Personas and PFCG Roles

Hello community,
I am working with a team to help deploy Personas for our production systems. I was wondering if there was a way to provide access through PFCG roles in SAP? I know about the admin transaction and how to give access there, but we are trying to make gaining access to Personas an automated process. Could there be a way to automatically give access to everyone in SAP without ever having to look at the /persos/admin_ui transaction?
If both answers are no, here is one more thought: Could Personas access be given through automatic user provisioning in IDM?

hi terrance,
Using PFCG roles, you can create groups (under mass Group Maintenance) and then provide PERSONAS authorization to that group.
For sync-up of users in that role on regular basis, check Tamas reply above.
Best Regards,
Sushant
Sorry, my update over assigning personas role directly to a group was incorrect.
Message was edited by: Sushant Priyadarshi

Similar Messages

  • Business Role and PFCG Role

    Hi all,
        I am new to CRM 7.0. Can someone explain what a Business Role is in CRM 7.0 and what the relationship is between a Business Role and a PFCG role? What is the transaction code to create a Business Role?
       And also I heard that there is no PCUI in CRM 7.0. Is it true, and if so, what is used in place of the PCUI?
    Thanks.
    Neha.

    Neha,
    Next time please do a search in this forum on business roles, and you would find many topics discussing this information more completely.  I'm locking this thread due to the fact that this question has been asked many times before by many different people.
    These threads explain the topic in more detail:
    Re: Reg: Business Role
    Assignment pfcg-role to user and assignment pfcg-role to business role
    Thank you,
    Stephen

  • BP created with category Person and BP Role Consumer is not replicated

    Hello Gurus,
    I have created a BP with Category Person and BP Role Consumer but after saving my BP is not getting
    replicated to ERP, though in the Classification tab I could see consumer is being selected and the Account
    group 0170 - Consumer showing up.
    I have also checked in PIDE transaction in ERP system: this Account group has classification E which is Consumer.person, and a number range is assigned to this Account group.
    I have checked in middleware: there is an error message which says "BP XXXX doesnt not exist as customer,change not possible" and also one more message which says "no classification is assigned to BP".
    Is any customizing missing in CRM system, or is customizing required in ERP only?
    Thanks and Regards
    chandu

    Hi,
    With respect to your question on below link.
    Re: BP created with category Person and BP Role Consumer is not replicated
    Please find the below path in ECC
    SPRO>Logistic General>Business Partner>Customer>Define Account Groups and Field Selection for Customers.
    Select 0170 Consumer account grp and click on details. You will see the Number range in General Data.
    Copy that number range and goto below path and check if the number range is internal or external.
    SPRO>Logistic General>Business Partner>Customer>Define and Assign Customer Number ranges. The popup will appear and select Define Number ranges for customer master. Click on display intervals. You will see whether the number range is maintained as internal or external.
    Hope this helps.
    Regards,
    Chandrakant
    Edited by: Chandrakant A on Dec 15, 2009 7:41 PM

  • Assignment pfcg-role to user and assignment pfcg-role to business role

    Hello, Gurus!
    What is the difference between direct assignment pfcg-role to user and assignment pfcg-role to business role? What is the effect from assignment pfcg-role to business role?
    As I see, authorizations from a pfcg-role assigned to a business role have no effect on the user...
    Best regards,
    Artur Litvinov.

    Artur,
    The business role assignment does not give a user that PFCG role.  Instead it is just a mapping table and does nothing more. 
    Therefore that UIU_COMP auth object must exist in the PFCG roles assigned to the user in order for them to use the webclient.  In your scenario let's do the following:
    You have pfcg roles:
    RA
    RB
    You have a business role
    B1
    You have users:
    Joe
    Jack
    Business Role B1 is assigned to role RA which contains UIU_COMP.
    User Joe gets business role B1 and roles RB which does not have UIU_COMP.  This will not let him use the webclient.
    User Jack gets business role B1 and pfcg role RA.  This will work because everything is there.
    This means you need both the correct PFCG plus business role setup to make it work properly.
    Take care,
    Stephen

  • Business Role - Link to PFCG role

    Dear all,
    When I create a new business role in CRM there is a field called PFCG role ID in which you must provide a PFCG role.
    What is the functionality of this PFCG role in relation to the Business Role?
    When I look into standard SAP business roles and their associated standard SAP PFCG role I see a lot of "external services"/views. Is it possible to create such a role from scratch myself.
    Is there some documentation available that explain this relationship between the PFCG role and the business role.
    Thank you in advance,

    Dear Ivan,
    To start with Business Partner Roles and PFCG roles are different. Though you have an integration that one business partner cannot view the data of other business partner because of the roles that are being maintained in PFCG.
    Let's say you have two customers (BP Role Customer). One customer cannot view the data of other customer because of the role that is being assigned to his user id in SU01. You create the roles in PFCG.
    CRM Business Partner Roles:
    http://help.sap.com/saphelp_glossary/en/dc/926ecf5e1cd511bcbe0800060d9c68/content.htm
    Rights and responsibilities that a business partner can have in various business transactions.
    The assignment of a BP view determines the relevant data sets, so that only a particular part of the BP master data is displayed, depending on the business transaction in question.
    http://www.crmexpertonline.com/archive/Volume_03_(2007)/Issue_04_(May)/v3i4a4.cfm?session=
    Each business partner role contains a predefined set of functions based on the business partner’s relationship to your company. For example, you could have business partner roles such as employee or vendor. The business partner roles determine the fields you have available in the SAP CRM system for the business partner. Business partner role categories sort business partner roles into groups, such as person or company.
    PFCG Roles:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm
    The SAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP System, after he or she has logged on to the system and authenticated himself or herself.
    To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.
    Hope this will help.
    Regards,
    Naveen.

  • Issues with New PFCG role

    Hi Experts,
    I have created a new Business role ZBP_MKT_MAN and PFCG role ZSAP_CRM_UIU_MKT_PROFESSIONAL. However the authorisations are not getting copied from SAP_CRM_UIU_MKT_PROFESSIONAL to ZSAP_CRM_UIU_MKT_PROFESSIONAL properly. Can someone guide me with the same.
    Thanks
    Leela

    Hi Maikel,
    Sorry, I typed the info incorrectly. I have created a BP role ZBP_MKT_MAN for which I have created a PFCG role ZBP_MKT_MANAGER to add to it. However, the new PFCG role ZBP_MKT_MANAGER is not getting displayed in the PFCG roles list and I am not able to add it to the BP role ZBP_MKT_MAN. Can you please let me know how to proceed further?
    Thanks
    Leela

  • Relation between OOSB and a PFCG Role?

    Hi folks,
    Is there a link between OOSB and a PFCG role?
    I would like to avoid inputting a person through OOSB. Basically, my aim is to link a profile created in OOSP to a profile (or role) created in PFCG.
    The final objective is to assign Admin people in a single role and, depending their company codes assigned in the org. struc., see only the people from those companies when using BBPUSERMAINT transaction.
    Any feedback or others solution?
    Thanks
    Regards - chris

    Hi
    Which SRM version are you using ?
    I have not tried this ever yet... so difficult to comment on this.
    Anyways, I guess, this will affect to all levels down the line wherever inherited. Be careful while doing this.
    Please go through the related links:
    Re: SRM 4.0 Security Concept
    Re: Manager is not able to change attribute
    SRM 4.0 & structural authorizations
    Do let me know.
    Regards
    - Atul

  • Multiple PFCG Roles to a user and one business role

    Hello SAP CRM Experts,
    we are facing a problem then I need your help.
    The external user can access the CRM through three distinct business roles.
    However, for each of these business roles, there are specific access
    rules configured in three different PFCG profiles.
    In the registration of the user (SU01), are assigned the three profiles
    PFCG because the user must have access to three different business roles.
    However, for one of the profiles the ability to modify the document
    service order is blocked and for the other is allowed to modify this
    document.
    Is there a customizing where I can associate the PFCG role to the
    business role, and then, when the user logs into the system, it
    identified the business role that he accessed the PFCG profile associated.
    However, this configuration is not working, and did not solve the problem.
    It seems to me that there is a merge of all the permissions that the user
    has, and is not being considered the PFCG role associated with the
    specific business role.
    This is really correct? The merge permissions occurs?
    Best regards,
    Diogo Lupinari

    Yes, that's correct.  When user is assigned multiple PFCG roles, all authorizations are in play.
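
The two answers above (the business role's PFCG role ID is only a mapping, and a user's authorizations are the merge of every PFCG role assigned to the user) can be checked with a small audit model. This is an added example, not code from any of the posters or from SAP; roles RA/RB, business role B1, users Joe/Jack and UIU_COMP come from the threads, while role RC, business roles B2/B3, user Ext, the object Z_SRV_ORDER and all role contents are constructed sample data.

```python
"""Audit model: business role -> PFCG role is a mapping only; a user's
authorizations are the union of the PFCG roles assigned to that user."""

# Constructed sample data. Each authorization is (object, activity);
# Z_SRV_ORDER is a hypothetical object, "02" = change, "03" = display.
ROLE_AUTHS = {
    "RA": {("UIU_COMP", "*")},
    "RB": {("Z_SRV_ORDER", "03")},
    "RC": {("UIU_COMP", "*"), ("Z_SRV_ORDER", "02")},
}
BUSINESS_ROLE_PFCG = {"B1": "RA", "B2": "RC", "B3": "RB"}  # mapping table only
USER_PFCG = {"Joe": {"RB"}, "Jack": {"RA"}, "Ext": {"RA", "RB", "RC"}}
USER_BUSINESS_ROLES = {"Joe": ["B1"], "Jack": ["B1"], "Ext": ["B1", "B2", "B3"]}


def effective_auths(user):
    """Union of authorizations from PFCG roles assigned directly to the user.
    The business role mapping contributes nothing."""
    auths = set()
    for role in USER_PFCG.get(user, ()):
        auths |= ROLE_AUTHS.get(role, set())
    return auths


def can_use_webclient(user):
    """True if any directly assigned PFCG role carries UIU_COMP."""
    return any(obj == "UIU_COMP" for obj, _ in effective_auths(user))


def missing_pfcg_roles(user):
    """Business roles whose mapped PFCG role is not assigned to the user."""
    assigned = USER_PFCG.get(user, set())
    return {br: BUSINESS_ROLE_PFCG[br]
            for br in USER_BUSINESS_ROLES.get(user, ())
            if BUSINESS_ROLE_PFCG[br] not in assigned}


def excess_for_business_role(user, business_role):
    """Authorizations the user holds beyond the PFCG role mapped to the
    business role: what the merge adds regardless of the role logged into."""
    mapped = ROLE_AUTHS[BUSINESS_ROLE_PFCG[business_role]]
    return effective_auths(user) - mapped


if __name__ == "__main__":
    for user in USER_PFCG:
        print(user, "webclient:", can_use_webclient(user),
              "missing:", missing_pfcg_roles(user))
        for br in USER_BUSINESS_ROLES[user]:
            print("  ", br, "excess:", sorted(excess_for_business_role(user, br)))
```
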

  • Can anyone help me understanding the links between Launchpad roles, PFCG roles, and portal roles!?!

    Hi experts,
    I am looking at the newer EhP5 and EhP6 functionality for ESS and MSS, specifically the WD ABAP portal applications.  I've turned on all the business functions and services I think our team wants, however I'm confused on how to move forward in using them.  For a little tech info, we are on EhP6 for the backend, but our portal is 7.02.
    My first step was to assign the com.sap.pct.erp.ess.wda.Employee_Self_Service_WDA portal role to our test ESS user group in our sandbox environment.  The ESS user got a new ESS tab in the portal and it's linked to the Launchpad role ESS, Instance MENU.  I'm comfortable with ESS at this point, still need to learn more about customizing the menu for different employee groups without creating additional Launchpad or SAP roles.
    Question 1: Correct me if I'm wrong, but is the Launchpad role ESS, instance menu linked to the PFCG role SAP_EMPLOYEE_ESS_WDA_2?
    Next, I was looking to see if there was a similar portal role for MSS, but it seems I can't find one.  I implemented the MSS Addon 1.0 for ABAP and the portal and got a new MSS portal addon role, but it doesn't seem to be connected to any MSS Launchpad role.
    Question 2: Is there a portal role to assign to users/groups that is linked to one of the MSS Launchpad roles? If yes, what business function or service is it a part of?
    I'd like to use one of the existing MSS Launchpad roles to test some of the new portal functionality, but I'm not sure how to do it.
    Question 3: How is a Launchpad role assigned to a SAP role in PFCG?  Anyone have some documentation they can point me to?
    Kind regards,
    Garrett Meredith

    Thank you Samuli, this was very helpful in connecting many of the pieces.
    For now I have a very good understanding of how the new ESS is controlled and modified.
    It appears that FPM_LAUNCHPAD_UIBB could be used to develop a similar component to call a custom launchpad role for MSS containing a customized list of WDA applications.
    Is a MSS Launchpad a good way to pursue since we use a SAP enterprise portal?
    I found a PAOC_MSS package containing other MSS embedded packages.
    Could I use one of the embedded packages in there and by creating a Component configuration in the FPM_LAUNCHPAD_UIBB for one of the MSS WD applications?
    Based on the documentation link above, PFCG roles are for NWBC HTML or Desktop versions.
    Kind regards,
    Garrett

  • Role creation: SAP ALL with SU01 and PFCG in display only

    hi all,
    I am looking for the easiest way to create a "sap all " like role with SU01 and PFCG in display only.
    i found several solutions, which sound very complicated.
    Thank you in advance,
    Julien

    Hi,
    As per your query there is not profile of SAP to give display authorisation, for this you have to create new profile on module wise and assign to user.
    Anil

  • Pfcg and business roles

    hi all,
    we have the requirement where we have to create 4 business roles, and out of the 4 a manager role requires authorization for all 4 and customer rep requires authorization for 3.
    how to achieve that?
    i have created 4 pfcg ids for 4 roles and assigned it to a business role (manager) which is copied from the standard.
    since manager requires 4 roles i created 4 manager roles and assigned 4 pfcg ids
    is this the correct approach?
    please help out as i am new to crm 2007
    thanks
    madhuri

    The business role is used for customization of web ui screens, while authorization roles are used for security reasons. So you need 4 business roles only if you need to maintain 4 different types of screens. If not, use just one.
    On the other hand I guess you need 4 authorization roles because you want to give 4 different types of authorizations to users.
    So, if you need just one type of screen, create one business role and assign it to users simply by using parameter CRM_UI_PROFILE, and assign the authorization role via pfcg.
    But if you need 4 b roles and 4 a roles that are always in correlation 1:1 then you can do it also as you wrote.

  • Pfcg roles behind ic webclient profiles

    Hi,
    Can anybody tell what are PFCG roles behind for each IC Webclient profiles like SALES B2B, SALES B2C, SERVICE.... (tx: crmc_ic_main)
    thanks
    Tim

    Hi Tim,
    Again, PFCG roles are a combination of authorisations, that define what the person linked to the role can do.
    e.g. An authorisation is defined that the role can create/change/read sales orders. Within the same role there is an authorisation that indicates that the role cannot create Service Contracts. and so on...
    These are standard authorisations that are used by the system.
    Hope this is clear now.
    ps. Don't forget to reward points if the answers are useful and when your question is answered reward points and put the question to answered.
    Kind regards,
    Micha

  • Send to a Particular Person in the Role

    Hi,
    I would like to implement sending the task to a particular person in the role. Currently, GP will send the request to all the personal in the Role.
    How do I control in such a way that there is only a task send to a particular person of concern of that Role.
    For example,
    The Role - ApprovingOfficer consisting User : user A, user B and user C
    If I am from dept A I should send my request to user A, rather than also sending to user B and user C (which is what the current GP is )
    how to I do that? can advise?
    thank you.

    Hi,
    Do you have any sample or guideline on how do I dynamically input the particular to "Filled from context Parameter" ?
    As there are a few users can be of the same role. But depend on who I select the users dynamically from the WD UI, the task will be route to the particular user for action. (instead of all user of that Role now).
    thank you in advance.

  • Security-role and security-role-assignment not working in WL7.0

    Hello all..
    Some EJB components that worked fine in WebLogic 6.1 no longer work in
    WL7.0. It has to do with the security-role and security-role-assignment
    descriptor elements no longer allowing anonymous users to be included in the
    authorization for a bean.
    For example, in WL6.1 placing these items in ejb-jar.xml:
    <assembly-descriptor>
      <security-role>
        <role-name>Employees</role-name>
      </security-role>
      <method-permission>
        <role-name>Employees</role-name>
        <method>
          <ejb-name>CustomerEJB</ejb-name>
          <method-name>*</method-name>
        </method>
      </method-permission>
    </assembly-descriptor>
    and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
    <security-role-assignment>
      <role-name>Employees</role-name>
      <principal-name>guest</principal-name>
      <principal-name>system</principal-name>
    </security-role-assignment>
    worked fine for clients creating their context using a simple
    InitialContext() constructor without specifying SECURITY_PRINCIPAL or
    SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
    the security-role-assignment element above told WebLogic that "guest" was in
    the Employees role for purposes of this EJB archive.
    Worked in WL6.1, no longer works in WL7.0. Client receives typical
    permission exception:
    java.rmi.AccessException: Security violation: insufficient permission to
    access method 'create'
    If I explicitly connect as "system" things are fine, or I can create a new
    user in the default realm in WebLogic, put a matching <principal-name>
    element in the section above, and connect as that user. Note that if I leave
    off the <security-role> section completely, or set the required role name to
    "everyone", the anonymous access works fine. Apparently the anonymous user
    is a member of "everyone" behind the scenes even though "everyone" does not
    appear in the realm list of groups or roles.
    So, my question boils down to this: Is there a "magic" username in WL7 like
    "guest" was in WL6.1 that can be mapped to the required role name, or must
    every client connection use a true weblogic-created user with appropriate
    role assignments used to map it to the required role name.
    -Greg
    P.S. Note that none of the EJB examples provided with WL used
    <security-role>..
    Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
    www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com


  • BAPI or Function Module to change PFCG role of an User from Background

    Hello Experts,
    I have a requirement to change PFCG role assigned in User from background and I need a BAPI , FM or any other method to do the same, I have gone through BAPI_BUPA_ROLE_REMOVE and BAPI_BUPA_ROLE_ADD_2 but as per my understanding , these are related to business role not PFCG.
    Please help!!!
    regards,
    Arnab.

    Resolved by myself.
    regards.
    arnab
