PFCG role creation
Security Guys,
My requirement is creation of role for an ABAPER who should run all the Z reports but not exactly the report RSDU_EXEC_SQL_PROGRAM ( meaning no SAP Standadrd reports ). Is there a way to achieve this ?
Thanks / Arunkumar P
Hi,
that role should be for production only environment or development as well? If it's for development then I assume that ABAPER can write a custom programs so there is no chance to prevent this user from running RSDU_EXEC_SQL_PROGRAM. If it's for production environment then all those custom reports should have transaction codes assigned to them. In that case you can create a role for all of them plus some read only debugging authorization.
Cheers
Similar Messages
-
Program for PFCG Role Creation
Hi Guys,
I have a requirement for creating a program that will automate the Role Creation (Transaction PFCG)
I have the following Questions.
Is it Really possible via Program.
The expectation is in selection screen user will give the Standard and Derived Role after execution he expect the role to be created.
If anybody have experience in the same scenario kindly share me.
Regards,
Vijay.Try with PFCG_START_PFCG
G. Lakshmipathi -
PFCG role creation and input from users
I know that when you create a new role and add transactions to the menu you will get some default authorization objects in the role.
After that you will need to fill out activities for transactions;
For ex: display, create, change
I also know that during testing when you run /nsu53 you will need to add some additional objects in the role.
If the user does not know which activites he/she need or even for example for order types
OR, ZNON, KE
How can i help if the user does not know what he/she needs.
The way I'm doing this currently is by giving the user the transactions he/she needs and then have them run /nsu53 and I fix the problem.
Thanks
joJo,
As I have worked in situtations similar to the one you describe where the user performing the testing doesnt know which activites/values they need access to contribute to productive role build/testing sessions. Some of the things I have done to help them are:
1) Educate the user on the Authorization Object and Fields. You can typucally hit (F1) for more information related to the object/field.
2) Tie the object values back to actual SAP Tables with data to show user configuration of the system and values that are options.
3) Find someone from the process/business side who understands the requirments or has done the configuration to support the process and have an educational/testing session together.
Thanks.
Matt -
Restrict creation of BP based on PFCG role
Hi Experts,
We are implementing CRM 7.0. In the IC AGENT business role we would like to restrict the user to only create contacts using the PFCG role SAP_CRM_UIU_IC_AGENT. We tried using authorisation object B_BUPA_RLT and CRM_BPROLE. But it did not work. Do you know if we are missing anything else? FYI..We are not using ACE.
Best regards,
DavidIn our system we had a similar problem but with Accounts or Prospects creation. This is how we resolved it: In CRM 7.0 each Customer/ Prospect BP Record has a field Employee responsible on it. This is set automatically on the BP creation page, if the User ID of the user creation the record is assigned to an Employee record. If the user does not have access to create Employee relationships (BUR011) it will fail to complete the customer creation process. Authorization Object B_BUPR_BZT (Business Partner Relationships: Relationship Categories) controls this. You will need to add BUR011 to u201CRELTYP_fromu201D
-
Disable the buttons for creation using PFCG roles
Hi SAP Experts,
How to disable the buttons for creation using PFCG roles?
Regards,
JayaHi,
u have to write the code in <b>at selection-screen output</b> event
AT SELECTION-SCREEN OUTPUT.
LOOP AT SCREEN.
IF <b>P_PRINT</b> = 'X'. " this is radiobutton
IF screen-name = 'P_RANGE'.
SCREEN-INPUT = 0.
ENDIF.
modify screen.
ELSE.
IF screen-name = 'S_LFDAT-LOW'.
SCREEN-INPUT = 0.
ENDIF.
IF screen-name = 'S_LFDAT-HIGH'.
SCREEN-INPUT = 0.
ENDIF.
IF screen-name = 'S_WERKS-LOW'.
SCREEN-INPUT = 0.
ENDIF.
IF screen-name = 'S_WERKS-HIGH'.
SCREEN-INPUT = 0.
ENDIF.
IF screen-name = 'P_LIFNR'.
SCREEN-INPUT = 0.
ENDIF.
IF screen-name = 'S_BUKRS'.
SCREEN-INPUT = 0.
ENDIF.
modify screen.
ENDIF.
ENDLOOP.
Hope it helps.
Regards,
Sonika -
Hello,
I'm trying to understand the concept of what is called "role creation" in Compliant User Provisioning.
My understanding is that the "create role" option in CUP (configuration>Roles>Create Role) means simply adding the "attributes" such as a business process, functional area, system, or company, to the SAP roles that you imported into CUP.
It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
Please tell me if I'm wrong.
HMHM,
The create role option in CUP is mainly for legacy/non-cup supported systems. This way you can follow the standard workflow process for LDAP/Windows/legacy system. In this user provisioning and role assignment will not be done through CUP and will be manual. This is very important for some companies as they want user to go through same process if they want to get access to any system and not only ERP system.
The below statement is wrong.
It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
If you don't have ERM then you will have to use PFCG. Once you have CUP, you don't have to use SU01.
Regards,
Alpesh -
Hello all,
I noticed that by default GRC AC doesn´t have a Request Type for Role Creation. Normally how this is done? I mean, if someone realizes that a new role is necessary, how can this person report the need for a new role creation? What are my option here?
Regards,
SAP LegendHi SAP Legend,
You can not request a new role to be created via an Access Request workflow. You still need a business governance strategy where someone has to raise a request outside of the GRC system for the new roles through the right channels deemed fit in your company to get the new role made. Maybe you have a support ticketing system in place or some SAP security department you can raise the formal requests to.
The BRM Role creation/maintenance workflow runs separately from the Access Request workflow. Further more, the definition and creation process of roles via GRC should only involve and be used by Business Process Owners/Role Owners and the Authorisation security team only, i.e. not general end users.
A role build methodology will have to be set up and then the underlying approval workflows (based in MSMP technology also, like the AR workflow).
Once the role has been built (either via back end PFCG) or via GRC using the BRM methodology and approval flows, the role will be available to the end user to request via AR.
Hope that helps. -
Hi all,
I am new to CRM 7.0 Can someone explain What is a Business Role in CRM 7.0 and what is the relationship between Business role and PFCG role. What is the transaction Code to create a Business role.
And also I heard that there is no PCUI in CRM 7.0. Is it true and if so what is used in place of the PCUI
Thanks.
Neha.Neha,
Next time please do a search in this forum on business roles, and you would find many topics discussing this information more completely. I'm locking this thread due to it fact that this question has been asked many times before by many different people.
These threads explain the topic in more detail:
Re: Reg: Business Role
Assignment pfcg-role to user and assignment pfcg-role to business role
Thank you,
Stephen -
Request Number is not generated for BRM "new" role creation
Hello Gurus,
I have configured BRM in SAP GRC AC 10, along with the workflow .
I have selected the following methodology
Define Role --> Maintain Auth >Analyze & Access Risk>Request Approval>Generate Roles>Maintain Test Cases
Role name : Y_TEST_BRM_FUNCTIONALITY
So i do the following steps and assign
1) Role approver as Mr. ABC & Alternate approver as Mr. QRS
2) Assign the Required transactions and do the RAR i.e i am done till step 3 of methodology
When i click "Initiate Approval request"
The approval triggers , and goes to the 1st stage as configured in MSMP
1) Power User Approval .
Here the Power User : EFG , open his workflow and see the request as
Role approval required for role Y_TEST_BRM_FUNCTIONALITY
The approver approves the request and then the request all together vanishes.
Unfortunately i am not able to search the request for that role from NWBC -->Search request by
Process Id : Role Approver Workflow
It gives blank !!
Hence neither i am able to find the request no able to do any debugging of it using
GRFNMW_DBGMONITOR_WD
Please note that the Request Id is created for any request in CUP.
Is it that i have to create a number range for BRM request ??
If so will you please let me know the objectHello All,
I was wrong in posting the cause of problem.
Please note no "Request number" is generated for Role creation Request.
The problem was i was unable to search the Role Request approval status from "Search Request" via Process Id
It got resolved via SAP note 1643539 : UAM: Search Request not returning result for some Process Id.
My Issues is Resolved.
Thank You.
Regards,
Victor -
Hi gurus,
I have just upgraded my GRC 10.0 to SP18 and when I access to create a new role in the NWBC, the button is in grey, I mean, I can not start the creation of it. However, I can modify the roles without problems.
Any idea of what can be happening?
Thanks,
Regards,Hello All,
I was wrong in posting the cause of problem.
Please note no "Request number" is generated for Role creation Request.
The problem was i was unable to search the Role Request approval status from "Search Request" via Process Id
It got resolved via SAP note 1643539 : UAM: Search Request not returning result for some Process Id.
My Issues is Resolved.
Thank You.
Regards,
Victor -
BAPI or Function Module to change PFCG role of an User from Background
Hello Experts,
I have a requirement to change PFCG role assigned in User from background and I need a BAPI , FM or any other method to do the same, I have gone through BAPI_BUPA_ROLE_REMOVE and BAPI_BUPA_ROLE_ADD_2 but as per my understanding , these are related to business role not PFCG.
Please help!!!
regards,
Arnab.Resolved by myself.
regards.
arnab -
How to raise role creation/modification request in AC 10
We are implementing AC10. I have issue more related to the process followed than technical. Please suggest from your experience.
We found that we can raise the request for new user account, role assignment to user, etc in Acess Request(formerly CUP), but we cannot raise the request for role creation, role modification. This is directly done in Role management. My question is, how the security admin will recieve the requests for creating or maintaining the roles. Is it necessary to use ticketing tool for users to raise the request for role creation and modification.
Thanks everyone for your valuable solutions.Dear Ashish,
Whatever you have mentioned is correct to have the common platform for every request, either for user creation or role creation.
But what we decided earlier, that the end users can raise the request in CUP directly, rather than involving security admin. But after realizing that there is no request type for role creation, I think we have to use our ticketing tool as a common platform.
Request will come to security admin from the ticketing tool and than he will create the request in CUP, thereafter it will follow the approval workflow. Only problem I see in this, it goes to the manager twice, once in ticketing tool and than through CUP workflow. i think we need to take out the manager stage from the workflow. -
Indirect pfcg role assignment - no roles in SU01
Hi experts,
I would like to assign PFCG roles via indirect assignment, this means i would assign roles with the organisational model (transation ppomw).
I did the assignment and i executed the transaction pfud for user master data reconciliation. But the pfcg roles are not assigned to the user (see roles in transaction SU01). Usually the roles should be displayed (in blue and with xflag for indirect assignment).
Are there any customizing configurations i have to keep in mind?
Hope you can help as fast as possible.
Thanks a lot and best regards,
NataliRun PFUD if this is still an issue.
-
Hi,
We can assign 1 PFCG role to BR. But If user has 3-4 PFCG roles assigned to it in SU01 and only 1 of them is assigned to BR then will it affect the functioning of user in Web UI?
How does 1 PFCG role take care of all functions which user need to be done? Do we need too add all required authorization objects in single PFCG role?
Regards,
NikhilNikhil,
The functioning of user in Web UI is guided by SU01's 'Parameters' tab. The 'parameter value' for the 'Parameter ID' dictates the role and subsequent authorizations of the logged in user.
Ideally speaking, each business role should have a corresponding PFCG role containing only those authorization objects needed to fulfill the task being part of the Business Role. However, we may even skip this assignment. So a business role may not be assigned a PFCG role. Instead if the user is attached to multiple PFCG roles, all those authorizations would hold for the user.
Hope this helps.
Amar. -
Business Role - Link to PFCG role
Dear all,
When I create a new business role in CRM there is a field called PFCG role ID in which you must provide a PFCG role.
What is the functionality of this PFCG role in relation to the Business Role?
When I look into standard SAP business roles and their associated standard SAP PFCG role I see a lot of "external services"/views. Is it possible to create such a role from scratch myself.
Is there some documentation available that explain this relationship between the PFCG role and the business role.
Thank you in advance,Dear Ivan,
To start with Business Partner Roles and PFCG roles are different. Though you have an integration that one business partner cannot view the data of other business partner because of the roles that are being maintained in PFCG.
Lets say you have two customers (BP Role Customer). One customer cannot view the data of other customer because of the role that is being assigned to his user id in SU01. You create the roles in PFCG.
CRM Business Partner Roles:
http://help.sap.com/saphelp_glossary/en/dc/926ecf5e1cd511bcbe0800060d9c68/content.htm
Rights and responsibilities that a business partner can have in various business transactions.
The assignment of a BP view determines the relevant data sets, so that only a particular part of the BP master data is displayed, depending on the business transaction in question.
http://www.crmexpertonline.com/archive/Volume_03_(2007)/Issue_04_(May)/v3i4a4.cfm?session=
Each business partner role contains a predefined set of functions based on the business partners relationship to your company. For example, you could have business partner roles such as employee or vendor. The business partner roles determine the fields you have available in the SAP CRM system for the business partner. Business partner role categories sort business partner roles into groups, such as person or company.
PFCG Roles:
http://help.sap.com/saphelp_nw2004s/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm
The SAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP System, after he or she has logged on to the system and authenticated himself or herself.
To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.
Hope this will help.
Regards,
Naveen.
Maybe you are looking for
-
Iphone apps show up in itunes but do not sync
I just downloaded and installed the new IOS 7.0.2 update and after the install, there are several apps that no longer show up on my iphone. They were there before I installed the update, and they disappeared after the install. I have synched 3 diff
-
Whenever I print something from online or from a document, I do not have an option to change from landscape back to portrait. I also have miniscule print that is all squished to the left margin and printed on landscape. I cannot use this in business
-
Procedure of exit from sleep mode and hibernation
Hi, When my Qosmio X500-10W (windows 7 x64) is in sleep mode or hibernation mode, I can't get out of the sleep mode or hibernation mode. Please, which is the procedure? Thank you for your reply.
-
3.1.3 is not activating my phone
Hi I bought an iPhone factory unlocked in Italy from TIM if I'm not wrong. Today I did restore to 3.1.3 and I'm stuck with the iTunes screen "Your SIM is not recognized". The thing is I have updated with iTunes since OS 2.1 and it always did activate
-
Repeat message - I have downloaded the FlashPlayer upgrade (now 10 times), in Security - no pop-ups are checked, the "allow Java" and "allow other other plug-ins" are both checked. I have re-booted after the Flash-Player upgrades - still "pop=ups bl