Role maintenance
Hello Experts,
In BP creation, when I maintain the role Sold-to-party, the system automatically maintains the other roles like Ship-to-party, Bill-to-party, Payer etc.
Like that, for example, I create the roles called R1, R2, R3.
If I select the role R1, the remaining roles are also maintained automatically.
Please help me with how to configure this.
Thanks
Hello Anwer,
It depends. If the requirement is that only one set of users should create customers for one plant, another set should be able to change and another set should be able to only display, then 24 roles are needed.
However, I think you can also club create/change and display into single roles, thus creating 8 roles, and then create 8 more roles just for display. Thus the total will be 16. I don't think auditors mind too much if people who have create authorizations also have change authorizations.
Regards.
Ruchit.
Similar Messages
-
RFC- Bapi - For Role Maintenance (Single and Composite)
We are in the process of developing an ASP.NET web application which will be used to raise requests for user and role creations in SAP.
We will be making use of Sonic ESB to update SAP through IWAY SAP adapter.
IWAY SAP adapter supports RFCs, Bapis & IDocs.
We are aware of RFCs that could be used for user creation, updating and deletion.
We have NOT come across any RFCs or Bapis for role maintenance.
1) We would need RFCs for the following requirements:
1) To create a new role (single or composite role). Creating a new role would include adding transactions to a role, deriving from an existing role or assigning more than one role to another role.
2) To update a role
3) To delete a role.
4) To get the details of an existing role
If there are no RFCs for the above requirement, will we need to create a custom RFC?
If we need to create a custom RFC, are there any transactions already available for the above requirements so that we could write a RFC wrapper?
2) Are there any RFCs that would give us the complete list of roles (single or composite) in an SAP system?
3) Are there any RFCs that would give us the complete list of transactions in an SAP system?
Presently for 2) & 3), we are making use of RFC_READ_TABLE to read SAP tables to get the list of roles and transactions.
Thanks for your answers
Hi,
Check these FMs; I don't know whether they will work for you or not.
BAPI_USER_ACTGROUPS_ASSIGN User: Change entire activity group assignment
BAPI_USER_ACTGROUPS_DELETE User: Delete entire activity group assignment
BAPI_USER_CHANGE Change User
BAPI_USER_CLONE Create User with Template in Another System
BAPI_USER_CREATE
BAPI_USER_CREATE1 Create a User
BAPI_USER_DELETE BAPI to Delete a User
BAPI_USER_DISPLAY Display Users
BAPI_USER_EXISTENCE_CHECK Check a user exists
BAPI_USER_GETLIST Search for Users
BAPI_USER_GET_DETAIL Read User Details
BAPI_USER_INTERNET_CREATE Create a user in the Internet
BAPI_USER_LOCACTGROUPS_ASSIGN Change Activity Group Assignment for Dependent Systems from Central Sy
BAPI_USER_LOCACTGROUPS_DELETE Delete Activity Group Assignments in the Dependent Systems
BAPI_USER_LOCACTGROUPS_READ Change Activity Group Assignment for Dependent Systems from Central Sy
BAPI_USER_LOCK Lock User
BAPI_USER_LOCPROFILES_ASSIGN Change Profile Assignment for Dependent Systems from Central System
BAPI_USER_LOCPROFILES_DELETE Delete Profile Assignments for Dependent Systems
BAPI_USER_LOCPROFILES_READ Change Activity Group Assignment for Dependent Systems from Central Sy
BAPI_USER_PROFILES_ASSIGN User: Assign profiles
BAPI_USER_PROFILES_DELETE User: Delete All Profile Assignments
BAPI_USER_UNLOCK Unlock user
Reward points if useful..
Regards
Nilesh
Hi Nicole,
I think you are in the wrong forum.... For Guided Procedures, this is only about process roles and not roles used in the ABAP Stack.
Best regards,
David
-
How do we create role maintenance
Hi gurus,
How do we create user role maintenance? Could anyone give me a step-by-step procedure? It will be helpful for me.
Thanks in advance
Hello,
The roles for the users are normally created by BASIS with transaction PFCG. If you want more details about the stepwise procedure, please post the thread in the BASIS forum.
Prase
-
Create folder from role maintenance
Hi,
How can I create a folder with the name of my choice from role maintenance? I see the Role Menu from the Menu tab, but I don't see the paper icon to create a folder.
Thanks
I think I don't have authorizations. I only see the + sign that says 'Authorization default' and then the vanilla folder 'Role menu'.
I just want to create a folder to put queries to the browser for the users to get to instead of going through the RRMX.
Is there another way to do this?
Thanks.
-
Role maintenance of "enabler" design concepts
hi all,
Which is the correct way of maintaining master and enabler roles in SAP GRC?
As per my knowledge, T-codes and activities we should maintain in the master role and the rest in the enabler role. Is it right?
Edited by: Julius Bussche on Oct 12, 2010 6:08 PM
Subject title made more meaningful...
Hi muskaan,
I provided some thoughts to you on this question in the GRC forum, but wanted to echo some of the feedback provided here. For what it's worth, your best bet in this situation is to discuss your questions and concerns with the other members of your security/GRC team - they will be in a much better position to talk through your detailed questions regarding your specific situation than any more generic advice you will get on SDN.
As you have heard, the enabler and master/derived concept are 2 approaches for localizing your roles. Up until the point of localization your role build approach will be the same under either methodology following the steps Dipanjan laid out above. Each approach has strengths and weaknesses that must be weighed for your specific SAP environment and your business and security objectives. Without getting into too much detail, I believe the enabler concept yields the greatest value in environments with very deep and fluid/changing organizational security requirements. In these situations the enabler concept allows you to more efficiently manage your organizational security when the pure economies of managing derived roles across the security landscape become burdensome. Often times managing your roles not only occurs within your SAP application where they are built, and in these cases you must consider how your localization approach will impact the maintenance of traditional composite roles, CUA composite roles, or even more "virtual composite" roles that group SAP access, but sit outside SAP in a role management, IDM, or other provisioning systems.
Like you have seen, one of the biggest drawbacks of the approach is that it is a non-standard strategy, so education, documentation, and knowledge management become crucial for its ongoing sustainability. As mohanjani pointed out, it often works out very well when your strategic approach addresses the right business/security concerns and it is implemented in a very structured manner. On the flip side, it can quickly create numerous headaches if implemented improperly without the correct understanding of the approach or if implemented in an environment where the situational factors do not drive the benefits you wish to achieve from your security design. As with any security approach, as part of your design and strategy development, it is imperative to not only address the traditional "role build" aspect of SAP security, but also how you anticipate getting those roles to users via your request/provisioning process.
To address your specific question on what fields need to go into your enabler roles… that will really all depend on your organizational security requirements and your design/build approach - again this is best addressed by those most familiar with your environment & project. In general, though, I am concerned, if I understand your messages correctly, that you are planning to create 27 different types of enablers based upon your functional areas - I would usually expect to see the types of enablers aligned to your organizational security demands rather than a process area. I would also echo mohanjani's thought that for any type of enabler you really shouldn't be creating more than a functional and display version of that role. From a sustainability perspective it is critical that you do not over-engineer the roles and end up with an overly confusing and complex situation where maintenance and knowledge management is difficult.
On a semi-related note, I am intrigued by the role generator tool SAP developed for their DFPS module and has discussed in more detail in their recent authorization publication. It seems to be an interesting approach to addressing the economic limitations of managing localized roles in complex environments that provides a good balance to the different design methodologies discussed in this thread. Unfortunately, it seems to suffer from lack of broad knowledge as well, making it somewhat more of a customized approach.
Best of luck working through your questions and your implementation!
-
VL10 batch doesn't allow user role maintenance
A batch job to create deliveries is desired.
A user role was created using VL10CUA (copied from 5001).
Access VL10G to create a variant, but the User Role tab is completely display only.
According to OSS note 310022, step 2 indicates that user role can be maintained for background processing.
Currently using ECC 5.0. Why is the user role tab display only? What changes are necessary to create a variant using the new user role?
I also looked at the screen painter and the fields were "Possible" so that doesn't answer why they are display only when using VL10G.
Regards,
Bela
In VL10CUA, create a new user role from 5001 and click on Chg. Attributes and change F code to 5001.
Then assign the user role in VL10CUV to VL10 Scenario.
This will default the user role in VL10. Save the variant and then run VL10BATCH for the variant.
-
User role maintenance (TX PFCG) : S_TCODE cannot be changed
Hello,
We have the following problem in the transaction code PFCG, when trying to edit the authorizations of a role:
the tree "S_TCODE" appears as "Standard" and can only be changed if you set the authorization fields to "*" (full authorization),
please see the printscreen attached.
Is there a way to modify parts of "S_TCODE" ?
Thank you in advance.
Kind regards,
Noémi Pocsai
Hi Raymond,
Thank you for your reply.
My problem is that I'd like to change the subtree "Transaction codes", but it's not possible to edit this... or am I wrong?
Thank you in advance for an answer.
Kind regards,
Noémi
-
Hi Experts
I want to know the interrelationship among Role, Profile, User Master Record, Authorization Profile, Authorization Object, Authorization Field, Organizational Level, Company Code and Activity. Please guide me in these topics with definitions.
Thanks and Regards,
Gopi Lakshmipathy.
Edited by: Gopi Lakshmipathy on Feb 20, 2009 10:02 AM
Did you bother doing some research before posting?... this information is widely available at help.sap.com...
Read,
http://help.sap.com/saphelp_nw70/helpdata/en/52/671126439b11d1896f0000e8322d00/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
Regards
Juan
-
Role Maintenance Transaction PFCG
Hi.
I have a question (as many others in here) regarding transaction PFCG functionality from an ABAP program.
I would like to generate derived roles from the master role, and I have made a recording of PFCG and used it as Call Transaction, without any luck, as it is an Enjoy transaction.
I have searched for BAPIs, function modules, even tried to build my own program (based on ) and I am stuck - no further ideas.
Can you supply me with a BAPI, Function module etc. which does the same as PFCG Generate derived roles?
Thank you in advance,
Best Regards.
Søren Holmen, March IT
Hi again - I found the solution myself - and want to share it with you.
    " Run the standard report and return to the calling program afterwards
    SUBMIT suprn_regenerate_dependent
      WITH top_agr = gw_agr_time-agr_name
      WITH gen = 'X'
      AND RETURN.
Standard program "suprn_regenerate_dependent" is perfect for this issue!
Best regards.
-
Hi Gurus,
Can someone tell me the transaction to maintain BP Role? It's been a while and I can't remember it anymore. I tried BUBA, BUPT but none is correct.
Will award points for your prompt answer!
Thanks!
Leon
Hi Leon,
It is in SPRO > IMG > Cross-Application Components > SAP Business Partner > Basic Settings > Business Partner Roles.
Regards,
Leonardo Furtado da Gama Ferreira
-
Measurement unit to estimate job role maintenance effort
Hi all,
Can anyone share some ideas or experience in this case: in system ERP2005, the developer provides all job role menu tcodes, org level values and authorization object values; the job role administrator only needs to follow all the provided information to create the job role, generate the profile and create the transport.
The question is what measurement unit should be used to estimate the job role administrator's effort. My first idea is the number of authorization objects, e.g. S_TCODE, S_DEVELOP, S_DATASET....
Thanks in advance.
> Julius Bussche wrote:
> How about number of...
>
> Standard authorizations.
> Maintained authorizations.
> Disabled authorizations.
> Changed authorizations.
> Manually authorizations.
>
> ... and some sort of premium / penalty for number of:
>
> Authorizations are green.
> Authorizations are yellow.
>
> ... with increasing effort in the same order.
>
> Just a thought
> Julius
Hi Julius,
Thanks for your suggestion. In our case, the developer knows all the required authorization objects before passing them to the job role admin, therefore the effort of the admin is minimal.
Regards,
Donald
-
Role Maintenance - Automatically generated names for authorization objects
Hello NG,
I've got a question concerning the mentioned subject.
Currently I am maintaining the roles/authorizations of a customer's system (Rel. 3.0) which has moved to Rel. 7.0.
When I add an authorization object to a role, the technical name is generated automatically. How can I set up the naming conventions for the authorization objects?
Thank you very much.
Regards ..
Hi SUNIL L,
I referred to 3.0 but I think that the release version has no relevance for my problem. I think I should try to explain my problem once more:
When I add an authorization object to a role, a technical name is generated automatically and assigned to it. Is it possible to set any naming conventions for this?
Regards..
-
Tables for maintenance of end users in end user roles
Hi all,
I have a requirement to find out the tables involved in end user role maintenance based on the business process and step for the transaction SOLAR02.
Thanks & regards,
srinivasulu.j
Hi,
As I already told you, all the user names are coming from the user master record, which is stored in table USR01.
Go to SE11, enter table name USR01, and view its contents.
Here you can get the list of all the users present in the solman server.
Normally the Basis team creates users using PFCG or SU01.
Please reward points.
-
Analysis Authorization (Role, Profile and Direct Assignments)
Analysis Authorization Question:
1) In the BW 3.x environment, customers have used the Role Maintenance process to assign proper object-level security and then assign it to the users.
2) In most places the R/3 security team takes over the support/administration function of BI Security, and they continue to use the Role method to assign Reporting Authorizations as per the process defined in the BW 3.x system.
3) Customers sometimes have 100+ roles to have 3.x Reporting Authorizations. This is managed, assigned and approved using the role concept.
Migration Options:
1) The new Analysis Authorization makes the process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create values in other transactions and assign them in the role as a pointer or link object. With the Analysis Authorization concept, the actual value of the object assigned, like company code 1100, is not visible in the Role Maintenance transaction PFCG. It is only visible in transaction code RSECADMIN.
2) Analysis Migration Tool - RSEC_MIGRATION does not update ROLES. It creates or changes PROFILES.
3) Profiles are assigned to the users, and roles do not reflect any impact of the Analysis Authorization migration.
Questions
a) This means customers need to update all the roles by hand if they want to use roles to manage the assignment of security to users. The migration tool does not update roles, it only updates PROFILES.
b) Does anyone use direct assignment to users? Is it good business practice?
c) Are Profiles the recommended method of authorization maintenance?
d) Can we run the migration tool to create Analysis Authorizations, but not assign them to the users as a profile, and stop at creating Analysis Authorizations? If the customer wants to use the role maintenance process, then they do not have to delete profile assignments from all users before updating roles using Analysis Authorizations.
Just want to check how other folks have done a migration that can be supported going forward.
Pankaj Gupta
Hey Pankaj,
In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce