Restricting results for Roles

Similar Messages

• Restrict F4 search results for specific plants / sales org / purchasing org

  Hello All,
  We have a project where a particular plant / sales org / purchasing org needs to be restricted because of the top secret data for that business.  We would like to be able to restrict the search results that are displayed based on sales org / plant / purchasing org in the F4 help.  If a user does not have access to the data / documents related a plant / sales org / purchasing org, we do not want the user to be able to see doc numbers, ship-to's, material numbers etc... My question is where do we restrict F4 results for the Sales and Distribution, Finance, Materials Management, Production Planning, Logistics, etc... modules?  Thanks in advance for the help.
  Jordan

  We can set authorization for specific plants and other organization levels,contact the basis team and discuss about the authorization

• Restrict some user roles for tocde VA02

  Hi All,
  Please can any one help on this?
  i have to restrict some user roles while rejecting the item in va02 tcode. how to do this.
  Thanks,
  Ramu

  Hi,
  There are two ways to do this:
  - Make a transaction variant through SHD0 and assign it to your sales doc. While creating the variant you can place non-changeability ticks on specific fields. Next allow those users only to work with your transaction variant but not with the original transaction. 
  - You could make use of user-exit FORM USEREXIT_FIELD_MODIFICATION in include MV45AFZZ (via authorization objects, which you can assign in role customizing). 
  Check this link:
  http://www.sap-img.com/sap-sd/short-sap-sd-questions-3.htm
  Regards
  Adil

• Error while updating a custom Windows Azure Diagnostics configuration xml from powershell. "Invalid update to extension reference for role"

  I am attempting to upload a manually edited WADConfig xml to my VM. The WAD service is functioning correctly, I needed to add some custom WinEventLogs. The prescribed steps result in an error.
  What am I overlooking?
  I am following these instructions:
  Step 5: Remotely install Diagnostics on your Azure Virtual Machine
  azure.microsoft.com/en-in/documentation/articles/cloud-services-dotnet-diagnostics/#virtual-machine
  $storage_name = "wadexamplevm"
  $key = "<StorageAccountKey>"
  $config_path="c:\users\<user>\documents\visual studio 2013\Projects\WadExampleVM\WadExampleVM\WadExample.xml"
  $service_name="wadexamplevm"
  $vm_name="WadExample"
  $storageContext = New-AzureStorageContext
  -StorageAccountName $storage_name -StorageAccountKey $key
  $VM1 = Get-AzureVM
  -ServiceName $service_name -Name $vm_name
  $VM2 = Set-AzureVMDiagnosticsExtension
  -DiagnosticsConfigurationPath $config_path
  -Version "1.*"
  -VM $VM1 -StorageContext $storageContext
  $VM3 = Update-AzureVM
  -ServiceName $service_name -Name $vm_name
  -VM $VM2.VM
  Unfortunately, I am receiving this error:
  Update-AzureVM : BadRequest: Invalid update to extension reference for role: XXXXXX and reference: IaaSDiagnostics.
  What's missing from the above script?

  Hi,
  Since Azure SDK 2.5 uses the extension model the diagnostics extension, the configuration and the connection string to the diagnostic storage are no longer part of the deployment package and cscfg. All the diagnostics configuration is contained within the
  wadcfgx. The advantage with this approach is that diagnostics agent and settings are decoupled from the project and can be dynamically enabled and updated even after your application is deployed. 
  Due to this change some existing workflows need to be rethought – instead of configuring the diagnostics as part of the application that gets deployed to each environment you can first deploy the application to the environment and then apply the diagnostics
  configuration for it.  When you publish the application from Visual Studio this process is done automatically for you. However if you were deploying your application outside of VS using PowerShell then you have to install the extension separately through
  PowerShell.
  There PowerShell cmdlets for managing the diagnostics extensions on a Cloud Service are -
  Set-AzureServiceDiagnosticsExtension
  Get-AzureServiceDiagnosticsExtension
  Remove-AzureServiceDiagnosticsExtension
  You can use the Set-AzureServiceDiagnosticsExtension method to enable diagnostics extension on a cloud service. One of the parameters on this cmdlet is the XML configuration file. This file is slightly different from the diagnostics.wadcfgx file. You can
  create this file from scratch by either following the article that you are referring to or  you can modify the wadcfgx file and pass in the modified file as a parameter to the powershell cmdlet.
  To modify the wadcfgx file –
  Make a copy the .wadcfgx.
  Remove the following elements from the Copy:
  <DiagnosticsConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
     <PrivateConfig xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
       <StorageAccount name=" " endpoint="https://core.windows.net/" />
     </PrivateConfig>
     <IsEnabled>false</IsEnabled>
  </DiagnosticsConfiguration>
  Make sure the top of the file still has xml version and encoding –
     <?xml version="1.0" encoding="utf-8"?>
  Effectively you are stripping down the Wadcfgx to only contain the <PublicConfig> section and the <?xml> header. You can then call the PowerShell cmdlet along with the appropriate parameters for the staging slots and roles:
  $storage_name = ‘
  <storagename>’
  $key= ‘<key>’
  $service_name = '<servicename>'
  $public_config = '<thepublicconfigfrom_diagnostics.wadcfgx>'
  $storageContext = New-AzureStorageContext –StorageAccountName $storage_name –StorageAccountKey $key
  Set-AzureServiceDiagnosticsExtension -StorageContext $storageContext -DiagnosticsConfigurationPath $public_config –ServiceName $service_name -Slot ‘Staging’ -Role ‘WebRole1’
  Hope this helps !
  Regards,
  Sowmya

• CRM 7.0 - Restrict Available BP Roles in Account Maintenance

  Dear Experts,
  During BP Maintenance in CRM 7.0 Web UI, how can we restrict the BP role values that are available in the BP Role assignment block i.e. we want to limit only to "Sold-To Party" and "Contact Person."
  UI Component: BP_ROLES
  View: BP_ROLES/RolesList
  Can we achieve this through Security (which object) or Standard Config. 
  There is a config setting in SPRO for BP role exclusion groups.  Is this relevant here?
  Thanks!!!
  FK
  p.s. We attempted a config change to a BP Role Security profile but this only limited SAP GUI not Web UI.  Is there a different object to limit the values in the Web UI Assignment Block

  Hi Fakhan,
  There are two ways to solve your requirement :
  1. via authorization
  explore authorization object B_BUPA_RLT and CRM_BPROLE. Those authorization objects define which BP roles can be edited.
  OR
  2. via enhancement
  Enhance component BP_Roles/AccountRolesEL. In the context node BUILROLES enhance method GET_V_PARTNERROLE
  Do the same in component BP_roles/RolesList context node ROLES method GET_V_PARTNERROLE
  Hope it's solve your problem
  Cheers,
  Lina

• Restricting Authorization for a specific Info-object

  Dear All,
  I have a scenario where I have to restrict the account managers by specific channels.
  I have 2 info-objects, Sold-to party and Sales Channel. Sales Channel is defined as attribute of the the Sold-To Part info-object.
  I was exploring the BI authorizations concept in SCM 2007.
  I created a authorization called "Test" and assigned the info-object Sales Channel in the authorization and restricted it for one value. This authorization along with 0BI_ALL I have added to the role under BI authorizations.
  However in interactive demand planning, I cannot restrict by the sales channel. It allows me to load data for all the channels.
  If I remove 0BI_ALL object, then I cannot load anything in interactive planning.
  Does anyone have a step by step proceedure for using the BI authorization concept?
  Regards,
  Kedar

  Yes, 0TCAACTVT (activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (validity) have to be made authorization relevant. For the info objects you want to use to control security, also make them authorization relevant in RSD1, imagine the object you want relevant is ZZ_VKORG (sales organization).
  Then use RSCEADMIN transcation and 0BI_ALL will include the objects from above, copy 0BI_ALL into a object such as Z_1000 and then change the value for the specific info object that you want to control, imagine that you want sales org 1000 only to be allowed within Z_1000.
  Now, you have 2 choices: You can use the normal security maintenance (SU01, PFCG) and you can asssign RSRS_AUTHBIAUTH and set BIAUTH requal to Z_1000 or you can use user maintenance directly within RSCEDAMIN and assign Z_1000 to the user. Either way, it becomes part of the authorization of the user.
  You may find that you need to introduce colon authorization concept ( for mixed levels of data and that is just a matter of adding a second line to the allowable values and setting it like "EQ :".
  Things to consider:
  1. This authorization concept is water tight and will do everything you need, but will do at the expense that if you don't model it first, you will kill yourself trying to make it right. This becomes evident when you trace a security issue (via RSCEADMIN) because the way BI7.0 works is that it will build a minimized superset of authorizations, so it is best to know where you want to get to, rather than starting off by where you know you need to go.
  2. To control change or display mode, you will need to influence 0TCAACTVT, even though you might think to use C_APO_SEL3 for ACTVT, the BI7.0 concept works within the BI space and 0TCAACTVT doesn't impact it.
  3. If you activate more info objects, 0BI_ALL will get updated automatically but your custom  authorization objecst will not. So, it is best to activate them all at the same time so that you don't have to manually change them.
  4. Do the work in development and transport it to the TEST/QA/PROD environments, there are transprt tools within the RSCEADMIN.
  This is probably enough to get you going, reply back if you have specific questions or issues.
  I've been thru this in a painful way, sometimes the best things learned are learned the hard way

• To restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.

  Hi,
  We have  a requirement where we need to restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.
  Presently we can restrict authorization at Purchasing organization level but not at Plant level.
  Any pointer please!
  Regards,
  Chetan

  First of all, this is not the right forum to post such a question.  Coming to the requirement, this can be achieved by creating a role in PFCG where you can restrict plant and assign this role to each user id.  Your basis team can do this.
  thanks
  G. Lakshmipathi

• Initiater for Role removal.

  Hi,
     I need some update/input w.r.t Role removal Initiator. While configuring the role removal is it possible to use the role status in the initiator?    If not how to identify this role is only for the role removal.
  Normally we use to put only one stage for Role removal. In the config, no where we are having automatic check for the request is only for the Role removal. So we have to trust that particular stage owners. As per the CUP automation check is it possible to validate this?
  Thanks in advance.
  Regards,
  Vasantha Kumar.

  Hi Justin
  I'm assuming you are involved in or victim of a security access review. I'm usually one of those security guys asking for role or transaction removal and you are the main contact in the business coordinating the changes.
  The process of remediation will possibly consist of checking which transactions are causing segregation of duties conflict, if they are used or not and removing one side of the conflict by removing an unused transaction.
  It shouldn't require the entire contents of a role to be removed - rather swapping role A for role B without a transaction or two.
  Removing transactions that aren't used can have more subtle implications which hopefully are found during UAT but is usually missed until used in anger. This what support is for after go live.
  Saying all that and depending on your time and skills, you could ask for access to the security person's test user in dev or qas where they are working to run transaction SUIM on transaction for user following the proposed changes and compare that to the actual access of the real affected user in prod. If you can get access to the informer tab in virsa you can use the standard simulation reports to also check the resulting conflicts which will help you talk to the business and advise on actions available. There should be role owners involved in all this as they have to owner the result: expect a request for these for CUP later on
  If you can retain control and approval of the (controlled) changes being made to users you will have a better understanding of what is happening, catch potential errors and mediate between security and the business - you have an important task!
  Ask for some basic training in standard SAP reports - the security team should be more than grateful for your input
  Crikey that was hard typing on an iPhone!
  Cheers
  Edited by: David Berry on Jan 11, 2011 8:17 PM

• OBI 11.1.1.6-Restrict visible application roles while sharing customization

  Hi,
  I am trying to test the security around share customizations functionality accessed through (any)Dashboard -> Page Options -> Save Current Customization -> Save for Others -> Set Permissions -> (+)Add Roles/groups -> Search Application Roles
  While searching for the Application roles, user gets to see all Application Roles and can assign the customization to any role. The search should have shown only the Application roles assigned to the user else irrelevant customization can be assigned to other application roles which cannot see the data for the selected filters in the customization
  Is there some configuration setting somewhere to restrict the application roles seen in the search option while saving customizations for others?

  896267 wrote:
  Nope. Manage Privileges -> Save Customization feature just provides access to save the customization for the defined role(s).
  The question is related to Saving customization for others through the Set Permission dialog box.There is no such setting as the list of application roles and catalog groups are directly sourced from system-jazn-data.xml file and the catalog. In the user trianing, you could probably let the users know to prefix the application role name for that set of filters.
  Thanks,
  -Amith.

• Need to restrict HR payroll Roles on Payroll area

  Hi,
  Can anybody pls guide me how can i restrict HR payroll roles on Payroll area Level.As of now system is not checking the payroll area value as authorization relevant.
  if the solution is through org key, pls explain the detail process of using org key.
  if it is through custom object, pls clarify the implication on the system once we run the standard program.
  Secondly i also want to restrict the  roles on Personal Sub area level and OM roles on Org.ID level.
  appericiate your early response.
  Regards,
  Ramakrishna

  Hi Ramakrishna,
  According to the documentation it seems to be possible to check authorizations for the payroll area with the authorization field VDSK1 of the authorization Object P_ORGIN if the feature VDSK1 is mapped to the payroll area. (However, I'm not sure about this because I never have worked with this option myself.)
  Online help
  [VDSK1 (Organizational Key)|http://help.sap.com/saphelp_470/helpdata/en/17/4bba3b3bf00152e10000000a114084/frameset.htm]
  If you use this authorization field VDSK1 this way I suggest to turn it into an "Org. Level" field using report PFCG_ORGFIELD_CREATE, too. This enables you to work with derived roles instead of normal roles. See note [323817 |https://service.sap.com/sap/support/notes/323817] "Creating org.level fields for the Profile Generator" .
  Kind regards
  Frank Buchholz

• Define AttributeCondition for roles

  How can I define a AttributeCondition which returns a list o roles where
  (a) Approver is one of a list of selected approvers or
  (b) Owners is one of a list of selected owners
  In a workflow I need to query for roles given the name of an approver or name of an owner. I tried the definition of various AttributeConditions for the Query Objects work flow service but neither of these has worked:
  Query 1:
  <Action application='com.waveset.session.WorkflowServices'>
      <Argument name='op' value='queryObjects'/>
      <Argument name='type' value='Role'/>
      <Argument name='attributes'>
          <list>
              <new class='com.waveset.object.AttributeCondition'>
                  <s>Approvers</s>
                  <s>isOneOf</s>
                  <list>
                      <s>myapprover</s>
                  </list>
              </new>
          </list>
      </Argument>
      <Return from='queryResult' to='queryResult'/>
  </Action>Query 2:
  <Action application='com.waveset.session.WorkflowServices'>
      <Argument name='op' value='queryObjects'/>
      <Argument name='type' value='Role'/>
      <Argument name='attributes'>
          <list>
              <new class='com.waveset.object.AttributeCondition'>
                  <s>Approvers</s>
                  <s>is one of</s>
                  <list>
                      <s>myapprover</s>
                  </list>
              </new>
          </list>
      </Argument>
      <Return from='queryResult' to='queryResult'/>
  </Action>Does anyone know how to formulate a the AttributeCondition?
  Thanks.

  In case someone needs to do something similar: Thanks to Paul's contribution I finally worked out how to define my attribute condition to get the desired result:
  Orginally I passed in the accountId of user as a value of the attribute i.e.
  <list>
       <s>myapprover</s>
  </list>This is wrong. The value has to be the fully qualified id of the user object i.e.
  <list>
       <s>#ID#User:myapprover</s>
  </list>So the correct query is:
  <Action application='com.waveset.session.WorkflowServices'>
       <Argument name='op' value='queryObjects'/>
       <Argument name='type' value='Role'/>
       <Argument name='attributes'>
           <list>
               <new class='com.waveset.object.AttributeCondition'>
                   <s>role_approvers</s>
                   <s>is one of</s>
                   <list>
                       <s>#ID#User:myapprover</s>
                   </list>
               </new>
           </list>
       </Argument>
       <Return from='queryResult' to='queryResult'/>
  </Action>

• UAR Approvals for roles with multiple owners

  Hi All,  We have in many cases, two role owners for roles defined in CUP. When running the UAR, both owners are notified.
  However, when one of the owners submits the approved/removals UAR request, the request closes out and the other owner does not have the opportunity to validate the request also.
  Any suggestions how to be able to accomodate both owners?
  The UAR CAD option is out of scope since it makes no sense to upload and maintain 4000 roles in the CAD.
  Thanks! -Dylan

  FYI, We were not able to find an acceptable workflow solution but decided to restrict access via authorization. We will allow the role primary Role Owner to make the UAR line item updates but not allow the Role Owner to submit the UAR.
  The Secondary Role Owner will be allowed to Submit final version of the UAR.
  Role makeup:
  ZAE_UAR_ROLE_OWNER (UAR Role Owner Approver)
  AE.ViewAccessEnforcer
  AE.ViewRemoveAccess
  AE.ViewApprove
  AE.ViewSaveRequest
  ZAE_UAR_QUARTERLY_OWNER (UAR Quarterly Owner Approver)
  AE.ViewAccessEnforcer
  AE.ViewSubmitRequest
  Hopefully, more workflow flexibility is will be built-in to the UAR just like with normal CUP requests.
  Best Regards, Dylan

• Restricting Authorisations for different controlling areas

  Hi SAP Gurus,
  I am facing a problem in restricting authorisations for CO Transactions in different controlling ares. We have a new controlling area started recently. But the CO user in this new controlling area is able to create master data in a differnt controlling area (i.e. the old existing controlling area). we have already maintained the new controlling area as org. unit for the relevant company code.
  Giving below an example.
  For t.code KAH1 & KAH2, we have maintained authorization object K_CCA for New Cont Area  with Cost Center group X (Where X is standard hierarchy). Even after that user is able to make changes in KAH2 for another controlling area. We also tried to put value of profit centers instead of "*". This too is not helping.
  Similarly the user is able to create master data in Tr. Codes KO01 / 02, KE51 / 52, KCH2 etc where this user in new controlling area is able to create / change master data from exising old controlling area.
  Can anyone help me please ?
  Thanks.

  Dear Prasad,
  Create a new Role using T Code PFCG and assign the new controlling area and the other relevant
  details and you can assign it to the users.
  I think in your case that particular user is assigned many roles where he has got * value and its allowing
  to make changes on some other controlling area.
  Regards
  Mangalraj.S

• HT201304 I forgot the restriction password for my iphone4. What to do

  I forgot the restriction password for my iphone4. What to do

  If You Are Locked Out Or Have Forgotten Your Passcode
  iTunes 10 for Mac- Update and restore software on iPod, iPhone, or iPad
  iPhone, iPad, iPod touch: Wrong passcode results in red disabled screen
  iOS- Understanding passcodes
  A Complete Guide to Recover Your iDevice if You Forget Your Passcode
  If you cannot remember the passcode, you will need to restore your device using the computer with which you last synced it. This allows you to reset your passcode and resync the data from the device (or restore from a backup). If you restore on a different computer that was never synced with the device, you will be able to unlock the device for use and remove the passcode, but your data will not be present. Refer to Updating and restoring iPhone, iPad and iPod touch software.
  Try restoring the iOS device if backing up and erasing all content and settings doesn't resolve the issue. Using iTunes to restore iOS devices is part of standard isolation troubleshooting. Restoring your device will delete all data and content, including songs, videos, contacts, photos, and calendar information, and will restore all settings to their factory condition.
  Before restoring your iOS device, Apple recommends that you either sync with iTunes to transfer any purchases you have made, or back up new data (data acquired after your last sync). If you have movie rentals on the device, see iTunes Store movie rental usage rights in the United States before restoring.
  Follow these steps to restore your device:
       1. Verify that you are using the latest version of iTunes before attempting to update.
       2. Connect your device to your computer.
       3. Select your iPhone, iPad, or iPod touch when it appears in iTunes under Devices.
       4. Select the Summary tab.
       5. Select the Restore option.
       6. When prompted to back up your settings before restoring, select the Back Up
           option (see in the image below). If you have just backed up the device, it is not
           necessary to create another.
       7. Select the Restore option when iTunes prompts you (as long as you've backed up,
           you should not have to worry about restoring your iOS device).
       8. When the restore process has completed, the device restarts and displays the Apple
           logo while starting up:
             After a restore, the iOS device displays the "Connect to iTunes" screen. For updating
            to iOS 5 or later, follow the steps in the iOS Setup Assistant. For earlier versions of
            iOS, keep your device connected until the "Connect to iTunes" screen goes away or
            you see "iPhone is activated."
       9. The final step is to restore your device from a previous backup.
  If you can not restore your device then you will need to go to recovery mode.
  Placing your device into recovery mode:
  Follow these steps to place your iOS device into recovery mode. If your iOS device is already in recovery mode, you can proceed immediately to step 6.
       1. Disconnect the USB cable from the iPhone, iPad, or iPod touch, but leave the other end
           of the cable connected to your computer's USB port.
       2. Turn off the device: Press and hold the Sleep/Wake button for a few seconds until the
           red slider appears, then slide the slider. Wait for the device to turn off.
            If you cannot turn off the device using the slider, press and hold the Sleep/Wake
            and Home buttons at the same time. When the device turns off, release the Sleep/Wake
            and Home buttons.
       3. While pressing and holding the Home button, reconnect the USB cable to the device.
           The device should turn on. Note: If you see the screen pictured below, let the device
           charge for at least ten minutes to ensure that the battery has some charge, and then
           start with step 2 again.
       4. Continue holding the Home button until you see the "Connect to iTunes" screen.
           When this screen appears you can release the Home button.
       5. If necessary, open iTunes. You should see the following "recovery mode" alert:
       6. Use iTunes to restore the device.
  If you don't see the "Connect to iTunes" screen, try these steps again. If you see the "Connect to iTunes" screen but the device does not appear in iTunes, see this article and its related links.
  Additional Information:
  Note: When using recovery mode, you can only restore the device. All user content on the device will be erased, but if you had previously synced with iTunes on this computer, you can restore from a previous backup. See this article for more information.

• Batch Characteristic not updating with result for linked MIC

  Hi,
  I have created a MIC and linked to a batch characteristic i.e. potency and included the characteristic in a specific batch class. This MIC is part of the inspection plan for a certain material.
  If I generate a lot of origin 01 and 09 for the material and record a result for the MIC and apply a UD, the batch characteristic is not updated with the result recorded in the batch master record..
  If I generate a lot origin 89 for the same material, when the result is recorded for the MIC and apply a UD the batch characteristic is updated with the mic value in the batch master record.
  Can you help regards?

  Ok. I am a little bit further.
  I put a trace (ST05) on the result recording and I find a difference between 4.7 and ECC6.0.
  In ECC6.0 I've an deletion in table "AUSP". This deletion isn't performed in the 4.7 system.
  Hope that this can help to solve my problem.
  Regards,
  René
  @ Mayank
  Above, all the master data and customizing is mentioned to transfer the result to the batch classification
  Edited by: Rene Fuhner on Jul 30, 2010 7:03 PM