Role and auth comparisation

Similar Messages

• APO roles and auth objects

  Hello all,
  Can someone tell me the most common used Tcodes, roles and auth objects in SAP APO - DP and APO-SNP security
  thanks

  I was going to type them out but luckily for me found this link to the DP & SNP auth objects - the info there is as detailed as anything else I have seen
  http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/content.htm
  There is a list of useful APO transactions here
  http://help.sap.com/bp_scmv241/documentation/SCM_AIO_BP_Function_List.xls
  I can't help with the standard roles as I build my own.

• security-role and auth-constraint

  Hi Everybody,
  I want to know the relation between the <role-name> tags defined under <security-role> tag and the <auth-constraint> tag (defined for web-resource-collection).
  Assuming that tomcat is being used, should the <role-name> of <security-role> map to a role defined for tomcat and then the <role-name> of <auth-constraint> map to the <role-name> of <security-role>.
  Or how does it all work ? How are these two <role-name> tags related ?
  Thanks in advance for your time.
  Vikas

  in <security-role> you define the roles, in <auth-contraint> you tell which role is allowed to use the protected resource

• Job role design - transaction role and auth object role

  Hi all, please kindly comment following job role design:
  (1) transaction role:
  Keep transactions in single job role to represent business processes in different application areas, e.g.MM: maintain PR, PO, OA.   CO: maintain cost center, internal order   HR: maintain org structure, personnel management.
  The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
  (2) authorization role
  Keep application component related authorzation objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role.  Objects of HR in HR role.
  Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role.;....
  User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
  with MM transaction role + company A MM role + company A CO role.
  Please let me know the pros and cons of above design.  Thanks.
  Regards,
  Donald
  * I can see the disadvantage of this design is during SAP upgrade (SU25), revised of authorization object will not reflect in authorization role

  Brent Van Dyck wrote:
  Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
  That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
  In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
  But splitting cube / characteristics / key figures  or infotype / personel group / auth code into different roles can only go wrong.
  Another mistake some "value role experts" sometimes make is that they don't want Su24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side affect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
  Cheers,
  Julius

• Maintaining the authorizations for parent role and derived role

  Hi Experts,
  Kindly advice me the Pro and cons of the parent role and derived role.. below is the scenario
  Currently  we have created the 700 role in  our regionally organization and we want to dervie the roles for each country
  1 ) we want to do the Auth field (activity level) settings in parent role and Org levels  in the derived role  .
  2)  But one my collegue says do the default  Auth filed ( activity values) common to every country in the parent role and diff activity one in the derived role .
  please advice me wat will be the best scenario for mantaining the authorizations filed values like (activity level  one)

  I will try to answer both your queries here:
  "my collegue says they are some NON ORG values different from each country ..suggest us to maintain all the default values in Parent role and auth with diff values needs to be maintained in derived role (child role).. "
  The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this filed is NON_ORG you will not be able to maintain it directly inside the child roles.....this is the basic principle of derived role conceptu2026 that the only item you will directly maintain in a child role are the org levels(which will come as u2018organisational levelsu2019 in the upper tab in the auth data of a role).
  All NON_ORG fields inside a child role is acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. these changes will get lost the next time you run the parent child inheritance from u201Cgenerate derived roleu201D function in your parent role.
  Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc u2026 figure out the name of the concerned field you have in hand)u2026.executeu2026 you will that the field will now onwards appear as an org level value in all roles in the system and not just as a field inside the auth objectsu2026.I would suggest you take one field and try running it in ur dev or  sandbox..see how the field changes in your roles.... the change can always be reverted by using PFCG_ORGFIELD_delete. ... you will understand it better....
  Soumya

• SoD Analysis , tables to relate roles, transactions and auth objects

  Hi everyone,
  I am analyzing my company SAP roles in terms of segregation of duties, however I having a problem.
  I need a table/report to give me for each role, every transactions and for each transaction in the role every authorization objects.
  For example I want to know for Role B that have transaction C which have the follow authorization object D with values X and Y.
  Therefore I want to know for each role and respective transactions which are only display or/and execute or/and editable. How can I do that?
  Thanks!

  Hi,
  There is no default report/table which gives you the required information. However, you can achieve this by using SQVI. Join the tables, and create a tcode for the same. Refer the below link:
  Re: SAP Query in SQVI transaction
  Alternatively, you can download all the data into spreadsheet and create Pivots to plot the information.
  The other alternative is to have a custom program built which takes the information from AGR_DEFINE, AGR_AGRS, AGR_1251, AGR_1252, AGR_TCODE tables.
  Hope this helps!!
  Regards,
  Raghu

• Issues with test-all role and browser security

  WLS 10.3.5
  I have a deployed application on Linux using a SQLAuthentication and Authorization - all is well here.
  I have setup all the security (without the test-all role) and I cannot access any of the system.
  If I put the test-all role in - I can access the system.
  I have verified the user has all the roles (I used the example bean to display the user and roles on the menu page) and the test-all role is not in the list.
  I have the menu setup to not display items unless the user has the role (this is working fine - SecurityContext.inRole(rolelist).
  So the context is fine.
  I used jazn-data to set the same roles in the taskflows - this is not working at all unless the test-all role is set - I get authorization errors - not authorized).
  Have I missed something in this?
  I have also noticed that if I close the browser (X) without logging out and come back into the system the authentication is totally bypassed and I go back in as the same user as before.
  Is there some way to destroy the previous context every time the welcome screen is executed.

  Add the following parameters to the Run options for the ViewController project:
  -Djps.auth.debug=true -Djps.auth.debug.verbose=true
  Then restart WebLogic, run the app and watch the console - you'll see all the security evaluations take place which should help you to identify the problem.

• Roles and .wars in WebLogic

            I have a .war file whose web.xml file defines a security role of LoggingRole. No
            matter what I do, I cannot successfully login and access the web-app. I am running
            on WebLogic 7.0 on Windows 2000.
            I tried going into the admin console and defining a role named LoggingRole then
            adding the Administrators group to it. Then I make sure there are some users in
            the Administrators group. Everytime I try to use those users to login, it fails.
            If I delete the secuirty constraints from the web-app it works fine. if I install
            the web-app on other servlet engines wit hthe security, it works. Any ideas?
            Here is the relevant snippet of the web.xml:
                 <security-constraint>
                      <web-resource-collection>
                           <web-resource-name>System Viewer</web-resource-name>
                           <url-pattern>/menu2</url-pattern>
                      </web-resource-collection>
                      <auth-constraint>
                           <role-name>LoggingRole</role-name>
                      </auth-constraint>
                 </security-constraint>
                 <security-role>
                      <role-name>LoggingRole</role-name>
                 </security-role>
            Thanks,
            brian
            

            In WL6, normally you should have something like <security-role-assignment>
            <role-name>developer</role-name>
            <principal-name>developer</principal-name>
            <principal-name>customer</principal-name>
            </security-role-assignment>
            in your weblogic.xml. I never try this in WL7 and hope it will work.
            The alternative is, open your weblogic admin console, following the following
            steps: (Left pane) Deployment->Web Applications->YourWebApplication, then (right
            pane)Edit web application descriptors. On the next screen, (Left pane)Web AppExt->Security
            role assignment->.... If you don't have Web AppExt, you should be able to create
            one when you see this screen. After you assign tghe roles, click persistent and
            a new web.xml and a new weblogic.xml will be generated and you can use them for
            future use.
            "Brian Pipa" <[email protected]> wrote:
            >
            >I have a .war file whose web.xml file defines a security role of LoggingRole.
            >No
            >matter what I do, I cannot successfully login and access the web-app.
            >I am running
            >on WebLogic 7.0 on Windows 2000.
            >
            >I tried going into the admin console and defining a role named LoggingRole
            >then
            >adding the Administrators group to it. Then I make sure there are some
            >users in
            >the Administrators group. Everytime I try to use those users to login,
            >it fails.
            >If I delete the secuirty constraints from the web-app it works fine.
            >if I install
            >the web-app on other servlet engines wit hthe security, it works. Any
            >ideas?
            >
            >Here is the relevant snippet of the web.xml:
            >     <security-constraint>
            >          <web-resource-collection>
            >               <web-resource-name>System Viewer</web-resource-name>
            >               <url-pattern>/menu2</url-pattern>
            >          </web-resource-collection>
            >          <auth-constraint>
            >               <role-name>LoggingRole</role-name>
            >          </auth-constraint>
            >     </security-constraint>
            >
            >     <security-role>
            >          <role-name>LoggingRole</role-name>
            >     </security-role>
            >
            >Thanks,
            >brian
            

• Role and Analysis Authorizations in BI

  Hello allo,
  Since analysis authorizations contains carateritics like infocube, queries, activities., is using role and the PFCG transaction (authorizations object)in BI obsolete ? i.e is Analysis authorizations completely replacing Authorization objects (and PFCG) in BI ?
  thanks !!

  Hatem,
  You have an option to use the old method however it's recommend to use analysis authorizations going forward.
  Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
  Cheers,
  Ben

• Roles and authorisations in SEM BW

  Hi All,
  Our SAP SEM lies in BW, Business Planning and Simulation. I have configured everything, but now i want to create roles and authorisations which point to specific planning folders. How do I do that? I understand we do not use the standard transaction PFCG to create roles in BW SEM, what transaction do I need to use? May I get a little bit of detail from the transaction to the point at which i specify a certain role for a specific planning function or planning folder.
  I will really appreciate your help.
  Regards,
  Tatenda.

  Hi,
  please use the search function and read the great number of threads regarding this topic.
  The SEM-part of SAP has a lot of role-stuff for authorsation (via PFCG) but also BW-authorisation which is done via "rsecadmin". Actually, forget pfcg because you can click on pfcg in the rsecadmin, so you never have to go back to pfcg anyway.
  The BW-authorisation is created via rsecadmin, as i said, and included to a role via pfcg in the object S_RS_AUTH.
  For example someone needs the reporting-auth for one company. You create via rsecadmin a BW-auth-object, call it "comp_01". Include there the infoobject 0COMPANY (if you use that one) and include the special infoobjects (there is a button on the top). Then go in rsecadmin to the tab User and switch there to PFCG.  Select/create a role, put the S_RS_AUTH in there (and maybe if needed the BEx-Query stuff) and then type in that BW-auth-object "comp_01". That's it.
  btw: Roles are only for the application, the BW-Auth is for infocubes, infoareas, infoobjects and so on...
  Best Regards

• User role and Authority-check ?

  Hello,
  Could you please let me know how are the differences between User role and Authority-check. In a program I do not use Authority-check , And The user is not assigned to user role which contain this transaction ( for this program), Can the user execute this transaction OR he must be assigned to user role which contain this transaction to execute it . Supposing that we do not use any Authority-check in then program.
  Thanks in advance

  Hello Martin,
  I think this answers the OP's question about user not being assigned the role which contains the trxn code. As you have explained in this case the default auth. check for S_TCODE will fail & user cannot execute the trxv. (If i remember correctly the tables for this are AGR_USERS & AGR_TCODES)
  Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
  @OP:
  The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
  BR,
  Suhas

• Trying to restrict access to Business Partners Roles and Relationships

  In CRM 7.0 I am trying to restict access to creating and maintaining certain Business Partner Roles and Relationships.  Some roles and relationships are brought over from our primary R/3 system and users are not allowed to change these.  However, certain Roles and Relationships exist only in CRM and should be allowed.  I am working with the authorization objects B_BUPA_RLT and B_BUPA_BZT.  The only field that seems to be checked is the Activity.  Even when I put limited BP Roles it seems that this field is not being verified.  My security trace returns the following:  B_BUPA_RLT  ACTVT=02;RLTYP= ;

  Authorization object B_BUPA_RLT as used in SAP GUI can't be used in CRM WebClientUI. In SAPGUI business partners always need to be maintained in a bp role regardless of the update-characteristic of this bp role. As there's no authorization-object to control maintenance of bp in general, auth. object B_BUPA_RLT also was used to restrict visibility of bp (data). The creation of a bp is controlled by assigning authorizations for the maintenance of bp roles. If i.e. no authorization for any bp role is available, the user can't create a bp at all. Authorization object CRM_BPROLE is in CRM WebClient UI used instead of authorization object B_BUPA_RLT.
  For more info about this see the following notes:
  1129682 - Authorization for BP roles in CRM5.2 WebClient UI.
  1259940 - Authority check for accounts depending on roles
  regards.

• Developing security Roles and profiles

  Hi Team,
  Can you guys let me know how to develop security roles and profiles. We are rolling out for a company in Japan, and the congif is completed. We are in the process of developing test cases ans also security roles and profiles for users? Can somebody guide and help me on this?
  Regards,

  Hi,
  Use Tcode = PFCG -->then create any customized roles and profiles for any users on module based.
  user masters: USR01 to 09, UST04,
  profiles: USR10, USR11, UST10S, UST10C,
  authorisations: USR12, USR13, UST12.
  password exceptions USR40.
  History tables(may not be applicable but FYI): users: USH02, USH04,
  profiles: USH10, auths USH12.
  R/3 Security Tcodes
  End User Transaction Code  Menu Path   Purpose
  SU3  System > User Profile> Own Data  Set address/defaults/parameters
  SU53  System > Utilities > Display Authorization Check  Display last authority check that failed
  SU56  Tools --> Administration --> Monitor --> User Buffer  Display user buffer
  Role Administration Transaction Code  Menu Path   Purpose
  PFCG
  Tools --> Administration --> User Maintenance --> Roles  Maintain roles using the Profile Generator
  PFUD   Work on SAP check indicators and field values
  Select: Copy SAP check IDu2019s and field values
  Installation
  1. Initial Customer Tables Fill
  Upgrade
  2a. Preparation: Compare with SAP values
  2b. Reconcile affected transactions
  2c. Roles to be checked
  2d. Display changed transaction codes
  SU24
  Same as for SU25:
  Select: Change Check Indicators > Maintain Check Indicators>Maintain 
  Regards,
  Srini Nookala

• How to find my 'role' and 'profile'?

  When i log into a client as a user, Is there a way for me to find out what my 'role' and 'profile' are? I can't run su01d.
  Edited by: Concoran Fernandez on May 18, 2008 5:28 AM

  Hi,
  No there is no such transaction as far as i know,But you can change your own user data in 'SU3'.
  If your requirement is that you want to see whicch authorization you are missing then use the tcode SU53.It will show you the missing authorization.Then use suim to find out which role or tcode has that authorization so that u can assign the todes and auth using 'SU01' or 'PFCG'.
  Regards,
  Vamshi.

• Server Manager error 0x80070422 - Roles and features are not accesible

  Hi
  I cannot view Roles and Features in Server Manager on my Server 2008 R2 box. The error is:
  Unexpected error refreshing Server Manager: The service cannot be started, either because it is disbaled or because it has no enabled devices assicaited with it (Exception from HResult: 0x80070422)
  I have looked at my services - but don't know what service to look for, everything seems to be in order.
  After some investigation on the net, I understood that I need to setup the win readiness tool, I did and the output in CheckSur file is as follows
  =================================
  Checking System Update Readiness.
  Binary Version 6.1.7601.21645
  Package Version 12.0
  2011-05-31 19:02
  Checking Windows Servicing Packages
  Checking Package Manifests and Catalogs
  (f) CBS MUM Corrupt 0x00000000 servicing\Packages\Package_for_KB2296199_RTM~31bf3856ad364e35~amd64~~6.1.1.1.mum  Expected file name Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum does not match the actual
  file name
  (fix) CBS MUM Corrupt CBS File Replaced Package_for_KB2296199_RTM~31bf3856ad364e35~amd64~~6.1.1.1.mum from Cabinet: C:\Windows\CheckSur\v1.0\windows6.1-servicing-x64-apr29.cab.
  (fix) CBS Paired File CBS File also Replaced Package_for_KB2296199_RTM~31bf3856ad364e35~amd64~~6.1.1.1.cat from Cabinet: C:\Windows\CheckSur\v1.0\windows6.1-servicing-x64-apr29.cab.
  Checking Package Watchlist
  Checking Component Watchlist
  Checking Packages
  Checking Component Store
  Summary:
  Seconds executed: 4058
   Found 1 errors
   Fixed 1 errors
    CBS MUM Corrupt Total count: 1
    Fixed: CBS MUM Corrupt.  Total count: 1
    Fixed: CBS Paired File.  Total count: 1
  Here again, it seems that everything is fine.
  Thanks in advance for your help

  Hi,
  Please try to install Windows Server 2008 R2 Service Pack 1 directly and check the result. Service Pack 1 for Windows Server 2008 R2 includes all the
  previous released Windows Updates and hotfixes.
  If it does not work, you will need to copy these files from another working Windows Server 2008 R2 system to replace the corrupt ones.
  Otherwise, you will need to perform an In-Place upgrade to repair the system.
  Regards,
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.