Personas and PFCG Roles
Hello community,
I am working with a team to help deploy Personas for our production systems. I was wondering if there was a way to provide access through PFCG roles in SAP? I know about the admin transaction and how to give access there, but we are trying to make gaining access to personas an automated process. Could there be a way to automically give access to everyone in SAP without ever having to look at the /persos/admin_ui transaction?
If both answers are no, here is one more thought: Could personas access be given through automatic user provisoning in IDM?
hi terrance,
Using PFCG roles, you can create groups (under mass Group Maintenance) and then provide PERSONAS authorization to that group.
For sync-up of users in that role on regular basis, check Tamas reply above.
Best Regards,
Sushant
Sorry, my update over assigning personas role directly to a group was incorrect.
Message was edited by: Sushant Priyadarshi
Similar Messages
-
Hi all,
I am new to CRM 7.0 Can someone explain What is a Business Role in CRM 7.0 and what is the relationship between Business role and PFCG role. What is the transaction Code to create a Business role.
And also I heard that there is no PCUI in CRM 7.0. Is it true and if so what is used in place of the PCUI
Thanks.
Neha.Neha,
Next time please do a search in this forum on business roles, and you would find many topics discussing this information more completely. I'm locking this thread due to it fact that this question has been asked many times before by many different people.
These threads explain the topic in more detail:
Re: Reg: Business Role
Assignment pfcg-role to user and assignment pfcg-role to business role
Thank you,
Stephen -
BP created with category Person and BP Role Consumer is not replicated
Hello Gurus,
I have created a BP with Category Person and BP Role Consumer but after saving my BP is not getting
replicated to ERP, though in the Clasification Tab i could see consumer is being selected and the Account
group 0170 - Consumer showing up.
I have also checked in PIDE transaction in ERP system this Account group has clasification E which is Consumer.person,and as numbe range is assigned to this Account group
i have checked in middleware there is an error message which says "BP XXXX doesnt not exist as customer,change not possible" and aslo one more message which says "no classification is assigned to BP"
any customizing is missing in CRM system, or only customiaing required is in ERP only?
Thanks and Regards
chanduHi,
With respect to your question on below link.
Re: BP created with category Person and BP Role Consumer is not replicated
Please find the below path in ECC
SPRO>Logistic General>Business Partner>Customer>Define Account Groups and Field Selection for Customers.
Select 0170 Consumer account grp and click on details. You will see the Number range in General Data.
Copy that number range and goto below path and check if the number range is internal or external.
SPRO>Logistic General>Business Partner>Customer>Define and Assign Customer Number ranges. The popup will appear and select Define Number ranges for customer master. Click on display intervals. You will see the number range is mainatined internal or external.
Hope this helps.
Regards,
Chandrakant
Edited by: Chandrakant A on Dec 15, 2009 7:41 PM -
Assignment pfcg-role to user and assignment pfcg-role to business role
Hello, Gurus!
What is the difference between direct assignment pfcg-role to user and assignment pfcg-role to business role? What is the effect from assignment pfcg-role to business role?
As I see authrizations from pfcg-role assigned to business role have no effect to user...
Best regards,
Artuк Litvinov.Artur,
The business role assignment does not give a user that PFCG role. Instead it is just a mapping table and does nothing more.
Therefore that UIU_COMP auth object must exist in the PFCG roles assigned to the user in order for them to use the webclient. In your scenario let's do the following:
You have pfcg roles:
RA
RB
You a have business role
B1
You have users:
Joe
Jack
Business Role B1 is assigned to role RA which contains UIU_COMP.
User Joe gets business role B1 and roles RB which does not have UIU_COMP. This will not let him use the webclient.
User Jack gets business role B1 and pfcg role RA. This will work because everything is there.
This means you need both the correct PFCG plus business role setup to make it work properly.
Take care,
Stephen -
Business Role - Link to PFCG role
Dear all,
When I create a new business role in CRM there is a field called PFCG role ID in which you must provide a PFCG role.
What is the functionality of this PFCG role in relation to the Business Role?
When I look into standard SAP business roles and their associated standard SAP PFCG role I see a lot of "external services"/views. Is it possible to create such a role from scratch myself.
Is there some documentation available that explain this relationship between the PFCG role and the business role.
Thank you in advance,Dear Ivan,
To start with Business Partner Roles and PFCG roles are different. Though you have an integration that one business partner cannot view the data of other business partner because of the roles that are being maintained in PFCG.
Lets say you have two customers (BP Role Customer). One customer cannot view the data of other customer because of the role that is being assigned to his user id in SU01. You create the roles in PFCG.
CRM Business Partner Roles:
http://help.sap.com/saphelp_glossary/en/dc/926ecf5e1cd511bcbe0800060d9c68/content.htm
Rights and responsibilities that a business partner can have in various business transactions.
The assignment of a BP view determines the relevant data sets, so that only a particular part of the BP master data is displayed, depending on the business transaction in question.
http://www.crmexpertonline.com/archive/Volume_03_(2007)/Issue_04_(May)/v3i4a4.cfm?session=
Each business partner role contains a predefined set of functions based on the business partners relationship to your company. For example, you could have business partner roles such as employee or vendor. The business partner roles determine the fields you have available in the SAP CRM system for the business partner. Business partner role categories sort business partner roles into groups, such as person or company.
PFCG Roles:
http://help.sap.com/saphelp_nw2004s/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm
The SAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP System, after he or she has logged on to the system and authenticated himself or herself.
To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.
Hope this will help.
Regards,
Naveen. -
Hi Experts,
I have created a new Business role ZBP_MKT_MAN and PFCG role ZSAP_CRM_UIU_MKT_PROFESSIONAL. However the authorisations are not getting copied from SAP_CRM_UIU_MKT_PROFESSIONAL to ZSAP_CRM_UIU_MKT_PROFESSIONAL properly. Can someone guide me with the same.
Thanks
LeelaHi Maikel,
Sorry type the infor incorrectly, i have creared a BP role ZBP_MKT_MAN for which i have created a PFCG role ZBP_MKT_MANAGER to the add the same to it. However, the new PFCG role ZBP_MKT_MANAGER is not getting displayed in the PFCG roles list and i am not able to add the same to the BP role ZBP_MKT_MAN. Can you plz let me know how to proceed further.
Thanks
Leela -
Relation between OOSB and a PFCG Role?
Hi folks,
Is there a link between OOSB and a PFCG role?
I would like to avoid inputting a person through OOSB. Basically, my aim is to link a profile created in OOSP to a profile (or role) created in PFCG.
The final objective is to assign Admin people in a single role and, depending their company codes assigned in the org. struc., see only the people from those companies when using BBPUSERMAINT transaction.
Any feedback or others solution?
Thanks
Regards - chrisHi
Which SRM version are you using ?
I have not tried this ever yet... so difficult to comment on this.
Anyways, I guess, this will affect to all levels down the line wherever inherited. Be careful while doing this.
<b>Please go through the related links -></b>
Re: SRM 4.0 Security Concept
Re: Manager is not able to change attribute
SRM 4.0 & structural authorizations
Do let me know.
Regards
- Atul -
Multiple PFCG Roles to a user and one business role
Hello SAP CRM Experts,
we are facing a problem then I need your help.
The external user can access the CRM through three distinct business roles.
However, for each of these business roles, there are specific access
rules configured in three different PFCG profiles.
In the registration of the user (SU01), are assigned the three profiles
PFCG because the user must have access to three different business roles.
However, for one of the profiles the ability to modify the document
service order is blocked and for the other is allowed to modify this
document.
Is there a customizing where I can associate the PFCG role to the
business role, and then, when the user logs into the system, it
identified the business role that he accessed the PFCG profile associated.
However, this configuration is not working, and did not solve the problem.
It seems to me that there is a merge of all the permissions that the user
has, and is not being considered the PFCG role associated with the
specific business role.
This is really correct? The merge permissions occurs?
Best regards,
Diogo LupinariYes, thatu2019s correct. When user is assigned multiple PFCG roles, all authorizations are in play.
-
Hi experts,
I am looking at the newer EhP5 and EhP6 functionality for ESS and MSS, specifically the WD ABAP portal applications. I've turned on all the business functions and services I think our team wants, however I'm confused on how to move forward in using them. For a little tech info, we are on EhP6 for the backend, but our portal is 7.02.
My first step was to assign the com.sap.pct.erp.ess.wda.Employee_Self_Service_WDA portal role to our test ESS user group in our sandbox environment. The ESS user got a new ESS tab in the portal and it's linked to the Launchpad role ESS, Instance MENU. I'm comfortable with ESS at this point, still need to learn more about customizing the menu for different employee groups without creating additional Launchpad or SAP roles.
Question 1: Correct me if I'm wrong, but is the Launchpad roll ESS, instance menu linked to the PFCG role SAP_EMPLOYEE_ESS_WDA_2?
Next, I was looking to see if there was a similar portal role for MSS, but it seems I can't find one. I implemented the MSS Addon 1.0 for ABAP and the portal and got a new MSS portal addon role, but it doesn't seem to be connected to any MSS Launchpad role.
Question 2: Is there a portal role to assign to users/groups that is linked to one of the MSS Launchpad roles? If yes, what business function or service is it a part of?
I'd like to use of the existing MSS Launchpad role to test some of the new portal functionality, but I'm not sure how to do it.
Question 3: How is a Launchpad role assigned to a SAP role in PFCG? Anyone have some documentation they can point me too?
Kind regards,
Garrett MeredithThank you Samuli, this was very helpful in connecting many of the pieces.
For now I have a very good understanding of how the new ESS is controlled and modified.
It appears that FPM_LAUNCHPAD_UIBB could be used to develop a similar component to call a custom launchpad role for MSS containing a customized list of WDA applications.
Is a MSS Launchpad a good way to pursue since we use a SAP enterprise portal?
I found a PAOC_MSS package containing other MSS embedded packages.
Could I use one of the embedded packages in there and by creating a Component configuration in the FPM_LAUNCHPAD_UIBB for one of the MSS WD applications?
Based on the documentation link above, PFCG roles are for NWBC HTML or Desktop versions.
Kind regards,
Garrett -
Role creation: SAP ALL with SU01 and PFCG in display only
hi all,
I am looking for the easiest way to create a "sap all " like role with SU01 and PFCG in display only.
i found several solutions, which sound very complicated.
Thank you in advance,
JulienHi,
As per your query there is not profile of SAP to give display authorisation, for this you have to create new profile on module wise and assign to user.
Anil -
hi all,
we have the requirement where we have to create 4 businessroles and out of 4 a manager rolerequires authrization for all 4and customer rep requires authrization . for 3
how to achieve that?
i have crated 4 pfcg id s for 4 roles and assigned it to a business role(manager) which is copied from the standard.
since manager requires 4 roles i created 4 manager roles and assigned 4 pfcg ids
is this the correct approach?
please help out as i was new to crm 2007
thanks
madhuriThe business role is user for customazion of web ui screens, while authorization roles are used for security reasons. So you need 4 business roles only if you need to maintan 4 different types of screens. If not, use just one.
On the other hand I guess you need 4 authorization roles because you want to give 4 different types of authorizations to users.
So, if you need just one type of screen, create one business role and assign it to users simply by using parameter CRM_UI_PROFILE. and authorization role assign via pfcg.
But if you need 4 b roles and 4 a roles that are always in corelation 1:1 then you can do it also as you wrote. -
Pfcg roles behind ic webclient profiles
Hi,
Can anybody tell what are PFCG roles behind for each IC Webclient profiles like SALES B2B, SALES B2C, SERVICE.... (tx: crmc_ic_main)
thanks
TimHi Tim,
Again, PFCG roles are a combination of authorisations, that define what the person linked to the role can do.
e.g. An authorisation is defined that th role can create/change/read sales orders. Within the same role there is an authorisation that indicates that the role cannot create Service Contracts. and so on...
These are standard authorisations that are used by the system.
Hope this is clear now.
ps. Don't forget to reward points if the answers are usefull and when you question is answered reward points and put the question to answered.
Kind regards,
Micha -
Send to a Particular Person in the Role
Hi,
I would like to implement sending the task to a particular person in the role. Currently, GP will send the request to all the personal in the Role.
How do I control in such a way that there is only a task send to a particular person of concern of that Role.
For example,
The Role - ApprovingOfficer consisting User : user A, user B and user C
If I am from dept A I should send my request to user A, rather than also sending to user B and user C (which is what the current GP is )
how to I do that? can advise?
thank you.Hi,
Do you have any sample or guideline on how do I dynamically input the particular to "Filled from context Parameter" ?
As there are a few users can be of the same role. But depend on who I select the users dynamically from the WD UI, the task will be route to the particular user for action. (instead of all user of that Role now).
thank you in advance. -
Security-role and security-role-assignment not working in WL7.0
Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
<security-role>
<role-name>Employees</role-name>
</security-role>
<method-permission>
<role-name>Employees</role-name>
<method>
<ejb-name>CustomerEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>Employees</role-name>
<principal-name>guest</principal-name>
<principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicity connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.comBelow are the screen shots for PFCG:
-
BAPI or Function Module to change PFCG role of an User from Background
Hello Experts,
I have a requirement to change PFCG role assigned in User from background and I need a BAPI , FM or any other method to do the same, I have gone through BAPI_BUPA_ROLE_REMOVE and BAPI_BUPA_ROLE_ADD_2 but as per my understanding , these are related to business role not PFCG.
Please help!!!
regards,
Arnab.Resolved by myself.
regards.
arnab
Maybe you are looking for
-
I lost my ipad and i need the serial number and IMEI , please help me how?
i lost my ipad and i need the serial number and IMEI , please help me how?
-
Shockwave Adobe Flash 10.2.152.32 only plays in one 'user account'
Shockwave Adobe Flash 10.2.152.32 won't play anything imbedded using *my* User Account in WinXP SP3(for ex.: items on HuffPost/none of Hulu/no streaming radio stations' broadcasts listening functions, eg, 'radioplayer' and 'mediaplayer' in these sit
-
I cant use my nano in itunes why
im trying to use my nano in itunes for some reason i suddenly cant
-
IF command does not work on the value of a global variable
Dear all! I created a global variable &CurQ, assigned it to my application and my current database and assigned a value "Q3" to it. Then I created a simple business rule: Forecast (IF (&CurQ==Q1) Forecast=Actual; ELSE Forecast=Plan; ENDIF;). "Forecas
-
Fixed header in FIORI like app!!
Hello All, I am building a Fiori like app. I want to have a fixed header for this app and the header would be the company logo and a stretched image. I have implemented this but the problem I am facing is that the, when I run the application on IPad,