Restricting Tcode using Roles

Dear BW Experts,
I want to create a role that restricts access to the transaction codes STMS_IMPORT and STMS in the production system. I am able to create a role by adding S_TCODE. While creating the role, inclusion is available but exclusion is not. I want to create a role that restricts tcodes STMS and STMS_IMPORT. How can this be achieved? Please help.
Thanks.

Hi Jalina
"but exclusion is not available"
The SAP security role authorisation concept does not cater for exclusion values or ranges.
If you are not a security person, I recommend you look at ADM940 or help.sap.com for the Authorisations Concept, or discuss your requirements with your security contact.
Regards
Colleen
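
Since the authorisation concept only lets a role list what is allowed, "excluding" STMS and STMS_IMPORT means building the S_TCODE values so that they never cover those codes. The following Python model is an added example, not code from this thread or from SAP: it mimics the allow-list semantics of an authorization check (single values, trailing-`*` prefix patterns and inclusive from-to ranges compared as strings, all of which are assumptions that simplify the real field-value rules), audits a role for forbidden transaction codes, rebuilds a pattern that covers them into explicit values, and, going beyond the S_TCODE case, checks a multi-field object using the S_RS_ADMWB values quoted in the "Restricting tcode RSA1" thread below. The role contents and the transaction inventory are constructed sample data.

```python
# Added example (not from the thread): a small model of SAP-style allow-list
# authorization checks. The role contents, the transaction inventory and the
# value semantics assumed here (single value, trailing-'*' prefix pattern,
# inclusive from-to range compared as strings) are simplifications.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence


@dataclass(frozen=True)
class FieldValue:
    """One permitted value of an authorization field."""
    low: str
    high: str = ""  # non-empty => inclusive range low..high

    def covers(self, value: str) -> bool:
        if self.high:
            return self.low <= value <= self.high
        if self.low.endswith("*"):  # '*' alone covers everything
            return value.startswith(self.low[:-1])
        return value == self.low


# One authorization instance of an object: field name -> permitted values.
Authorization = Dict[str, List[FieldValue]]


def authority_check(role: Sequence[Authorization], requested: Dict[str, str]) -> bool:
    """Allow-list semantics: the check passes if SOME instance covers EVERY requested
    field. Fields from different instances cannot be combined, and there is no
    value that means 'everything except X'."""
    return any(
        all(any(fv.covers(val) for fv in inst.get(field, [])) for field, val in requested.items())
        for inst in role
    )


def forbidden_but_granted(role: Sequence[Authorization], field: str,
                          forbidden: Iterable[str]) -> List[str]:
    """Audit helper: which forbidden codes does the role's allow-list still cover?"""
    return sorted(t for t in forbidden if authority_check(role, {field: t}))


def carve_out(values: Sequence[FieldValue], forbidden: Iterable[str],
              inventory: Sequence[str]) -> List[FieldValue]:
    """'Exclusion' the only way an allow-list permits it: every pattern or range
    that covers a forbidden code is replaced by explicit single values, taken from
    the inventory of codes the role genuinely needs, minus the forbidden ones.
    Codes the old pattern covered but nobody needs are dropped as a side effect."""
    forbidden = set(forbidden)
    result: List[FieldValue] = []
    for fv in values:
        if any(fv.covers(t) for t in forbidden):
            result.extend(FieldValue(t) for t in inventory
                          if fv.covers(t) and t not in forbidden)
        else:
            result.append(fv)
    return result


# --- constructed sample data -------------------------------------------------
FORBIDDEN_IN_PROD = {"STMS", "STMS_IMPORT"}
# Transactions a Basis role in this (made-up) landscape actually needs.
BASIS_INVENTORY = ["SM37", "SM50", "ST22", "STMS", "STMS_IMPORT", "SU01", "SU53"]

# S_TCODE granted with a prefix pattern: convenient, but it covers STMS as well.
BASIS_ROLE: List[Authorization] = [{"TCD": [FieldValue("S*")]}]

# S_RS_ADMWB instances as listed in the RSA1 thread on this page.
RSA1_DISPLAY_ROLE: List[Authorization] = [
    {"RSADMWBOBJ": [FieldValue("WORKBENCH")], "ACTVT": [FieldValue("16")]},
    {"RSADMWBOBJ": [FieldValue("DOC_META")], "ACTVT": [FieldValue("03")]},
]


def hardened_basis_role() -> List[Authorization]:
    """Rebuild the Basis role so that it no longer covers the forbidden codes."""
    return [{"TCD": carve_out(BASIS_ROLE[0]["TCD"], FORBIDDEN_IN_PROD, BASIS_INVENTORY)}]


if __name__ == "__main__":
    print("granted before:", forbidden_but_granted(BASIS_ROLE, "TCD", FORBIDDEN_IN_PROD))
    hardened = hardened_basis_role()
    print("granted after: ", forbidden_but_granted(hardened, "TCD", FORBIDDEN_IN_PROD))
    print("TCD values now:", [fv.low for fv in hardened[0]["TCD"]])
    print("RSA1 WORKBENCH/16:",
          authority_check(RSA1_DISPLAY_ROLE, {"RSADMWBOBJ": "WORKBENCH", "ACTVT": "16"}))
    print("RSA1 WORKBENCH/03:",
          authority_check(RSA1_DISPLAY_ROLE, {"RSADMWBOBJ": "WORKBENCH", "ACTVT": "03"}))
```

Run the file directly to see the before/after audit. The carve-out also drops transactions the old `S*` pattern granted but nobody needed (SE38 in the sample), which is the least-privilege effect of replacing patterns with explicit values; the RSA1 check shows that a WORKBENCH/03 request fails because the fields of two different instances cannot be combined.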

Similar Messages

  • Restrict displayed data in a query using roles

    Hi experts,
    I'm writing to explain our problem.
    We have an InfoCube with 2 company codes, 'A' & 'B'.
    We are trying to display only one of them depending on the user that executes THE SAME query, without using a filter for the company code (0comp_code).
    We have created a couple of roles that restrict that InfoObject and we have activated the checkbox "authorization relevant" in the InfoObject properties/reporting.
    This doesn't work as well as we wanted: it restricts access to the data that we don't specify in the role, but when the query is executed we obtain a message saying that the user has no authorization to access the data. Here is the main problem: we only want to display one company code, but when we execute the query and it tries to access data that is not defined in the role for that user, the query crashes and doesn't display anything.
    Is there a way to do what we want using role authorizations?
    Thanks in advance.

    Hi,
    Thanks for your answers, but I am still having the problem.
    We are working with the 3.5 version, so we cannot do what you say.
    On the other hand, we have already used transaction RSSM to do that, but we are still getting the authorization message when we execute the query without a filter and data comes back that is not defined in our roles.
    I am not sure; perhaps it is not possible with the 3.5 version.
    Thanks.

  • Oim 11g r2: data access restriction using roles instead of organisations

    Can I implement data access restriction using roles instead of organisations in OIM 11g R2?

    In my use case a particular user can be a member of more than one organisation. As far as I know OIM does not support this use case using organisations, so I decided to use roles to represent my "organizations", but now I lose all the data access restrictions (scope).

  • Restrict some user roles for tcode VA02

    Hi All,
    Please can anyone help with this?
    I have to restrict some user roles when rejecting the item in tcode VA02. How can this be done?
    Thanks,
    Ramu

    Hi,
    There are two ways to do this:
    - Make a transaction variant through SHD0 and assign it to your sales doc. While creating the variant you can place non-changeability ticks on specific fields. Next allow those users only to work with your transaction variant but not with the original transaction. 
    - You could make use of user-exit FORM USEREXIT_FIELD_MODIFICATION in include MV45AFZZ (via authorization objects, which you can assign in role customizing). 
    Check this link:
    http://www.sap-img.com/sap-sd/short-sap-sd-questions-3.htm
    Regards
    Adil

  • Can PID (Parameter ID) be set as a default by TCODE or Role Level

    Hi, does anyone have any idea whether a PID (Parameter ID) and its value can be set as a default at TCODE or at role level?
    Thanks in advance.
    Syd.
    Addendum:
    Re: Can PID (Parameter ID) be set as a default by TCODE or Role Level
    Posted: Oct 17, 2006 9:38 AM
    Thanks for the reply; you mentioned trying to create a transaction variant or a transaction parameter.
    Here are my questions:
    1. Can we set a default Parameter ID at TCODE level so that any user who has access to execute a transaction will have the Parameter ID and its value as a default when executing it?
    2. Can a PID be set as a default for an SAP TCODE or a custom TCODE, or can it be done for both? If it can be done, how?
    3. Can a PID be set as a default for a particular role or profile?
    Message was edited by: Syed Alam

    Hi JC,
    Yes, I agree.
    A small disclaimer however is that we don't know which transaction is being referred to.
    Creating a transaction variant with the parameter set for it could enable the user to navigate further and back again and in doing so "shed" the screen which the transaction (initially with variant parameter and skip screen) originally gave them.
    Using a user exit to set the parameter can in some cases be closer to the functionality (irrespective of how the user gets there) and be more reliable. But in this case an adventurous user will be likely to trick it anyway if they want to.
    If the decision is made to use PIDs in the coding, then it is a decision that the user can influence the value (in my view). If coding makes insecure use of PIDs, then it is a design error in the coding.
    Cheers,
    Julius

  • Removal of tcode from role

    Hi Experts,
    I need to remove a tcode from a role menu; my requirement is as below.
    I need to go into a role, search for the tcode in the role menu and, if the tcode is present in the role n times, remove that tcode.
    For example, if tcode SU01 is present in the role menu 5 times then I need to remove all these 5 occurrences.
    As of now I have developed a script using SECATT to remove a tcode from a role, but it is a static one, meaning I already know that the tcode is present 3 times, so the script will search for the tcode three times, delete it, generate the profile and come out.
    I want this functionality to be dynamic, i.e. I need to enter the tcode only once in the data input and then the script should remove all occurrences of that tcode from the role.
    Looking forward to expert advice and comments; please let me know if my requirement is not clear.
    Thanks,
    Ashish Mistry

    Hello,
    1. Check the database by writing an ABAP Query.
    2. Get the length of the received data, e.g. the number of records present in the database for your query.
    3. Now you know the exact number of T-Codes, so you can delete them.
    Regards,
    Bhavesh

  • Need to restrict HR payroll Roles on Payroll area

    Hi,
    Can anybody please guide me on how I can restrict HR payroll roles at payroll area level? As of now the system is not checking the payroll area value as authorization relevant.
    If the solution is through the org key, please explain the detailed process of using the org key.
    If it is through a custom object, please clarify the implication on the system once we run the standard program.
    Secondly, I also want to restrict the roles at Personnel Subarea level and OM roles at Org. ID level.
    I appreciate your early response.
    Regards,
    Ramakrishna

    Hi Ramakrishna,
    According to the documentation it seems to be possible to check authorizations for the payroll area with the authorization field VDSK1 of the authorization Object P_ORGIN if the feature VDSK1 is mapped to the payroll area. (However, I'm not sure about this because I never have worked with this option myself.)
    Online help
    [VDSK1 (Organizational Key)|http://help.sap.com/saphelp_470/helpdata/en/17/4bba3b3bf00152e10000000a114084/frameset.htm]
    If you use the authorization field VDSK1 this way, I suggest turning it into an "Org. Level" field using report PFCG_ORGFIELD_CREATE, too. This enables you to work with derived roles instead of normal roles. See note [323817|https://service.sap.com/sap/support/notes/323817] "Creating org.level fields for the Profile Generator".
    Kind regards
    Frank Buchholz

  • Restrict posting using t code FBV0

    Hello,
    I want to restrict posting using tcode FBV0 for transactions parked through FV50.
    Please let me know if this is possible.
    Thanks and Regards

    Dear Chetan,
    Please be kindly informed that the person who is authorized to park the documents should also have the authorisation to post them. In these ENJOY transactions, all these functionalities are provided, like post, save, park etc., and normally one person is the key person in the department.
    To segregate the authority to park and to post, I suggest that you either:
    - use the exit provided by SAP note 361420 to deactivate the posting/parking button depending on the user,
    OR
    - set up a validation to prevent users from posting/parking,
    OR
    - use workflow to release the parked documents.
    Mauri

  • Restricting tcode RSA1

    Hi Experts!
    I am faced with the requirement of restricting tcode RSA1.  From my understanding, RSA1 is basically the "BI Admin Control Panel" and as such, calls various other transaction codes and does not have any authorization objects associated with itself.
    Has a display RSA1 role been developed before and what is the best way to approach the creation of a display RSA1 role?
    Any opinions would greatly help.

    Hi Benjamin,
    The object S_RS_ADMWB is the most critical object in administration security. It is the first object that is checked when you do anything in the Admin Workbench.
    - Without S_RS_ADMWB you cannot execute the tcode RSA1. The first thing that would be checked is S_RS_ADMWB RSADMWBOBJ=WORKBENCH;ACTVT=16;
    Also, yes, as you mentioned, without any further authorizations the user is able to get into the transport connection and documents tabs. But to perform any sort of activity in these areas, the objects S_CTS_ADMI & S_TRANSPRT would be checked in the transport connection tab and the object S_RS_ADMWB would be checked in the documents tab, e.g.:
    S_RS_ADMWB RSADMWBOBJ=DOC_META;ACTVT=03
    S_RS_ADMWB RSADMWBOBJ=INFOOBJECT;ACTVT=23
    But if you want the user to not be able to get into or even see the tabs, then I do not think it is possible via authorizations.
    Regards,
    Subbu

  • Data and Dashboard Security using ROLES Variable in OBIEE 11g

    Hi all,
    I'm currently using OBIEE 11g. I'm wondering how to implement security for data and dashboards in 11g.
    Below is a sample of the security matrix requirement from when I used the 10g version. In 10g, we usually used the GROUP (for the data filter in the RPD) and WEBGROUPS (for dashboard objects) variables in my initialization block to read from the database. As we have 2 different variables, it is possible to control security separately for data and dashboards.
    GROUP | Country
    G1 | US
    G2 | FR
    G3 | UK
    WEBGROUPS | Dashboard
    WG1 | D1
    WG2 | D1
    WG3 | D1
    WG1 | D2
    WG2 | D2
    WG1 | D3
    WG3 | D3
    WG3 | D4
    Now, in 11g, the recommendation is to use the ROLES variable (for application roles). So, how would I apply the required security matrix above in 11g using just the ROLES variable? Do I still create G1, G2, G3, WG1, WG2, and WG3 as application roles, then use only G1-3 in the RPD to filter the data and only WG1-3 in Analytics to serve as webgroups?
    Any advice on this? Thank you very much.

    "...Could you elaborate more?"
    I mean that role creation and user->role assignment will be managed outside of the OBIEE interface, whether that's via the database, LDAP, FMW etc.
    Webgroup creation and assignment is managed within the OBIEE interface and I think that has a lot of benefits: generally you have people responsible for shared folders and dashboard creation, so having them responsible for webgroups and presentation permissions is preferable for me.
    "are you saying that I use the role G1-3 only in the RPD, while using the role WG1-3"
    Yes. I'm assuming you have something like
    G1 | US
    G2 | FR
    G3 | UK
    WG1 | Finance
    WG2 | Marketing
    WG3 | Sales
    Which becomes
    R1 | US
    R2 | FR
    R3 | UK
    R4 | Finance
    R5 | Marketing
    R6 | Sales
    And John belongs to R1 and R4, Fred belongs to R2 and R4 etc. So you would set your data filters against R1-R3 and use R4-R6 like webgroups in the presentation services.
    Regards,
    Robert

  • Company code creation for a BP using Role FLVN00

    Hi,
    I am trying to create a BP in a company code as part of Customer Vendor Integration.
    But when I create a BP using role FLVN00, select the company code tab, enter the company code details and save, the company code details are cleared out.
    Do we have to do any extra settings for that?
    thanks
    sekhar J

    Hi Sekhar,
    Can you tell us how this issue got resolved? We are also getting the same error while saving the BP.
    Thanks,
    Renu Prasad.

  • CRM 7.0 - Restrict Available BP Roles in Account Maintenance

    Dear Experts,
    During BP maintenance in the CRM 7.0 Web UI, how can we restrict the BP role values that are available in the BP Role assignment block, i.e. we want to limit them to only "Sold-To Party" and "Contact Person"?
    UI Component: BP_ROLES
    View: BP_ROLES/RolesList
    Can we achieve this through security (which object?) or standard config?
    There is a config setting in SPRO for BP role exclusion groups. Is this relevant here?
    Thanks!!!
    FK
    P.S. We attempted a config change to a BP Role Security profile but this only limited SAP GUI, not the Web UI. Is there a different object to limit the values in the Web UI assignment block?

    Hi Fakhan,
    There are two ways to solve your requirement:
    1. via authorization
    Explore the authorization objects B_BUPA_RLT and CRM_BPROLE. Those authorization objects define which BP roles can be edited.
    OR
    2. via enhancement
    Enhance component BP_Roles/AccountRolesEL. In the context node BUILROLES enhance method GET_V_PARTNERROLE.
    Do the same in component BP_roles/RolesList, context node ROLES, method GET_V_PARTNERROLE.
    Hope it solves your problem.
    Cheers,
    Lina

  • How to use Role Menu item in BI 7.0

    Hi experts,
    In the Web Application Designer in version 3.5 we can use the Role Menu item to access our queries easily.
    In version 7.0 this item has been removed from the standard items. How can we manage it? Thanks a lot.
    Best regards,
    Santi

    You can use the EP role to have the same functionality.
    Another option is to use the 3.x role menu web item after applying note 1075789; in this case the role menu web item will display 7.0 objects also.
    Thanks.

  • Error in oim Role creation using Role Manager Service API from Standalone Java client

    Hi,
    I am facing the following error when trying to create a role using the Role Manager Service API from a standalone Java client.
    I tried the solution of changing the maximum message size (log in to the WebLogic Admin Console --> Servers --> OIM Server --> Protocols --> modify the Maximum Message size from 100000000 to 1000000000), but the problem still persists.
    Exception in thread "main" org.omg.CORBA.BAD_PARAM:   vmcid: 0x0  minor code: 0  completed: No
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance0(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at com.sun.corba.se.impl.protocol.giopmsgheaders.MessageBase.getSystemException(Unknown Source)
    at com.sun.corba.se.impl.protocol.giopmsgheaders.ReplyMessage_1_2.getSystemException(Unknown Source)
    at com.sun.corba.se.impl.protocol.CorbaMessageMediatorImpl.getSystemExceptionReply(Unknown Source)
    at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.processResponse(Unknown Source)
    at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.marshalingComplete(Unknown Source)
    at com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.invoke(Unknown Source)
    at org.omg.CORBA.portable.ObjectImpl._invoke(Unknown Source)
    at com.sun.org.omg.SendingContext._CodeBaseStub.meta(Unknown Source)
    at com.sun.corba.se.impl.encoding.CachedCodeBase.meta(Unknown Source)
    at com.sun.corba.se.impl.io.IIOPInputStream.getOrderedDescriptions(Unknown Source)
    at com.sun.corba.se.impl.io.IIOPInputStream.inputObjectUsingFVD(Unknown Source)
    at com.sun.corba.se.impl.io.IIOPInputStream.simpleReadObject(Unknown Source)
    at com.sun.corba.se.impl.io.ValueHandlerImpl.readValueInternal(Unknown Source)
    at com.sun.corba.se.impl.io.ValueHandlerImpl.readValue(Unknown Source)
    at com.sun.corba.se.impl.encoding.CDRInputStream_1_0.read_value(Unknown Source)
    at com.sun.corba.se.impl.encoding.CDRInputStream.read_value(Unknown Source)
    at oracle.iam.identity.rolemgmt.api._RoleManager_ogut7n_RoleManagerRemoteRIntf_Stub.createx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
    at $Proxy2.createx(Unknown Source)
    at oracle.iam.identity.rolemgmt.api.RoleManagerDelegate.create(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at Thor.API.Base.SecurityInvocationHandler$1.run(SecurityInvocationHandler.java:68)
    at weblogic.security.subject.SubjectProxy.doAs(SubjectProxy.java:64)
    at weblogic.security.subject.SubjectManager.runAs(SubjectManager.java:262)
    at weblogic.security.Security.runAs(Security.java:48)
    at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
    at Thor.API.Base.SecurityInvocationHandler.invoke(SecurityInvocationHandler.java:79)
    at $Proxy3.create(Unknown Source)
    at com.idm.role.CreateRole.createRole(CreateRole.java:113)
    at com.idm.role.CreateRole.main(CreateRole.java:167)
    Thanks in advance.

    Hi, I have used OIM 11g R2.
    Please find below the code we have used:
    package com.idm.role;

    import java.util.HashMap;
    import java.util.HashSet;
    import java.util.Hashtable;
    import java.util.Iterator;
    import java.util.Set;
    import java.util.logging.Logger;
    import javax.security.auth.login.LoginException;
    import oracle.iam.identity.exception.NoSuchRoleException;
    import oracle.iam.identity.exception.RoleAlreadyExistsException;
    import oracle.iam.identity.exception.RoleCreateException;
    import oracle.iam.identity.exception.RoleLookupException;
    import oracle.iam.identity.exception.RoleModifyException;
    import oracle.iam.identity.exception.SearchKeyNotUniqueException;
    import oracle.iam.identity.exception.ValidationFailedException;
    import oracle.iam.identity.rolemgmt.api.RoleManager;
    import oracle.iam.identity.rolemgmt.api.RoleManagerConstants;
    import oracle.iam.identity.rolemgmt.vo.Role;
    import oracle.iam.platform.OIMClient;
    import oracle.iam.platform.authz.exception.AccessDeniedException;

    public class CreateRole {
        private final static Logger LOGGER = Logger.getLogger(CreateRole.class.getName());
        OIMClient oimClient = null;

        // Builds the JNDI environment for the WebLogic t3 endpoint and logs in to OIM.
        public OIMClient connectToOIM() {
            LOGGER.info("In connectToOIM ");
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
                    "weblogic.jndi.WLInitialContextFactory");
            env.put(OIMClient.JAVA_NAMING_PROVIDER_URL,
                    "t3://V-hydidm1.itig.co.in:14000");
            System.setProperty("java.security.auth.login.config",
                    "F:\\Projects\\IDM\\Team\\Env_setup\\OIM_Setup\\designconsole\\config\\authwl.conf");
            System.setProperty("java.security.policy",
                    "F:\\Projects\\IDM\\Team\\Env_setup\\OIM_Setup\\designconsole\\config\\xl.policy");
            System.setProperty("OIM.AppServerType", "wls");
            System.setProperty("APPSERVER_TYPE", "wls");
            System.setProperty("weblogic.Name", "oim_server1");
            oimClient = new OIMClient(env);
            try {
                // Credentials are hard-coded here as in the post; a real client should
                // read them from a credential store rather than from source code.
                oimClient.login("xelsysadm", "Passw0rd".toCharArray());
            } catch (LoginException e) {
                e.printStackTrace();
            }
            System.out.println("Connected");
            return oimClient;
        }

        // Looks up the role by display name and prints its attribute names and values.
        public void readRoleMetadata() {
            LOGGER.info("in readRoleMetadata ");
            RoleManager roleManagerService = oimClient.getService(RoleManager.class);
            try {
                Role roleVo = roleManagerService.getDetails(
                        RoleManagerConstants.ROLE_DISPLAY_NAME, "API Role1", null);
                Set attributeNameSet = roleVo.getAttributeNames();
                Iterator it = attributeNameSet.iterator();
                while (it.hasNext()) {
                    System.out.println("Attribute Name :: " + it.next());
                }
                // roleVo.setAttribute("ADentitlements", "Security Admin access");
                String adEntitlements = "" + roleVo.getAttribute("ADentitlements");
                System.out.println("AD Entitlements :: " + adEntitlements);
                System.out.println("DB Entitlements :: " + "" + roleVo.getAttribute("DBEntitlements"));
                System.out.println("Unix Entitlements :: " + "" + roleVo.getAttribute("UnixWindows"));
                System.out.println("VPN :: " + "" + roleVo.getAttribute("VPN"));
            } catch (SearchKeyNotUniqueException e) {
                e.printStackTrace();
            } catch (NoSuchRoleException e) {
                e.printStackTrace();
            } catch (RoleLookupException e) {
                e.printStackTrace();
            } catch (AccessDeniedException e) {
                e.printStackTrace();
            }
        }

        // Creates the role with standard and custom (UDF) attributes; this is the
        // call whose stack trace is shown above (RoleManagerDelegate.create).
        public void createRole() {
            LOGGER.info(" in Create role ");
            RoleManager roleManagerService = oimClient.getService(RoleManager.class);
            HashMap<String, Object> roleCreationAttrMap = new HashMap<String, Object>();
            roleCreationAttrMap.put(RoleManagerConstants.ROLE_NAME, "API Role1");
            roleCreationAttrMap.put(RoleManagerConstants.ROLE_DESCRIPTION,
                    "This Role is created using API Role1");
            roleCreationAttrMap.put(RoleManagerConstants.ROLE_DISPLAY_NAME, "API Role1");
            roleCreationAttrMap.put("ADentitlements", "API Role1 AD Entitlements");
            roleCreationAttrMap.put("DBEntitlements", "API Role1 DB Entitlements");
            roleCreationAttrMap.put("VPN", "No");
            roleCreationAttrMap.put("UnixWindows", "API Role1 Unix Entitlements");
            Role roleVo = new Role(roleCreationAttrMap);
            try {
                System.out.println(" Before Create role *********************************************");
                roleManagerService.create(roleVo);
                System.out.println("Role Created .. ");
            } catch (ValidationFailedException e) {
                e.printStackTrace();
            } catch (RoleAlreadyExistsException e) {
                e.printStackTrace();
            } catch (RoleCreateException e) {
                e.printStackTrace();
            } catch (AccessDeniedException e) {
                e.printStackTrace();
            }
        }

        // Finds the role key by display name and updates one custom attribute.
        public void modifyRole() {
            LOGGER.info(" in modifyRole ");
            RoleManager roleManagerService = oimClient.getService(RoleManager.class);
            Role roleVo;
            try {
                roleVo = roleManagerService.getDetails(
                        RoleManagerConstants.ROLE_DISPLAY_NAME, "API Role1", null);
                String roleKey = roleVo.getEntityId();
                HashMap<String, Object> roleCreationAttrMap = new HashMap<String, Object>();
                roleCreationAttrMap.put("ADentitlements", "Updated API Role1 AD Entitlements");
                Set<String> roleKeySet = new HashSet<String>();
                roleKeySet.add(roleKey);
                Role roleVoNew = new Role(roleCreationAttrMap);
                roleManagerService.modify(roleKeySet, roleVoNew);
                System.out.println("Role Modified ..");
            } catch (SearchKeyNotUniqueException e) {
                e.printStackTrace();
            } catch (NoSuchRoleException e) {
                e.printStackTrace();
            } catch (RoleLookupException e) {
                e.printStackTrace();
            } catch (AccessDeniedException e) {
                e.printStackTrace();
            } catch (ValidationFailedException e) {
                e.printStackTrace();
            } catch (RoleModifyException e) {
                e.printStackTrace();
            }
        }

        public static void main(String args[]) {
            CreateRole miscObj = new CreateRole();
            miscObj.connectToOIM();
            miscObj.createRole();
            //miscObj.readRoleMetadata();
        }
    }
    Thanks in advance.

  • How to use 'roles' attribute in action-mapping ?

    Hi,
    Can anybody tell me what steps are needed to use the 'roles' attribute in the <action> tag of the struts-config.xml file?
    I want to provide action-level security.
    Also, please post an example if you have one.
    Regards
    Veeru

    Hi,
    The RfcAdapter tries to find a sender agreement for this RFC call but the lookup fails. The values used for this lookup are:
    Sender Party/Sender Service: the values from Party and Service belonging to the sender channel.
    Sender Interface: the name of the RFC function module.
    Sender Namespace: the fixed RFC namespace urn:sap-com:document:sap:rfc:functions
    Receiver Party/Receiver Service: these fields are empty. This will match the wildcard.
    Regards,
    Suryanarayana
