Reg :Composite role

Similar Messages

• Reg derived roles combination into composite role

  Dear All,
  We have a role called GR Clerk. This will be available across all stores and DC for our retail customer. We have devised a strategy wherein we will create one global role with * in org level for site. Then we will
  create derived roles for individual DC and stores (from global role) and maintain site for each derived role.
  Now our customer wants following:
  Example: Store 1's GR clerk shall have required authorizations on transaction for Store 1, plus, one
  additional authorization/transaction for Store2.
  What we initially though that we will create two individual global roles: One for all authorizations and
  second for additional authorization.
  Global GR Clerk role: GRC
  Transactions: t1, t2, t3          
  Global GR Clerk role: GRC_additional
  Transactions: t4
  Derived Roles
  for GRCStore1:     
  1. GRCStore1 with org level Site= Store1     
  2.GRCStore1_additional with org level Site= Store2
  Now I will assign both derived roles to user who is GR Clerk on Store1.
  Is this approach correct?
  Also, customer wants that only one role should be assigned to user. So shall I create a composite role out of 2 derived roles?
  Will the respective site org levels be maintained after combining derived roles into composite one?
  Thanks for your time in advance.
  regards, Sean.

  Hi,
  Regarding the transaction roles and authorization roles, it is also a good approach, however, you would still have to consider the above point in case the authorization objects overlaps and make sure that both are restricted to appropriate "stores".
  Whether it's a good approach or not, per me, depends on the overall scenario and the fact that how much maintenance would be required in long term.
  Like say, if it is a case that the transaction codes (t1,t2 and t3) are for specific stores and transaction t4 is like display activity of other store and not just store 2. Then creating a common role for transaction t4 and including it in the composite role apart with the store specific role with tcodes (t1,t2 and t4) would also be a good approach.
  ZZZ:STORE_CLERK_STORE1             (Composite Role)
  ZZS_STORE_CLERK_STORE1                      transaction code t1, t2 and t3
  ZZZ_STORE_CLERK_STANDARD                  transaction code t4 (Either no org level restriction or all store access)
  ZZZ_STORE_CLERK               (Parent Role)
  ZZS_STORE_CLERK_STORE1                  Org level Restricted to Store 1
  ZZS_STORE_CLERK_STORE2                  Org level restricted to Store 2
  and so on
  PS: Naming convention are for illustration only
  Cheers !!
  Zaheer

• Reg: Change date of Composite role

  Hi,
  I just need to find out if one of the composite roles in 2 different systems are the same.
  Please let me know how to do this.
  Regards,

  Hi,
  If you go to SUIMComparisons Roles and provide the roles (here you can have option of Single as well as Composite Roles) you will get a cumulative list of all the roles which these both roles consists of.
  If any role is available in both the composite roles, it will have u201CGreenu201D cube in both the columns and if not then a u201CRedu201D start will be shown.
  As logically composite roles are just group of single roles to understand the real comparison you need to compare the single roles which are part of these composite roles.
  Please let me know for any issues,
  <removed_by_moderator>
  Regards
  Suhas
  Edited by: Julius Bussche on Nov 10, 2009 3:03 PM

• Add a single role to different composite roles in one step

  Hello everybody,
  I am working on SAP authorizations, and we often have the situation that a new Tcode is developed and a new role for this Tcode needs to be created.
  Than this new role needs to be added to many different composite roles (sometimes more than 100). At the moment I enter the single role to the composite role and regenerate the menu and this one by one. After that I add them with PFCG_MASS_TRANSPORT to my transport request.
  I don't want to believe that there is no easier way. Any ideas?
  Thank you
  Flo

  Hi Soma,
  great to find a place to be welcome..Thanks
  What you wrote definitely makes sense, but we agreed that every user only gets one composite role assigned and this composite role contains all single roles needed for his job. We do not assign single roles to users.
  The requirement is that every finance guy should get access to it (by the way, it is a report) unfortunately we have many different sites and may different composite roles for the different positions in the finance area.
  And I did not identify a role which is part of every composite role in the finance area, so I would either have to add it to the most common role present in these composite roles and additionally create a new role which gets assigned to the composite roles where I add the T-Code to is not present.
  -> In this example I would add one T-Code to two roles. Which our security manager disallowed me...
  or make this role available in all finance composite roles, which will give these employees access to other T-Codes which are part of the role but which they should not receive.
  -> Which again... our security manager disallowed me...
  So the only solution I imagined was to create a new role which contains this T-Code and to add this role one by one to every composite role.
  And at the end, your concept is also taken into account because the design of this role is open and if we get a new reporting T-Codes which again need to be added to all Finance guys, I definitely add it to this role
  Comments?
  Cheers
  Florian

• Post EhP4 Upgrade - SUIM does not show Composite Role report

  Hi
  I'm having trouble in SUIM after we upgraded to EhP4. Specifically in the Roles by complex criteria selection.
  When a list of single roles is displayed, I select a role and click on Contained in Composite roles (3-arrow button)
  Instead of showing me the list of comp role that selected single role is found in, I get a collective list of all the single roles that are located in the same composite roles as the selected single role is found in.
  Any help out there?
  Regards,
  Yergat

  Hi,
  Refer the below SAP Notes:
  SAP Note 1393940 - SUIM| Incorrect results when searching for profile and roles.
  SAP Note 1543140 - SUIM|RSUSR070 long text, USER_COMMAND_AGR
  Regards,
  Raghu
  Added a new SAP note, which is also relevant

• Get child users of composite role

  Hello
  There is FM (ESS_USERS_OF_ROLE_GET ) which bring all user of roles but what i want it's more complicated
  IF there is composite role i want to get all the user that in the roles under the composite role .
  Let say i have composite role with two roles inside (in the role tree ) .
  Composite role
  user1"this is the users of the composite role
  user2
  user3
  Role number  1
  user4
  user7
  user9
  Role number 2
  user 8
  user 5
  user7
  user6
  What i want is to get all the users of the composite role  and the child  role (which is parent ) .
  which is .
  users 1 - 9.
  I read some previous post on this issue in the forum but what I need is to use just this FM without access  to the DB
  table such as T_AGR_AGRS and COLL_ACTGROUPS_GET_ACTGROUPS ,
  What i need to do is recursive call on  the FM ESS_USERS_OF_ROLE_GET  .
  Regards
  Joy
  Edited by: Joy Stpr on Aug 23, 2009 8:50 AM

  Hello Joy,
  How is it possible to use just function module ESS_USERS_OF_ROLE_GET to get data without DB access?
  I mean this function module takes input as Simple/Composite ROLE so you have to have some list maintained
  which will be input for this function module.
  I think you can load composite and simple role in table and loop at it to make calls to function module ESS_USERS_OF_ROLE_GET to get users for compsite/simple roles.
  Some input has to be there, That's what I feel.
  Check if this helps!
  Thanks,
  Augustin.

• Stopping user compare when saving composite roles in 4.6c basis pack 25?

  One of the environments I look after is a 4.6c system with basis pack 25 – they can’t upgrade as it breaks a great deal of very heavy customisation in that system.
  We have encountered an issue with the saving of composite roles in that system - when a role is saved we must sit through a very long period of “user distribution in role XXX” while the system performs a user compare of every singular role in that composite role.  This is very painful as it can take nearly half an hour simply to save the composite role – we then need to rebuild the menu and compress it (we use the composite role’s menu structure).  The odd thing is that this behaviour wasn’t apparent for many years – it suddenly started happening about 2-3 years ago to a previous administrator but he wasn’t aware of any changes going through, it just began to force these lengthy compares on him when saving composites.
  I’ve tried in vain to disable this forced compare on every save – I’ve tried the PRGN_CUST modifications including adding the lines “AUTO_USERCOMPARE” with a value of “NO” and “USRCOMPARE_PFUD” with a value of “YES” to try and stop the profile generator from doing this but to no avail.  Unless these settings need a restart of the system to take effect (do they?) I’m at a loss to find any other options.
  The menu setting in the profile generator of “automatic user master adjustment when saving role” is switched off – though setting “auto_usercompare” seems to have broken the ability to bring up the “settings: role maintenance” dialogue box anyway.
  We have a very large number of roles to modify and would be grateful if anyone could offer any advice here.
  Thanks
  DT

  the problem with your issue is that none of use can reproduce that phenomenon, since none of use has that combination of primal release/support package level at hand any longer (at least i think so). so there's only two options left to you:
  first: update this special application until the problem goes away - do so by adding note after note on the very subject, like the one i mentioned plus [905924|https://websmp130.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=905924&nlang=EN&smpsrv=https%3a%2f%2fwebsmp107%2esap-ag%2ede] plus [662484|https://websmp130.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=662484&nlang=EN&smpsrv=https%3a%2f%2fwebsmp107%2esap-ag%2ede] and stop only when you hit one that is not implementable using SNOTE but only by implementing a support-package -> this will obviously be the point where you're stuck then.
  (and yes - for the sake of rob burbank: there are several other ways to implement corrections aside from SNOTE).
  second: open a call with SAP. mind you, this might become a lenghty one since they will also give you note after note ...
  as i said, i'm pretty sure no one in here can help you doing a proper analysis anymore (but maybe i'm wrong).
  anyone - any other (better) suggestions?

• CUA problem with composite role

  Hello experts, I have a problem with a composite role in my CUA parent system. If you look at the roles tab you will see one of the child roles has a name of child CUA system in the 'target sys' column. the rest all have 'user system'. Can anyone explain how this 'target sys' column is defined?
  Thanks
  Dave Wood

  I do not know if you have solved this issue, but the target system is defined within your single role on you menu tab.
  No what happens is that in transaction SM30 table SSM_RFC you define system variable linked to your logical system.
  This variable determines that when you import roles from another system by means of transaction PFCG > Read from other system from RFC and you select your variable the system will automatically default in the target system field the system it is suppose to go back to.
  So this way when you distibute the roles it will only go back to that particular target system, and you do not need to specify and guess where the role came from.
  Try removing that table entry in SM30 SSM_RFC and see if that way you will be able to remove the target system from the role.
  However it is not a bad thing to have activated. If you are working with position base authorizations and you have more than 1 system, you define 1 composite role for all the roles, for all the systems and you will be able to see where the composite resides by means of the target value.
  Hope this makes sense.
  Regards
  Sonja

• Indirect Role Assignment: Composite roles

  Can anyone shed some light regarding the following scenario:
  We have a user previously assigned to a managerial position and this position is attached to a MSS-composite role in PO13 (thorugh the AG relationship). Now this user has been delimited from that managerial position, and is now assigned to a new position as a normal staff, so he shouldn't have the MSS-composite role anymore. We updated the run in PFUD with HR Org-assignment reconcilation, but we still find the Composite role for Managers in his user master record in SU01.
  What might be wrong?

  > Items to check for before running RHPROFL0:
  > PA Records info for the User
  > ==================
  > 1.  Was the HR check pointer on when the position was delimited?
  > 2.  Is the position truly delimited
  > 3.  Does the IT105/ST0001 match the person's user ID
  > 4.  How many position does this person hold in the PA record
  > 5.  Check if the new position have the correct roles for this person, it might actually have the MSS composite role you are trying to remove access from the user.
  Hi John, thanks for your response to this thread.
  We have not scheduled RHPROFL0 to run. Correct me if I'm wrong, isn't this is only needed when PD-profile is used? We are not assigning structural profile though PD-profile in PO13, we do it manuall instead in OOSB. Besides, I am not able to run that program anyway, because we have the CUA set to Global, and no indirect role asssignment is possible. We can only do the comparison via the HR-org assignment reconciliation in PFUD. Can this be the main reason somehow?
  I also found out that our PRGN_CUST has no entries in it: HR_ORG_ACTIVE is not on. <<--- Does this only need to be switch-on if our CUA is set Local? Do I need this?
  Then, my answers below to your questions:
  1. Do you mean the "pink-arrow-up" icon from the old position? Then the answer is yes.
  2. Then position itself it not delimited, only the user assignment is. In PPOSE, it shows that the person is assigned to this old position from 01.04.2007 until 31.01.2008. So I guess in that sense, it tells that the position is truly delimited.
  3. Yes
  4. In PA records I can see many records under different validity dates, but they are all records of the new position. The earliest record (the one at the end of the list) was a record attached to a default position and without any organization assignment. Then, in PA > List Organizational Assignment screen, there is a system message that says "Employee has more than one position". --> Does this refer to the non-listed old position? or default position + new position in PA record?
  5. No. The new position is just an ordinary employee without any indirect role assigment.
  We also tried to remove the MSS-composite role from the old position in PO13, but it doesn't make any difference to the user master record in SU01.
  For your reference as well, this is how our US_ACTGR looks like:
  40 > AG > A > 007 >  S
  50 > AG > A > 007 > US
  60 > AG > A > 007 > P
  70 > P > B > 208 > US
  110 > S > A > 008 > *
  Hope this information tells something.
  I appreciate your time and many thanks in advance for your help!

• Profile for a composite role

  Hello Experts,
  We are having a problem dealing with a composite role.
  Whenever we add the composite role to a user master; a profile appears for each of the single roles (which is normal) BUT we also get a profile for the composite role.
  We verified in the table AGR_1016  and found that there is a profile asocited to the composite role.
  We tried the clean-up option of the transaction PFUD which did not work in our case.
  We were thinking that may be the role was firstly created as a single role with its profile; and then it mayhave been changed to a composite role without deleteing its profile. Is it possible ?
  Any answer is most welcome!
  Thanks & Reagards

  > We were thinking that may be the role was firstly created as a single role with its profile; and then it mayhave been changed to a composite role without deleteing its profile. Is it possible ?
  Sounds to me as if there has been an import of a composite role overwriting a single role with the same name. The pfcg import facility has very few checks in them so something unwantend could have happened. I think it is not possible to change a role from single to composite with the PFCG or other tools. What does table AGR_PROF say about this role?
  I would suggest to copy the composite to a new name (without copying the singles) and see how that looks. If it is OK you can delete the corrupted role, check wether it is completely gone and copy the new role back to it's original name.

• Assign single role to composite role with alternate logsys assignments

  Dear gurus,
  In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
  Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
  But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
  Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
  Cheers,
  Julius

  Hi Martin and others,
  I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
  While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
  Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
  You also dont see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send aditional Idocs for these single roles with targets assigned to the roles and not the user.
  There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
  That is a bit of a bummer because it means that you also cannot ever test anything...
  Did anyone ever try to actually use this?
  Cheers,
  Julius

• What is the need of workflow tab in composite role.

  I have created one composite role. For that i have assigned two user defined roles. By clicking those roles it is showing one extra tab called workflow. Then what is the need of this workflow tab in a role and what it contains.

  Hello Kumar,
  Check these links for this
  http://help.sap.com/saphelp_nw04s/helpdata/en/07/5430fbdb39fb4d9abb56754e039d0d/content.htm
  http://help.sap.com/saphelp_nw04s/helpdata/en/ab/e70538389511d5974400a0c930dcc1/content.htm
  Award points if helpful,
  Regards,
  Raju.

• CUP 5.3, Risk test of all roles in a Composite Role - possible?

  We want to use a Function (Dummy) Role in CUP, that shall have Composite Roles connected in CUP.
  But when I do this - I only see the composite role when I make a SoD / Risk check in my cup WF.
  Can I somehow also check the single roles in the composite roles?
  Thank you
  Kristian

  Hi Kristen,
  It should definitely be possible to analyse the composite role via GRC.
  Either through simulation of the assignment of the additional single role into the composite or by the assignment of the composite role into the user's authorisations.
  The composite role itself will not have any authorisations but it should read through the single roles contained within it as it is those authorisations which end up with the user.
  Have you tried analysing the composite role directly in RAR to isolate it away form the CUP functionality as a unit test? If that works, you should then be able to prove that the risk analysis is indeed working. Then you can concentrate on the configuration of the workflow processes through CUP without being distracted from primary objective.
  Simon

• Adding transactions in a composite role menu

  Hello All,
  I want to add transactions in the menu for a composite role. but I do not see the option to add it. Please guide how would it be possible. Do I need to create single roles and merge the menus for them or can I create aa separate menu for the composite role?
  Thanks in advance.
  Regards,
  Anju

  Hi There,
  No first of all you cant add transactions to the menu of a composite role as a composite role is a collection of several single roles.
  What you can do is create a single role, make addition/ deletions of tcodes inside the single role which will automatically reflect in the menu tab of single role and then you can add this single role to the composite role.
  If you want to make changes to the tcodes from the menu tab you need to go to the single role and make changes which will reflect automatically, but thru composite role its not possible to make changes to the menu tab simply because the composite role takes all the tcodes from the single roles contained within it.
  Hope this answers your query
  Best ,
  Suchitra

• Single or composite role, which table to check ?

  Hello,
  I'm currently trying to find out in which AGR_* table is stored the flag that indicates whether a role is a composite or a single one.
  I try AGR_DEFINE but it seems that there is no flag to determine whether the role is single or composite. I can't look in AGR_AGRS because i'm trying to determine composite role without any single role associated and therefore there is no entry in AGR_AGRS.
  Do you have any idea ?
  Thank you very much for your help !
  Jerome.

  You can use the VIEW : V_AGR_COLL
  If you go to se11 and look at the join conditions for this view you can see that in orde to have a composite rol, you should look at agr_flags for these conditions
  AGR_FLAGS     FLAG_TYPE     EQ     'COLL_AGR'     
  AND
  AGR_FLAGS     FLAG_VALUE     EQ     'X'     
  <edit>
  i'm sorry, JC already said this, I missed that
  </edit>
  Message was edited by:
          Dries Horions