Role creation and authorization objects in sap

Similar Messages

• Role Mapper and Authorizer

  At one point I posted a forum entry and posted a solution for my entry regarding keeping the app deployments around while recreating/overwriting the domain using WLST offline. Keep App Deployments while recreating the domain in WLST offline
  Things seems to work, except that I noticed that the XACML Role Mapper and Authorizer that were created the first time around (when there is no domain folder) are getting replaced by default Role Mapper and Authorizer (on subsequent runs when the domain folder already exists and we overwrite the domain)
  Basically the first readDomain is causing this. without reading the domain, I cannot get the app list.
  System.setProperty("com.bea.cie.script.throwException","true")
  appdeps={}
  try:
    readDomain('c:/temp/basicWLSDomain')
    cd('/AppDeployments')
    apps=ls(returnMap='true')
    for app in apps:
    appdeps[app]=ls(app,returnMap='true', returnType='a')
  except:
    pass
  try:
    closeDomain()
  except:
    pass
  #=======================================================================================
  # Open a domain template.
  #=======================================================================================
  readTemplate("c:/wls11/wlserver_10.3/common/templates/domains/wls.jar")
  #=======================================================================================
  # Configure the Administration Server and SSL port.
  # To enable access by both local and remote processes, you should not set the
  # listen address for the server instance (that is, it should be left blank or not set).
  # In this case, the server instance will determine the address of the machine and
  # listen on it.
  #=======================================================================================
  cd('Servers/AdminServer')
  set('ListenAddress','')
  set('ListenPort', 7001)
  create('AdminServer','SSL')
  cd('SSL/AdminServer')
  set('Enabled', 'True')
  set('ListenPort', 7002)
  #=======================================================================================
  # Define the user password for weblogic.
  #=======================================================================================
  cd('/')
  cd('Security/base_domain/User/weblogic')
  cmo.setPassword('weblogic11g')
  #=======================================================================================
  # Create a JMS Server.
  #=======================================================================================
  cd('/')
  create('myJMSServer', 'JMSServer')
  #=======================================================================================
  # Create a JMS System resource.
  #=======================================================================================
  cd('/')
  create('myJmsSystemResource', 'JMSSystemResource')
  cd('JMSSystemResource/myJmsSystemResource/JmsResource/NO_NAME_0')
  #=======================================================================================
  # Create a JMS Queue and its subdeployment.
  #=======================================================================================
  myq=create('myQueue','Queue')
  myq.setJNDIName('jms/myqueue')
  myq.setSubDeploymentName('myQueueSubDeployment')
  cd('/')
  cd('JMSSystemResource/myJmsSystemResource')
  create('myQueueSubDeployment', 'SubDeployment')
  #=======================================================================================
  # Create and configure a JDBC Data Source, and sets the JDBC user.
  #=======================================================================================
  cd('/')
  create('myDataSource', 'JDBCSystemResource')
  cd('JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
  create('myJdbcDriverParams','JDBCDriverParams')
  cd('JDBCDriverParams/NO_NAME_0')
  set('DriverName','com.pointbase.jdbc.jdbcUniversalDriver')
  set('URL','jdbc:pointbase:server://localhost/demo')
  set('PasswordEncrypted', 'PBPUBLIC')
  set('UseXADataSourceInterface', 'false')
  create('myProps','Properties')
  cd('Properties/NO_NAME_0')
  create('user', 'Property')
  cd('Property/user')
  cmo.setValue('PBPUBLIC')
  cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
  create('myJdbcDataSourceParams','JDBCDataSourceParams')
  cd('JDBCDataSourceParams/NO_NAME_0')
  set('JNDIName', java.lang.String("myDataSource_jndi"))
  cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
  create('myJdbcConnectionPoolParams','JDBCConnectionPoolParams')
  cd('JDBCConnectionPoolParams/NO_NAME_0')
  set('TestTableName','SYSTABLES')
  #=======================================================================================
  # Target resources to the servers.
  #=======================================================================================
  cd('/')
  assign('JMSServer', 'myJMSServer', 'Target', 'AdminServer')
  assign('JMSSystemResource.SubDeployment', 'myJmsSystemResource.myQueueSubDeployment', 'Target', 'myJMSServer')
  assign('JDBCSystemResource', 'myDataSource', 'Target', 'AdminServer')
  #=======================================================================================
  # Write the domain and close the domain template.
  #=======================================================================================
  setOption('OverwriteDomain', 'true')
  setOption('CreateStartMenu', 'false')
  writeDomain('c:/temp/basicWLSDomain')
  closeTemplate()
  #=======================================================================================
  # Exit WLST.
  #=======================================================================================
  exit()
  So I thought I will create the XACML Authorizer and Role Mapper myself instead of letting the default domain creation process do it. but that is resulting in duplicates on the first run (when the domain folder does not exist) and in the subsequent runs (when the domain folder already exists), I see one XACML and one default.
  cd('/')
  create('base_domain', 'SecurityConfiguration')
  cd('SecurityConfiguration/base_domain/Realm/myrealm')
  ls('a')
  create('XACMLAuthorizer', 'weblogic.security.providers.xacml.authorization.XACMLAuthorizer','Authorizer')
  create('XACMLRoleMapper', 'weblogic.security.providers.xacml.authorization.XACMLRoleMapper','RoleMapper')
  I am going no where with Oracle Support. I am wondering if anyone ran into this before.

  com.oracle.cie.config-wls-schema_10.3.6.0.jar has various SecurityConfiguration XML fragments and the wrong fragment is being used when the domain is recreated.
  I am thinking it is a logic issue in domain creation.

• BAPI for creation of Authorization Objects in BI 7.0

  Hi BW Gurus,
  Greetings!!!
  Is there any BAPI Available for creation of Authorization Objects in BI 7.0.
  The data will be transferred through flatfiles.
  Kindly provide me the info as earliest as possible.
  Best Regards,
  Priya

  Got the Workaround...
  Priya

• Use of default XACML with custom role mapper and authorization provider

  Hi,
  Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
  My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
  Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?

  I see 2 approaches. First, write a custom authenticator that stores the role information in the subject either by creating a custom java.security.Principal that is stored in the Subject or by saving it in PrivateCredentials of the Subject. Then right a custom role mapper that knows how to get the role information from the Subject and return a role Map. The default XACML Authorizer will then work with the role information in the role map.
  Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
  The chosen approach depends on where you're getting the role information from.

• Which are client independent and dependent objects in SAP ABAP

  which are client independent and dependent objects in SAP ABAP

  Hello Jagrut
  A special kind of objects are client-<u>dependent </u>repository objects. These objects have to be treated specially in the way that they have to be imported into their specific target client. In contrast, client-independent repository objects can be imported into any client.
  The following list shows the client-dependent repository objects:
  LIMU     FSEL     Field Selection
  LIMU     VARI     Report Program System Variant
  R3TR     COC1     CO: Cost Centers
  R3TR     COC2     CO: Activity Types
  R3TR     FORM     SAPscript form
  R3TR     LODS     HRDSYS: Logical information object client-dep. table E SYST
  R3TR     PCYS     HR: Transport standard personnel calculation rules
  R3TR     PHDS     HRDSYS: physical information object client-dep. table E SYST
  R3TR     SBNL     Logical Information Object for BDS
  R3TR     SBNP     Logical Information Object for BDS
  R3TR     SBNR     BDS: Relationship Between Information Objects
  R3TR     SBPL     Logical Information Object for BDS: Bid Invitation
  R3TR     SBPP     Physical Information Object for BDS
  R3TR     SBPR     BDS: Relationship Between Information Objects
  R3TR     SBRL     Logical Information Object for BDS
  R3TR     SBRP     Physical Information Object
  R3TR     SBRR     BDS: Relationship Between Information Objects
  R3TR     SBSL     Logical Information Object for BDS
  R3TR     SBSP     Physical Information Object
  R3TR     SBSR     BDS: Relationship Between Information Objects
  R3TR     SBTL     Logical Information Object for BDS
  R3TR     SBTP     Physical Information Object
  R3TR     SBTR     BDS: Relationship Between Information Objects
  R3TR     SBWL     Logical information object for BDS
  R3TR     SBWP     Logical information object for BDS
  R3TR     SBWR     BDS: Relationship between information objects
  R3TR     SRHL     SRM: Hierarchical Lists
  R3TR     SRLD     Language-Dependent Client-Specific Retrieval Index Objekt
  R3TR     STYL     SAPscript Style
  Regards
    Uwe

• Problem while loading texts and authorization objects file in RAR

  Hi all,
         i am getting internet explorer error while loading the texts and authorization objects text files in RAR .actually we uploaded rule file before this,does this step causes any error ?if so how to resolve this error.do i need to remove all rules/risks and then load text and authorization files? is there any shortcut to renove all risks generated in one shot? please reply me soon to resolve this.
  Thanks,
  Joseph.

  Hi Joseph,
  Please make sure to convert both the files in UTF-8 encoding format and then try to upload the files again. This should resolve the issue and if not then please paste the logs here.
  Regards
  Harleen

• Idm-Vaau Rbac role creations and mapping

  Hi All,
  I'm working on the integration between Idm and Vaau's Rbacx (role based access control) tool for role creation and provisioning...I've imported the spml.xml and SPMLGetObjectsform.xml into Idm for the SPML calls between Rbacx and Idm.
  The challenge I'm facing is mapping the attributes of Rbacx roles to enable the attributes to be populated in Idm...I'm able to export roles into Idm, but they are not populating with any attributes eg. resource type, resource attribute etc. I'm uncertain as to where I have to map these properties and do any customization for this to work. I would appreciate if anyone who has worked on this or know how to do this, to pls give me some pointers/share your experience. I don't have any documentation to refer to and am doing everything on trial and error basis.
  Any help is greatly appreciated!
  Thank you.

  Hi newbie,
  Were you able to solve this issue? I am facing the same problem while assigning resource attributes for a created role using a custom workflow.
  This is where I set the resource attributes in my workflow:
  <Action id='1'>
  <expression>
       <block trace='true'>
       <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].valueType</s><ref>ADGroupsValueType</ref></set>
       <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].requirement</s><ref>ADGroupsRequirement</ref></set>
       <append><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].value</s><ref>ADGroupsValue</ref></append>
       </block>
  </expression>
  </Action>
  where <ref>ADGroupsValue</ref> contains the attribute value.
  thanks,
  Lokesh

• Authorization object in SAP BI Role

  Hi,
  Currently we had a Z roles in BI that will
  When a power user logins in Query Designer on the Info area tab/button user can access any data target to create a query
  But my requirement is to create a role
  Created a Analysis Authorisation object (S_RS_AUTH) in RECADMIN with the list of all infoproviders that user can access
  How can i create a role so that when user logins in Query Designer on the Info area tab/button user can access only data target  he is authorised to view ( which is maintained in analysis authorization object)  to create a query
  Thanks

  Hi Maxi,
  Creae a zrole and add auth objects and maintain s_rfc and s_tocde
  add s_bds_d,s_bds_ds, s_oc_send with * as auth.
  Now create a zzauth object with required infoproviders  and add this in S_RS_AUTH.
  add on these and give required auth s_rs_comp,s_rs_comp1,s_rs_icube

• SoD Analysis , tables to relate roles, transactions and auth objects

  Hi everyone,
  I am analyzing my company SAP roles in terms of segregation of duties, however I having a problem.
  I need a table/report to give me for each role, every transactions and for each transaction in the role every authorization objects.
  For example I want to know for Role B that have transaction C which have the follow authorization object D with values X and Y.
  Therefore I want to know for each role and respective transactions which are only display or/and execute or/and editable. How can I do that?
  Thanks!

  Hi,
  There is no default report/table which gives you the required information. However, you can achieve this by using SQVI. Join the tables, and create a tcode for the same. Refer the below link:
  Re: SAP Query in SQVI transaction
  Alternatively, you can download all the data into spreadsheet and create Pivots to plot the information.
  The other alternative is to have a custom program built which takes the information from AGR_DEFINE, AGR_AGRS, AGR_1251, AGR_1252, AGR_TCODE tables.
  Hope this helps!!
  Regards,
  Raghu

• Mass role creation and addition of tcodes to role menu

  Hi Folks,
  We've a requirement of building 1000's of single roles for an implementation. Our security matrix is ready with the role names and the list of tcodes to be embedded in each of these roles. What I would like to know is if we can automate a part of the process of role building i.e the following 3 steps only.
  1. Creation of the Role
  2. Addition of the tcodes in the role menu
  3. Save
  I'm aware of Ecatt/LSMW through which we can create the roles but i'm not sure if we can add the tcodes to the menu of the roles since the number of tcodes to be populated in each role will vary.
  Could anyone of you shed some light if it is possible to automate the addition of  tcodes to the role menu taking into consideration that each role will have different number of tcodes to be added to the menu and what's the best possible way to achieve this if there exists one.
  Thanks in advance for your time and suggestions!
  Guest...

  Whilst I agree that there are probably too many roles being built here, which is more of an issue with the role design / strategy, the issue of how to easily create a role for a given list of transactions is something that SAP supports via the import menu from text file option in PFCG.
  Yes you may need to write a script to cycle through all the possible role names, but we have recently had to build some roles based on actual usage, so exported transaction usage history to excel and then formatted the transactions into text files that could be imported to build the role menu.
  You will still then need to ensure any object authorisation object have the correct values set - i.e. not just starred in - but as one of the pains in build a role is getting the menu to look reasonable, I'd suggest having a look at this approach.
  Copy Menus -> Import from File is the function in PFCG in the menu tab for the role you are building
  OSS note 389675 has details of what the text file of transactions for the menu should look like.
  That should answer the question posed, rather than criticising the role design being followed.

• PFCG role creation and input from users

  I know that when you create a new role and add transactions to the menu you will get some default authorization objects in the role.
  After that you will need to fill out activities for transactions;
  For ex: display, create, change
  I also know that during testing when you run /nsu53 you will need to add some additional objects in the role.
  If the user does not know which activites he/she need or even for example for order types
  OR, ZNON, KE
  How can i help if the user does not know what he/she needs.
  The way I'm doing this currently is by giving the user the transactions he/she needs and then have them run /nsu53 and I fix the problem.
  Thanks
  jo

  Jo,
  As I have worked in situtations similar to the one you describe where the user performing the testing doesnt know which activites/values they need access to contribute to productive role build/testing sessions. Some of the things I have done to help them are:
  1) Educate the user on the Authorization Object and Fields. You can typucally hit (F1) for more information related to the object/field.
  2) Tie the object values back to actual SAP Tables with data to show user configuration of the system and values that are options.
  3) Find someone from the process/business side who understands the requirments or has done the configuration to support the process and have an educational/testing session together.
  Thanks.
  Matt

• Creation of Authorization Object

  Dear All,
  Can anyone of you guide me on how to create Authorization Object?
  My Knowledge on this concept:-
  1) Mark required object as Authorization Relevant
  2) Use of T-code RSSM
  3) Select marked Authorization Object
  4) Assign fields to it, for authorization.
  thats all i know.
  There are few more additional settings we need to do for it.
  Request you to provide with step by step procedure for the same.
  Thanks & Rgds,
  Anup

  hi
  To create an authorization object:
  1) Execute transaction SU21
  2) Double-click an Object Class to select a class that should contain
  your new auth object
  3) Click on CREATE (F5)
  4) (If creating custom field) - Click the 'Field Maintenance' button -->
  Click on CREATE (Shift+F1)
  5) Enter the Name for the New Authorization field and the corresponding
  Data Element and SAVE
  6) Confirm the Change Request data for the new Authorization Field
  7) Go back two screens (F3-->F3)
  8) Enter the Authorization field name and document the object:
  9) SAVE and ACTIVATE the documentation
  10) Save the new Authorization Object
  11) Confirm the change request data for the Authorization Object and
  EXIT SU21
  12) Finally, the SAP_ALL profile must be re-generated
  the following link will be helpful
  http://209.85.175.104/search?q=cache:BigTSV4_olEJ:www.gingle.com/glenaccess%255CsdnAuthorizationObjectsimple.docHowtocreatauthorisation+object&hl=en&ct=clnk&cd=10&gl=in
  http://aroundsap.blogspot.com/2008/02/sap-bw-70bi-70-new-authorization.html
  Use of T-code RSSM
  Through BIW Authorizations (TCode RSSM)
  Authorization check log. This gives information on
  missing authorizations for reading data.

• SRM 7 role mapping and authorization queries

  Hi all,
  We are on SRM 7.01.
  Can anyone confirm the folllowing:
  When std SAP roles are copied then does all authorization obejcts get copied ?
  Also if we need to check which authorization objects are getting called for which transaction then how do I check this in SRM 7??In SRM 7,the transaction cannot be run in backend as all the transactions under a role in PFCG are Web dynpro applications.

  Hi If you are trying to build custom roles you have 2 options.
  1. Copy the standard roles into a custom role, all authorization objects get copied. Since you are on SRM 7.01 make sure you copy the EHP1 roles which end with suffix *EHP1.
  2. Build role from scratch. To do this you can ask your security person to give the minimum Human resource related authorizations to a test user ID (so that he can logon into SRM system to start transaction). Then Switch on the security trace while you run the transaction with the test ID on portal. Using the trace the security member can identify the required authorization objects required for the transaction. this will take a number of trial but you have to be careful to execute every action within a particular transaction.
  Hope that helps.
  Regards,
  Hussain

• 0Orgunit(hierarchy) and authorization object display getcell error in Webi

  Hello,
           We are facing with GetCellData error in WebI to SAP BEx Query.
           This works perfectly fine in Bex for a particular test user who has access to particular org unit value.
           But in Webi we are getting this Getcelldata error.
          Tried all the options and message as recommended in sdn group.
          mdxtest returns no value.
          looked at all below messages but no luck.
  GetCellData error in WebI to SAP BEx Query
  Re: SAP BO WebI Report on top of BI Bex Query with Authorization Variable
  in the rsecadmin, we get the same error like mentioned in below message
  Hierarchy Authorization doesn't work for MDX but works for BEx Query.
  Is any authorization required for this user to execute and view the authorized values in Webi?
  or we have to assign any authorization ?(0BI_ALL is not assigned).
  Please find below screenshots of BEx query auth log or Webi auth log (differences)
  Bex auth log:
  The Following Attributes Are Authorized and Thus Are Visible
  0BBPPURGRPX
  0BBPPURORGX
  0BBP_BUYID
  0BBP_ISCOMP
  0BUS_AREA
  0COMP_CODE
  0CO_MST_AR
  0CRMSALGRPX
  0CRMSALOFFX
  0CRMSALORGX
  0CRMSRVTGRP
  0CRM_SALGRP
  0CRM_SALOFF
  0CRM_SALORG
  0CRM_SRVORG
  0LEAVERS
  0LOGSYS
  0MAST_CCTR
  0PERS_AREA
  0PERS_SAREA
  0PLANT
  0PURCH_ORG
  0PUR_GROUP
  0SALESORG
  0SALES_GRP
  0SALES_OFF
  This above log is missing for mdxtest auth log.
  Is this the issue?
  Any quick reponse or help really appreciated.
  Regards,
  Ravi
  Edited by: Ravi Gadicherla on Feb 28, 2010 5:36 PM

  Hi,
      Here is the log of MDXtest:
  Buffering the Authorization Data  
    Buffering for InfoProvider 0PA_C01 and Users HRTEST93  
  InfoObject Properties Defined
  Reading of Directly Assigned Authorizations
  Direct Assignment Does Not Include Universal Authorization 0BI_ALL
  Reading the Indirect Assignments with Authorization Object S_RS_AUTH
  Does user have OBI_ALL?
  No, the User Does Not Have Universal Authorizion 0BI_ALL
  Negative Entry in SU53 Result of Failed Check for 0BI_ALL
  Indirect assignments found; no universal authorization
  Regards,
  Ravikanth

• User creations and authorizations in ECC 6

  Hi,
       how to create users and authorizations? is it necessary to give authorization of SAP_NEW  to  new users?
  regards,
  suresh

  SAP_NEW automatically assigns relevant authorizations to a user in cases where there have been changes to authorizations brought in by support packages or upgrades.  This enables users to carry out their tasks as before even though there may be additional authorization checks required to perform the same task.  SAP_NEW only allows users to execute functions which are permitted by their assigned roles and/or authorization profiles.
  To create users and roles and assign roles to users (or users to roles) you can use transaction codes:
  SU01 - Create / Maintain users
  SU10 - Mass user maintenance
  PFCG - Create roles (which themselves can consist of other roles or authorization profiles)
  Keep in mind that SAP systems are based on a "Positive Authorization Principle" meaning that a user can only perform a certain task if he is specifically assigned that authorization.
  Edited by: Yiannis Petevis on Jan 27, 2009 11:24 PM