0      AND          Enabled
    F001*   EKORG               PR00      OR           Enabled
    F001*   EKORG               PR01      OR           Enabled
    F001*   EKORG               RP00      AND          Enabled
    F001*   VKORG               RP00      OR           Enabled
    F001*   VKORG               RP01      OR           Enabled
    F001*   VKORG               RP02      AND          Enabled
    F001*   WERKS               SV00      OR           Enabled
    F001*   WERKS               VS00      OR           Enabled
    Finally the save button.
    When we edit an organization rule or add a new one with the organization rules screen, after saving we get the following result when we load the rule again.
    In the case of the same organization rule (Z001), the RAR returns this info:
    Organization Rule: Z001
    Description: TEST
    Risk    Organization Level  From  To  Search type  Status
    F001*   BUKRS               PRE0      AND          Enabled
    F001*   EKORG               PR00      OR           Enabled
    F001*   EKORG               PR01      OR           Enabled
    F001*   EKORG               RP00      OR           Enabled
    F001*   VKORG               RP00      OR           Enabled
    F001*   VKORG               RP01      OR           Enabled
    F001*   VKORG               RP02      OR           Enabled
    F001*   WERKS               SV00      OR           Enabled
    F001*   WERKS               VS00      OR           Enabled
    So the RAR has changed the logical AND to OR.
    Why is it happening? This effect doesn't happen if I do an upload from a flat file of organizational rules.
    We already tried the same exercise with RAR SP 14, with the same issue.
    Thanks in advance for all your comments
    Regards,
    Alejandro
    Edited by: Alejandro Acuña Acosta on Jun 3, 2011 8:53 AM

    Hi,
    > 1. The add-ons HR and NonHR are installed on the ERP?
    Yes.
    > 2. The GRC could be a stand-alone Java server?
    It should be on a separate server.
    > 3. The SPRO config for Process Control is configured on the ERP or the GRC server?
    ERP server.
    Thanks
    Sunny

  • "Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run se

    Team,
    I am trying to install Exchange in my lab and getting the below error message.
    The Schema Master role is installed on the root domain and I am trying to install Exchange on the child domain.
    1 root domain - 1 child domain, both located in a single site.
    "Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run setup with the /prepareAD parameter and wait for replication to complete."
    Followed the below articles:
    http://support.risualblogs.com/blog/2012/02/21/exchange-2010-sp2-upgrade-issue-exchange-organization-level-objects-have-not-been-created-and-setup-cannot-create-them-because-the-local-computer-is-not-in-the-same-domain-and-site-as-the-sche/
    http://www.petenetlive.com/KB/Article/0000793.htm
    Transferred the schema role to a different server in the root domain, still no luck.
    Can someone please help me.
    Regards
    Srinivasa K

    Hi Srinivasa,
    I guess you didn't complete the initial schema prep and AD prep before starting the installation. You can do it as follows:
    1. Open a command prompt as administrator, browse to the root of the installation CD and run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
    After finishing this,
    2. Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms
    3. To prepare all domains within the forest run Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms. If you want to prepare a specific domain run Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare> /IAcceptExchangeServerLicenseTerms
    4. Once you complete all of the 3 steps, install the prerequisites for Exchange 2013
    5. Finally, run the setup program
    Hope this will help you
    Regards

  • Need organization level object

    Hi,
    I want to insert an organization level in the S_ALR_87012294 report,
    but PFCG -> Authorizations -> Change authorization data shows no organization level.
    Is there any authorization object for giving an organization level?
    Best Regards
    Dilip Pasila

    The note says that you can apply it as a "download" via SNOTE ahead of the Support Pack (level), or apply the whole Support Packs up to that level (which will include the corrections), or you can install a brand new ERP system on the highest current release and SP stack... but in all cases the checks are not performed against these objects until you modify the code in a SAP standard include program to activate the check.
    I can understand backward compatibility with existing role concepts, however a "normal" procedure to not perform such new checks is an approach something like the default values of PRGN_CUST are used for, where you can activate the checks via customizing views (for each of the three objects independently) when you need them or discover the gap. Then in some higher release you can switch the defaults to "ON" if the requirement / opportunity is there.
    It also makes it easier to implement, transport and perform cross system comparisons of settings.
    Forcing customers to make a modification to the standard system at each installation to close a security hole is about as elegant a software logistics solution as a frontal lobotomy is to peace of mind...
    I will add this to the [Security Functionality Wishlist in the Wiki|https://wiki.sdn.sap.com/wiki/display/Security/SecurityFunctionalityWishlist-Topics] and suggest you check your systems to see whether your F_BKPF_BE* object security has a hole in the bottom of the bucket.
    For me it is self-explanatory that this should be changed, but the inventors of it wanted to know whether it is just me or possibly a whole mob out there wanting it (and possibly not knowing about it either).
    Cheers,
    Julius

  • Basic Information about Organizational Level & Org. level value.

    Hello Experts,
      I am new to the field of SAP and security. I have the following questions:
    1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?
    2. What is a derived role and what is its usage?
    I appreciate your help regarding this. If you could point me to some documentation regarding this that will be very helpful.
    Regards, Ben

    Ben,
    I am new to the field of SAP and security. I have the following questions:
    1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?
    If you want to restrict region-wise, best use org levels & values (plant, company code, sales org).
    In the role you will notice them in red colour.
    2. What is a derived role and what is its usage?
    A derived role inherits the menu structure and the functions from the parent role. Derived roles do not differ in their functionality (identical menu & transactions) but have different characteristics with regard to org levels.
    Eg1: Master role
    PFCG -> role name -> create -> menu -> enter tcodes -> Auth tab -> expert mode -> read old status and merge with new data -> pop-up for org levels (give full access) -> see that everything is green -> generate it.
    http://e-mory.blogspot.com/2007/12/sap-pfcg-create-role.html
    Eg2: Derived role
    PFCG -> role name -> create -> in the description tab towards the right enter the master role name -> Auth tab -> expert mode -> read old status and merge with new data -> you will get a pop-up for org levels (here you can restrict on plant level, purchasing group, company code, ...)
    -> let's say for plant: 1000 -> generate / user comparison
    Once the role is added to the user, the user will be able to see only those plant-related details (1000) (i.e. he will have access to only plant 1000).
    Suppose the user enters 2000, he will get an error message saying no access to 2000.
    NOTE: Any changes to the role should be done in the master role (like adding tcodes).
    http://www.rssfeeddirectory.org/directory/items/346239.aspx
    https://cw.sdn.sap.com/cw/docs/DOC-12021
    http://help.sap.com/saphelp_wp/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm
    Re: Authorization error after transport
    Thanks,
    Sri

  • Authorizations....Sales organization level

    Hi all
    I want to create the authorizations for the sales organization level. I have made the Sales Organization object authorization-relevant. After that I created an authorization object based on the Sales Org object. I created a role and a profile based on the authorization object which I created, and assigned the role to the user.
    Now when I execute my query on the web it says
    'No Authorization (Or Everything is Filtered Out)'
    At the top of the query execution it gives me the message
    'You do not have authorizations for component 0CRM_OPMO_Q001'
    Now I would like to know, when we create the profile in the role, do we need to add any other authorization objects apart from the one which we created? If so, what options do I need to give?
    And second, when we create a test user for the authorization testing, what roles do we need to give him? One would be the one which we generated. What other roles will the user have?
    Please help
    answers would be rewarded
    regards
    vijaykumar

    It sounds like you have another authorization object
    "checked" on the InfoCube/ODS.
    To check this, you have two options.
    (1) RSSMQ, with the user id. Execute the query, then back up (using the green arrow). One page on the back-up operation will give you what authorization objects are checked.
    (2) Go to transaction RSSM and enter the InfoProvider. Uncheck the authorizations you don't want to have verified.
    Also, on the variable for the authorization object (query) you must enter a value here if you do not have an "*" object.
    Cheers!
    /smw

  • Organization Admin control in OIM 11gR2

    Hi,
    I was trying to configure Organization Admin control in OIM 11gR2. Our requirement is to configure roles having read access to an organization (members of this role can only see the members of the organization but cannot update them), and roles having admin control over an organization (where members of these roles can read/write/execute member access). There should be different sets of roles having access to different organizations, where members of one role cannot access the members of the other organization. I tried to configure these security models but the only thing I could find in the organization is Admin Roles, which I also wasn't able to configure very well :(. Can someone point me to the correct documentation or procedure/tool which we should use to achieve such functionality? (These functionalities are very easily available in OIM 10g but I couldn't find them in 11gR2 :( )

    If you add the members of a role to the Admin Roles of a given Organization (specifically the OrclOIMOrgViewer Admin Role), the users will be able to see the users in that organization.
    A few things to consider:
    Only xelsysadm or users in the System Administrator Admin Role can assign users to Admin Roles within the scope of an Organization.
    Here is a piece of code that you can use to programmatically add users to the Admin Role OrclOIMOrgViewer (placeholders in angle brackets must be replaced with your own values):
    import java.util.Hashtable;
    import java.util.List;
    import javax.security.auth.login.LoginException;
    import oracle.iam.platform.OIMClient;
    import oracle.iam.platform.authopss.api.AdminRoleService;
    import oracle.iam.platform.authopss.vo.AdminRole;
    import oracle.iam.platform.authopss.vo.AdminRoleMembership;
    // Logs in to OIM as xelsysadm and returns a connected client (shared by both methods below).
    private OIMClient connect() {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://<oim server host>:<oim port>");
        OIMClient oimClient = new OIMClient(env);
        try {
            oimClient.login("xelsysadm", "<XELSYSADM Password>".toCharArray());
        } catch (LoginException e) {
            throw new RuntimeException(e.getMessage(), e);
        }
        return oimClient;
    }
    // Gets the list of all admin roles scoped by Organization.
    public List<AdminRole> getScopedAdminRoleMemberships() {
        AdminRoleService adminRoleSvc = connect().getService(AdminRoleService.class);
        return adminRoleSvc.getScopedAdminRoles();
    }
    // Adds the user identified by userId (pass usr_key, not usr_login) to the Admin Role
    // in the Org whose key (act_key) is passed as scopeId.
    public AdminRoleMembership addAdminRoleMembershipFor(String userId, AdminRole role, String scopeId) {
        AdminRoleMembership membership = new AdminRoleMembership();
        membership.setAdminRole(role);
        membership.setUserId(userId);
        membership.setScopeId(scopeId);
        AdminRoleService adminRoleSvc = connect().getService(AdminRoleService.class);
        return adminRoleSvc.addAdminRoleMembership(membership);
    }
    This should give you what you need. Remember, the APIs work with act_key and usr_key values; don't use Org Names or User Logins.
    Hope this helps.
    Regards
    Alex Lopez

  • P_ORGIN object - converting VDSK1  field to Organizational Level field

    Hi there,
    SAP ECC 6.0  SAP_BASIS     701     0007     SAPKB70107     SAP Basis Component
    Looking for input on changing the VDSK1 field in the P_ORGIN object to an organizational level field, to use the role master and sub-roles (derived) concept. We currently maintain a separate role for each set of cost centers and infotypes. On occasion the infotypes
    change, but that means a great deal of manual changes for each P_ORGIN-defined role. Our approach is all within the P_ORGIN object - no structural authorizations in place. Any input or experience appreciated. We separate the functional part of the HR access (tcodes/other objects) in one role and the master data access (P_ORGIN) in another role, which is different for each user.
    Thanks !

    Dan,
    I hope you have already heard about PFCG_ORGFIELD_CREATE; using this we can convert an authorization field into an org field.
    There are SAP Notes on this as well. Please do a search in SMP.
    Thanks,
    Brahmeshwar.

  • Version Control for Roles

    Does anyone know of any good tools (3rd party or SAP) that allow version control of roles?
    The issue we're facing is the ability to go back to a previous version of a given role (from 2 months or more ago).
    My background is a developer (Microsoft toolset not SAP) turned SAP security admin and I'm missing the toolsets that used to be second nature for a developer.  It appears that the ABAP development environment in SAP has similar types of functionality, but this functionality is missing for security roles.

    A few of the suggestions provided are good and will be helpful.
    1) Downloading / archiving the role before making any changes - Good concept and provides some level of version control, but it is a manual step that must be followed by everyone to ensure consistency.
    2) Importing a prior transport into the SBX system - Good concept and we already do one transport per role, so this is a workable option. Something I hadn't thought of.
    3) Change logs - Good for identifying who made a change and when, but after doing security for 2.5 years it's very apparent that the change logs don't do a good job of telling the before / after picture. Anyone that uses this on a regular basis realizes that these entries aren't very good for the addition of auth objects because they don't tell you what the initial values are in these cases.
    The primary use of a versioning tool isn't necessarily to roll back to a prior version (i.e. over-writing the current version), but to look at a prior version and see exactly how it was at a certain point in time.  Change logs can be reverse engineered to some degree to work back into a past point in time, but having the snapshot in time tells you exactly and doesn't require the reverse engineering.
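    A snapshot comparison, added here as an example (not code from the poster or from SAP), of what suggestion 1 gives you that the change logs do not: with a before and an after copy of the role's authorization data, a newly added object shows up with all of its initial values, a removed one with the values it had. The record layout (OBJECT;AUTH;FIELD;LOW;HIGH) loosely follows the columns of AGR_1251 but is constructed for this example and is not the PFCG download format; the authorization names (T-AB...) and values are invented.

```python
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, NamedTuple, Set, Tuple


class Row(NamedTuple):
    """One field value of one authorization instance, loosely following the
    AGR_1251 columns OBJECT, AUTH, FIELD, LOW, HIGH. Constructed layout."""
    object: str
    auth: str
    field: str
    low: str
    high: str


# Constructed snapshots of the same role, taken before and after a change.
# Authorization names (T-AB...) and values are invented for the example.
BEFORE = """OBJECT;AUTH;FIELD;LOW;HIGH
F_LFA1_BUK;T-AB00000100;ACTVT;01;
F_LFA1_BUK;T-AB00000100;ACTVT;02;
F_LFA1_BUK;T-AB00000100;ACTVT;03;
F_LFA1_BUK;T-AB00000100;BUKRS;1000;
F_LFA1_APP;T-AB00000200;ACTVT;03;
F_LFA1_APP;T-AB00000200;APPKZ;F;
"""

AFTER = """OBJECT;AUTH;FIELD;LOW;HIGH
F_LFA1_BUK;T-AB00000100;ACTVT;01;
F_LFA1_BUK;T-AB00000100;ACTVT;02;
F_LFA1_BUK;T-AB00000100;ACTVT;03;
F_LFA1_BUK;T-AB00000100;BUKRS;1000;
F_LFA1_BUK;T-AB00000100;BUKRS;2000;
S_TABU_DIS;T-AB00000300;ACTVT;03;
S_TABU_DIS;T-AB00000300;DICBERCLS;*;
"""


def load_snapshot(text: str) -> Set[Row]:
    """Parse one snapshot into a set of rows; sets make the diff order-independent."""
    reader = csv.DictReader(StringIO(text), delimiter=";")
    return {Row(r["OBJECT"], r["AUTH"], r["FIELD"], r["LOW"], r["HIGH"]) for r in reader}


Delta = Dict[Tuple[str, str], Dict[str, List[Row]]]


def diff_snapshots(before: Set[Row], after: Set[Row]) -> Delta:
    """Group removed and added rows by authorization instance (object, auth)."""
    changes: Delta = defaultdict(lambda: {"removed": [], "added": []})
    for row in sorted(before - after):
        changes[(row.object, row.auth)]["removed"].append(row)
    for row in sorted(after - before):
        changes[(row.object, row.auth)]["added"].append(row)
    return dict(changes)


def render(changes: Delta, before: Set[Row], after: Set[Row]) -> List[str]:
    """Human-readable before/after report. A brand-new instance lists all of its
    initial values, which is exactly what a plain change log does not show."""
    in_before = {(r.object, r.auth) for r in before}
    in_after = {(r.object, r.auth) for r in after}
    lines: List[str] = []
    for (obj, auth), delta in sorted(changes.items()):
        if (obj, auth) not in in_before:
            status = "NEW authorization (initial values shown)"
        elif (obj, auth) not in in_after:
            status = "REMOVED authorization"
        else:
            status = "changed"
        lines.append(f"{obj} {auth}: {status}")
        for r in delta["removed"]:
            lines.append(f"  - {r.field} = {r.low}{'..' + r.high if r.high else ''}")
        for r in delta["added"]:
            lines.append(f"  + {r.field} = {r.low}{'..' + r.high if r.high else ''}")
    return lines


if __name__ == "__main__":
    b, a = load_snapshot(BEFORE), load_snapshot(AFTER)
    print("\n".join(render(diff_snapshots(b, a), b, a)))
```

    Run against two downloads taken two months apart, the report answers the question the poster asks: not only that F_LFA1_BUK was touched, but that BUKRS 2000 was added to it, that F_LFA1_APP went away with ACTVT 03 / APPKZ F, and that S_TABU_DIS arrived with ACTVT 03 and DICBERCLS *.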

  • Modify Organizational Levels screen appereance depending on selected views

    Hi!!
    I need to modify the appearance of the organizational levels screen depending on which views the user has selected when creating/updating a material (for some views I need to use the standard screen and for others I need to show a new one with the standard appearance and some other fields).
    I've been checking forums but I'm not very sure which solution I should implement. It seems to be the one which uses the SPRO process explained in SPRO -> IMG Activity -> Logistics General -> Material Master -> Configuring Material Master -> Create a program for sub screen, but this seems to be for creating new views more than for modifying the standard flow for organizational levels.
    Otherwise, if the solution is correct, how can I choose which of the two screens shows up in each case? I've also read about changing view sequences, but I haven't found anything that was dependent on which views the user had selected.
    Regards.
    DTZ.

    Hello Rajesh
    I do not think so, because we are dealing here with a control, namely the calendar control.
    If you want to change the F4 for a date field in a customer program where you can realise the search help dialog yourself, then you could have a look at the CL_...CALENDAR... classes or the function modules CALENDAR* and check if the interfaces might allow you to implement your requirements.
    Regards
      Uwe

  • DIR Authorization by Organizational Level

    Hi fellows!
    I would like to know if it is possible to restrict access to DIRs by organizational levels.
    Example: I need that if User A from plant 1234 creates a DIR of type AAA, number 0001, then User B from plant 4567 shouldn't have access to this DIR type AAA number 0001. I want the users to only be able to access the DIRs created by the plant which they have access to.
    In the master roles of DMS I didn't find any object to help me in this scenario. I don't want to use the ACL to restrict the access to the documents. I want this restriction to be done by authorization rules as in other areas.
    Can someone help me with some idea or case about this?
    Best Regards!
    Daniel
    Edited by: D Quintal on Nov 25, 2010 5:43 PM

    Hi Daniel,
    It's quite possible to achieve your requirement.
    There is a field called 'Authorization group' in a DIR, if you have observed. This enables you to restrict authorization at document level in addition to the authorizations at document type and status level. I suggest you create authorization groups like Plant1234, Plant4567 and so on with the help of your ABAPer. Now assign the required users to these authorization groups.
    Once implemented, whenever a DIR is created and a specific authorization group is assigned, only those users that are part of this authorization group will be able to process/access this DIR. Hope this addresses your requirement.
    For details on implementing Authorization group in DMS,refer link,
    http://wiki.sdn.sap.com/wiki/display/PLM/UsingAuthorizationGroupfieldin+DMS
    Regards,
    Pradeepkumar Haragoldavar

  • Storage location on basis of Plant in organization level in MM01

    Hello,
    Here is the scenario: I select a material in MM01 and click on the 'Organization Level' tab. In this tab (on the basis of the view selection, I get Plant and Storage Location), I enter a plant, let's say 1000. Now if I press F4 on the Storage Location, instead of displaying all the locations, can it display the storage locations of the specific plant, i.e. 1000? Is this possible, and if yes, how do I do it?
    Help Needed Big time.
    Thanks,
    Shehryar Dahar

    HI,
    Yes, it is possible.
    Use "F4IF_INT_TABLE_VALUE_REQUEST".
    Example (replace the plant value and the screen field name in angle brackets with your own):
    FORM f_get_str_value.
    * Value table with one column LGORT, so RETFIELD is 'LGORT'
      TYPES: BEGIN OF ty_lgort,
               lgort TYPE lgort_d,
             END OF ty_lgort.
      DATA: lt_lgort TYPE STANDARD TABLE OF ty_lgort,
            lv_werks TYPE werks_d.
      CONSTANTS: l_c_fieldname TYPE dfies-fieldname      VALUE 'LGORT',
                 l_c_dynprofld TYPE help_info-dynprofld  VALUE '<your storage location screen field>'.
      lv_werks = <your valuewerks>.
    * Only the storage locations of the plant entered on the screen
      SELECT DISTINCT lgort FROM mard
        INTO TABLE lt_lgort
        WHERE werks = lv_werks.
      CALL FUNCTION 'F4IF_INT_TABLE_VALUE_REQUEST'
        EXPORTING
          retfield         = l_c_fieldname
          dynpprog         = sy-cprog
          dynpnr           = sy-dynnr
          dynprofield      = l_c_dynprofld
          window_title     = text-078
          value_org        = 'S'
          callback_program = sy-cprog
        TABLES
          value_tab        = lt_lgort
        EXCEPTIONS
          parameter_error  = 1
          no_values_found  = 2
          OTHERS           = 3.
      IF sy-subrc <> 0.
        MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
      ENDIF.
    ENDFORM.
    regards,
    nazeer
    reward if useful
