Restrict creation of BP based on PFCG role

Similar Messages

• Restrict BP search result based on BP role

  Hi experts,
  Is it possible to restrict BP search result list based on the BP role i.e. users should not be able to see BP's with prospect role in the search result list.
  I am able to control create,change,display using auth.objects CRM_BPROLE / B_BUPA_RLT but unable to restrict the search list. Any hints would be really helpful.
  Regards.

  Hi Anup,
  Thanks for the reply. For the time being we are using authorization groups instead as a workaround solution. Haven't tried the BADI though. Thanks again.
  Regards.

• Configuring Accounts Screen Based on BP Roles

  Hi Experts ,
  We have a requirement where we would like to configure the screen based on BP Roles .
  That is ,
                  If we have BP Role as "Prospect " we should be able to display only few fields .
  For other BP roles we should have different screens .
  Can any one let us know how do we approach this ?
  Regards
  VB

  Hi,
         I think that you know how to maintain different configs based on pfcg role, component usage, ui object and sub-object. If that method cannot help you, create dummy ui object types in configuration(SPRO). Next, create different configs using the config tool based on the UI objects. Note: You can also use existing UI objects, with some thought. Next, in the controller class of the view, redefine the method "DO_CONFIG_DETERMINATION" if required and depending on bp role, load different configurations.
  Look at this thread to see how to use this method to load configurations.
  [Changing Screen configuration based on field.;
  Regards,
  Arun Prakash

• Restricting values of a dropdown based on user roles

  Hi,
  Is it possible to restrict the values of a custom metadata dropdown based on the user roles (assuming only 1 role is assigned to each user)? Say, based on the role assigned to a user, he/she should see only 3-4 values out of 10 values in a dropdown on the checkin page. Please suggest.
  Thanks.

  You can get pretty close out of the box using some configuration manager applet voodoo
  1)First off create a Table that will contain the options for your list. Create the columns e.g. label and id and then also create a column called dSecurityGroup
  2)Add a view based on the table you just created, choose the Security tab and select "Use standard document security"
  3)Add some values to your view - make sure that you populate the dSecurityGroup column with real values of security groups
  4)Once it is all published, have a look at the checkin and search screens. You should find that UCM will evaluate the options in the same way it would documents - based on the dSecurityGroup value you applied to the row - e.g. you will see an option on the search screen if you have at least R permissions, you will see an option on a checkin screen if you have at least RW permission
  Try it out :-)

• How to Restrict Search based on the Roles for External crawled sites

  I have a situation where the search results have to be restricted based on role
  When External sites are crawled, how can we restrict the search results based on roles,
  I know that we can restrict the search to a group or set of groups that can contain many users but if the group have different roles and if that group has given access to a web repository search, how can we restrict the document/search access based on roles for the same group?
  For Example an Index that has external site as data source and the permissions were set for a group and that group has 2 roles, lets say <b>"Admin" and "user"</b> and the external site have some documents when searched the documents should come up only for the "Admin" role during search, but should not come up for the "user" role
  Is it possible to achieve this? Is there a solution?
  Any advices are greatly appreciated and awarded
  Thanks,
  kk

  Is it possible to restrict on role based?
  Any suggestions are appreciated
  Thanks
  KK

• Disable the buttons for creation using PFCG roles

  Hi SAP Experts,
     How to disable the buttons for creation using PFCG roles?
  Regards,
  Jaya

  Hi,
  u have to write the code in <b>at selection-screen output</b> event
  AT SELECTION-SCREEN OUTPUT.
    LOOP AT SCREEN.
      IF  <b>P_PRINT</b> = 'X'.  " this is radiobutton
        IF screen-name = 'P_RANGE'.
          SCREEN-INPUT = 0.
        ENDIF.
        modify screen.
      ELSE.
        IF screen-name = 'S_LFDAT-LOW'.
          SCREEN-INPUT = 0.
        ENDIF.
        IF screen-name = 'S_LFDAT-HIGH'.
          SCREEN-INPUT = 0.
        ENDIF.
        IF screen-name = 'S_WERKS-LOW'.
          SCREEN-INPUT = 0.
        ENDIF.
        IF screen-name = 'S_WERKS-HIGH'.
          SCREEN-INPUT = 0.
        ENDIF.
        IF screen-name = 'P_LIFNR'.
          SCREEN-INPUT = 0.
        ENDIF.
        IF screen-name = 'S_BUKRS'.
          SCREEN-INPUT = 0.
        ENDIF.
        modify screen.
      ENDIF.
    ENDLOOP.
  Hope it helps.
  Regards,
  Sonika

• Custom plugin based on user role membership

  Hi all,
  I would like to develope a custom plugin that generates account userid (on process form) with different syntax against role membership.
  With "syntax" I mean name.surname.random_number for employee users and surname.company.random_number for example.
  I'll try to explain the scenario more in details:
  1. I create a user identity through a request
  2. After user identity has created successfully, I assign a role to the user. Since roles are associated with access policies, role assignment triggers provisioning on target system.
  3. The custom plugin that I would like to develope shuold be able to generate proper userid against role membership. For example if I assigned the role "Project Manager" the custom plugin should generate the account userid with name.surname.random_number format; viceversa if I assigned the role "External Reseller" the custom plugin should generate the account userid with surname.company.random_number format.
  Looking for custom plugin based on role membership in forum, I found a couple of threads about this subject:
  - Email notifications after role grant
  - Re: OIM 11g Role Membership Event Handlers.
  I tried to implement what explained in the threads, but I would be sure about what I've done.
  Here what I've done:
  1. created plugin.xml file
  2. created EventHandler.xml metadata file
  3. developed a java calss for testing pourpose
  4. copied the custom plugin class to OIM server for example in $MIDDLEWARE_HOME/OIMPlugins/lib
  NOTE: during this operation I have exactly mantained the same directory structure of custom java package.
  For example custom plugin class is under my.custom.plugin java package and I have copied custom java class under $MIDDLEWARE_HOME/OIMPlugins/lib/my/custom/plugin folder
  5. created a zip file containing custom plugin class (always with its directory structure) and plugin.xml file
  6. copied the zip file to $OIM_HOME/server/plugins
  7. edited ant.properties file (under $OIM_HOME/server/plugin_utility) setting wls.home and oim.home variables
  8. built the wlfullclient.jar (only the first time)
  9. registered the custom plugin
  10. created the custom plugin dataset file
  11. imported it in OIM database using "weblogicImportMetadata" utility
  12. purged cache using "PurgeCache" utility
  NOTE: all the steps above was executed using the system user running OIM process
  test java class
  package com.zeropiu.sky.custom.eventhandlers;
  import java.io.Serializable;
  import java.util.HashMap;
  import com.thortech.util.logging.Logger;
  import oracle.iam.platform.kernel.spi.ConditionalEventHandler;
  import oracle.iam.platform.kernel.spi.PostProcessHandler;
  import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
  import oracle.iam.platform.kernel.vo.BulkEventResult;
  import oracle.iam.platform.kernel.vo.BulkOrchestration;
  import oracle.iam.platform.kernel.vo.EventResult;
  import oracle.iam.platform.kernel.vo.Orchestration;
  import oracle.iam.platform.context.ContextManager;
  import java.util.Set;
  public class TestUserAnonimi implements PostProcessHandler, ConditionalEventHandler {
       private static final Logger logger = Logger.getLogger("com.zeropiu.sky.custom.eventhandlers");
  private static final String className = "TestUserAnonimi";
       @Override
       public void initialize(HashMap<String, String> arg0) {
            // TODO Auto-generated method stub
            String methodName = "initialize";
            System.out.println("###### " + className + " - " + methodName);
       @Override
       public boolean isApplicable(AbstractGenericOrchestration abstractGenericOrchestration) {
            // TODO Auto-generated method stub
            String methodName = "isApplicable";
  System.out.println("###### " + className + " - " + methodName + " - STARTED");
  System.out.println("###### " + className + " - " + methodName + " - ContextManager.getContextType(): " + ContextManager.getContextType());
  System.out.println("###### " + className + " - " + methodName + " - ContextManager.getContextSubType(): " + ContextManager.getContextSubType());
  System.out.println("###### " + className + " - " + methodName + " - abstractGenericOrchestration.getOperation(): " + abstractGenericOrchestration.getOperation());
  System.out.println("###### " + className + " - " + methodName + " - Printing ContextManager parameters");
  HashMap allContextManagerPairs = ContextManager.getAllValuesFromCurrentContext();
  Set<String> allContextManagerParams = allContextManagerPairs.keySet();
  String[] parameters = allContextManagerParams.toArray(new String[allContextManagerParams.size()]);
  for (int i = 0; i < parameters.length; i++) {
            System.out.println("###### " + className + " - " + methodName + " - Context parameter " + i + ": " + parameters[i] + " - Object type is: " + Utils.getObjectType(ContextManager.getValue(parameters)));
  System.out.println("###### " + className + " - " + methodName + " - ENDED");
  return true;
       @Override
       public boolean cancel(long arg0, long arg1,     AbstractGenericOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "cancel";
            System.out.println("###### " + className + " - " + methodName);
            return false;
       @Override
       public void compensate(long arg0, long arg1, AbstractGenericOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "compensate";
            System.out.println("###### " + className + " - " + methodName);
       @Override
       public EventResult execute(long arg0, long arg1, Orchestration orchestration) {
            // TODO Auto-generated method stub
            String methodName = "Eventresult execute";
            System.out.println("###### " + className + " - " + methodName);
            return null;
       @Override
       public BulkEventResult execute(long arg0, long arg1, BulkOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "BulkEventResult execute";
            System.out.println("###### " + className + " - " + methodName);
            return null;
  plugin.xml file
  <?xml version="1.0" encoding="UTF-8"?>
  <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
  <plugin pluginclass="com.zeropiu.sky.custom.eventhandlers.TestUserAnonimi" version="1.0" name="TestUserAnonimi">
  </plugin>
  </plugins>
  </oimplugins>
  EventHandler.xml metadata file
  <?xml version='1.0' encoding='UTF-8'?>
  <eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
  <action-handler class="com.zeropiu.sky.custom.eventhandlers.TestUserAnonimi" entity-type="RoleUser" operation="CREATE" name="TestUserAnonimi" stage="preprocess" order="1007" sync="FALSE" />
  </eventhandlers>When I assign a role to a user through OIM web interface, I can see in OIM log file all System.out.println contained in initialize(), isApplicable() and BulkEventResult execute() methods. Is it correct? Can I implement my custom plugin logic now, or my starting point is wrong?
  ###### TestUserAnonimi - initialize
  ###### TestUserAnonimi - isApplicable - STARTED
  ###### TestUserAnonimi - isApplicable - ContextManager.getContextType(): ADMIN
  ###### TestUserAnonimi - isApplicable - ContextManager.getContextSubType():
  ###### TestUserAnonimi - isApplicable - abstractGenericOrchestration.getOperation(): CREATE
  ###### TestUserAnonimi - isApplicable - Printing ContextManager parameters
  ###### TestUserAnonimi - isApplicable - Context parameter 0: origuser - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 1: oimuser - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 2: RESOLVED_LOCALE - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 3: counter - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 4: TIME_ZONE - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 5: ipaddress - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - ENDED
  ##### TestUserAnonimi - BulkEventResult execute
  Thanks,
  Daniele
  Edited by: 886636 on Jan 24, 2012 2:53 AM
  Edited by: 886636 on Jan 24, 2012 2:53 AM

  Probably I don't explain myself clearly....sorry for that!
  Anyway you are right, the role of the user can change after the user is initially provisioned.
  I'll try to summarize to be sure to have understood your answer and to explain my scenario more in details:
  1. After user identity creation, I'll assign the role "Project Manager". Before role assignment the user has not any role. So using a pre-populate adapter I can retrieve the assigned role and compose the right userid.
  2. After step 1, I need to assign another role to the user, the new role should be "External Reseller" for example. In this case the user has a role already. What I would is: basing on the role that I'm assigning (External Reseller), the pre-populate should compose the right userid. Obviously this second userid will be different from the first one and this means a new account will be created for the user. At the moment I don't care to deprovisioning the first userid.
  Is it possible with pre-populate adapter?
  Sorry again for my not very clear explanations.
  Daniele
  Edited by: 886636 on Jan 24, 2012 4:10 AM

• How identify closed accounting period to restrict creation of billing document in sap

  Hi Experts,
  I have a requirement to identify the  closed  periods in sap based on this we need to restrict the creation of billing document .
  Actually we are working for  Brazil  client, there we have notafiscal   which created along with billing document.we are maintaining  periods monthly basis.
  When the periods are closed  accounting document not created and billing document is created  this is working fine . But over scenario along with billing document notafiscal number is also created which  is causing the problem. This notafiscal should not be created without a accounting  document.
  so my client wants to restrict creation of billing document also when these monthly periods are closed.
  Please suggest me a solution.
  Regards
  Ravi

  Helllo Ravinder,
  To check if a period is closed using the FM FI_PERIOD_CHECK.
  First calculate the period of the FI document date.
  DATA: GJAHR LIKE BKPF-GJAHR,
         MONAT LIKE BKPF-MONAT,
         POPER LIKE T009B-POPER.
  CALL FUNCTION 'FI_PERIOD_DETERMINE'
         EXPORTING
              I_BUDAT        = I_BUDAT
              I_BUKRS        = I_BUKRS
  *          I_PERIV        = ' '
  *          I_GJAHR        = 0000
  *          I_MONAT        = 00
  *          X_XMO16        = ' '
         IMPORTING
              E_GJAHR        = GJAHR
              E_MONAT        = MONAT
  *          e_poper        = poper
         EXCEPTIONS
              FISCAL_YEAR    = 1
              PERIOD         = 2
              PERIOD_VERSION = 3
              POSTING_PERIOD = 4
              SPECIAL_PERIOD = 5
              VERSION        = 6
              POSTING_DATE   = 7
              OTHERS         = 8.
  IF SY-SUBRC = 0.
  MOVE MONAT TO POPER.
          CALL FUNCTION 'FI_PERIOD_CHECK'
               EXPORTING
                    I_BUKRS          =  I_BUKRS
  *                I_OPVAR          = ' '
                    I_GJAHR          =  I_GJAHR
                    I_KOART          = '+'
  *                i_konto          =
                    I_MONAT          = POPER
               EXCEPTIONS
                    ERROR_PERIOD     = 1
                    ERROR_PERIOD_ACC = 2
                    OTHERS           = 3.
  ENDIF.
  Tutorial ABAP How to check that posting date belongs to closed period - ABAP Development - SCN Wiki
  I hope you help.

• Business Role - Link to PFCG role

  Dear all,
  When I create a new business role in CRM there is a field called PFCG role ID in which you must provide a PFCG role.
  What is the functionality of this PFCG role in relation to the Business Role?
  When I look into standard SAP business roles and their associated standard SAP PFCG role I see a lot of "external services"/views. Is it possible to create such a role from scratch myself.
  Is there some documentation available that explain this relationship between the PFCG role and the business role.
  Thank you in advance,

  Dear Ivan,
  To start with Business Partner Roles and PFCG roles are different. Though you have an integration that one business partner cannot view the data of other business partner because of the roles that are being maintained in PFCG.
  Lets say you have two customers (BP Role Customer). One customer cannot view the data of other customer because of the role that is being assigned to his user id in SU01. You create the roles in PFCG.
  CRM Business Partner Roles:
  http://help.sap.com/saphelp_glossary/en/dc/926ecf5e1cd511bcbe0800060d9c68/content.htm
  Rights and responsibilities that a business partner can have in various business transactions.
  The assignment of a BP view determines the relevant data sets, so that only a particular part of the BP master data is displayed, depending on the business transaction in question.
  http://www.crmexpertonline.com/archive/Volume_03_(2007)/Issue_04_(May)/v3i4a4.cfm?session=
  Each business partner role contains a predefined set of functions based on the business partner’s relationship to your company. For example, you could have business partner roles such as employee or vendor. The business partner roles determine the fields you have available in the SAP CRM system for the business partner. Business partner role categories sort business partner roles into groups, such as person or company.
  PFCG Roles:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm
  The SAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP System, after he or she has logged on to the system and authenticated himself or herself.
  To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.
  Hope this will help.
  Regards,
  Naveen.

• Can anyone help me understanding the links between Launchpad roles, PFCG roles, and portal roles!?!

  Hi experts,
  I am looking at the newer EhP5 and EhP6 functionality for ESS and MSS, specifically the WD ABAP portal applications.  I've turned on all the business functions and services I think our team wants, however I'm confused on how to move forward in using them.  For a little tech info, we are on EhP6 for the backend, but our portal is 7.02.
  My first step was to assign the com.sap.pct.erp.ess.wda.Employee_Self_Service_WDA portal role to our test ESS user group in our sandbox environment.  The ESS user got a new ESS tab in the portal and it's linked to the Launchpad role ESS, Instance MENU.  I'm comfortable with ESS at this point, still need to learn more about customizing the menu for different employee groups without creating additional Launchpad or SAP roles.
  Question 1: Correct me if I'm wrong, but is the Launchpad roll ESS, instance menu linked to the PFCG role SAP_EMPLOYEE_ESS_WDA_2?
  Next, I was looking to see if there was a similar portal role for MSS, but it seems I can't find one.  I implemented the MSS Addon 1.0 for ABAP and the portal and got a new MSS portal addon role, but it doesn't seem to be connected to any MSS Launchpad role.
  Question 2: Is there a portal role to assign to users/groups that is linked to one of the MSS Launchpad roles? If yes, what business function or service is it a part of?
  I'd like to use of the existing MSS Launchpad role to test some of the new portal functionality, but I'm not sure how to do it.
  Question 3: How is a Launchpad role assigned to a SAP role in PFCG?  Anyone have some documentation they can point me too?
  Kind regards,
  Garrett Meredith

  Thank you Samuli, this was very helpful in connecting many of the pieces.
  For now I have a very good understanding of how the new ESS is controlled and modified.
  It appears that FPM_LAUNCHPAD_UIBB could be used to develop a similar component to call a custom launchpad role for MSS containing a customized list of WDA applications.
  Is a MSS Launchpad a good way to pursue since we use a SAP enterprise portal?
  I found a PAOC_MSS package containing other MSS embedded packages.
  Could I use one of the embedded packages in there and by creating a Component configuration in the FPM_LAUNCHPAD_UIBB for one of the MSS WD applications?
  Based on the documentation link above, PFCG roles are for NWBC HTML or Desktop versions.
  Kind regards,
  Garrett

• Cannot modify an authorization object in pfcg role for a business role

  Hi Experts,
  I have created two z pfcg roles from the standard business role CRM_UIU_SRV_PROFESSIONAL  lets say by names zagent and zmanager. My requirement is actually to map these two pfcg roles two a service professional agent and service professional manager custom business roles respectively( I have created these custome business roles from standard business role servicepro) . I have identified an authorization object by name CRM_CO_SE which is basically used to check whether the user is authorized to create service contract transactions. So, in the agent pfcg role, I need to de activate or deselect this particular authorization object so that the agent will not be able to create service contract. (This is not a real time requirement, but an internal assignment). When I change this object in the pfcg by deselecting 'Allow' check box and try to generate, it is not getting generated. I have selected all the options from the 'Expert mode for the profile generation' and still the traffic indicator for that authorization object is yellow.  Am I doing anything wrong?
  Please help me.
  Thanks
  Ajith C

  Hi Leon,
  Thanks for helping me, I have restricted the unauthorized user from creating a new order by disabling the 'New' button by checking the business role in  the code. The pfcg configuration, I am skipping it for now.  I have one mnore requirement. When one clicks on any items in the search result for the Service Contracts, it opens the details of that service contract with an 'edit' button. I can disable this button using do_output_preparation method for the some business roles. However, I want to disable this after checking a condition. The condition is that, edit button should be active, only if that service order was created by the employee who has currently logged on. I am relatively new to CRM and I could not figure how I can check it during run time. Could any one please help me with this?
  Thanks,
  Ajith

• Navigating to another component based on business role

  Hello Experts,
  I have a hyperlink created for Lead No to navigate to Lead Overview page from my Z component.
  How do I restrict this navigation based on business role?
  Thanks in advance,
  Regards,
  Surekha.

  Hi Surekha,
  You can get the Business Role of the logged in user using the code in this thread.
  Re: Business Role of logged in user
  Now in the event handler or outbound plug being used for the navigation, determine the business role.Based on this, write an exit statement to restrict navigation. You can give a message to notify the user.
  Regards,
  Masood Imrani S.

• Each purchaser must maintain his PFCG role?

  hi expert
    we use SRM 7.0.
    our organazion strcture include 30 company code , and each of the companies has its purchasing org. There are 4 or 5 purchasing group for one purchasing org.
    If there is not org. level. restriction in PFCG role, the purchaser can edit all companies'  RFx, PO, Contract. It is unreasonable.
    1 must I create  PFCG role with Org . Level for every purchaser?
    2 we need a user who can check all the SC , how to accomplish it?
    regards
      claud

  1 must I create PFCG role with Org . Level for every purchaser?
  Create one role per purchasing org with specific "Responsible Purchasing Organization" (BBP_PURORG) field value. Then assign the users to the role corresponding to his/her purchasing org.
  2 we need a user who can check all the SC , how to accomplish it?
  User who is assigned the role of SRM Administrator should be able to monitor all shopping carts through portal: "SRM Administration" >> "Application Monitor" >> "Shopping Cart Monitor".

• Date-based group or role membership

  Hello,
  For a particular application, using Sun ONE DS 5.2, I'd like to be able to define start and end dates for a users membership of a group or a role. I realise I can do this by using an external program to examine start and end date attributes for a user and then adjusting an attribute that either makes them a member of a dynamic group or a role.
  But is there any way to do it entirely within the Directory Server itself by clever group/role/CoS definitions and comparison of date attributes ?
  Any thoughts / hints / suggestions would be greatly appreciated.

  Probably I don't explain myself clearly....sorry for that!
  Anyway you are right, the role of the user can change after the user is initially provisioned.
  I'll try to summarize to be sure to have understood your answer and to explain my scenario more in details:
  1. After user identity creation, I'll assign the role "Project Manager". Before role assignment the user has not any role. So using a pre-populate adapter I can retrieve the assigned role and compose the right userid.
  2. After step 1, I need to assign another role to the user, the new role should be "External Reseller" for example. In this case the user has a role already. What I would is: basing on the role that I'm assigning (External Reseller), the pre-populate should compose the right userid. Obviously this second userid will be different from the first one and this means a new account will be created for the user. At the moment I don't care to deprovisioning the first userid.
  Is it possible with pre-populate adapter?
  Sorry again for my not very clear explanations.
  Daniele
  Edited by: 886636 on Jan 24, 2012 4:10 AM

• PFCG Roles in Favorite menu

  Hi,
  I just learned how to create PFCG roles in R/3.
  Is it possible to place these roles in the favorite menu?
  I hope someone can help me with this one
  tnx
  hans

  Hi,
  " Is it possible to import transactions into a role from somebody's sap Favorites menu"
  I did not understand.
  There are two things
  1. Is it Favourite menu of user transaction(From user/SAP transaction menu)
  2. favourite menu section in PFCG, these are favourite roles but not transactions.
  In second case you can copy role and make new role. But if you are asking for options of making a role based on the transaction  in favourite list of user, there is no such option given by SAP, but you have to do manually if you have access to favourite section of user(I think this is somthing violating security policy).