Role creation and authorization objects in sap
Hi
I want to know the full relationship between the creation of roles, authorization objects and authorizations in Web AS ABAP.
Please explain the process in detail: the use of PFCG and all its options, and how to create Z roles.
Although it would take a very long document to explain the query fully, I have briefed you on the concept. I hope it leads you well.
- Roles are nothing but a container for authorizations. A role represents a specific part of an employee's job.
- The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transaction, field and field value level.
For e.g. If a user wants to create a PO we can restrict him on:
• Activity: Create/Change/Display
• Org elements like Company Code, Plant, Purchase Organization etc.
• Document type etc.
- Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
- Fields: The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & 03 (Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
- An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist; they only have a meaning inside a profile.
- Authorizations are contained within profiles, and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save, the system will auto-generate a profile name.
- Authorization checks are included in the transactions' source code in standard SAP R/3. A user may carry out an action if the authorization check is successful for each field in the object.
Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM
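The check semantics described in the answer above, as an added example that is not part of the thread and not SAP code: a small Python model in which profiles hold authorizations, each authorization lists the permitted values per field of one object, `*` stands for all values, and a check passes only when every requested field is permitted by one and the same authorization. The object, fields and activity codes (M_MATE_CHG, ACTVT, BEGRU, 01/02/03) are those named in the post; the profile names, the BEGRU values and the `failing_fields` helper (an SU53-style "what is missing" view) are assumptions made for the example, and intervals and organisational levels are not modelled.

```python
"""Model of the R/3 authorization check described in the thread (added example, not SAP code)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Authorization:
    """Permitted values per field of one authorization object."""
    obj: str
    fields: Dict[str, Set[str]]


@dataclass
class Profile:
    """Generated profile: the container in which a role's authorizations live."""
    name: str
    authorizations: List[Authorization]


def value_permitted(permitted: Set[str], value: str) -> bool:
    """'*' allows every value; otherwise the value must be listed (intervals are not modelled)."""
    return "*" in permitted or value in permitted


def authority_check(profiles: List[Profile], obj: str, requested: Dict[str, str]) -> bool:
    """Succeeds if one authorization for `obj` permits every requested field value.

    As in the post, each field is checked and all of them must pass; they must pass
    within the same authorization, so values spread over two authorizations do not combine.
    """
    for profile in profiles:
        for auth in profile.authorizations:
            if auth.obj != obj:
                continue
            if all(value_permitted(auth.fields.get(f, set()), v) for f, v in requested.items()):
                return True
    return False


def failing_fields(profiles: List[Profile], obj: str, requested: Dict[str, str]) -> Set[str]:
    """SU53-style view: the fields that block the check in the nearest-miss authorization.

    Returns an empty set when the check passes and every requested field when the
    user holds no authorization for `obj` at all.
    """
    best = set(requested)
    for profile in profiles:
        for auth in profile.authorizations:
            if auth.obj != obj:
                continue
            misses = {f for f, v in requested.items()
                      if not value_permitted(auth.fields.get(f, set()), v)}
            if len(misses) < len(best):
                best = misses
    return best


# Constructed sample profiles (names and BEGRU values are made up for the example).
DISPLAY_ONLY = Profile("T-DISPLAY", [
    Authorization("M_MATE_CHG", {"ACTVT": {"03"}, "BEGRU": {"*"}}),
])
MAINTAIN_GROUP_0001 = Profile("T-MAINT01", [
    Authorization("M_MATE_CHG", {"ACTVT": {"01", "02", "03"}, "BEGRU": {"0001"}}),
])

if __name__ == "__main__":
    user = [DISPLAY_ONLY, MAINTAIN_GROUP_0001]
    for request in ({"ACTVT": "03", "BEGRU": "0002"},
                    {"ACTVT": "02", "BEGRU": "0001"},
                    {"ACTVT": "02", "BEGRU": "0002"}):
        ok = authority_check(user, "M_MATE_CHG", request)
        print(request, "->", "OK" if ok else f"missing {sorted(failing_fields(user, 'M_MATE_CHG', request))}")
```

The third request in the demo is the instructive one: the user may change (ACTVT 02) in group 0001 and display in every group, but changing in group 0002 still fails, because no single authorization covers both field values.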
Similar Messages
-
At one point I posted a forum entry and posted a solution for my entry regarding keeping the app deployments around while recreating/overwriting the domain using WLST offline. Keep App Deployments while recreating the domain in WLST offline
Things seem to work, except that I noticed that the XACML Role Mapper and Authorizer that were created the first time around (when there is no domain folder) are getting replaced by the default Role Mapper and Authorizer (on subsequent runs when the domain folder already exists and we overwrite the domain).
Basically the first readDomain is causing this. Without reading the domain, I cannot get the app list.
System.setProperty("com.bea.cie.script.throwException","true")
appdeps={}
try:
    readDomain('c:/temp/basicWLSDomain')
    cd('/AppDeployments')
    apps=ls(returnMap='true')
    for app in apps:
        appdeps[app]=ls(app,returnMap='true', returnType='a')
except:
    pass
try:
    closeDomain()
except:
    pass
#=======================================================================================
# Open a domain template.
#=======================================================================================
readTemplate("c:/wls11/wlserver_10.3/common/templates/domains/wls.jar")
#=======================================================================================
# Configure the Administration Server and SSL port.
# To enable access by both local and remote processes, you should not set the
# listen address for the server instance (that is, it should be left blank or not set).
# In this case, the server instance will determine the address of the machine and
# listen on it.
#=======================================================================================
cd('Servers/AdminServer')
set('ListenAddress','')
set('ListenPort', 7001)
create('AdminServer','SSL')
cd('SSL/AdminServer')
set('Enabled', 'True')
set('ListenPort', 7002)
#=======================================================================================
# Define the user password for weblogic.
#=======================================================================================
cd('/')
cd('Security/base_domain/User/weblogic')
cmo.setPassword('weblogic11g')
#=======================================================================================
# Create a JMS Server.
#=======================================================================================
cd('/')
create('myJMSServer', 'JMSServer')
#=======================================================================================
# Create a JMS System resource.
#=======================================================================================
cd('/')
create('myJmsSystemResource', 'JMSSystemResource')
cd('JMSSystemResource/myJmsSystemResource/JmsResource/NO_NAME_0')
#=======================================================================================
# Create a JMS Queue and its subdeployment.
#=======================================================================================
myq=create('myQueue','Queue')
myq.setJNDIName('jms/myqueue')
myq.setSubDeploymentName('myQueueSubDeployment')
cd('/')
cd('JMSSystemResource/myJmsSystemResource')
create('myQueueSubDeployment', 'SubDeployment')
#=======================================================================================
# Create and configure a JDBC Data Source, and sets the JDBC user.
#=======================================================================================
cd('/')
create('myDataSource', 'JDBCSystemResource')
cd('JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
create('myJdbcDriverParams','JDBCDriverParams')
cd('JDBCDriverParams/NO_NAME_0')
set('DriverName','com.pointbase.jdbc.jdbcUniversalDriver')
set('URL','jdbc:pointbase:server://localhost/demo')
set('PasswordEncrypted', 'PBPUBLIC')
set('UseXADataSourceInterface', 'false')
create('myProps','Properties')
cd('Properties/NO_NAME_0')
create('user', 'Property')
cd('Property/user')
cmo.setValue('PBPUBLIC')
cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
create('myJdbcDataSourceParams','JDBCDataSourceParams')
cd('JDBCDataSourceParams/NO_NAME_0')
set('JNDIName', java.lang.String("myDataSource_jndi"))
cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
create('myJdbcConnectionPoolParams','JDBCConnectionPoolParams')
cd('JDBCConnectionPoolParams/NO_NAME_0')
set('TestTableName','SYSTABLES')
#=======================================================================================
# Target resources to the servers.
#=======================================================================================
cd('/')
assign('JMSServer', 'myJMSServer', 'Target', 'AdminServer')
assign('JMSSystemResource.SubDeployment', 'myJmsSystemResource.myQueueSubDeployment', 'Target', 'myJMSServer')
assign('JDBCSystemResource', 'myDataSource', 'Target', 'AdminServer')
#=======================================================================================
# Write the domain and close the domain template.
#=======================================================================================
setOption('OverwriteDomain', 'true')
setOption('CreateStartMenu', 'false')
writeDomain('c:/temp/basicWLSDomain')
closeTemplate()
#=======================================================================================
# Exit WLST.
#=======================================================================================
exit()
So I thought I would create the XACML Authorizer and Role Mapper myself instead of letting the default domain creation process do it. But that is resulting in duplicates on the first run (when the domain folder does not exist), and in the subsequent runs (when the domain folder already exists) I see one XACML and one default.
cd('/')
create('base_domain', 'SecurityConfiguration')
cd('SecurityConfiguration/base_domain/Realm/myrealm')
ls('a')
create('XACMLAuthorizer', 'weblogic.security.providers.xacml.authorization.XACMLAuthorizer','Authorizer')
create('XACMLRoleMapper', 'weblogic.security.providers.xacml.authorization.XACMLRoleMapper','RoleMapper')
I am going nowhere with Oracle Support. I am wondering if anyone ran into this before. com.oracle.cie.config-wls-schema_10.3.6.0.jar has various SecurityConfiguration XML fragments and the wrong fragment is being used when the domain is recreated.
I am thinking it is a logic issue in domain creation. -
BAPI for creation of Authorization Objects in BI 7.0
Hi BW Gurus,
Greetings!!!
Is there any BAPI Available for creation of Authorization Objects in BI 7.0.
The data will be transferred through flatfiles.
Kindly provide me the info as earliest as possible.
Best Regards,
Priya
Got the workaround...
Priya -
Use of default XACML with custom role mapper and authorization provider
Hi,
Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?
I see 2 approaches. First, write a custom authenticator that stores the role information in the subject, either by creating a custom java.security.Principal that is stored in the Subject or by saving it in the PrivateCredentials of the Subject. Then write a custom role mapper that knows how to get the role information from the Subject and return a role map. The default XACML Authorizer will then work with the role information in the role map.
Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
The chosen approach depends on where you're getting the role information from. -
Which are client independent and dependent objects in SAP ABAP
which are client independent and dependent objects in SAP ABAP
Hello Jagrut
A special kind of objects are client-dependent repository objects. These objects have to be treated specially in the way that they have to be imported into their specific target client. In contrast, client-independent repository objects can be imported into any client.
The following list shows the client-dependent repository objects:
LIMU FSEL Field Selection
LIMU VARI Report Program System Variant
R3TR COC1 CO: Cost Centers
R3TR COC2 CO: Activity Types
R3TR FORM SAPscript form
R3TR LODS HRDSYS: Logical information object client-dep. table E SYST
R3TR PCYS HR: Transport standard personnel calculation rules
R3TR PHDS HRDSYS: physical information object client-dep. table E SYST
R3TR SBNL Logical Information Object for BDS
R3TR SBNP Logical Information Object for BDS
R3TR SBNR BDS: Relationship Between Information Objects
R3TR SBPL Logical Information Object for BDS: Bid Invitation
R3TR SBPP Physical Information Object for BDS
R3TR SBPR BDS: Relationship Between Information Objects
R3TR SBRL Logical Information Object for BDS
R3TR SBRP Physical Information Object
R3TR SBRR BDS: Relationship Between Information Objects
R3TR SBSL Logical Information Object for BDS
R3TR SBSP Physical Information Object
R3TR SBSR BDS: Relationship Between Information Objects
R3TR SBTL Logical Information Object for BDS
R3TR SBTP Physical Information Object
R3TR SBTR BDS: Relationship Between Information Objects
R3TR SBWL Logical information object for BDS
R3TR SBWP Logical information object for BDS
R3TR SBWR BDS: Relationship between information objects
R3TR SRHL SRM: Hierarchical Lists
R3TR SRLD Language-Dependent Client-Specific Retrieval Index Objekt
R3TR STYL SAPscript Style
Regards
Uwe -
Problem while loading texts and authorization objects file in RAR
Hi all,
I am getting an Internet Explorer error while loading the texts and authorization objects text files in RAR. Actually we uploaded the rule file before this; does this step cause any error? If so, how do I resolve this error? Do I need to remove all rules/risks and then load the text and authorization files? Is there any shortcut to remove all risks generated in one shot? Please reply to me soon to resolve this.
Thanks,
Joseph.
Hi Joseph,
Please make sure to convert both the files in UTF-8 encoding format and then try to upload the files again. This should resolve the issue and if not then please paste the logs here.
Regards
Harleen -
Idm-Vaau Rbac role creations and mapping
Hi All,
I'm working on the integration between Idm and Vaau's Rbacx (role based access control) tool for role creation and provisioning...I've imported the spml.xml and SPMLGetObjectsform.xml into Idm for the SPML calls between Rbacx and Idm.
The challenge I'm facing is mapping the attributes of Rbacx roles to enable the attributes to be populated in Idm... I'm able to export roles into Idm, but they are not populating with any attributes, e.g. resource type, resource attribute etc. I'm uncertain as to where I have to map these properties and do any customization for this to work. I would appreciate it if anyone who has worked on this or knows how to do this could please give me some pointers/share your experience. I don't have any documentation to refer to and am doing everything on a trial-and-error basis.
Any help is greatly appreciated!
Thank you.
Hi newbie,
Were you able to solve this issue? I am facing the same problem while assigning resource attributes for a created role using a custom workflow.
This is where I set the resource attributes in my workflow:
<Action id='1'>
  <expression>
    <block trace='true'>
      <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].valueType</s><ref>ADGroupsValueType</ref></set>
      <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].requirement</s><ref>ADGroupsRequirement</ref></set>
      <append><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].value</s><ref>ADGroupsValue</ref></append>
    </block>
  </expression>
</Action>
where <ref>ADGroupsValue</ref> contains the attribute value.
thanks,
Lokesh -
Authorization object in SAP BI Role
Hi,
Currently we have Z roles in BI such that when a power user logs in to Query Designer, on the Info Area tab/button the user can access any data target to create a query.
But my requirement is to create a role:
I created an analysis authorisation object (S_RS_AUTH) in RSECADMIN with the list of all InfoProviders that the user can access.
How can I create a role so that when the user logs in to Query Designer, on the Info Area tab/button the user can access only the data targets he is authorised to view (which are maintained in the analysis authorization object) to create a query?
Thanks
Hi Maxi,
Create a Z role and add auth objects, and maintain S_RFC and S_TCODE.
Add S_BDS_D, S_BDS_DS, S_OC_SEND with * as auth.
Now create a ZZ auth object with the required InfoProviders and add this in S_RS_AUTH.
On top of these, give the required auth for S_RS_COMP, S_RS_COMP1, S_RS_ICUBE -
SoD Analysis , tables to relate roles, transactions and auth objects
Hi everyone,
I am analyzing my company's SAP roles in terms of segregation of duties; however, I am having a problem.
I need a table/report to give me, for each role, every transaction, and for each transaction in the role every authorization object.
For example, I want to know for Role B, which has transaction C, that it has the following authorization object D with values X and Y.
Therefore I want to know, for each role and its respective transactions, which are display only or/and execute or/and editable. How can I do that?
Thanks!
Hi,
There is no default report/table which gives you the required information. However, you can achieve this by using SQVI. Join the tables, and create a tcode for the same. Refer the below link:
Re: SAP Query in SQVI transaction
Alternatively, you can download all the data into spreadsheet and create Pivots to plot the information.
The other alternative is to have a custom program built which takes the information from AGR_DEFINE, AGR_AGRS, AGR_1251, AGR_1252, AGR_TCODE tables.
Hope this helps!!
Regards,
Raghu -
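Following Raghu's suggestion of a custom program over the AGR tables, here is an added example that is not from the thread and not an SAP program: Python that reads rows shaped like AGR_TCODE (role menu transactions) and AGR_1251 (object/field values per role), lists each role's transactions and field values, classifies a role as display-only or maintain from its ACTVT values (03 = Display, as in the first answer on this page), and flags roles that hold both transactions of a segregation-of-duties rule. The rows, the role names, the technical authorization names and the ME21N/ME29N conflict rule are constructed sample data. AGR_1251 records values per role, not per transaction, so the per-transaction object proposals (SU24 data) are outside this example.

```python
"""Role / transaction / authorization-value report over AGR_TCODE and AGR_1251 (added example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample rows shaped like AGR_TCODE: which transactions sit in a role's menu.
AGR_TCODE: List[Dict[str, str]] = [
    {"AGR_NAME": "Z_MM_PO_DISPLAY", "TCODE": "ME23N"},
    {"AGR_NAME": "Z_MM_PO_MAINTAIN", "TCODE": "ME21N"},
    {"AGR_NAME": "Z_MM_PO_MAINTAIN", "TCODE": "ME22N"},
    {"AGR_NAME": "Z_MM_PO_MAINTAIN", "TCODE": "ME23N"},
    {"AGR_NAME": "Z_MM_PO_MAINTAIN", "TCODE": "ME29N"},
]

# Constructed sample rows shaped like AGR_1251: one row per field value (LOW, or a LOW-HIGH
# interval) of one authorization (AUTH) for one object in a role; DELETED = 'X' marks a
# line that was removed in PFCG and must not count.
_AGR_1251_COLS = ("AGR_NAME", "OBJECT", "AUTH", "FIELD", "LOW", "HIGH", "DELETED")
AGR_1251: List[Dict[str, str]] = [dict(zip(_AGR_1251_COLS, r)) for r in [
    ("Z_MM_PO_DISPLAY",  "S_TCODE",    "T-ZZ000001", "TCD",   "ME23N", "",      ""),
    ("Z_MM_PO_DISPLAY",  "M_BEST_BSA", "T-ZZ000001", "ACTVT", "03",    "",      ""),
    ("Z_MM_PO_DISPLAY",  "M_BEST_BSA", "T-ZZ000001", "BSART", "*",     "",      ""),
    ("Z_MM_PO_MAINTAIN", "S_TCODE",    "T-ZZ000002", "TCD",   "ME21N", "ME23N", ""),
    ("Z_MM_PO_MAINTAIN", "S_TCODE",    "T-ZZ000002", "TCD",   "ME29N", "",      ""),
    ("Z_MM_PO_MAINTAIN", "M_BEST_BSA", "T-ZZ000002", "ACTVT", "01",    "03",    ""),
    ("Z_MM_PO_MAINTAIN", "M_BEST_BSA", "T-ZZ000002", "BSART", "NB",    "",      ""),
    ("Z_MM_PO_MAINTAIN", "M_BEST_BSA", "T-ZZ000003", "ACTVT", "*",     "",      "X"),
]]

# Constructed SoD rule for the example: creating (ME21N) and releasing (ME29N) a purchase order.
SOD_RULES: List[Tuple[str, str]] = [("ME21N", "ME29N")]


def expand_actvt(low: str, high: str) -> Set[str]:
    """Expand an ACTVT interval such as 01-03 into the individual two-digit activities."""
    if not high:
        return {low}
    return {f"{n:02d}" for n in range(int(low), int(high) + 1)}


def classify_activity(objects: Dict[str, Dict[str, Set[str]]]) -> str:
    """'display-only' when every ACTVT value is 03 (Display); 01, 02 or * make it 'maintain'."""
    actvt: Set[str] = set()
    for fields in objects.values():
        actvt |= fields.get("ACTVT", set())
    if not actvt:
        return "no ACTVT"
    return "display-only" if actvt <= {"03"} else "maintain"


def build_report(agr_tcode, agr_1251) -> Dict[str, dict]:
    """Per role: menu transactions, field values per object (deleted rows skipped), activity class."""
    report = defaultdict(lambda: {"tcodes": set(),
                                  "objects": defaultdict(lambda: defaultdict(set))})
    for row in agr_tcode:
        report[row["AGR_NAME"]]["tcodes"].add(row["TCODE"])
    for row in agr_1251:
        if row["DELETED"] == "X":
            continue
        values = report[row["AGR_NAME"]]["objects"][row["OBJECT"]][row["FIELD"]]
        if row["FIELD"] == "ACTVT":
            values |= expand_actvt(row["LOW"], row["HIGH"])
        else:
            values.add(row["LOW"] if not row["HIGH"] else f"{row['LOW']}-{row['HIGH']}")
    for data in report.values():
        data["activity"] = classify_activity(data["objects"])
    return dict(report)


def find_sod_conflicts(report: Dict[str, dict], rules) -> List[Tuple[str, str, str]]:
    """Roles whose menu contains both transactions of a conflict rule."""
    return sorted((role, a, b) for role, data in report.items()
                  for a, b in rules if {a, b} <= data["tcodes"])


if __name__ == "__main__":
    rep = build_report(AGR_TCODE, AGR_1251)
    for role, data in sorted(rep.items()):
        print(role, data["activity"], sorted(data["tcodes"]))
        for obj, fields in sorted(data["objects"].items()):
            for fld, vals in sorted(fields.items()):
                print(f"   {obj:12} {fld:6} {sorted(vals)}")
    print("SoD conflicts:", find_sod_conflicts(rep, SOD_RULES))
```

Against a real system the same logic would be fed from a download of the two tables (or an SQVI join, as the answer suggests); the DELETED filter matters because AGR_1251 keeps removed authorization lines, and reading them as live values overstates what the role grants.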
Mass role creation and addition of tcodes to role menu
Hi Folks,
We have a requirement to build thousands of single roles for an implementation. Our security matrix is ready with the role names and the list of tcodes to be embedded in each of these roles. What I would like to know is whether we can automate a part of the process of role building, i.e. the following 3 steps only.
1. Creation of the Role
2. Addition of the tcodes in the role menu
3. Save
I'm aware of eCATT/LSMW, through which we can create the roles, but I'm not sure if we can add the tcodes to the menu of the roles, since the number of tcodes to be populated in each role will vary.
Could any of you shed some light on whether it is possible to automate the addition of tcodes to the role menu, taking into consideration that each role will have a different number of tcodes to be added to the menu, and what the best possible way to achieve this is, if one exists?
Thanks in advance for your time and suggestions!
Guest...
Whilst I agree that there are probably too many roles being built here, which is more of an issue with the role design / strategy, the issue of how to easily create a role for a given list of transactions is something that SAP supports via the import menu from text file option in PFCG.
Yes you may need to write a script to cycle through all the possible role names, but we have recently had to build some roles based on actual usage, so exported transaction usage history to excel and then formatted the transactions into text files that could be imported to build the role menu.
You will still then need to ensure any authorisation objects have the correct values set - i.e. not just starred in - but as one of the pains in building a role is getting the menu to look reasonable, I'd suggest having a look at this approach.
Copy Menus -> Import from File is the function in PFCG in the menu tab for the role you are building
OSS note 389675 has details of what the text file of transactions for the menu should look like.
That should answer the question posed, rather than criticising the role design being followed. -
PFCG role creation and input from users
I know that when you create a new role and add transactions to the menu you will get some default authorization objects in the role.
After that you will need to fill out activities for transactions;
For ex: display, create, change
I also know that during testing when you run /nsu53 you will need to add some additional objects in the role.
If the user does not know which activities he/she needs, or even, for example, which order types:
OR, ZNON, KE
How can I help if the user does not know what he/she needs?
The way I'm doing this currently is by giving the user the transactions he/she needs and then have them run /nsu53 and I fix the problem.
Thanks
jo
Jo,
I have worked in situations similar to the one you describe, where the user performing the testing doesn't know which activities/values they need access to in order to contribute to productive role build/testing sessions. Some of the things I have done to help them are:
1) Educate the user on the Authorization Object and Fields. You can typically hit (F1) for more information related to the object/field.
2) Tie the object values back to actual SAP tables with data to show the user the configuration of the system and the values that are options.
3) Find someone from the process/business side who understands the requirements or has done the configuration to support the process and have an educational/testing session together.
Thanks.
Matt -
Creation of Authorization Object
Dear All,
Can anyone of you guide me on how to create Authorization Object?
My Knowledge on this concept:-
1) Mark required object as Authorization Relevant
2) Use of T-code RSSM
3) Select marked Authorization Object
4) Assign fields to it, for authorization.
That's all I know.
There are few more additional settings we need to do for it.
Request you to provide with step by step procedure for the same.
Thanks & Rgds,
Anup
Hi,
To create an authorization object:
1) Execute transaction SU21
2) Double-click an Object Class to select a class that should contain your new auth object
3) Click on CREATE (F5)
4) (If creating a custom field) Click the 'Field Maintenance' button --> Click on CREATE (Shift+F1)
5) Enter the name for the new Authorization field and the corresponding Data Element and SAVE
6) Confirm the Change Request data for the new Authorization Field
7) Go back two screens (F3-->F3)
8) Enter the Authorization field name and document the object
9) SAVE and ACTIVATE the documentation
10) Save the new Authorization Object
11) Confirm the change request data for the Authorization Object and EXIT SU21
12) Finally, the SAP_ALL profile must be re-generated
The following links will be helpful:
http://209.85.175.104/search?q=cache:BigTSV4_olEJ:www.gingle.com/glenaccess%255CsdnAuthorizationObjectsimple.docHowtocreatauthorisation+object&hl=en&ct=clnk&cd=10&gl=in
http://aroundsap.blogspot.com/2008/02/sap-bw-70bi-70-new-authorization.html
Use of T-code RSSM: through BIW Authorizations (TCode RSSM) you get the authorization check log. This gives information on missing authorizations for reading data. -
SRM 7 role mapping and authorization queries
Hi all,
We are on SRM 7.01.
Can anyone confirm the following:
When std SAP roles are copied, do all authorization objects get copied?
Also, if we need to check which authorization objects are getting called for which transaction, then how do I check this in SRM 7??
In SRM 7, the transaction cannot be run in the backend, as all the transactions under a role in PFCG are Web Dynpro applications.
Hi, if you are trying to build custom roles you have 2 options.
1. Copy the standard roles into a custom role; all authorization objects get copied. Since you are on SRM 7.01, make sure you copy the EHP1 roles, which end with the suffix *EHP1.
2. Build the role from scratch. To do this you can ask your security person to give the minimum Human Resources related authorizations to a test user ID (so that he can log on to the SRM system to start the transaction). Then switch on the security trace while you run the transaction with the test ID on the portal. Using the trace, the security member can identify the authorization objects required for the transaction. This will take a number of trials, but you have to be careful to execute every action within a particular transaction.
Hope that helps.
Regards,
Hussain -
0Orgunit(hierarchy) and authorization object display getcell error in Webi
Hello,
We are facing a GetCellData error in WebI on a SAP BEx Query.
This works perfectly fine in BEx for a particular test user who has access to a particular org unit value.
But in WebI we are getting this GetCellData error.
Tried all the options and messages as recommended in the SDN group.
mdxtest returns no value.
Looked at all the below messages but no luck.
GetCellData error in WebI to SAP BEx Query
Re: SAP BO WebI Report on top of BI Bex Query with Authorization Variable
In RSECADMIN, we get the same error as mentioned in the below message:
Hierarchy Authorization doesn't work for MDX but works for BEx Query.
Is any authorization required for this user to execute and view the authorized values in Webi?
Or do we have to assign any authorization? (0BI_ALL is not assigned.)
Please find below screenshots of the BEx query auth log and the WebI auth log (differences).
Bex auth log:
The Following Attributes Are Authorized and Thus Are Visible
0BBPPURGRPX
0BBPPURORGX
0BBP_BUYID
0BBP_ISCOMP
0BUS_AREA
0COMP_CODE
0CO_MST_AR
0CRMSALGRPX
0CRMSALOFFX
0CRMSALORGX
0CRMSRVTGRP
0CRM_SALGRP
0CRM_SALOFF
0CRM_SALORG
0CRM_SRVORG
0LEAVERS
0LOGSYS
0MAST_CCTR
0PERS_AREA
0PERS_SAREA
0PLANT
0PURCH_ORG
0PUR_GROUP
0SALESORG
0SALES_GRP
0SALES_OFF
The above log is missing from the mdxtest auth log.
Is this the issue?
Any quick response or help is really appreciated.
Regards,
Ravi
Edited by: Ravi Gadicherla on Feb 28, 2010 5:36 PM
Hi,
Here is the log of MDXtest:
Buffering the Authorization Data
Buffering for InfoProvider 0PA_C01 and Users HRTEST93
InfoObject Properties Defined
Reading of Directly Assigned Authorizations
Direct Assignment Does Not Include Universal Authorization 0BI_ALL
Reading the Indirect Assignments with Authorization Object S_RS_AUTH
Does user have OBI_ALL?
No, the User Does Not Have Universal Authorizion 0BI_ALL
Negative Entry in SU53 Result of Failed Check for 0BI_ALL
Indirect assignments found; no universal authorization
Regards,
Ravikanth -
User creations and authorizations in ECC 6
Hi,
How do I create users and authorizations? Is it necessary to give the SAP_NEW authorization to new users?
regards,
suresh
SAP_NEW automatically assigns relevant authorizations to a user in cases where there have been changes to authorizations brought in by support packages or upgrades. This enables users to carry out their tasks as before even though there may be additional authorization checks required to perform the same task. SAP_NEW only allows users to execute functions which are permitted by their assigned roles and/or authorization profiles.
To create users and roles and assign roles to users (or users to roles) you can use transaction codes:
SU01 - Create / Maintain users
SU10 - Mass user maintenance
PFCG - Create roles (which themselves can consist of other roles or authorization profiles)
Keep in mind that SAP systems are based on a "Positive Authorization Principle" meaning that a user can only perform a certain task if he is specifically assigned that authorization.
Edited by: Yiannis Petevis on Jan 27, 2009 11:24 PM