Profile for a composite role

Similar Messages

• Users have more than one profile for the same role

  Hello,
  As I said in my earlier post I'm rather new to SAP.
  I'm doing now the security audit of my SAP system. In particular, I'm checking whether business users have access to DEBUG functionality.
  I have run report 'Users by complex selection criteria' and found certain number of such users. Then I looked further and discover that all these users have role X assigned to them. The profile P2 of the role X displayed in PFCG has DEBUG functionality deactivated. After second look I discovered that all these users have earlier profile P1 for the same role X assigned to these users. This profile P1 contains the functionality in question.
  I solved the issue by revoking the role X from the users and assigning it again. Both P1 and P2 profiles were removed from the users and only P2 was reassigned again.
  I used to think that role may have only the profile that is displayed in PFCG? Also, I used to think that if the role profie is regenerated the newly generated profile automatically replace the old one assigned to users. Am I wrong?

  Hi Pavel
  In simple and short ..
  Role contains authorization objects..
  Maximum limit of authorization objects for a role is 150 .
  So a role can accommodate 150 authorization objects.
  New Profile ABC is created , when ever you create a new role. 1-1 relation.
  But if a role has more than 150 authorization objects .. then automatically a new profile ABC01 will be created and it will also be aligned to that role .
  if role has 400 auth objects, then profiles will be ABC ,ABC01 ,and ABC02
  i hope this helps you
  Cheers
  Pavan M

• ERM - composite role is requiring profile name

  I am configuring ERM (AC 5.3 SP8) and have imported all single and composite roles.  I have naming standards set up for all Single roles, composite roles, derived roles, and profile names.  However, when I try to create or change a composite role, it thinks a profile needs to be there (I blank it out on the create).  Composite roles don't require profile names.
  If I delete the naming standard for profile, it doesn't require a profile for composite.  But then when I create a single role, it isn't there either.  I really want to maintain a naming standard for profiles for single and derived roles.  How can I do this without needing it for my composite roles?
  Thanks!

  It is a bug with SAP.
  You can have naming standards for profiles as long as you have ENFORCED=disabled.  So, basically, as long as you don't enforce your (profile) naming standards you can delete the profile name when you are creating a composite role.  It sort of defeats the purpose of enforcing naming standards but at least it's a work around.  SAP has this in development right now and it is being looked at.
  Regards,
  Peggy

• Adding transactions in a composite role menu

  Hello All,
  I want to add transactions in the menu for a composite role. but I do not see the option to add it. Please guide how would it be possible. Do I need to create single roles and merge the menus for them or can I create aa separate menu for the composite role?
  Thanks in advance.
  Regards,
  Anju

  Hi There,
  No first of all you cant add transactions to the menu of a composite role as a composite role is a collection of several single roles.
  What you can do is create a single role, make addition/ deletions of tcodes inside the single role which will automatically reflect in the menu tab of single role and then you can add this single role to the composite role.
  If you want to make changes to the tcodes from the menu tab you need to go to the single role and make changes which will reflect automatically, but thru composite role its not possible to make changes to the menu tab simply because the composite role takes all the tcodes from the single roles contained within it.
  Hope this answers your query
  Best ,
  Suchitra

• Not able to assign Composite Role to Position

  Hello All,
             I am facing following problems.
  1) The user is Not able to see Create Report Links, when i checked the Composite Role in PFCG i found that the in USER Tab Organizational Tab was yellow, i did Indirect Reconcillatin in Organizational Tab and then it went GREEN, then i did User Comparision.
  I got this Message
  "You do not need to perform Prfile Comparision for role " Role Name".
  and the Position was removed.
  2) Now i am Trying to assing the Role to Position, i am not even able to assign it and the User id is not coming under User id  list.
  Please suggest.
  Thanks,
  CB

  @Point#1: It could be that user master is already compared for your composite role and no further comparison is required. To double check you might just run the comparison again via tcode PFUD or report RHAUTUPD_NEW
  @Point#2: For indirect assigment to position make sure organization management is active in your system (the switch HR_ORG_ACTIVE is set in the table PRGN_CUST to YES).
  Thanks
  Sandipan

• Comparison Required for the large role with multiple profiles

  Hello,
  We are small SAP team of only several people. I have created a large functional role for our functional person. Everything was fine for a while, but now whenever I need to add/remove code from the role and push it over to production I get an unusable role (in red) and some type of "Comparison Required" message.  I am not sure how to do this Comparison so I have to remove this role (and underlying profiles) from user than add it again to the user's profile.  This fixes the issue of an unusable role, but raises auditing questions.
  I tried to address the issue via transaction SUC but it seems I am not using it properly.  Please, advise.
  Thanks in advance
  Galina

  Yes you should schedule it at least once a day, in my systems it's running around midnight.
  Use transaction PFUD or schedule a background job with one of this reports:
  PFCG_TIME_DEPENDENCY (this is the old report)
  RHAUTUPD_NEW (this is the new version of report) <- I'm using this in R/3 4.7 and Netweaver 7.0
  Short text
  User Master Data Reconciliation
  Description
  This report runs the user master comparison for roles you have selected. For single roles you can also start the user master comparison in transaction PFCG.
  You can either execute it with the single processing types in dialog mode or schedule it as a complete reconciliation in the background.
  To run only specific processing types in the background, schedule a variant of program RHAUTUPD_NEW.
  You can choose the following processing types:
  Profile Comparison
  />: Start the profile comparison directly after the profiles have been generated or imported. Provided you are using time-dependent role assignments, we recommend you schedule daily background jobs. The authorization profiles will then be reconciled with the user master data. Profiles no longer current will be deleted from the user master records and the current profiles will be entered.
  Composite Role Comparison : Start the composite role comparison, if you want to make changes to a composite role definition  (that is, add to or delete single roles from a composite role) or if you want to import a change. Single role assignments will then be reconciled with the composite role assignments for the user. If you want to include single roles in the composite role, the single roles are assigned to those users who are assigned to the composite role. Conversely, the single roles assigned to users are deleted, if the single role is removed from the composite role.
  HR Comparison : Start the HR comparison, if you want to make changes to the HR Org Model, which affect the indirect role assignment. You can only select this processing type, if HR Org is active. The switch HR_ORG_ACTIVE in table PRGN_CUST must be set to YES.
  Cleanups: Carry out a cleanup, if  you want to generate or import profiles. Generated profiles that do not have any roles are deleted.
  Further options:
  Issuing error messages: In dialog mode all error mesasges are displayed on the screen.
  Replicating local HR assignments centrally (You can only select this option, if this client is an active child system of a CUA group and HR org. Role assignments in the child system that have arisen from links in the local HR Org model are replicated for information in the central system
  Thanks,
  Adrian

• Error in generating Profile for Child Role

  Hi Experts,
  My requirement is to chnage profile for child roles created. I'm using FM 'PRGN_AUTO_GENERATE_PROFILE_NEW' to generate the Profile for child role. However it gives an error saying "Open authorizations or org. levels in role & => no profile generated"
  when I execute it.  Infact the same error occurs when i run it for parent role also.
  But prior to attaching the child role to parent role, profile gets generated with no issues.
  Kindly help.
  Regards,
  Anjali

  Hello All/Experts,
  I am also getting same error. how to resolve this?
  regards
  A

• SAP Security Report for single and composite roles

  Hi
    I have a requirement to create a cutomize report in SAP Security.
  I have to display Composite roles,corresponding single roles,the tcodes assigned to those single roles and the description of t- codes. The selection screen has composite roles,single role and T-code which are optional.User can enter selection in any of the selection critreria.How should I go on this?If user gives only composite roles on the selection for e.g 'TEST'. for this role I get suppose 3 child roles 'TEST1' 'TEST2' 'TEST3' from table AGR_AGRS.Now to get the tcodes i go to table 'AR_1251' and I get the tcodes.
  But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.for e.g, 'TEST' 'SAP1' 'SAP2' etc..Now if go to get the tcodes for this single role in AGR_1251,I will ceatainly get the tcodes for eg MM01,FB01,etc.But then how would I know whether MM01 belongs to composite role 'TEST' SAP1' or SAP2' for the single role 'TEST2'.
  Please advise.
  Thanks
  Edited by: Julius Bussche on Aug 13, 2009 4:52 PM
  Subject title improved

  I though of seperate selection options for singles and composites, but you also said:
  > But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.
  My suggestion would be to build better single roles, but that is just me...
  Cheers,
  Julius

• Standred Roles and profiles for OSS Connection User

  Dears,
  We open OSS connections several times for SAP support in which we also provide login credentials to SAP to login in our system.
  Is there any standred roles or profile for this user in QAS and PRD that we can give to maintain our servers confidentiality.
  Please suggest.
  Shivam

  Not really. A note related to your question popped up in a previous discussion:Re: Exclude T-code from SAP all
  > If you take a look at [SAP Note 1118396 - Roles for support activities|https://service.sap.com/sap/support/notes/1118396] you will see this explained nicely...

• Role prefix for custom composite/single roles

  We have custom composite roles which start with TI_XI_* and contain single SAP roles (SAP_) and single custom roles (AAW:). Are we forced to use a certain role naming standard at the composite and single role levels due to Java authorizations?
  Thanks,
  Brad

  Just transport it rather than upload it.  The generated profiles will be carried through with their existing convention.
  If you need to have different profile names due to the naming constraints then LSMW or SECATT will let you do this easily.  If you are not familiar with the tools then 1. Take time to learn one of them (they are very useful) or 2. Do it manually.  60 profiles can be named in 30 minutes or less if you already have created the profile names in a spreadsheet, text file etc.

• Post EhP4 Upgrade - SUIM does not show Composite Role report

  Hi
  I'm having trouble in SUIM after we upgraded to EhP4. Specifically in the Roles by complex criteria selection.
  When a list of single roles is displayed, I select a role and click on Contained in Composite roles (3-arrow button)
  Instead of showing me the list of comp role that selected single role is found in, I get a collective list of all the single roles that are located in the same composite roles as the selected single role is found in.
  Any help out there?
  Regards,
  Yergat

  Hi,
  Refer the below SAP Notes:
  SAP Note 1393940 - SUIM| Incorrect results when searching for profile and roles.
  SAP Note 1543140 - SUIM|RSUSR070 long text, USER_COMMAND_AGR
  Regards,
  Raghu
  Added a new SAP note, which is also relevant

• Stopping user compare when saving composite roles in 4.6c basis pack 25?

  One of the environments I look after is a 4.6c system with basis pack 25 – they can’t upgrade as it breaks a great deal of very heavy customisation in that system.
  We have encountered an issue with the saving of composite roles in that system - when a role is saved we must sit through a very long period of “user distribution in role XXX” while the system performs a user compare of every singular role in that composite role.  This is very painful as it can take nearly half an hour simply to save the composite role – we then need to rebuild the menu and compress it (we use the composite role’s menu structure).  The odd thing is that this behaviour wasn’t apparent for many years – it suddenly started happening about 2-3 years ago to a previous administrator but he wasn’t aware of any changes going through, it just began to force these lengthy compares on him when saving composites.
  I’ve tried in vain to disable this forced compare on every save – I’ve tried the PRGN_CUST modifications including adding the lines “AUTO_USERCOMPARE” with a value of “NO” and “USRCOMPARE_PFUD” with a value of “YES” to try and stop the profile generator from doing this but to no avail.  Unless these settings need a restart of the system to take effect (do they?) I’m at a loss to find any other options.
  The menu setting in the profile generator of “automatic user master adjustment when saving role” is switched off – though setting “auto_usercompare” seems to have broken the ability to bring up the “settings: role maintenance” dialogue box anyway.
  We have a very large number of roles to modify and would be grateful if anyone could offer any advice here.
  Thanks
  DT

  the problem with your issue is that none of use can reproduce that phenomenon, since none of use has that combination of primal release/support package level at hand any longer (at least i think so). so there's only two options left to you:
  first: update this special application until the problem goes away - do so by adding note after note on the very subject, like the one i mentioned plus [905924|https://websmp130.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=905924&nlang=EN&smpsrv=https%3a%2f%2fwebsmp107%2esap-ag%2ede] plus [662484|https://websmp130.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=662484&nlang=EN&smpsrv=https%3a%2f%2fwebsmp107%2esap-ag%2ede] and stop only when you hit one that is not implementable using SNOTE but only by implementing a support-package -> this will obviously be the point where you're stuck then.
  (and yes - for the sake of rob burbank: there are several other ways to implement corrections aside from SNOTE).
  second: open a call with SAP. mind you, this might become a lenghty one since they will also give you note after note ...
  as i said, i'm pretty sure no one in here can help you doing a proper analysis anymore (but maybe i'm wrong).
  anyone - any other (better) suggestions?

• Indirect Role Assignment: Composite roles

  Can anyone shed some light regarding the following scenario:
  We have a user previously assigned to a managerial position and this position is attached to a MSS-composite role in PO13 (thorugh the AG relationship). Now this user has been delimited from that managerial position, and is now assigned to a new position as a normal staff, so he shouldn't have the MSS-composite role anymore. We updated the run in PFUD with HR Org-assignment reconcilation, but we still find the Composite role for Managers in his user master record in SU01.
  What might be wrong?

  > Items to check for before running RHPROFL0:
  > PA Records info for the User
  > ==================
  > 1.  Was the HR check pointer on when the position was delimited?
  > 2.  Is the position truly delimited
  > 3.  Does the IT105/ST0001 match the person's user ID
  > 4.  How many position does this person hold in the PA record
  > 5.  Check if the new position have the correct roles for this person, it might actually have the MSS composite role you are trying to remove access from the user.
  Hi John, thanks for your response to this thread.
  We have not scheduled RHPROFL0 to run. Correct me if I'm wrong, isn't this is only needed when PD-profile is used? We are not assigning structural profile though PD-profile in PO13, we do it manuall instead in OOSB. Besides, I am not able to run that program anyway, because we have the CUA set to Global, and no indirect role asssignment is possible. We can only do the comparison via the HR-org assignment reconciliation in PFUD. Can this be the main reason somehow?
  I also found out that our PRGN_CUST has no entries in it: HR_ORG_ACTIVE is not on. <<--- Does this only need to be switch-on if our CUA is set Local? Do I need this?
  Then, my answers below to your questions:
  1. Do you mean the "pink-arrow-up" icon from the old position? Then the answer is yes.
  2. Then position itself it not delimited, only the user assignment is. In PPOSE, it shows that the person is assigned to this old position from 01.04.2007 until 31.01.2008. So I guess in that sense, it tells that the position is truly delimited.
  3. Yes
  4. In PA records I can see many records under different validity dates, but they are all records of the new position. The earliest record (the one at the end of the list) was a record attached to a default position and without any organization assignment. Then, in PA > List Organizational Assignment screen, there is a system message that says "Employee has more than one position". --> Does this refer to the non-listed old position? or default position + new position in PA record?
  5. No. The new position is just an ordinary employee without any indirect role assigment.
  We also tried to remove the MSS-composite role from the old position in PO13, but it doesn't make any difference to the user master record in SU01.
  For your reference as well, this is how our US_ACTGR looks like:
  40 > AG > A > 007 >  S
  50 > AG > A > 007 > US
  60 > AG > A > 007 > P
  70 > P > B > 208 > US
  110 > S > A > 008 > *
  Hope this information tells something.
  I appreciate your time and many thanks in advance for your help!

• ESS Composite Role Adjustment

  Hi Experts,
  I have been trying to modify the Composite role SAP_EMPLOYEE_ERP for some functionality on portal. In tx OOAC, P_PERNR switch is activated (changed to 1) before this. First of all, I do not know whether the switch should be activated for ESS. But activation worked for me, and was able to get rid of one error. I followed this document for activating <a href="http://help.sap.com/saphelp_erp2005/helpdata/en/94/b8b83b5b831f3be10000000a114084/frameset.htm">P-PERNR</a>.
  I followed the guide lines in the help link, and made some changes in the
  <b>HR Master Data – Personal number Check</b> in the role Z_SAP_ESSUSER_ERP. I added the following profile:
  <b>Authorization Level: W (write access)
  INFOTYPE: 167 (Health plans)
  Interpretation of Assigned Authorization: E (excludes the right access)
  Subtype: BMER</b>
  I feel that should do trick: the user should not edit the Health Plan BMER on portal. Is it the right approach? It should overwrite the standard profile
  <b>Authorization Level: *
  INFOTYPE: 0002, 0005, .............., <b><i>0167</i></b>, 0168, 0169, ......
  Interpretation of Assigned Authorization: I
  Subtype: *</b>
  Any suggestions will be greatly appreciated.
  Thanks!

  Christopher,
  Ok.
  I managed to achieve the requirement. I am keeping the thread here as I do not know how to move threads.
  This is what I did.
  1. Authorization Level: W (write access)
  INFOTYPE: 167 (Health plans)
  Interpretation of Assigned Authorization: E (excludes the right access)
  Subtype: BMER
  2. Authorization Level: *
  INFOTYPE: 0002, 0005, .............., 0167, 0168, 0169, ......
  Interpretation of Assigned Authorization: I
  Subtype: *
  Profile 2 is overwriting the profile 1. What i did was in profile 2
  I removed the 0167 under INFOTYPE. made the profile 1 as follows.
  <b>Final </b>
  <b>1. Authorization Level:R (read access)
  INFOTYPE: 167 (Health plans)
  Interpretation of Assigned Authorization: I (incldue )
  Subtype: BMER
  </b>
  I did the trick. The user is able to view the benefit plan not edit. the system throws a message "you are not authorized to do this" if he tries to edit. However it is one way of restricting the user. might be not elegant. but quick.<i></i>

• User Composite Role History

  Hi Experts,
  Do you know if it is possible to track the history of composite roles that have been assigned to a user.
  For single roles there is a table ush04 which shows a history of assigned roles but I have not seen a similar table for composite roles only.

  Table USH04 shows the history of profile assignments which are stored in table USR04 and UST04. Assignements of single roles are somehow visible, too, because of their corresponding profiles.
  But role assignments are stored in another place:
  Table AGR_USERS (actual assignments)
  Table USLA04 (actual assignments in a CUA central system)
  The history of role assignments is stored in standard change documents.
  Use the SUIM report RSSCD100_PFCG for viewing change documents of roles.
  (The list shows all role assignments but does not mark the assignments for composite roles in a special way.)
  However you need at least the Support Packages as describesd in note <a href="https://service.sap.com/sap/support/notes/621720">621720</a> and <a href="https://service.sap.com/sap/support/notes/606636">606636</a>
  Kind regards
  Frank Buchholz