Query related to Authorization profile.
Hi Professionals,
Please help me out as I'm not a BASIS consultant but PP.....
We've created Users profile and assigned them profiles that contain a particular bunch of Transaction codes module wise.
Now we want to to create and assign such a Authorization profile to Users which will contain all Display transaction codes either related to all modules OR that particular module only say PP, MM, FI, CO etc.....
For example
MM03- Display material master
CS03- Display material BOM
CR03- Display work center
ME53N- Display Purchase requisition etc.
Is there any standard profile for that that are already provided by SAP? If it's there, how do we know that are related to what module?
Suppose if we assign such profiles, what will be implications related to future and user discipline?
Thanks & Regards,
Abu Arbab
Hi Abu, don't worry about being a PP consultant, most of us here are not Basis either, rather we focus on security.
There are no standard roles delivered by SAP which give this. There are standard SAP display roles but none will include all the display transactions for a module.
What you should do is get each functional team to list the dispay transactions which are used by the business processes which they have configured. There is no point in creating a display role with 500 transactions if the business processes only requires 30 transactions. Access is more usually required for business processes rather than module so you would often need to combine your modular display roles to cover a single process.
By building the roles to include the transactions you use rather than are available, you also avoid one of the mistakes often seen with using standard SAP roles - users having wider authorisations than they require to perform their job.
Similar Messages
-
ISE - Authorization Profile issue
I'm running a trial of ISE and I'm attempting to create the authorization profile with the following settings:
Name: Posture_Remediation
Access Type: Access_Accept
Common Tools:
Posture Discovery, Enabled
Posture Discovery, ACL ACL-POSTURE-REDIRECT
The documentation says Common Tools, but in the screen shot it shows Common Tasks which is accurate to my install. Doc: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic19
The issue is that I do not see a Posture Discovery option in the Common Tasks area. Can I add these the attributes using the Advanced Attributes settings or is there something I need to enable to display the Posture Discovery option within Common Tasks?
Any help would be appriceated.
AndrewHello Andrew,
As per your query i can suggest you-
Creating a New Authorization Policy
Use this procedure to create a new authorization policy.
To create a new authorization policy, complete the following steps:
Step 1 Choose Policy > Authorization > Standard.
Step 2 Click to select either Insert New Rule Above or Insert New Rule Below.
A new policy entry appears in the position you designated in the Standard panel of the Authorization Policy window.
Step 3 Enter values for the following authorization policy fields:
•Rule Name—You need to define a rule name for the new policy.
•Identity Groups—Choose a name for the identity group that you want associated with the policy.
–Click + ("plus" sign) next to the word "Any" to display a drop-down list of group choices, or choose Any for the policy for this identity group to include all users.
•Condition(s)—Choose the types of conditions or attributes for the identity group associated with the policy. Click + next to Condition(s) to display the following list of condition and attribute choices that you can configure:
–Select a Condition Name option from the drop-down list (Simple Conditions, Compound Conditions, or Time and Date Conditions) as needed.
–Select one of the Attribute options as needed. This displays a list of dictionaries that contain specific attributes related to the dictionary type.
When you select an attribute, you can define it as Equals, Not Equals, or Matches using a pull-down list of operator options, and select an AND or OR directive using a pull-down directive option.
For more information please refer to the link -
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html -
Query related to UPN Suffix in Hierarchical domain architecture in Active Directory deployment
This is regarding a query related to UPN Suffix in Hierarchical domain architecture in Active Directory deployment.
We use LDAP query (filter uPNSuffixes=* for the parent domain DN) to retrieve the upn suffixes configured in the AD Domain. This returns the UpnSuffixes configured for the entire domain tree ( upnsuffixes of parent domain and all the child domains) in the
hierarchy. The AD Domains and Trusts configuration lists all the upnsuffixes as part of the dnsroot domain.
For one of our implementation, we need to distinguish between the UPNsuffixes belonging to the parent and child domain and map the UPN suffixes with the respective domain in the hierarchy. As the upnsuffixes are stored as part of the root domain in the AD
domains and trusts configuration, it was not clear how to retrieve the information specific to each domain in the hierarchy.
It would be helpful if you could provide pointers on how to obtain the above mapping for the upn suffixes in a hierarchical domain setup.
Thank you,
DurgeshBy default, you can use only the domain name as UPN suffix for user accounts you create within the domain. It is possible to add extra UPN suffixes but these are added at the forest level and not specific to a domain.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Create Display Authorization Profile for SAP Transaction SPRO (IMG).
Dear All,
In my current implementation project there is an requirement to create display authorization profile for SPRO. I have tried a lot but was not able to do so.
Any one is having an experience in creating display profile for SPRO (IMG) ? If any one has worked on this issue then please guide me.
Thanks,
AvinashHi
This is security related question. I am not security expert.
But you can check this, Include the following authorization objects in the profile and assign this profile to the target user.
S_IMG_ACTV
S_PROJECT
S_PROJ_AUT
S_PRO_AUTH
and assign activity = 03 (Display).
Hoipe it helps.
regards
Srinivas -
Authorization Profile for attributes into qeries
Hi all,
I've a big problem in a Bex environment.
Some users-id cannot see the kf-type attributes of 0material, but they can see only characteristic-type attributes. In general this happens for all characteristics with kf-type attributes.
Instead with my user-id (sap_all) the query is ok.
I believe the problem depends of the authorization profile.
Every user has a lot of profiles.
How can I do for detecting the restrictions of these users?
Do you know the specific profile that limits the display of the attributes?
Does it exists a t-code to identify the auth.profile used from a query?
Thanks in advance.
ClaHi Claudia,
It seems that key figure authroization has been set up in your system. You need to assign the role that would give the users access to these key figures. You can run the report by any other user's auth, through transaction RSSMQ.
Hope this helps... -
Authorization profile description
hi experts,
In tcode su01, we have authorization profile and its description for a user.
I have a report in which authorization profile has been displayed. I need the <b>authorization profile description</b> next to it. I found the field PTEXT in table USR11 has got the description. However i dont have any relation (key) between USR11 and (usr01, 03, 04). Kindly suggest me some idea to get the description.
Thanks in advance.
Senthilhi Senthil,
Check
UST04 User masters
UST10C User master: Composite profiles
UST10S User master: Single profiles
UST12 User master: Authorizations
USTUD Students
Regards,
Santosh -
How to get all authorization objects for a certain authorization profile
Hi ABAP experts,
I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
So:
- where are these values stored (dictionary table)?
- is there already a FM or a report to read all authoriation values for a certain authorization profile?
Thanks in advance.
Best regards,
OliverHi,
check the following it might useful for you:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
if helpful reward points are appreciated -
Query relating to the creation of Managed Service Accounts
Hi Folks
I am studying for my 70-411 exam and have a query relating to the creation of Managed Service Accounts.
I have successfully created an MSA account named 'MSATest' on a DC using:
new-adserviceaccount -name msatest –dnshostname home-dc-01 -passthru
and
add-AdcomputerServiceAccount -identity home-ap-01 -serviceaccount msatest -passthru
However the guide that I am using now says that I now need to run: Install-ADServiceAccount on the host computer in the domain to install the MSA in order to make available it available for use by services.
So on my member server (home-ap-01) I have installed the Active Directory Module for powershell and ran:
PS C:\Users\administrator.PCECORP> Install-ADServiceAccount -Identity msatest
Install-ADServiceAccount : Cannot install service account. Error Message: 'An
unspecified error has occurred'.
At line:1 char:1
+ Install-ADServiceAccount -Identity msatest
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (msatest:String) [Install-ADServiceA
ccount], ADException
+ FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:Install
ServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.Insta
llADServiceAccount
PS C:\Users\administrator.PCECORP>
However this errors, Have I misunderstood the purpose of the Install-ADServiceAccount ? or am I doing something wrong?
Thanks in advance for you help.Try using -RestrictToSingleComputer parameter when creating service account with New-ADServiceAccount.
Gleb.
Hi Gleb
Thank you for your help, it is appreciated. That did the trick.
All the best. -
Query related to multiple attachments in mail adapter
Hi,
I have a query related to multiple attachments in receiver mail adapter.
I have successfully configured mail related scenarios but now I have another requirement in which I have multiple source files in one directory and I want to send one mail for multiple files as mail attachment using receiver mail adapter. Can anybody help me how to achieve multiple attachments in reciever mail adapter.
To clarify the requirement more let us take an example
Ex: I have 5 input files in the source which I pick up using additional files option in the sender file adapter, now I want to send those 5 files into one mail with 5 attachments. Can anybody explain how 5 different payload will be sent as multiple attachments in one mail.
For your information I used, options like "keep attachments" , some parameters in module processesors etcs...but not able to find out as how exactly it will be achieved.......I dont want to use BPM collect pattern for this.....
Need your help on this issue. Please suggest the solution as how it can be achieved using receiver mail adapter.
Thanks & Regards
PrabhatHi,
I resolved the issue on my own. Thanks for your help and support.
Thanks & Regards
Prabhat -
Query related to Email adapter
Hi,
I have query related to receiver Email adapter. I am able to run a scenario for 2 attachments in receiver mail adapter scenario.
My scenario is that I am picking up the multiple files using sender file adapter "additonal fiiles" fucntionality and and post the two files as attachments in receiver email adapter. I am picking up two formats: .xml file and PDF and successfully attached to the receiver email adapter.
My query is is related to Standard module processors sequence.
For 3 files in mail attachments(.xml , pdf & .txt) what should be the module processors sequence in receiver email adapter?
Currently I am using the following module processors sequence
1 localejbs/AF_Modules/MessageTransformBean Local Enterprise Bean trans2
2 localejbs/AF_Modules/PayloadSwapBean Local Enterprise Bean swap
3 localejbs/AF_Modules/MessageTransformBean Local Enterprise Bean trans1
4 sap.com/com.sap.aii.adapter.mail.app/XIMailAdapterBean Local Enterprise Bean mail
swap -> swap.keyName -> payload-name
swap> swap.keyValue> file1
trans1> Transform.ContentDescription>file1
trans1> Transform.ContentDisposition>attachment
trans1> Transform.ContentType>application/pdf;name="file1.pdf"
trans2>Transform.ContentDescription>file1
trans2>Transform.ContentDescription>inline
Can any body tell me what should be the sequence of module processors and the associated parameters so that all formats(.xml , pdf & .txt) should go as an attachments in the reciever email adapter.
Thanks & Regards
Prabhatit would be something like this, Try this
1 localejbs/AF_Modules/PayloadSwapBean Local Enterprise Bean swaptxt
2 localejbs/AF_Modules/MessageTransformBean Local Enterprise Bean trans3
3 localejbs/AF_Modules/PayloadSwapBean Local Enterprise Bean swapxml
4 localejbs/AF_Modules/MessageTransformBean Local Enterprise Bean trans2
5 localejbs/AF_Modules/PayloadSwapBean Local Enterprise Bean swappdf
6 localejbs/AF_Modules/MessageTransformBean Local Enterprise Bean trans1
7 sap.com/com.sap.aii.adapter.mail.app/XIMailAdapterBean Local Enterprise Bean mail
swapxml -> swap.keyName -> payload-name
swapxml> swap.keyValue> file2
swappdf -> swap.keyName -> payload-name
swappdf> swap.keyValue> file1
trans1> Transform.ContentDescription>file1
trans1> Transform.ContentDisposition>attachment
trans1> Transform.ContentType>application/pdf;name="file1.pdf"
trans2>Transform.ContentDescription>file2
trans2>Transform.ContentDisposition>attachment
trans2> Transform.ContentType>application/xml;name="file2.xml"
trans3> Transform.ContentDescription>file3
trans3> Transform.ContentDisposition>attachment
trans3> Transform.ContentType>application/txt;name="file3.txt"
mail --> mime.contenttype --> multipart/mixed
I have not tried this myself. but it should work -
Hello All,
We are in process of implementing Exchange 2013 in our Organization and had a Query related to GAL.
Below is our Environment description:
01. We have a Single Forest and Single Domain Architecture.
02. We will have separate Active Directory Sites for all 3 Regions across Global.
03. Exchange 2013 will be installed in each region.
04. In APAC region Exchange 2013 Language pack for Japanese will be installed to support Japanese language.
Our Requirement:
================
01. When a Japanese User tries to browse GAL all the display names have to be displayed in Japanese language and when a user who resides other Region (Europe or AMERICAS) tries to browse GAL the Address list has to be displayed in default English Language.
Can someone guide us on how this can be achieved?
Awaiting for all your suggestions.
Thanks in advance.
Thanks & Regards,
Nagaraj N
Nagaraj NHi Nagaraj,
Here are some requirements that I am still not quite sure. Could you please provide more information about it? Such as:
1. Do you mean one user have two display names: one with Japanese language used for users in Japan, one with English language used for English users? Then we filter address lists with language difference. Based on my knowledge, one email address is generally
involved for one display name.
2. If there are both Japanese users and English Language users in the forest, and you just need Japanese users view users whose name is displayed as Japanese language. We can use
Address book policies (ABPs) to segment users into specific groups to provide customized views of your organization’s global address list (GAL).
To show different GAL for different users, we can specify the CustomAttribute1-15 property to divide your organizations. For example, we can set the CustomAttribute15 property for Japanese users to
Japan. Just like:
Set-Mailbox –Identity JapanUser1 –CustomAttribute15 Japan
Then we can create global address list for Japanese that includes all of the recipients that exists in the address lists and room address list:
New-GlobalAddressList -Name "GAL_Japan" -RecipientFilter {(CustomAttribute15 -eq "Japan")}
For detailed steps about how to create and apply the Address Book Policies, please refer to:
http://technet.microsoft.com/en-us/library/jj657455(v=exchg.150).aspx
Hope it helps.
Regards,
Winnie Liang
TechNet Community Support -
Query related to DataGuard Archicture...
Hi All,
I want to implement DataGuard Archicture in my setup, I'hv one query related to different operating system in my setup, I'hv two server one for primary and the other for standby Database with 10g DB R2. In one server having Linux os and the other own has Solaris, so DataGuard will work on different os or both server os should be same? And if I'hv 2 GB then will it be create any prob?
pl. suggest me.A requirement for standby is both databases must be on the same platform and on the same db version, this requirement applies even if you are on a logical or on a physical dataguard database.
You can verify the Step by Step instructions to create a standby database:
Step-byStep Instructions for Creating a Logical Standby Database
Step-by-Step Instructions for Creating a Physical Standby Database
~ Madrid -
Hi Freinds,
This is mamatha i have a query related to withhold tax .what is diff b/w business place and section code.what is importance of section code.
Regards
S Mamatha
Please, search SDNFor India, witholding tax, you need to create the business place and section code with the same id.
Section code is additional field provided by sap for tds related processig, reports etc.
Regards,
SDNer -
Query related to the transfer of the control to the other controller.
Hi all,
I have a query related to the transfer of the control to the other controller.
I have components A and B .From a view of component A I neeed to open a window which belong to component B.Problem is that ,if I use create_window_for_cmp_usage( ) and the open( ) method and after that there is some code,then that code is getting executed before the window is opening.
I want that the control should be back to the these code after the window is poped up and after clossing the window.
Eg
method ONACTIONOPEN_WINDOW .
DATA lo_window_manager TYPE REF TO if_wd_window_manager.
DATA lo_api_component TYPE REF TO if_wd_component.
DATA lo_window TYPE REF TO if_wd_window.
lo_api_component = wd_comp_controller->wd_get_api( ).
lo_window_manager = lo_api_component->get_window_manager( ).
lo_window = lo_window_manager->create_window_for_cmp_usage(
interface_view_name = 'ZHELLO_WORLD'
component_usage_name = 'USAGE_HELLO'
title =
close_in_any_case = abap_true
message_display_mode = if_wd_window=>co_msg_display_mode_selected
lo_window->open( ).
data a type i.
data b type i.
a = 2.
b = 3.
a = a + b.
endmethod.
In this case I am calling ONACTIONOPEN_WINDOW method.But before opening the window the a iscalculated here.I want that after popuping the window the calculations should be done .
How will I achieve this.
Thanks in advance.
Edited by: vaibhav nirmal on Nov 25, 2008 6:42 AMHi,
You will have to do your calculation as an event in your new window, or capture the closing of the new window as an event in your currenbt view and do your calculations in the event.
Regards,
Shruthi R -
Query related to User License.
Hi all,
I have some query related to User License.
If we have 250 no of user license( with one developer),
can we use them individually on DEV, QAS & PRD ?
can we use them individually on differrent clients?
what abt users on 000 client. Is they should different license or come under same group.
Regards,
shanContact you SAP Account Manager.
Regards
Juan
Maybe you are looking for
-
What is the recommended way to obtain tracking data from carriers post XSI
We currently run an old version of SAP Business Connector. We are in the process of migrating all interfaces off BC onto PI. The one remaining interface we have problems is the XSI (Express Delivery Interface) interface we have with ECC06 and UPS via
-
Crop mark on image when exporting to PDF
When I export my INDD file to PDF, crop marks appear on one of the images (an EPS file) in the converted document. The crop marks do not appear in the INDD file, nor are they part of the original EPS file. Any idea what's happening and how to get rid
-
Screen goes blank - need help!
Some weeks ago the screen on my iMac started to go blank. The only way to recover was to re-boot. The problem got worse until the machine became un-usable. I tried everything I knew, including switching off and unplugging to reset the pram as suggest
-
Grant permission to all packages in another schema
Is there a way I can grant access to all the packages in another user's schema? Please guide me. Thanks!
-
OSX 10.9 update removed java - how to fix that?
After updating to OS 10.9 I could no longer us my most important app PHPStorm because it relies on java and the OSX 10.9 installer sabotaged it. When I type java on the console it now says No Java runtime present, requesting install. request, hu? ***