Regarding Authorizations and Roles
Hi All,
Can anyone explain Authorizations and Roles to me in detail?
regards,
Ali
Links for Learning about Authorizations:
http://help.sap.com/saphelp_nw70/helpdata/en/44/599b3c494d8e15e10000000a114084/frameset.htm
http://help.sap.com/saphelp_bw33/helpdata/en/be/076f3b6c980c3be10000000a11402f/content.htm
http://help.sap.com/bp_biv235/BI_EN/documentation/Authorization_BW_Proj.pdf
http://help.sap.com/saphelp_nw04/helpdata/en/e3/e60138fede083de10000009b38f8cf/frameset.htm
Links to learn about Roles:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
http://www.bwexpertonline.com/archive/Volume_04_(2006)/Issue_10_(Nov_and_Dec)/V4I10A2.cfm?session=
Assign points if helpful,
Venkat
Similar Messages
-
MSS (non-webdynpro) Authorizations and Roles
Do you know the MSS 60.1 business package authorizations and roles that are required for the backend R/3 system? I noticed an SAP note exists for the webdynpro version (#798967) but didn't see a note for the old package.
Umair,
I know this auth object is required for webdynpros in new business package but does it apply for old traditional java MSS package too?
Thanks, John -
Hi all!!
I'm creating an authorization object to restrict some key figures of an InfoCube.
I want to restrict only four or five key figures for one cube, and the user should see all the characteristics. Is it possible to do this?
I found this way, but it is not really what I want:
I created an authorization object that contains, for example, 0material and the key figure.
In transaction PFCG, in the role, I go to the authorization, include the object that I created, and put the value * for material and the key figure that I want to see.
But I want the user to see all the chars, not necessarily 0material, and to hide some key figures.
Thanks for the answer,
Greetings,
Monica
Hi!!
Thanks for the answer
When I do this and execute the query, I can see all the key figures (they are in the columns area), and for example I don't want to see one of them.
I'm not sure if I'm doing something wrong.
I followed these steps:
1. I created in RSSM an authorization object with only 1KYFNM.
2. In PFCG I added to the role the object that I had created and put in the values of ratio the ratios that I want to see.
3. I updated the roles for the user.
Then I executed the query and I see all the KF. I don't have any authorization variable in the query because I want it applied for all the chars.
Thanks again,
Mónica -
Authorizations and role maintainance
Please tell me how the authorizations in a role are maintained.
Thanks
Hi,
The T.code for role and authorization maintenance is PFCG.
1. Identify what kind of role and authorization needs to be given to the users;
you can divide the roles like PA, OM, TIME and Payroll.
2. There are 2 kinds of role: a) Single Role and b) Composite Role.
3. In the role, give a name and click on create single role.
Then you will find different tabs: 1) Description, 2) Menu, 3) Authorization and User.
You can define them according to the requirement, or you can copy from the standard role and assign to this.
Thanks
Sethu -
Check users authorizations and role
Hello!
How can I check the authorizations of Web Dynpro application users and also their roles?
Thanks
rgds
sas
Hi,
Please go through the following links:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/wd%20java/web%20dynpro%20security.pdf
https://help.sap.com/javadocs/index.html
use the method isMemberOfRole.
Regards
Ayyapparaj -
End User Authorizations and Roles
Hi,
What authorizations do I need to give to an end user who uses the device?
Is it necessary for the user ID to be the same in the MI Client, MI server and Backend systems?
Let me explain what an end user does:
>logs into MI client
>performs first synchronization
>Executes Mobile Application assigned
>and performs synchronization at the end of the day
rgds,
Kiran
Hi Kiran
Probably I wasn't clear in my reply. You need to assign both the above-mentioned authorizations to the same user who is performing a sync from the MI Client. S_ME_SYNC is required for the user to perform a sync from MI Client to MI server. S_RFC is required for the same user so that the data can be transferred from MI server to SAP backend and vice versa.
Hope I am clear now
Best Regards
Sivakumar -
BI 7.0 authorizations and roles
Hi,
Is it possible to use only the old authorization profiles, like in version 3.5, in BI 7.0?
I mean, I don't want to use the new authorizations that BI 7.0 has.
I want to use the old authorizations like in BI 3.5.
I just want to use PFCG.
I don't want to use transactions like rsecadmin, rsu01, RSA1, rsd1.
Is it possible?
Thanks a lot.
Hi,
SAP strongly recommends using the new Analysis Authorizations in SAP NetWeaver 7.0. The Authorizations will not be further developed (enhanced). Please check this link:
http://help.sap.com/saphelp_nw04s/helpdata/en/be/076f3b6c980c3be10000000a11402f/content.htm -SAP Service Marketplace /bifaq
You can use the Reporting Authorizations which are still the same in both.
S_RS_COMP and S_RS_COMP1 are the auth objects which controls the reporting parameters.
Authorizations to Work with a Query
http://help.sap.com/saphelp_nw04/helpdata/en/80/1a68b4e07211d2acb80000e829fbfe/content.htm
Example for Reporting Authorizations -
http://help.sap.com/saphelp_nw04/helpdata/en/41/05453caff4f703e10000000a114084/content.htm
Regards
CSM Reddy -
Need Help Regarding Users and Roles
Hi,
I have created a role with password authentication, and in that role there is only an object privilege (SELECT TABLE) and a system privilege (CREATE SESSION).
Now I created a user named abbasi, added the above role to it and made that role its default role.
Now when I connect as the above user from SQL*Plus, it connects.
I want to know, since there is password authentication, why the database server does not authenticate for the role password during the session.
Actually I want to know the real usage of a password-authenticated role.
Regards.
D.abbasi
See the following demo
SQL> conn aman/aman
Connected.
SQL> create user test identified by test;
User created.
SQL> create role test_role ;
Role created.
SQL> grant create session to test_role;
Grant succeeded.
SQL> create role dangerous identified by danger;
Role created.
SQL> grant drop any table to dangerous;
Grant succeeded.
SQL> grant dangerous, test_role to test;
Grant succeeded.
SQL> alter user test default role test_role;
User altered.
SQL> conn test/test
Connected.
SQL> select * from session_roles;
ROLE
TEST_ROLE
SQL> select * from session_privs;
PRIVILEGE
CREATE SESSION
SQL> set role dangerous;
set role dangerous
ERROR at line 1:
ORA-01979: missing or invalid password for role 'DANGEROUS'
SQL> set role dangerous identified by danger;
Role set.
SQL> select * from session_roles;
ROLE
DANGEROUS
SQL> select * from session_privs;
PRIVILEGE
DROP ANY TABLE
You should not make the roles having passwords the default roles. Let them be there, but not as the default roles. These roles can be enabled by the end user when he needs them. In my example, I have made a user TEST and two roles, TEST_ROLE and DANGEROUS. DANGEROUS is password protected and contains the privilege DROP ANY TABLE. I have made TEST_ROLE the default role for the user and it becomes active. But for DANGEROUS, I need to supply the password. If I don't, I get an error like I have shown in the example.
HTH
Aman.... -
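A way to check a database for the situation discussed in this thread, added here as an example and not part of the original posts: the queries list password-protected roles that are granted as default roles and the system privileges those roles guard. They use the Oracle dictionary views DBA_ROLES, DBA_ROLE_PRIVS and DBA_SYS_PRIVS, so the account running them is assumed to have read access to the DBA_* views; TEST and DANGEROUS in the last statement are the names from the demo above.

```sql
-- Added example: audit of password-protected roles (not from the original thread).
-- Assumption: the session can read the DBA_* dictionary views.

-- 1. Password-protected roles that some grantee holds as a DEFAULT role.
--    These are the grants the answer above advises against.
SELECT rp.grantee,
       rp.granted_role,
       rp.default_role,
       rp.admin_option
FROM   dba_role_privs rp
       JOIN dba_roles r
         ON r.role = rp.granted_role
WHERE  r.password_required = 'YES'
AND    rp.default_role     = 'YES'
ORDER  BY rp.grantee, rp.granted_role;

-- 2. System privileges that sit behind each password-protected role,
--    to judge how sensitive each finding from query 1 is.
SELECT r.role,
       sp.privilege,
       sp.admin_option
FROM   dba_roles r
       JOIN dba_sys_privs sp
         ON sp.grantee = r.role
WHERE  r.password_required = 'YES'
ORDER  BY r.role, sp.privilege;

-- 3. Correction for one finding, using the demo's names:
--    keep the role granted, but stop it from being a default role,
--    so it is only active after SET ROLE ... IDENTIFIED BY ...
ALTER USER test DEFAULT ROLE ALL EXCEPT dangerous;

-- 4. From the user's own session: confirm which roles are active.
SELECT role FROM session_roles;
```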
Regarding user and role batch input
Hi friends:
Our Portal project is at the final stage, and we are going to batch input roles and users. Could
you please tell me the professional way to do it? I searched on Google and SDN; it seems UME
is the solution. I am not sure about this; to be cautious, I have to put a thread here.
Could you please provide a solution and its detailed steps?
Thank you very much
Hi,
You can use the import feature in useradmin to create multiple users along with the roles.
Create an excel with the following headers
uid
last_name
country
role
and fill in with the values you need.
Open Microsoft Word and go to Tools --> Letters and mailings --> Mail merge.
Choose the following:
Letters --> Next --> Next --> Use an existing list --> Next --> Choose the Excel file you created --> Choose the sheet --> OK -->
Next (Write your letter) --> Type uid= --> then on the right-hand side click on 'More items' --> Database fields --> choose 'uid' --> Click on 'Insert' --> Click on 'Close'.
Do the same for last_name, country and role. It should look like this:
uid = «uid»
last_name=«last_name»
country=«country»
role=«role»
Click on 'Next' --> Click on 'Next' (Complete the merge) --> Click on 'Edit Individual letters' --> Choose 'All' --> One record will be created on one page. Delete the spaces and copy the text.
Go to http://:/useradmin
Log in and click on 'Import'.
Paste your text there. Click on 'Upload'.
Then you can create users.
Export one user to see how to maintain the data in the excel.
Hope this helps.
Best Wishes
Idhaya R -
Authorization or roles assign?
Hi All,
I have installed XI 3.0 on Windows Server 2003, but my users are getting this error and are not able to create a product. It says "You
are not authorized to view the requested resource 403 forbidden".
What authorizations and roles do I need to set for every user?
Regards,
Rohit
Error: HTTP 403 Forbidden
Description: The server understood the request, but is refusing to fulfill it
Possible Tips:
Path sap/xi/engine not active
HTTP 403 during cache refresh of the adapter framework - Refer SAP Note -751856
Because of Inactive Services in ICF Go to SICF transaction and activate the services. Refer SAP Note -517484
Error in RWB/Message Monitoring- because of J2EE roles Refer SAP Note -796726
Error in SOAP Adapter - "403 Forbidden" from the adapter's servlet. Because of the URL is incorrect or the adapter is not correctly deployed.
From
/people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
Regards,
Prateek -
ACS - ASA Authorization and Accounting
Hi
I have some questions regarding authorization and accounting on ASA via ACS server
When I enable the command "aaa authorization command " to control SSH users' commands, I get locked out on the console; then I have to configure the console, telnet and enable to be authenticated via TACACS too. Is there any way to authorize SSH via TACACS while keeping console and telnet authenticated locally or even with no authentication?
I issued the accounting command "aaa accounting command TAC" on the ASA, but I noticed that the ACS just logs commands in configuration mode "privilege 15", not any show command or privilege 1. Is there any way to fix this?
Does RADIUS support SHELL authorization?
Thanks for your support
1.] Unfortunately, there currently isn't any way to exclude command authorization from the serial/ console or ssh users while having it apply to other access methods in case of ASA. Once you issue this command, it would be applicable for ALL methods like ssh,telnet,enable,http and console. This can be easily achieved in IOS (routers and switches) by creating a method list.
2.] When you configure the aaa accounting command command, each command other than show commands entered by an administrator is recorded and sent to the accounting server or servers. This is a default behaviour on ASA. IOS does send/record all show commands on ACS/Tacacs.
http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a1.html
Regards,
Jatin
Do rate helpful posts- -
Authorization Object And Roles For Functional Consultant
Dear Expert,
What kind of respective Authorization Object And Roles would be provided to Functional Consultant (FI,MM, SD, PM, PS, CO, HR )at the time of implementation ?
Thanx in advance
Pavel
Thanks Juan,
We now already have it here and in the NW IDM forum a few times as well...
Cheers,
Julius -
Regarding Prepayments,Authorization and capture of funds
Hi..
I have questions regarding the authorization and capture of funds in 11.5.10.2 when the Prepayment concept is used. I have read in OM manual that the authorization and capture happens in AR while creating a receipt.So how can I know that they happen immediately one after other in AR ??? i mean can I look into any columns of particular tables gets populated when authorization happens and some particular field is populated when capturing happens???
Mainly when prepayments are used does the authorization and capture happen in AR only one after other immediately?????
Can some one please help me....
Thanks...
Hi,
When you create the batch-input session, you could set a user name with the right authorization.
You could ask anybody to call your batch-input in SM35; the authorization of the transaction inside your batch is checked with the user name set in the batch.
So how did you create your batch-input session ??
Fred -
Background job fails for BDC profile creation and role assignment
Hi Experts,
I have created a BDC function module for Tcode 'PFCG' for profile creation and role assignment, and called this FM in my zprogram. The problem is that when I run this program in the foreground it executes successfully, but if I schedule it in the background it fails, throwing an error in the job log: 'Role 'Z...' does not contain any active authorizations'. But I have created one more program to create authorization objects, which runs before this zprogram. I have also checked the authorization object in 'RSECADMIN'; it shows as active. I don't understand what exactly is happening when it runs in the background.
Below is the process of job
1. ZMIS_AUTH_OBJECT_CREATE
Variant : auth-create
2. ZMIS_AUTH_ASSIGN_TO_ROLE
Variant : auth-assign
The problem is in second program, runs in foreground but fails in background.
Code which i have written in my second program
***BDC for Profile creation and assignment to Roles
CALL FUNCTION 'ZROLE'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
agr_name_neu_001 = wa_role-role_name
text_002 = wa_role-desc
text_003 = wa_role-desc
text_004 = wa_role-desc
value_01_005 = 'T-ML330881'
h_fval_low_01_006 = wa_role-auth
profn_007 = lv_profile
ptext_008 = lv_text1
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message.
***Generation of Profile created
CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
EXPORTING
activity_group = wa_role-role_name
* PROFILE_NAME =
* PROFILE_TEXT =
no_dialog = ' '
rebuild_auth_data = ''
org_levels_with_star = ' '
fill_empty_fields_with_star = 'X'
template = ' '
check_profgen_tables = 'X'
generate_profile = 'X'
authority_check_pfcg = 'X'
EXCEPTIONS
activity_group_does_not_exist = 1
activity_group_enqueued = 2
profile_name_exists = 3
profile_not_in_namespace = 4
no_auth_for_prof_creation = 5
no_auth_for_role_change = 6
no_auth_for_auth_maint = 7
no_auth_for_gen = 8
no_auths = 9
open_auths = 10
too_many_auths = 11
profgen_tables_not_updated = 12
error_when_generating_profile = 13
OTHERS = 14 .
Experts, please help me out; it's very urgent. Your help is appreciated and will be rewarded. Thanking you in advance.
Regards,
Chetan
Hi Praveen,
Yeah, definitely. My requirement is that I have to give access to some BI reports to certain users, so contract data will be downloaded from ECC onto the application server; I need to read that file from the application server, and for each contract I should create an authorization object, create a role, assign the role to the user, and generate and activate the profile.
To achieve this i have written two programs
1) ZMIS_AUTH_OBJECT_CREATE- This program will create the Authorization Object using BDC and Role creation Using the BAPI
"" Creation of Authorization Object
CALL FUNCTION 'ZAUTHOBJ'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
g_authname_001 = 'ZDUMMY_MIS'
g_targetauth_002 = wa_tab-auth
g_authtxt_003 = wa_tab-short_desc
g_authtxtmd_004 = wa_tab-med_desc
marked_04_005 = 'X'
g_authtxt_006 = wa_tab-short_desc
g_authtxtmd_007 = wa_tab-med_desc
tctiobjnm_04_008 = 'ZBUS_UNIT'
g_authtxt_009 = wa_tab-short_desc
g_authtxtmd_010 = wa_tab-med_desc
marked_05_011 = ''
opt_01_012 = 'EQ'
low_01_013 = wa_tab-bu
g_authtxt_014 = wa_tab-short_desc
g_authtxtmd_015 = wa_tab-med_desc
marked_04_016 = 'X'
g_authtxt_017 = wa_tab-short_desc
g_authtxtmd_018 = wa_tab-med_desc
tctiobjnm_04_019 = 'ZCONTRCT'
g_authtxt_020 = wa_tab-short_desc
g_authtxtmd_021 = wa_tab-med_desc
marked_05_022 = ''
opt_01_023 = 'EQ'
low_01_024 = lv_contract
g_authtxt_025 = wa_tab-short_desc
g_authtxtmd_026 = wa_tab-med_desc
g_authtxt_027 = wa_tab-short_desc
g_authtxtmd_028 = wa_tab-med_desc
g_authname_029 = wa_tab-auth
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message.
"" Creation of role
LOOP AT it_role INTO wa_role.
CLEAR wa_text.
wa_text-text = wa_role-desc.
wa_text-langu = 'E'.
APPEND wa_text TO it_text.
wa_jobrole-agr_name = wa_role-role_name.
wa_parentrole-agr_name = 'ZM_CT_DUMMY_MIS'.
wa_method-usmethod = 'CHANGE'.
CALL FUNCTION 'ZBAPI_JOBROLE_CLONE'
EXPORTING
jobrole = wa_jobrole
parent = wa_parentrole
method = wa_method
TABLES
* RETURN =
shorttext = it_text.
* LONGTEXT =
* MENU_NODES =
* MENU_TEXTS =
ENDLOOP.
2) ZMIS_AUTH_ASSIGN_TO_ROLE - This program will generate the profile created assign it to the role.
""*BDC for Profile creation and assignment to Roles
CALL FUNCTION 'ZROLE'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
agr_name_neu_001 = wa_role-role_name
text_002 = wa_role-desc
text_003 = wa_role-desc
text_004 = wa_role-desc
value_01_005 = 'T-ML330881'
h_fval_low_01_006 = wa_role-auth
profn_007 = lv_profile
ptext_008 = lv_text1
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message .
COMMIT WORK AND WAIT.
""*Generation of Profile created
LOOP AT it_role INTO wa_role.
CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
EXPORTING
activity_group = wa_role-role_name
* PROFILE_NAME =
* PROFILE_TEXT =
no_dialog = ' '
rebuild_auth_data = ''
org_levels_with_star = ' '
fill_empty_fields_with_star = 'X'
template = ' '
check_profgen_tables = 'X'
generate_profile = 'X'
authority_check_pfcg = 'X'
EXCEPTIONS
activity_group_does_not_exist = 1
activity_group_enqueued = 2
profile_name_exists = 3
profile_not_in_namespace = 4
no_auth_for_prof_creation = 5
no_auth_for_role_change = 6
no_auth_for_auth_maint = 7
no_auth_for_gen = 8
no_auths = 9
open_auths = 10
too_many_auths = 11
profgen_tables_not_updated = 12
error_when_generating_profile = 13
OTHERS = 14.
IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ENDIF.
ENDLOOP.
For creating authorization objects, roles and profiles, I have created one dummy auth, dummy role and dummy profile respectively.
I have created the dummy objects to copy the roles from the dummy object and assign the same to the new auth obj, role and profile.
Let me know what needs to be done, because both these programs run perfectly in the foreground but fail in the background.
Regards,
Chetan -
BAPI to get all user lists for input object,authorizations, and profiles
Hi Experts,
Is there a BAPI to get all user lists for input specific object, authorizations, profiles and values?
Any useful answer will be rewarded with suitable points.
Thanks,
Rohan
Hi
Use the function modules/BAPIs:
BAPI_USER_GET_DETAIL
BAPI_USER_LOCPROFILES_ASSIGN
BAPI_USER_LOCPROFILES_DELETE
BAPI_USER_LOCPROFILES_READ
BAPI_USER_PROFILES_ASSIGN
BAPI_USER_PROFILES_DELETE
SUSR_BAPI_USER_PROFILES_ASSIGN
SUSR_BAPI_USER_PROFILES_DELETE
also you can use the tables UST12 for user based authorizations
AGR_USERS -roles assignment for users
AGR_PROF - Profile data for roles
AGR_DEFINE - Auth Profiles for users
See the AGR_* and US* tables further
Reward points if useful
Regards
Anji
Message was edited by:
Anji Reddy Vangala