Role design issue regarding SU01 and UserGroups

Hi Experts,
I got a requirement to set up a custom role regarding SU01 access and user groups: create a role that allows users with this role to go to SU01 but only lock/unlock accounts or reset passwords. They should also be able to do this only for their particular group, not for all groups.
Consider a scenario: we have 2 groups called India with 4 members and America with 5 members. The admin of the India group can only restrict those 4 people and should not have access to users of the America group.
I tried this: I created a role with one tcode, SU01, in the Menu tab and the fields Activity: 05, Group Name: Test_group for the S_USER_GRP object. I then assigned this role to a user (TEST1) and also entered the group name in the Logon tab, so he will be the admin for group "Test_Group". This way he is able to lock/unlock accounts and reset passwords for members of all groups, not only for Test_Group. I do not understand where I am making the mistake.
Please help me out to solve this issue.
Thanks in advance.

As you suggested, I have created a role with only one tcode, SU01, and for S_USER_GRP I have given the following:
Activity: 05
Group name: Test_Group
and assigned this to user (Test1).
We have other groups like Test_Group1, Test_Group2 etc. But user (Test1) is still able to make changes for Test_Group1 and T_Group2 rather than Test_Group.

Similar Messages

  • Role creation: SAP ALL with SU01 and PFCG in display only

    hi all,
    I am looking for the easiest way to create a "SAP ALL"-like role with SU01 and PFCG in display only.
    I found several solutions, which sound very complicated.
    Thank you in advance,
    Julien

    Hi,
    As per your query, there is no SAP profile that gives display authorisation; for this you have to create a new profile module-wise and assign it to the user.
    Anil

  • Are there design issues in declined payments and Family Sharing?

    In Family Sharing, the Organizer is responsible for billing.  If a purchase fails due to a billing issue, the unpaid balance causes all iTunes to become inaccessible until corrected.  The Organizer is not able to identify the cause and Apple recommends "logging in with other members accounts" to resolve the unpaid balance.  Further, you must verify the billing information via the Organizer card security CVV code through the other members account.
    Is Apple advocating sharing passwords given the need to "see member purchases"?  This seems odd because you are sharing the purchases.
    If purchases are billed to the Organizers account, why are they unable to correct an issue within the family?
    Is this the best Apple can offer?

    I did see your other thread, but kept away from it because it seemed to be getting a bit heated. Some points I did notice:
    People suggested that a design involving "thousands" of entities must be bad. This is neither true nor unusual. An EBS database may have fifty to a hundred thousand entities, no problem. It is not good or bad, just necessary.
    The discussion of "how many partitions" got stuck on whether Oracle really can support thousands of partitions per table. Of course it can - though you may find case studies that if you go over twenty or thirty thousand for a table, performance may degrade (shared pool issues, if I remember correctly).
    There was discussion of how many partitions anyone needs, with people suggesting "not many". Well, if you range partition per hour with 16 hash sub-partitions (not unreasonable in, for example, a telephone system) you have 384 per day which build up quite quickly unless you merge them.
    Your own situation has never been fully defined. A few hundred million rows in a few TB is not unusual at all. But when you say "I don't have a specific problem to solve" alarm bells ring: you are trying to solve a problem that does not exist? If you get partitioning right, the benefits can be huge; get it wrong, and it can be a disaster. Don't do it just because you can.  You need to identify a problem and prove, mathematically, that your chosen partitioning strategy will fix it.
    John Watson
    Oracle Certified Master DBA

  • Need design issue help regarding database access..

    I have a web application running on Tomcat that will have access to a database connection pool. I have found a free Java API that provides connection pooling. The code I will be using is:
    ConnectionPool pool = new ConnectionPool("local",
         10,
         30,
         180000, // milliseconds
         url,
         "b_lightyear",
         "BeyondInfinity");
    pool.getConnection();
    I need to put the above code somewhere where all my beans and classes can access it easily. I thought I would create a static class called DBConnector and have a getConnection() method to return a connection from the pool. However, I would want the DBConnector class to be initialised on Tomcat startup so that the database pool can be initialised then. I don't see how I can do this. I know I can make a servlet initialised on Tomcat startup, but if I put the above code in a servlet, how will I access it in my beans and Java classes? I won't have the request and response objects available.
    Discuss.

    You should not need to 'control' access to the pool via a static method. The pool itself is probably implemented as a Singleton anyway. BTW, what pool are you using? DBCP from Jakarta is popular, stable and free.
    You use the Servlet's init() method for startup tasks and its destroy() method for clean-up tasks. Initialize your pool in the init() method of your Servlet. Simple. Just make sure you don't declare instance variables in your Servlet, can lead to thread-safety issues.
    BTW, love the Toy Story allusion! :^)
    - Saish

  • Issue : Info Regarding Apparel and Footwear Solution

    hi,
    In India, which companies have implemented AFS (Apparel and Footwear Solution) in their organization?
    Regards
    Edited by: Sikindar on May 28, 2010 4:04 PM

    Nestlé, Kraft, Unilever, and Procter & Gamble

  • Role Design Strategy

    Hi All,
    Any insights are greatly appreciated
    I am a strong believer that SAP Security role design strategy should be simple and easy to manage with single roles rather than having composites. At the current client, I tried to sell this idea and tried to avoid composite role design because of problems I have seen after go-live (SODs, maintenance issues, problem analysis effort).
    For some inexplicable reasons, I did not succeed completely; now we are building roles with 3 tiers: the 1st tier being a common access role (single), the second being display (single), and the 3rd tier a composite role for each job function, having a combination of different task-based process roles. This is an n+1 implementation with a global roll-out followed by individual markets. There will be another tier of roles developed on a need basis during the blueprint of different market roll-outs.
    Can anyone give me inputs on whether this kind of composite approach combined with 3 tiers has been used and what the potential nightmares after go-live will be?
    Thanks in Advance

    I would suggest that it will depend quite a bit upon the business requirements, but a lot more on how many staff there are; potentially on how many roles would end up being created.
    However, when I set up our roles, I used only single roles (no composite) and that has worked well (150+ users at the moment, more to be added later, possibly up to 450). There is an argument for saying that we could easily switch to composite roles now, but we still get quite a bit of role movement and keeping them as single roles has proven to be better. Perhaps in a few years if it settles down we may then look at it again.
    Our roles are based upon job function, but in some cases, we have a "clerk", "supervisor", & "manager" role. The user in the supervisor function would have both "clerk" and "supervisor" role, but not manager. We also have some generic roles e.g. "purchase requisition" which are used by a larger number of people. This allows the specific items to be managed in one role rather than in say 8 or 10 roles.
    Each role can then have different t-codes or authorisations; as they are cumulative, that gives the required access to do the job. It's also fairly easy to test that the role is working as we want it to do.
    It took a while to get it right, but now it seems to be working really well for us. Moving people between job functions is really straight forward and easy to do. It's also very easy to add new users and will prove to be very easy as the new staff get added over the next few years.
    I would suggest that the old axiom is true; the more work you do at the beginning, the less you will have to do afterwards.
    Regards
    Tony

  • Route Reflectors Design issue

    Hi,
    I am having this design issue with route reflectors and could use some help.
    I have 18 routers fully meshed in an MP-iBGP session and I am going to introduce route reflectors into the network to minimize the total number of TCP sessions.
    My problem is that some of these routers have outbound policies with one another. For example, I have a route map on router 1 affecting only router 2 and would like to keep it this way.
    Is there any way to do that through route reflectors?
    Thank you
    Hadi

    Hi Riccardo,
    I have 18 routers in a full MP-iBGP mesh topology. Some pairs of these routers have the following policy:
    I have a route-map matching on Route Targets and I am setting the next hop to be different from the rest of the RT for that site.
    This way, the prefixes originating from site A, for example, will reach site B with different next hops depending on how I set it in my route-map.
    These policies are only between pairs of routers, i.e. router#1 needs only to affect router#2.
    How can I achieve this using RRs?
    Thank you
    Hadi

  • Need Role Design for Oil and Gas industry

    Hi All,
    I have a requirement of designing roles for the Oil and Gas industry. Could anyone share some material/link or overview on the same?
    If not all, Role Design on UOM is also fine.
    regards
    Plaban

    Hi Mythily,
    If you already know something about exploration of oil, then you will find PRA (production and revenue accounting) interesting. This module deals with exploration of oil and gas and then distributing the revenue to owners.
    You can find detailed information in help.sap.com. Follow the link given below for PRA help:
    http://help.sap.com/saphelp_oil46csp2/helpdata/en/ec/9d2c3adcc8431be10000000a114084/frameset.htm
    Reading some of the material will give you more clarity whether you like it or not.
    And it is perfectly fine to have ABAP knowledge, that will help in going deep into Oil and gas.
    Rgds,
    Abhishek

  • SAP GRC - ERM - Role update issue - Business Process and Subprocess

    Hello Friends:
    We are NOT currently maintaining Business processes or sub processes in GRC 5.3 for all roles. We don't want to maintain them in GRC 10 when we upload the roles. These 2 fields are Mandatory in GRC 10.0 - Can we make them NOT mandatory and leave them blank?? Currently we are facing some issues in uploading the roles
    Please advise.
    Regards
    Ashish

    Dear Ameet:
    I just dislike the idea where SAP has made options for Business Process and Subprocess columns mandatory in uploading the roles as well from backend.
    I am NOT using BRM, but still need to upload the roles for SAP to recognize them to be assigned to the users in GRC 10.0
    I was facing the issues in uploading the roles initially, but now I have made it simple - just assign all the roles without the information of being FI or SD or MM - to IT00 business process and sub process. So, all the roles are now uploaded to the system. I was just curious to know if they can be made non-mandatory fields by any settings.
    But anyways, thanks for your input.
    Regards
    Ashish Desai

  • Stopping of assignment of duplicate role in SU01 and same user in PFCG.

    Hello Experts,
    I have a requirement, wherein I have to restrict assignment of duplicate roles in the user master (SU01) also I should not be able to assign same users twice in the user tab in PFCG.
    Please advise...Thanks in advance.
    Best Regds,
    Suyog Chakot...

    Hi Suyog,
    There are two ways to do it:
    1 - PRGN_COMPRESS_TIMES
    2 - SSM_CUST .
    PRGN_COMPRESS_TIMES has its own limitation, it works perfect in Non-CUA landscape while have lot of issues in R/3 CUA landscape.
    SSM_CUST is universal and I guess it can be used in all landscapes, CUA as well as non-CUA. Let us know if you need any more information on this.
    Just search with these two key words and I am sure you will get your reply.
    Edited by: sap.sec.akshay on Dec 30, 2009 6:55 PM

  • Job role design - transaction role and auth object role

    Hi all, please kindly comment following job role design:
    (1) transaction role:
    Keep transactions in single job role to represent business processes in different application areas, e.g.MM: maintain PR, PO, OA.   CO: maintain cost center, internal order   HR: maintain org structure, personnel management.
    The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
    (2) authorization role
    Keep application component related authorization objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role.  Objects of HR in HR role.
    Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role.;....
    User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
    with MM transaction role + company A MM role + company A CO role.
    Please let me know the pros and cons of above design.  Thanks.
    Regards,
    Donald
    * I can see the disadvantage of this design is during SAP upgrade (SU25), revised of authorization object will not reflect in authorization role

    Brent Van Dyck wrote:
    Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
    That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
    In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
    But splitting cube / characteristics / key figures  or infotype / personnel group / auth code into different roles can only go wrong.
    Another mistake some "value role experts" sometimes make is that they don't want SU24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side effect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
    Cheers,
    Julius

  • SOA Design issues and other politics

    Hi all,
    I have a requirement for live data feed from external system. I am using SOA11g and JDeveloper 11g. There are two designs, one proposed and other I have in mind to achieve this.
    1) The external system sends XML data in a push model to the exposed SOA Web Service (uses one-way messaging mode) at my end. I then store the message in the database
    a) In this design how do we keep track of all messages that are sent are received. Is there a better solution.
    2) The third party is proposing a Web Service at their end. The application being real-time (i.e. any changes at their DB end, i.e. some DB tables, should be propagated across to our web services using XML messages), I will have to keep sending XML requests on a regular basis (say every 5 seconds). Can I achieve such a type of Web Service client using SOA 11g?
    a) Here I have a design issue: given that the data feed is live, why does the WS client have to keep sending requests at regular intervals? Why can't the third party send data whenever there is an update/insert at their database end? The third party is coming up with advantages like loose coupling and making the Web Service more generic. I doubt all the claims given that the applications are B2B and we are the other ones who will be using their web services for the time being. There may be two other organizations later on.
    b) If the first request has not yet returned, will the second request after 5 seconds be blocked?
    These designs and solutions are becoming quite political across organizations, and have to do with who will take the blame for data issues. I just want a proper SOA design for a live data feed. Please suggest the advantages and disadvantages of both if anybody has been through this path.
    Thanks
    Edited by: user5108636 on 1/09/2010 18:19

    See if wireless isolation is enabled.
    When logged into your WRT1900AC using local access replace the end of the browser URL with:
    /dynamic/advanced-wireless.html
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • Assign biz role through CRM -SU01 and display page at portal

    HI, SDN Fellows.
    I am creating some custom portal roles at portal and mapped it to the custom business roles for some PCUI screens at crmc_blueprint_c --> "Assign Portal Role to Single Role" ("Assignment of CRM Role to Portal Role").
    Currently, our portal UME data source is mapped to CRM system.
    Right now, I have to assign both the CRM Role through SU01(to have access the CRM Object Method at CRM-PCUI application) and Portal Role through User Admin of WAS/portal (to access/display the PCUI iView in the portal).
    My goal is to just assign role through CRM-SU01 and achieve the same output as I described above. Meaning can I just do the role assignment for the CRM role (through SU01) and able to access to the CRM-PCUI application through portal (able to see the pcui screen)?
    Thanks,
    Kent

    What I want is when I assign a role (Sales Manager) said user A in CRM system, userA should able to see the related workset/page/iviews in the portal (without the need to assign the same: Sales Manager role in portal).
    Now, what I have to do is assign the related objects into a single/composite roles in CRM (for backend data access), then I have to assign a portal role (through User Admin of Portal, so that they can see the portal content),
    Is there a way we can do it in one step?
    Thanks,
    Kent

  • SPM Detailed Role level Reports don't show and other minor usage issues

    We have successfully installed SPM on our DEV and QA boxes and are trying to test our reporting.  We have setup role based firefighter and have got it to work on the ABAP side as well as on the Java side.  However, when I go to the Role Reports in the web UI for SPM, and I run the Log Report, I have a problem.
    The Log Report pulls the role firefighter data from the backend and displays it.  There is an icon at the top right called "Display Detailed Reports", and upon clicking it, it tells me there's no match or conflict found.
    However if I go into the firefighter tcode and then look at the same logs, there is a little more detail which I'd have expected to see in the web based detail report.
    Do you know what I'm missing?  I already checked the trace for any auth failures, and there is no auth failure.
    Thanks,
    Santosh

    Santosh,
    Which traces have you run? I have a few similar issues which may benefit from running a trace.
    The only other authorisations I would check is that the RFC / Connector user has the authorisations to be full logs in both the backend and web versions.
    Simon

  • Need Help Regarding Users and Roles

    Hi,
    I have created a role with password authentication, and in that role only an object privilege (SELECT TABLE) and a system privilege (CREATE SESSION).
    Then I created a user named abbasi, added the above role to it and made that role its default role.
    Now when I connect as the above user from SQL*Plus, it connects.
    I want to know, since there is password authentication, why during the session the database server does not authenticate for the role password.
    Actually I want to know the real usage of a password-authenticated role.
    Regards.
    D.abbasi

    See the following demo
    SQL> conn aman/aman
    Connected.
    SQL> create user test identified by test;
    User created.
    SQL> create role test_role ;
    Role created.
    SQL> grant create session to test_role;
    Grant succeeded.
    SQL> create role dangerous identified by danger;
    Role created.
    SQL> grant drop any table to dangerous;
    Grant succeeded.
    SQL> grant dangerous, test_role to test;
    Grant succeeded.
    SQL> alter user test default role test_role;
    User altered.
    SQL> conn test/test
    Connected.
    SQL> select * from session_roles;
    ROLE
    TEST_ROLE
    SQL> select * from session_privs;
    PRIVILEGE
    CREATE SESSION
    SQL> set role dangerous;
    set role dangerous
    ERROR at line 1:
    ORA-01979: missing or invalid password for role 'DANGEROUS'
    SQL> set role dangerous identified by danger;
    Role set.
    SQL> select * from session_roles;
    ROLE
    DANGEROUS
    SQL> select * from session_privs;
    PRIVILEGE
    DROP ANY TABLE
    You should not make the roles having the passwords as the default roles. Let them be there but not as the default roles. These roles can be enabled by the end user when he needs that. In my example, I have made a user TEST and two roles, TEST_ROLE and DANGEROUS. DANGEROUS is password protected and contains the privilege DROP ANY TABLE. I have made TEST_ROLE the default role for the user and it becomes active. But for DANGEROUS, I need to supply the password. If I don't, I get an error like I have shown in the example.
    HTH
    Aman....
