Regarding Roles & Policies

Similar Messages

• Query regarding approval policies for custom Role

  Hi ,
  1.In OIM 11g R2 . I have created a Role named SecurityAdmin. Assigned it to a user named User1.
  Logged in as User1 and searched for another user say User2
  2.Modified its Profile and when clicked on save .Request was created and went to approval process.
  Similar thing happened when i tried to disable the user and assign roles to User2.(Note : I am logged in as User1 not xelsysadm)
  Created two auto approval policies for assign roles and Modify user profile
  Query : Do i have to create approval policy for each process like Disable User, Enable user , etc ?
  Is there any generalized way that i make a policy on high level that if Role is Security admin Request goes to Auto Approval.
  Please help.
  Thanks in advance.

  >
  Query : Do i have to create approval policy for each process like Disable User, Enable user , etc ?You have to create approval policy for each of these request types.
  Is there any generalized way that i make a policy on high level that if Role is Security admin Request goes to Auto Approval.
  Please help.In approval policies you can select Auto Approval checkbox and write a rule Requester.Role Name Equals Security admin

• A question regarding authorisation policies in OIM 11g

  Hi,
  I went through the list of OOTB Authorization policies in OIM 11g, just to know what all permissions were given to the 'ALL USERS' role which will be assigned to any OIM user by default.
  Below two policies are of a bit confusion to me. It would be great if you can put some light and clarify the missing link.
  ::::::::Role Management Role Owner Policy::::::
  This has the permission to delete role, modify role and search role:
  This is applicable to all roles in the system.
  This is assigned to 'ALL USERS' role.
  So as per my understanding, any user who is a member of ALL USERS role, can delete, modify and search role.
  But I can see only search role functionality for the default user. (ie., any user who is a member of 'ALL USERS' role)
  A simple user was not able to delete any kind of role.
  Is my understanding incorrect... Where is the missing link???
  :::::::User Management All Users Policy:::::::
  Permission is view user detail.
  Applicable to All users and assigned to 'ALL USERS' role.
  So any user should be able to view any other user detail.
  But its not happening. A user was not able to view another user's detail
  Is my understanding in correct... Where is the missing link???
  Looking forward to hearing from you,
  Many thanks in advance
  Warm regards,
  818343

  Can u check if role is assignd to user.

• Please help me regarding role upload ?

  Hi All,
     installed CRM business package in portal. took CUA as user base. now assigning of users to roles is a concern for me.
  i.e. CRM 4.0 and BW 3.5 already comes with some predefined roles for portal, for ex : PCCCAMPAIGNMANAGER*
  I assigned an user X in CRM and BW system and I want the same user assignment to be used in portal. so I used "Role upload". i.e. I uploaded CRM user to role assignments to Portal, so I got that under migrated content --> sap component systems --> name of crm system --> under that my role (PCCCAMPAIGNMANAGER).
  Now I added the portal role com.sap.***.CampaignManager (portal specific) to this role by "Add role to role". so now when the user logs in, he will be able to see the worksets assigned.
  please note that we didnt do any user to role assignments in portal.
  so all the users assigned to this role in crm and doing manual "role upload" can login into portal and view the worksets. 
  portal role consists of iviews from both crm and bw. but now we just had the users assigned to role in crm mapped to role in portal, but what about bw iviews?
  i.e. what happens when i assign user x,y,z for this role in CRM and only users x,y in BW, so in portal x,y,z will be assigned to the respective role as we took only crm-portal user to role assignments. then the user Z will get an error obiviously for bw iviews, so how to ensure that CRM and BW roles are in sync with roles in portal.
  is there some concept of role mapping or something like that to solve my problem?
  sorry if my question is not clear, but hope that you can help me in this regard
  Thank you

  could some one please help me regarding this..
  I am in very urgent need..
  Thank you

• Regarding role of business analyst

  Apart from SAP implementation,,
  If  u consider software development services , How a SAP professional can do a job of business analyst??
  I mean to ask, what would be the job profile?
  I am SAP Business one fresher, Kindly guide me.
  Thanks in advance.

  Dear,
  Role of a business analyst is depends on your client what they want to fulfill through you. What reponsibilities to be fulfilled by you, what output expecting from an business analyst during SAP implementation purely depends on clients decision.
  In general, you can find many useful hints from web on role of a business analyst during SAP ERP implementaion. Please find below an extract information which I found and most commonly match with all clients.
  Check this link where explained about BA: http://www.businessgyan.com/content/role_busines
  Regards,
  Syed Hussain.

• Regarding role resolution using evaluation paths in workflow

  hi all,
  Could anybody guide me on the steps needed to configure role resolution using evaluation paths in workflow. IF u could provide me with a sample it would be great.
  Thanks in advance,
  steve

  Hi Steve,
  Why dont you check the Standard rule <b>168</b>. I am sure, that will give you some idea of Agent Determination. I mean, please refer the SWX_GET_MANGER function module.
  In this,you can see RH_STRUC_GET is the function module that determines the required Agent/related Org Object using the Evaluation path(see the parameter - ACT_WEGID), here they have used SAP_TAGT.
  I hope this helps.
  Regards,
  <i><b>Raja Sekhar</b></i>

• Regarding Role Authorisation and Obejcts

  Hello Experts,
  I have requirement from the basis team they want to know the object names for the particular transaction like MMBE and also they have request that they want to restrict to view the stock for plant 1000 for particular user, so they need the Object for Transaction and Object for the Plant to restrict how can I find it? Please it is urgent
  Can you give me list of T.Code to Check User Authorisatiosn and Obects for the Particular Transaction code.
  Regards,
  Sundu

  Hi Sunder,
  You can use PFCG tcode to check the object of particular transaction code.
  Execute PFCG and create temp role. Enter tcode in Menu and go to Authorization and click Change authorization profile and here you will get all the object related to that tcode.
  Hope this will help.
  -Pinkle

• Querry regarding Roles in SRM

  Hi Experts,
  Can anyone tell me the creation of roles in SRM.
  Currently we have role called Z_EBP_OPERA_PURCH_10000
  which means the spend limit of that role is 10000 euros. This way we have multiple roles for different spend limits.
  Now  I have to create a new role with spending limit of 30000 euros. In this case can I copy the existing role i.e from the above one and name it as Z_EBP_OPERA_PURCH_30000. will this is going to work?
  Or additionally do I have to do anything other settings in the system so that the new role works for 30000.
  2  .Also creation of any new role is Job of  whom  SRM Functional consultant or will it be a job of  Security and Administartion team.
  Because what I feel is SRM functional consultant can only assign the roles which are there available in the search list and new roles has to be created by a S&A  am I rt?
  Please suggest me on the above 2 queries
  Regards
  Sairam

  Hi Sai,
  1. The creation of the role should work, but don't forget to change the spending limit in the role.
  2. The depends on the internal functionning. this is different for every project. Your analyse is not wrong but you should ask this question to some project managers.
  Regards,
  Laurent.
  (Oops i think i answered too late for this one...)
  Edited by: laurent touillaud on Jul 24, 2008 4:57 PM

• Regarding roles

  Hi all,
  In system administration i am not able to find "System Configuration" in portal .
  Is it a portal role or r/3 role?
  thanks,
  rameshb.

  Hi Ramesh,
  It is not a R/3 Role.It is a Workset in the SystemAdministration Role..
  You can see this in ->
  Navigate to Content Admin -> Portal Content -> Portal Aministrators -> System Administrators
  Here you can find the System Admin Role
  Open this and Check for System Configuration work set...
  Check the entry point true for this work set.
  Regards,
  Raju Bonagiri.

• Regarding roles and worksets ??

  hi
  is it possible ??
  i  have made 2 roles nd 6 worksets ..in 1 role made the entry point no and made the entry point yes for there worksets....these are shown in tabs ...
        now i want to use the same worksets for a new role  but want to make the role entry point 'yes'..
    and doest not want to show the worksets shown in tab  for 2 nd role ..want that 2nd role will be shown in tabs

  Hi Arpit,
  If I understand you correctly you have a role with worksets inside the role which are entry points (meaning you see them in the 1st level in the TLN).
  Now you have a 2nd role which you want to see in the 1st level TLN, and want the
  2nd level TLN for this role to have the same worksets you used in the other (1st) role.
  In order to do that, just create delta links for the worksets, and add them to the 1st and to 2nd role.
  These will actually be the same worksets. when you make changes to the original worksets, you'll see the changes in both roles.
  Regards,
  Tal.

• Complete data regarding roles

  Hi All,
  I have one problem,actully I need the data of all roles which are in our system(say in development) to make new template.
  So I want that if I can run any report or from some table,I can get all the composite roles with single roles in them as well as all the transactions in that roles.
  Please tell me,is that possible to do that in single attempt, or if so,tell me the name of that table or report as soon as possible.

  Hi,
  Please check the below tables :
  Security Tables
  Table
  Description
  USR02
  Logon data
  USR04
  User master authorization (one row per user)
  UST04
  User profiles (multiple rows per user)
  USR10
  Authorisation profiles (i.e. &_SAP_ALL)
  UST10C
  Composit profiles (i.e. profile has sub profile)
  USR11
  Text for authorisation profiles
  USR12
  Authorisation values
  USR13
  Short text for authorisation
  USR40
  Tabl for illegal passwords
  USGRP
  User groups
  USGRPT
  Text table for USGRP
  USH02
  Change history for logon data
  USR01
  User Master (runtime data)
  USER_ADDR
  Address Data for users
  AGR_1016
  Name of the activity group profile
  AGR_1016B
  Name of the activity group profile
  AGR_1250
  Authorization data for the activity group
  AGR_1251
  Authorization data for the activity group
  AGR_1252
  Organizational elements for authorizations
  AGR_AGRS
  Roles in Composite Roles
  AGR_DEFINE
  Role definition
  AGR_HIER2
  Menu structure information - Customer vers
  AGR_HIERT
  Role menu texts
  AGR_OBJ
  Assignment of Menu Nodes to Role
  AGR_PROF
  Profile name for role
  AGR_TCDTXT
  Assignment of roles to Tcodes
  AGR_TEXTS
  File Structure for Hierarchical Menu - Cus
  AGR_TIME
  Time Stamp for Role: Including profile
  AGR_USERS
  Assignment of roles to users
  USOBT
  Relation transaction to authorization object (SAP)
  USOBT_C
  Relation Transaction to Auth. Object (Customer)
  USOBX
  Check table for table USOBT
  USOBXFLAGS
  Temporary table for storing USOBX/T* chang
  USOBX_C
  Check Table for Table USOBT_C
  Regards
  Sreedhar Reddy

• Regarding Role And Authorisation

  Hello Experts,
  I have got a request today from my help desk asking for , they are having some problem when they use some SD t.codes, they don't ahve authorization, so basis team is asking me to give the objects they can access and they are allowed to change or delete like this, for exp when they want o modify material  they want are not able to see for some pants.
  how can i achive this, how can i make sure the roles of two peopel are same i mean able to access same objects.? pls help urgent
  thanks
  Sundu

  hi,
  u can do this with the use of Tcode su53.
  when the user uses any tcode n he gets an message tht he is not authorised then u go to tcode su 53 immediately after tht transaction, then an Authorisation object appears in tht screen just give the same to ur basis person n tell him to give authorisation of that object to tht user id with the necessary permissions.
  Regds,
  Laxmikant

• Regarding role genration information

  I have  large no of roles in one particukar R/ 3 system .. i want to see whether the roles are properly generated or not .
  Is there any table where i can see is ther any open callings or not properly generated roles .

  Hello,
  Goto SUPC and generate all the roles, if some roles not generated then it will automatically generate all the roles.
  Thanks,
  Biksham

• VPD policies

  I have a couple of generic questions regarding VPD policies :-
  1. If a user has rights to select a record but does not have rights to UPDATE,then clicking SAVE button on my page shows the "record saved" message without saving anything,is there any way I can tell my users "Hey not saving cause you are not authorized !" ? I understand it behaves the same from sqlplus and returns "0 rows updated" but the users will got frustrated cause what they are trying to save is never getting saved and there is nothing which tells them that they do not have the required privileges
  2. what is the benefit of using application contexts ? I have based my VPD policies using an article that appeared in Oracle mag- http://www.oracle.com/technology/oramag/oracle/04-mar/o24tech_security.html. This article does not use sys_context.
  tks

  Scott
  I had a think about that and putting a condition on the SAVE button solves this problem but I need to have a streamlined solution, I guess I am moving away from my original question now :-)
  I am trying to design the security for our application and it needs to be defined at two different levels :-
  one which defines the access rights for roles in terms of what pages/tabs/regions a role can see, it would define if a role is allowed to see CREATE or DELETE or SAVE buttons on any page - this would be achieved by authorization schemes.
  And the second which would be controlled by VPD will define which role has S/I/U/D rights for which departments and organisation units.
  I realize both these access rules will need to work together and my security design has to consider both of them but what I am finding hard to work out is that I have an application having abt 35 pages and about 20 tables ; I cannot pass parameters to authorization schemes and if I were to attach security to every component then I will end up with heaps and heaps of authorization schemes. A typical page has 3 buttons and 2 regions - I don't want to have 5 authorization shemes for just this page.
  Do I need to have a repository(table) which records each and every component(button/region) for each and every page and do its ongoing maintenance ?
  Is there a way to call a generic security validation which toggles things here and there the moment user loggs in without having to call a authorization scheme for every component.
  thanks

• Rule Policies

  Hi
  This is regarding Rule policies in CRM2007.
  I have created a rule for distributing Leads based certain condition and I maintained corresponding action also. I am in the role Sales Pro.
  Now when I want to distribute rules using "Rule Based Distribution" method, I am not getting dropdown option to select my earlier created rule.
  Please suggest whether I need to configure more other than creating rule for leads and releasing it before using.
  Thanks in advance for your cooperation.
  Regards,
  Mohan

  Hi All,
  I got answer to my question.
  Its actually about assigning my rule Policy to Sevice Manager Profile created in 'rule based distribution' under Settings for Leads in IMG.
  Regards,
  Mohan