Reg Authorisation presence in a role

Similar Messages

• Disable an Authorisation object for Multiple roles.

  Hi ,
  I need to Disable an authorisation object F_BKPF_BUP for about 345 roles.Is there any way by which we can make mass changes.Doing it for individual role would take a lot of time.kindly advice.
  Thanks in advance

  Hi,
  1. Go to SE16 --> table  USOBT_C --> put object F_BKPF_BUP in the field "Object" --> execute without restriction. Download the list of TCodes.
  Now go to Table AGR_TCODES --> put the list of TCodes (found with above method) in the field "Extended name" as multiple selection --> execute and download the list of roles.
  Look up your list of 345 roles with this list. After matching, you need to sort out the TCodes present in this list of roles which is checking the object F_BKPF_BUP.
  2. Now go to SU24.. go to option "Authorization Object" and NOT in the Transaction section.
  Put the Object and execute.... go to change mode.... check the proposals for the TCodes you sorted at last step of point 1. Make the proposal Do Not Check where ever it is not so.
  Move the Workbench Transport through Landscape. Your purpose will be done. But you should also keep in mind if the TCodes are present in other roles besides of your 345, those will become vulnerable.
  Regards,
  Dipanjan

• Deletion of Authorisation object from many roles

  Hi Gurus,
  How can we deleted one customized authorisation object included in many roles at once?
  Do it one by one is little bit time consuming. Please help me out.
  Thanks
  Firoz.

  >
  Jurjen Heeck wrote:
  > > You can use CATT/eCATT to record the steps and try it out. While recording you can include a step to click the find button and input the authorization object which you want to delete and then delete it.
  >
  > I do not think ECATT can handle the correct cursor positioning.
  >
  > My question to the original poster is:
  > How many roles are affected? This gives an idea about the amount of investigation which is reasonable to find a workaround.
  I believe it can be done with SECATT using the "find button" to locate the auth object thus addressing the cursor positioning but I will NEVER advise or go the SECATT or ECATT script route for regeneration of roles.  I just do NOT trust a script to automatically regenerate a role unless they number in the thousands or several hundreds.
  To answer your question, I'll do it one at a time.  And as Jurjen pointed out you need to run a query to find out exactly how many roles are affected, you might be pleasantly surprise.  Run SE16->AGR_1251 to find out how many auth objects need to be corrected.
  Good luck!

• Reg:Howq to set Default role on SSO Authentication

  We have a scenario where Default roles should be set to Contributor on SSO Authentication(not using LDAP). I have the below configuration
  SSO_DefaultRoles=contributor
  SSO_ModifyExtraParams=true
  SSO_SetAuthInfo=true
  SSO_IsSimpleAuth=false
  in oraclessopluginfilter_environment.cfg. But on SSO login, I see that users are assigned only guest role because of which they don't have check in option. Can you please help me out with how to set up default roles on SSO authentication.
  Thanks in advance for your time and effort
  Praveen

  Hi Jon,
  For any code changes in bsp components we need it's z-instance and that we get after enhancing the respective entity for eg views, context nodes etc..
  In case you are not familiar with the enhancement, please refer to some thread which explain about the component enhancement concept.
  Coming to this requirement..
  You need to enhance bp_roles component, then enhance rolelist view and roles context node.. redefine the GET_V_PARTNERROLE method.. copy the parent class code and do the necessary changes to manipulate the entries in gt_ddlb_add
  Check the statement at line no 107..
  gr_ddlb_roles->set_selection_table( it_selection_table = gt_ddlb_add ).
  Just before above statment call, manipulate gt_ddlb_add to keep the required role value at index 1..
  Another thing in my test system i can't see any role as "Account" under SPRO customizing "Business Partner Roles" instead "Business Partner (Gen.)" is available, don't know if you are able to see Account Role in the Roles DDLB..
  i would suggest debug the get_v_partnerrole method once at line no 107 see the entries in gt table you will get an idea what you need to change.
  Hope this helps..
  Cheers,
  Sumit Mittal

• Reg: Authorisation difference between BW3.5 & BI 7

  Hi All,
  Please update the security differences between BW3.5 & BI 7.
  Regards,
  Venu

  Dear Venugopal
  Iu2019m going to try help you regarding your question,
  The authorization perspective of 3.X is focused in the authorization object, thatu2019s means that each user needs a group of authorization object to use the BW system, they are grouped in roles. Each authorization object have a specific function, it is to control object access and data access. The control access is defined for each component of BW as InfoObject, InfoProvider, InfoCube, DSO, OHD, Query, BEx Analyzer, BEx application designer, Enterprise Portal, ect. The other is data control access is defined for a set of characteristics relevant of authorization, created in the tcode RSSM where you set up an authorization object.
  The main difference of version 3.X between 7.X is the set up data access. The tcode RSSM was obsoleted and they have released the new tcode RSECADMIN where you can handling whole authorization system, in these tcode you can access to analysis authorization maintence (new concept), instead of reporting authorization object.
  In summary, the strong chancing in the BI 7.0 has been in the data access authorization, with the new concept analysis authorization.
  Other hand, regarding object access there are a some new functionality as portal, open hub destination that are incorporated new authorization object.
  I hope these comments help you about your question,
  Luis

• Reg.Authorisation for Production Order

  Hi all,
  Please tell me that whether Authorisation can be set for Production order Releasing or not.
  My requirement is One person will generate Production But he is not authorised to release it.
  The Other Person who is senior to him is the only person who is authorised to release the Prod.Order.That is once the Prod. order is generated & saved ultimately a message should reach the senior person with the details of prod. order for him to release.
  How to do it.
  Kindly Give solutions .
  Thanks in advance,
  M.Badrinarain.

  Badrinarain,
  You can use user exit PPCO0007 to serve your purpose.
  Regarding the info to reach the senior person, you can talk to your Basis consultant to have the required settings, when any new order is created, it will be informed via mail to the senior person.
  Hope this helps you.
  SmanS

• Reg: Change date of Composite role

  Hi,
  I just need to find out if one of the composite roles in 2 different systems are the same.
  Please let me know how to do this.
  Regards,

  Hi,
  If you go to SUIMComparisons Roles and provide the roles (here you can have option of Single as well as Composite Roles) you will get a cumulative list of all the roles which these both roles consists of.
  If any role is available in both the composite roles, it will have u201CGreenu201D cube in both the columns and if not then a u201CRedu201D start will be shown.
  As logically composite roles are just group of single roles to understand the real comparison you need to compare the single roles which are part of these composite roles.
  Please let me know for any issues,
  <removed_by_moderator>
  Regards
  Suhas
  Edited by: Julius Bussche on Nov 10, 2009 3:03 PM

• Reg authorisation

  Hi all,
           when i login the SBO other than the manager and Super user , i couldn't change the price in AP Invoice . If i login thru manager login , it is possibel.. IF thru other than the manager i can't..
  SO pl help me to set the authorisation..
  i have given the full authorisation for Goods receipt thru PO and AP invoice also..
  Regards
  Suresh R

  Hi nagesh..
     Already i have given full authorisation for item master and even price list also.. But i didn't give full authorisation for full Inventory module.. becaz i need to restrict some transaction..
  so what can i do....
  Regards
  Suresh R

• Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

  Hi
  I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
  This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
  1. Can we integrate both structural authorizations and position based role mapping in one system?
  2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
  3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
  4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
  Any help or suggestions on the above would be appreciated.
  Thanks and Regards
  Arun R

  Hi
  1. Can we integrate both structural authorizations and position based role mapping in one system?
  Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
  2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
  No, the SAP role is unique to the postion it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the sap role directly to the user in SU01/SU01
  3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
  Create user in SU01.SU10 first before creating infotype 105 in PA30.
  4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
  *When a users assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.   
  Also the number of days an employee can have access to their previous data is controlled by the parameter is called ADAYS - tx OOAC .  SAP currently defaults this to 15 days and this is used  to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
  Hope this helps.
  Charmaine

• Assigning Authorisation profile to roles

  Hi All,
  I have created a new authorisation profile by copying from the standard profile and activated the same, I have created a role using  PFCG and assigned it to the user via SU01, but still the user has not  got the required authorisations.
  When i try to assign this  profile to the role via PFCG, i am not able to assign
  Either i have to select  the  transactions from the menu tab and the  system is creating  new authorisation profile and  assigning it to the user,
  can anybody  help me out in assigning the  authorisation profile to the  roles
  Regards
  Venkat

  Hi Venkatesh,
  Short of performing an upgrade step via SU25 to convert the profile to a role (which you really don't want to do!), you can't do this to the best of my knowledge.
  PFCG is called profile generator because it creates the profiles for you based on what you enter into the menu tab and the corresponding auth values that you maintain within the role via PFCG.
  I strongly recommend that you build a role via PFCG and create it with the right combination of menu transactions and auth values.  You can then assign this to the user.  This is the standard way of maintaining authorisations now.
  Alternatively you can assign the profile you have created to the user, however if the role build is role based, I would not recommend this approach at all.

• How to create a new ROLE in BW

  Hi All,
  I would like to create a new ROLE in BI 7.0.
  How to remove a query from a ROLE.
  Thanks in advance

  Roles are created in Tcode PFCG . Here you can restrict  the objects ( Info areas , infoproviders , queries , etc ) and actions ( execute , change , display ) for which you want to give authorisation.
  If authorisation is based on some info object eg company code , we create analysis authorisation in RSECADMIN ( restrict it to auth variable created in Bex ). This auth variable code may refer to a DSO which defines the user and company code relationship ie reads the current user and returns the company codes maintained against that user in DSO .In PFCG , we assign this analysis authorisation to authorisation object  while creating role .
  Role can be assigned to a user using PFCG or SU01 tcode.
  Roles can be modified( removing query as in your case ) in PFCG ---> Give role name ---> Change .

• Authorisation in BW 7.0 with Planning.

  Hi All,
  Have been setting up a new Authoridation object for our planning setup.
  The planning team would like to set up multiple permissions on 4 agregation levels coming off the one multi provider. The new authorisation concept allows you to specify the info-provider as the multi, but does not allow you to specify the aggregation level which we want to limit it to. Most users read off this aggregation level, but there are a few who write to it, and I need to be able to differentiate between them in the Authorisation object, but assigning 02 to one lot, and 03 to another. But these people may not have write access to another aggregation level running off the same multi.
  Is there an authorisation object that I have missed which I can add to specify the aggregation level in the authorisation object?
  Second question is that if you use S_RS_AUTH to assign an Authorisation object to a role, is it only relevant for that role or will it's permissions carry accross to other roles a user might have?
  Thanks for your help..
  regards
  Matt

  Thanks Ravinda for your answer.
  Is this using the new concept of security or the old one?
  Don't you need some type of planning level object or agregation level object within the authorisation object rather than the role? If you authorise in the new security model it will authorise to the muli level, and if you wanted only certain users to view agregates above it they would all have access as the new model gives them access to the multi.
  We are currently prefacing all queries with the agregate level they are giong through and we use this to secure in S_RS_COMP.....was hoping there was an object in the new security model which would allow us to select which Agregation level they were allowed to view so it could be tied up in the same auth object.
  Can you control the planning level from within the new object?

• BEX Selection Screen Authorisations

  Hi all,
  I have developed a new authorisation role for a demand planner in APO. Part of its function is to allow the user to run a BEX report on a remote cube. This is working, apart from the selection screen when running the BEX query does not appear. This is NOT due to personalisation of variables.
  When I grant the same user the SAP_ALL profile, the selection screen appears when repeating this test. I have ran traces and gone through the SAP_ALL profile and ensured that every BW object I could see existed in my new role.
  Sadly I have not reached an answer as to what is missing in my role. Any ideas?
  I appreciate any help you can give on this matter.
  Kind regards,
  Nick

  Hi Ravi,
  There is one characteristic in the query that I've made authorisation relevant, 'Sales Org'. I have added the associated authorisation object to the role and as a test I've also given full access to this object in PFCG. This is why I would still expect it to prompt me with a selection screen.
  Sadly this is not the case. Do you have any other ideas? I do believe it is to do with at least 1 other SAP standard authorisation object, I just can't find which one it is.
  Thanks, Nick

• Creating Roles for Purchase Req. release strategy with classification

  Hi friends,
  Since I have created Purchase req rel strategy where I have four release strategy
  1. For Plant 1 When value <= 5000 (Officer) will release , release code 01 release release strategy r1 and rel code L1
  2 For Plant 1 When value >= 5000 (Manager) will release , release code 01 release release strategy r2and rel code L2
  Now the manager will have 2 release code,if  officer is absent he could release the requisition.
  Same has to be done for plant 2
  The release Group and code needs to be assigned to the Roles , could anybody tell  me  where i could know about roles and will be able to create roles and assign authorisation objects to the Roles , and release group and code to the enduser.
  though its a basis job , since I have no idea , I mean I have never worked with Roles ,as now I have created the Release strategy with classification I need to assign authorisation objects to the Roles as I have four release strategy
  1. For Plant 1 lower value of requisition 1 codeL1(Officer)
  2  For higher value of requisition 2 code say Li and L2(Manager)
  Manager should have 2 codes if  officer is absent he could release
  Same has to be done for Plant 2
  Thanks N Regards
  Siddhartha

  Hii,
  Steps:
  1) Create a Role
  2) Add the authorization Object  M_EINK_FRG by taking the manual option
  3) Assign Release Code and Release Grp
  4) Assign the Role to the User ID which has the authorization of the Release Code and Grp.
  Regards,
  Kumar

• Authorisation of the static resources OAS10g R2

  Hi,
  I have some static resources (folders with html and image files) referenced in the web server of my OAS 10g release 2.
  The alias ‘myalias’ is defined in the oas10gr2/Apache/Apache/conf/httpd.conf
  <IfModule mod_alias.c>
  /myAlias/ “/folder_root/folder_web_ressources/”
  And this alias is secured (SSO – OID – LDAP) in oas10gr2/Apache/Apache/conf/mod_osso.conf
  <IfModule mod_osso.c>
  <Location /myAlias >
  require valid-user
  AuthType Basic
  </Location>
  When I access a file by his URL, the authentification page is display and having a user and a password I can display my page, which is ok.
  Now I need to restrict the access of certain folders to a given role.
  For eg the user accessing www.domain.com/myAlias/customer/c.html must have the CUSTOMER_ROLE and the user accessing www.domain.com/myAlias/owner/c.html must have the OWNER_ROLE.
  All my roles are defined in LDAP, but I don’t know how I can modify my configuration files to make this role verification.
  It is possible to have something like that ?
  <Location /myAlias/customer >
  require valid-user
  AuthType Basic
  PRIVILEGE CUSTOMER_ROLE
  </Location>
  <Location /myAlias/owner >
  require valid-user
  AuthType Basic
  PRIVILEGE OWNER_ROLE
  </Location>
  Thanks for any suggestion,
  Ivat

  Hi again,
  I do it differently:
  In my web application I have created a virtual directory to my static content (which is dynamically updated by another application).
  1. In WEB-INF\orion-web.xml
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <!DOCTYPE orion-web-app PUBLIC "-//Evermind//DTD Orion Web Application 2.3//EN" "http://xmlns.oracle.com/ias/dtds/orion-web.dtd">
  <orion-web-app servlet-webdir="/servlet/" directory-browsing="deny" autoreload-jsp-beans="true" autoreload-jsp-pages="true" persistence-path="./persistence">
  <web-app-class-loader search-local-classes-first="true"/>
  <virtual-directory real-path="/server/folder_root/folder_web_ressources" virtual-path="/resources" />
  </orion-web-app>
  2. This alias is secured (SSO – OID – LDAP) in oas10gr2/Apache/Apache/conf/mod_osso.conf
  <IfModule mod_osso.c>
  <Location MyAppRoot/resources >
  require valid-user
  AuthType Basic
  </Location>
  3. I use a servlet filter where, after the authorisation, I do my ROLE check.
  Web.xml
  <filter>
  <filter-name>Filter_VIRTUAL_DIR</filter-name>
  <filter-class>mydomain.servlet.RoleCheckFilter</filter-class>
  </filter>
  <filter-mapping>
  <filter-name>Filter_VIRTUAL_DIR</filter-name>
  <url-pattern>/ resources/*</url-pattern>
  </filter-mapping>
  This “workaround” do my job. I hope that this can help someone.
  Thanks,
  Ivat