Role and auth comparison
hey,
how to compare roles of 16 users?
By SUIM I can do it two by two, which is no good.
Regards
sanchodur panzadurma
Hello Sancho,
Please see this document
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/12320898-0301-0010-1abb-91770fb41b24
hope this helps
Thanks
Chandran
-
Hello all,
Can someone tell me the most commonly used Tcodes, roles and auth objects in SAP APO - DP and APO-SNP security?
thanks
I was going to type them out but luckily for me found this link to the DP & SNP auth objects - the info there is as detailed as anything else I have seen
http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/content.htm
There is a list of useful APO transactions here
http://help.sap.com/bp_scmv241/documentation/SCM_AIO_BP_Function_List.xls
I can't help with the standard roles as I build my own.
-
security-role and auth-constraint
Hi Everybody,
I want to know the relation between the <role-name> tags defined under <security-role> tag and the <auth-constraint> tag (defined for web-resource-collection).
Assuming that tomcat is being used, should the <role-name> of <security-role> map to a role defined for tomcat and then the <role-name> of <auth-constraint> map to the <role-name> of <security-role>.
Or how does it all work ? How are these two <role-name> tags related ?
Thanks in advance for your time.
Vikas
In <security-role> you define the roles; in <auth-constraint> you tell which role is allowed to use the protected resource.
-
Job role design - transaction role and auth object role
Hi all, please kindly comment following job role design:
(1) transaction role:
Keep transactions in single job role to represent business processes in different application areas, e.g. MM: maintain PR, PO, OA. CO: maintain cost center, internal order. HR: maintain org structure, personnel management.
The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
(2) authorization role
Keep application component related authorization objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role. Objects of HR in HR role.
Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role...
User will be assigned transaction role + auth object role. For example, user of company A to perform MM and CO functions will be assigned
with MM transaction role + company A MM role + company A CO role.
Please let me know the pros and cons of above design. Thanks.
Regards,
Donald
* I can see the disadvantage of this design is during SAP upgrade (SU25), revised of authorization object will not reflect in authorization role
Brent Van Dyck wrote:
Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
But splitting cube / characteristics / key figures or infotype / personnel group / auth code into different roles can only go wrong.
Another mistake some "value role experts" sometimes make is that they don't want SU24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side effect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
Cheers,
Julius
-
Maintaining the authorizations for parent role and derived role
Hi Experts,
Kindly advise me of the pros and cons of the parent role and derived role. Below is the scenario:
Currently we have created the 700 roles in our regional organization and we want to derive the roles for each country.
1) We want to do the auth field (activity level) settings in the parent role and org levels in the derived role.
2) But one of my colleagues says to do the default auth field (activity values) common to every country in the parent role and the different activity ones in the derived role.
Please advise me what will be the best scenario for maintaining the authorization field values like (activity level one)
I will try to answer both your queries here:
"my colleague says there are some NON ORG values different from each country ..suggest us to maintain all the default values in Parent role and auth with diff values needs to be maintained in derived role (child role).. "
The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this field is NON_ORG you will not be able to maintain it directly inside the child roles..... this is the basic principle of the derived role concept… that the only items you will directly maintain in a child role are the org levels (which will come as ‘organisational levels’ in the upper tab in the auth data of a role).
All NON_ORG fields inside a child role are acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. These changes will get lost the next time you run the parent child inheritance from the “generate derived role” function in your parent role.
Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc… figure out the name of the concerned field you have in hand)… execute… you will see that the field will from now onwards appear as an org level value in all roles in the system and not just as a field inside the auth objects… I would suggest you take one field and try running it in your dev or sandbox.. see how the field changes in your roles.... the change can always be reverted by using PFCG_ORGFIELD_delete. ... you will understand it better....
Soumya
-
SoD Analysis , tables to relate roles, transactions and auth objects
Hi everyone,
I am analyzing my company SAP roles in terms of segregation of duties, however I am having a problem.
I need a table/report to give me, for each role, every transaction and, for each transaction in the role, every authorization object.
For example I want to know for Role B that has transaction C which has the following authorization object D with values X and Y.
Therefore I want to know for each role and respective transactions which are only display or/and execute or/and editable. How can I do that?
Thanks!
Hi,
There is no default report/table which gives you the required information. However, you can achieve this by using SQVI. Join the tables, and create a tcode for the same. Refer the below link:
Re: SAP Query in SQVI transaction
Alternatively, you can download all the data into spreadsheet and create Pivots to plot the information.
The other alternative is to have a custom program built which takes the information from AGR_DEFINE, AGR_AGRS, AGR_1251, AGR_1252, AGR_TCODE tables.
Hope this helps!!
Regards,
Raghu
-
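For the SoD question above, one way the "download and pivot" or "custom program" route could look once AGR_1251 has been exported. This is an added example, not code from the thread; the CSV layout, role names and AUTH values are constructed, and it reports objects per role because AGR_1251 stores values per role and object, not per transaction.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the shape of an AGR_1251 export (assumed CSV).
AGR_1251_CSV = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,DELETED
Z_ROLE_B,S_TCODE,T-X100,TCD,ME21N,,
Z_ROLE_B,S_TCODE,T-X100,TCD,ME23N,,
Z_ROLE_B,M_BEST_EKO,T-X101,ACTVT,01,02,
Z_ROLE_B,M_BEST_EKO,T-X101,EKORG,1000,,
Z_ROLE_B,F_BKPF_BUK,T-X102,ACTVT,03,,
Z_ROLE_B,F_BKPF_BUK,T-X102,BUKRS,1000,,
Z_ROLE_C,S_TCODE,T-X200,TCD,FB03,,
Z_ROLE_C,F_BKPF_BUK,T-X201,ACTVT,03,,
Z_ROLE_C,F_BKPF_BUK,T-X201,ACTVT,01,,X
"""

# ACTVT 03 is display and 16 is execute; every other value is treated as change.
ACTVT_LABEL = {"03": "display", "16": "execute"}


def expand(low, high):
    """Expand a LOW/HIGH pair; numeric ranges such as 01..03 become 01, 02, 03."""
    if low == "*" or not high:
        return [low]
    if low.isdigit() and high.isdigit():
        return [str(n).zfill(len(low)) for n in range(int(low), int(high) + 1)]
    return [f"{low}-{high}"]


def role_matrix(csv_text):
    """Per role: transactions from S_TCODE/TCD, and per object the ACTVT access."""
    tcodes = defaultdict(set)
    actvt = defaultdict(lambda: defaultdict(set))
    fields = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["DELETED"]:  # authorization flagged as deleted in the role
            continue
        role, obj, field = row["AGR_NAME"], row["OBJECT"], row["FIELD"]
        values = expand(row["LOW"], row["HIGH"])
        if obj == "S_TCODE" and field == "TCD":
            tcodes[role].update(values)
        elif field == "ACTVT":
            actvt[role][obj].update(values)
        else:
            fields[role][obj].update(f"{field}={v}" for v in values)
    report = {}
    for role in sorted(set(tcodes) | set(actvt) | set(fields)):
        objects = {}
        for obj in sorted(set(actvt[role]) | set(fields[role])):
            acts = sorted(actvt[role][obj])
            objects[obj] = {
                "actvt": acts,
                "access": sorted({ACTVT_LABEL.get(a, "change") for a in acts}),
                "fields": sorted(fields[role][obj]),
            }
        report[role] = {"tcodes": sorted(tcodes[role]), "objects": objects}
    return report


if __name__ == "__main__":
    for role, data in role_matrix(AGR_1251_CSV).items():
        print(role, data)
```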
Issues with test-all role and browser security
WLS 10.3.5
I have a deployed application on Linux using a SQLAuthentication and Authorization - all is well here.
I have setup all the security (without the test-all role) and I cannot access any of the system.
If I put the test-all role in - I can access the system.
I have verified the user has all the roles (I used the example bean to display the user and roles on the menu page) and the test-all role is not in the list.
I have the menu setup to not display items unless the user has the role (this is working fine - SecurityContext.inRole(rolelist)).
So the context is fine.
I used jazn-data to set the same roles in the taskflows - this is not working at all unless the test-all role is set (I get authorization errors - not authorized).
Have I missed something in this?
I have also noticed that if I close the browser (X) without logging out and come back into the system the authentication is totally bypassed and I go back in as the same user as before.
Is there some way to destroy the previous context every time the welcome screen is executed?
Add the following parameters to the Run options for the ViewController project:
-Djps.auth.debug=true -Djps.auth.debug.verbose=true
Then restart WebLogic, run the app and watch the console - you'll see all the security evaluations take place which should help you to identify the problem.
-
Roles and .wars in WebLogic
I have a .war file whose web.xml file defines a security role of LoggingRole. No
matter what I do, I cannot successfully login and access the web-app. I am running
on WebLogic 7.0 on Windows 2000.
I tried going into the admin console and defining a role named LoggingRole then
adding the Administrators group to it. Then I make sure there are some users in
the Administrators group. Every time I try to use those users to login, it fails.
If I delete the security constraints from the web-app it works fine. If I install
the web-app on other servlet engines with the security, it works. Any ideas?
Here is the relevant snippet of the web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>System Viewer</web-resource-name>
<url-pattern>/menu2</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>LoggingRole</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>LoggingRole</role-name>
</security-role>
Thanks,
brian
In WL6, normally you should have something like
<security-role-assignment>
<role-name>developer</role-name>
<principal-name>developer</principal-name>
<principal-name>customer</principal-name>
</security-role-assignment>
in your weblogic.xml. I have never tried this in WL7 and hope it will work.
The alternative is, open your weblogic admin console, following the following
steps: (Left pane) Deployment->Web Applications->YourWebApplication, then (right
pane)Edit web application descriptors. On the next screen, (Left pane)Web AppExt->Security
role assignment->.... If you don't have Web AppExt, you should be able to create
one when you see this screen. After you assign the roles, click persistent and
a new web.xml and a new weblogic.xml will be generated and you can use them for
future use.
"Brian Pipa" <[email protected]> wrote:
>
>I have a .war file whose web.xml file defines a security role of LoggingRole.
>No
>matter what I do, I cannot successfully login and access the web-app.
>I am running
>on WebLogic 7.0 on Windows 2000.
>
>I tried going into the admin console and defining a role named LoggingRole
>then
>adding the Administrators group to it. Then I make sure there are some
>users in
>the Administrators group. Every time I try to use those users to login,
>it fails.
>If I delete the security constraints from the web-app it works fine.
>If I install
>the web-app on other servlet engines with the security, it works. Any
>ideas?
>
>Here is the relevant snippet of the web.xml:
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>System Viewer</web-resource-name>
> <url-pattern>/menu2</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>LoggingRole</role-name>
> </auth-constraint>
> </security-constraint>
>
> <security-role>
> <role-name>LoggingRole</role-name>
> </security-role>
>
>Thanks,
>brian
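The two descriptor threads above (how `<role-name>` under `<security-role>` relates to `<auth-constraint>`, and the WebLogic `<security-role-assignment>` reply) both come down to whether each role name is declared, used and mapped consistently. The following is an added example, not code from either thread: a small checker that cross-references web.xml and weblogic.xml. The sample documents are constructed from the snippets quoted in the posts, and the finding names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml snippet from the post, wrapped in <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>System Viewer</web-resource-name>
      <url-pattern>/menu2</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>LoggingRole</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>LoggingRole</role-name>
  </security-role>
</web-app>"""

# Constructed sample: a weblogic.xml holding only the assignment quoted in
# the reply, so LoggingRole itself has no principals mapped to it.
WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>developer</role-name>
    <principal-name>developer</principal-name>
    <principal-name>customer</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""


def _kids(elem, name):
    """Direct children called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _kids(elem, name)]


def check_roles(web_xml, weblogic_xml=None):
    """Return (finding, role-or-url) tuples for inconsistent role wiring."""
    root = ET.fromstring(web_xml)
    declared = {r for sr in _kids(root, "security-role") for r in _texts(sr, "role-name")}
    used, findings = set(), []
    for sc in _kids(root, "security-constraint"):
        urls = [u for w in _kids(sc, "web-resource-collection") for u in _texts(w, "url-pattern")]
        for ac in _kids(sc, "auth-constraint"):
            roles = _texts(ac, "role-name")
            if not roles:  # empty auth-constraint: nobody may access these URLs
                findings.append(("no-role-allowed", ",".join(urls)))
            used.update(roles)
            findings += [("undeclared-role", r) for r in roles if r != "*" and r not in declared]
    if "*" not in used:  # "*" stands for every declared role
        findings += [("unused-role", r) for r in sorted(declared - used)]
    if weblogic_xml is not None:
        mapped = {}
        for sra in _kids(ET.fromstring(weblogic_xml), "security-role-assignment"):
            for role in _texts(sra, "role-name"):
                mapped[role] = _texts(sra, "principal-name")
        findings += [("unmapped-role", r) for r in sorted(declared) if not mapped.get(r)]
        findings += [("mapping-for-unknown-role", r) for r in sorted(set(mapped) - declared)]
    return findings


if __name__ == "__main__":
    for finding in check_roles(WEB_XML, WEBLOGIC_XML):
        print(finding)
```

An `unmapped-role` finding is a prompt to review how the container resolves that role, not proof of a login failure.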
-
Role and Analysis Authorizations in BI
Hello all,
Since analysis authorizations contain characteristics like infocube, queries, activities, is using roles and the PFCG transaction (authorization objects) in BI obsolete? i.e. are analysis authorizations completely replacing authorization objects (and PFCG) in BI?
thanks !!
Hatem,
You have an option to use the old method however it's recommended to use analysis authorizations going forward.
Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
Cheers,
Ben
-
Roles and authorisations in SEM BW
Hi All,
Our SAP SEM lies in BW, Business Planning and Simulation. I have configured everything, but now I want to create roles and authorisations which point to specific planning folders. How do I do that? I understand we do not use the standard transaction PFCG to create roles in BW SEM, what transaction do I need to use? May I get a little bit of detail from the transaction to the point at which I specify a certain role for a specific planning function or planning folder.
I will really appreciate your help.
Regards,
Tatenda.
Hi,
please use the search function and read the great number of threads regarding this topic.
The SEM-part of SAP has a lot of role-stuff for authorisation (via PFCG) but also BW-authorisation which is done via "rsecadmin". Actually, forget pfcg because you can click on pfcg in the rsecadmin, so you never have to go back to pfcg anyway.
The BW-authorisation is created via rsecadmin, as I said, and included to a role via pfcg in the object S_RS_AUTH.
For example someone needs the reporting-auth for one company. You create via rsecadmin a BW-auth-object, call it "comp_01". Include there the infoobject 0COMPANY (if you use that one) and include the special infoobjects (there is a button on the top). Then go in rsecadmin to the tab User and switch there to PFCG. Select/create a role, put the S_RS_AUTH in there (and maybe if needed the BEx-Query stuff) and then type in that BW-auth-object "comp_01". That's it.
btw: Roles are only for the application, the BW-Auth is for infocubes, infoareas, infoobjects and so on...
Best Regards
-
User role and Authority-check ?
Hello,
Could you please let me know what the differences are between User role and Authority-check? In a program I do not use Authority-check, and the user is not assigned to the user role which contains this transaction (for this program). Can the user execute this transaction, or must he be assigned to the user role which contains this transaction to execute it? Supposing that we do not use any Authority-check in the program.
Thanks in advance
Hello Martin,
I think this answers the OP's question about the user not being assigned the role which contains the trxn code. As you have explained, in this case the default auth. check for S_TCODE will fail & the user cannot execute the trxn. (If I remember correctly the tables for this are AGR_USERS & AGR_TCODES)
Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
@OP:
The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
BR,
Suhas
-
Trying to restrict access to Business Partners Roles and Relationships
In CRM 7.0 I am trying to restrict access to creating and maintaining certain Business Partner Roles and Relationships. Some roles and relationships are brought over from our primary R/3 system and users are not allowed to change these. However, certain Roles and Relationships exist only in CRM and should be allowed. I am working with the authorization objects B_BUPA_RLT and B_BUPA_BZT. The only field that seems to be checked is the Activity. Even when I put limited BP Roles it seems that this field is not being verified. My security trace returns the following: B_BUPA_RLT ACTVT=02;RLTYP= ;
Authorization object B_BUPA_RLT as used in SAP GUI can't be used in CRM WebClientUI. In SAPGUI business partners always need to be maintained in a bp role regardless of the update-characteristic of this bp role. As there's no authorization-object to control maintenance of bp in general, auth. object B_BUPA_RLT also was used to restrict visibility of bp (data). The creation of a bp is controlled by assigning authorizations for the maintenance of bp roles. If i.e. no authorization for any bp role is available, the user can't create a bp at all. Authorization object CRM_BPROLE is in CRM WebClient UI used instead of authorization object B_BUPA_RLT.
For more info about this see the following notes:
1129682 - Authorization for BP roles in CRM5.2 WebClient UI.
1259940 - Authority check for accounts depending on roles
regards.
-
Developing security Roles and profiles
Hi Team,
Can you guys let me know how to develop security roles and profiles? We are rolling out for a company in Japan, and the config is completed. We are in the process of developing test cases and also security roles and profiles for users. Can somebody guide and help me on this?
Regards,
Hi,
Use Tcode = PFCG -->then create any customized roles and profiles for any users on module based.
user masters: USR01 to 09, UST04,
profiles: USR10, USR11, UST10S, UST10C,
authorisations: USR12, USR13, UST12.
password exceptions USR40.
History tables(may not be applicable but FYI): users: USH02, USH04,
profiles: USH10, auths USH12.
R/3 Security Tcodes
End User
Transaction Code | Menu Path | Purpose
SU3 | System > User Profile > Own Data | Set address/defaults/parameters
SU53 | System > Utilities > Display Authorization Check | Display last authority check that failed
SU56 | Tools --> Administration --> Monitor --> User Buffer | Display user buffer
Role Administration
Transaction Code | Menu Path | Purpose
PFCG | Tools --> Administration --> User Maintenance --> Roles | Maintain roles using the Profile Generator
PFUD Work on SAP check indicators and field values
Select: Copy SAP check ID’s and field values
Installation
1. Initial Customer Tables Fill
Upgrade
2a. Preparation: Compare with SAP values
2b. Reconcile affected transactions
2c. Roles to be checked
2d. Display changed transaction codes
SU24
Same as for SU25:
Select: Change Check Indicators > Maintain Check Indicators>Maintain
Regards,
Srini Nookala
-
How to find my 'role' and 'profile'?
When I log into a client as a user, is there a way for me to find out what my 'role' and 'profile' are? I can't run su01d.
Edited by: Concoran Fernandez on May 18, 2008 5:28 AM
Hi,
No, there is no such transaction as far as I know, but you can change your own user data in 'SU3'.
If your requirement is that you want to see which authorization you are missing then use the tcode SU53. It will show you the missing authorization. Then use SUIM to find out which role or tcode has that authorization so that you can assign the tcodes and auth using 'SU01' or 'PFCG'.
Regards,
Vamshi.
-
Server Manager error 0x80070422 - Roles and features are not accesible
Hi
I cannot view Roles and Features in Server Manager on my Server 2008 R2 box. The error is:
Unexpected error refreshing Server Manager: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it (Exception from HResult: 0x80070422)
I have looked at my services - but don't know what service to look for, everything seems to be in order.
After some investigation on the net, I understood that I need to setup the win readiness tool, I did and the output in CheckSur file is as follows
=================================
Checking System Update Readiness.
Binary Version 6.1.7601.21645
Package Version 12.0
2011-05-31 19:02
Checking Windows Servicing Packages
Checking Package Manifests and Catalogs
(f) CBS MUM Corrupt 0x00000000 servicing\Packages\Package_for_KB2296199_RTM~31bf3856ad364e35~amd64~~6.1.1.1.mum Expected file name Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum does not match the actual
file name
(fix) CBS MUM Corrupt CBS File Replaced Package_for_KB2296199_RTM~31bf3856ad364e35~amd64~~6.1.1.1.mum from Cabinet: C:\Windows\CheckSur\v1.0\windows6.1-servicing-x64-apr29.cab.
(fix) CBS Paired File CBS File also Replaced Package_for_KB2296199_RTM~31bf3856ad364e35~amd64~~6.1.1.1.cat from Cabinet: C:\Windows\CheckSur\v1.0\windows6.1-servicing-x64-apr29.cab.
Checking Package Watchlist
Checking Component Watchlist
Checking Packages
Checking Component Store
Summary:
Seconds executed: 4058
Found 1 errors
Fixed 1 errors
CBS MUM Corrupt Total count: 1
Fixed: CBS MUM Corrupt. Total count: 1
Fixed: CBS Paired File. Total count: 1
Here again, it seems that everything is fine.
Thanks in advance for your help
Hi,
Please try to install Windows Server 2008 R2 Service Pack 1 directly and check the result. Service Pack 1 for Windows Server 2008 R2 includes all the
previous released Windows Updates and hotfixes.
If it does not work, you will need to copy these files from another working Windows Server 2008 R2 system to replace the corrupt ones.
Otherwise, you will need to perform an In-Place upgrade to repair the system.
Regards,