Role maintenance

Similar Messages

• RFC- Bapi - For Role Maintenance (Single and  Composite)

  We are in the process of developing an ASP.NET web application which will be used to raise requests for user and role creations in SAP.
  We will be making use of Sonic ESB to update SAP through IWAY SAP adapter.
  IWAY SAP adapter supports RFC’s, Bapi’s & IDocs.
  We are aware of RFC’s that could be used for user creation, updating and deletion.
  We have NOT come across any RFC’s or Bapi’s for role maintenance
  1) We would need RFC’s for the following requirements:
  1) To create a new role (single or composite role ).Creating a new role would include adding transactions to a role, deriving from an existing role or assigning more than one role to another role.
  2) To update a role
  3) To delete a role.
  4) To get the details of an existing role
  If there are no RFC’s for the above requirement, will we need to create a custom RFC?
  If we need to create a custom RFC, are there any transactions already available for the above requirements so that we could write a RFC wrapper?
  2) Are there any RFC’s that would give us the complete list of roles (single or composite) in an SAP system?
  3) Are there any RFC’s that would give us the complete list of transactions in an SAP system?
  Presently for 2) & 3) , we are making use of RFC_READ_TABLE to read SAP tables to get the list of roles and transactions.
  Thanks for your answers

  Hi,
  check these FM , i dont know it will work for u or not.
  BAPI_USER_ACTGROUPS_ASSIGN     User: Change entire activity group assignment
  BAPI_USER_ACTGROUPS_DELETE     User: Delete entire activity group assignment
  BAPI_USER_CHANGE               Change User
  BAPI_USER_CLONE                Create User with Template in Another System
  BAPI_USER_CREATE
  BAPI_USER_CREATE1              Create a User
  BAPI_USER_DELETE               BAPI to Delete a User
  BAPI_USER_DISPLAY              Display Users
  BAPI_USER_EXISTENCE_CHECK      Check a user exists
  BAPI_USER_GETLIST              Search for Users
  BAPI_USER_GET_DETAIL           Read User Details
  BAPI_USER_INTERNET_CREATE      Create a user in the Internet
  BAPI_USER_LOCACTGROUPS_ASSIGN  Change Activity Group Assignment for Dependent Systems from Central Sy
  BAPI_USER_LOCACTGROUPS_DELETE  Delete Activity Group Assignments in the Dependent Systems
  BAPI_USER_LOCACTGROUPS_READ    Change Activity Group Assignment for Dependent Systems from Central Sy
  BAPI_USER_LOCK                 Lock User
  BAPI_USER_LOCPROFILES_ASSIGN   Change Profile Assignment for Dependent Systems from Central System
  BAPI_USER_LOCPROFILES_DELETE   Delete Profile Assignments for Dependent Systems
  BAPI_USER_LOCPROFILES_READ     Change Activity Group Assignment for Dependent Systems from Central Sy
  BAPI_USER_PROFILES_ASSIGN      User: Assign profiles
  BAPI_USER_PROFILES_DELETE      User: Delete All Profile Assignments
  BAPI_USER_UNLOCK               Unlock user
  Reward points if useful..
  Regards
  Nilesh

• RFC for role maintenance

  We are in the process of developing an ASP.NET web application which will be used to raise requests for user and role creations in SAP.
  We will be making use of Sonic ESB to update SAP through IWAY SAP adapter.
  IWAY SAP adapter supports RFC’s, Bapi’s & IDocs.
  We are aware of RFC’s that could be used for user creation, updating and deletion.
  We have NOT come across any RFC’s or Bapi’s for role maintenance                   
  1) We would need RFC’s for the following requirements:
  1)       To create a new role (single or composite role ).Creating a new role would include adding transactions to a role, deriving from an existing role or assigning more than one role to another role.
  2)       To update a role
  3)       To delete a role.
  4)       To get the details of an existing role
  If there are no RFC’s for the above requirement, will we need to create a custom RFC?
  If we need to create a custom RFC, are there any transactions already available for the above requirements so that we could write a RFC wrapper?
  2) Are there any RFC’s that would give us the complete list of roles (single or composite) in an SAP system?
  3) Are there any RFC’s that would give us the complete list of transactions in an SAP system?
  Presently for 2) & 3) , we are making use of RFC_READ_TABLE to read SAP tables to get the list of roles and transactions.
  Thanks for your answers

  Hi Nicole,
  I think you are in the wrong forum.... For Guided Procedures, this is only about process roles and not roles used in the ABAP Stack.
  Best regards,
  David

• How do we create role maintenance

  hi gurus
  How do we create user role maintenance could any one give me step by step procedure.  It will be helpful for me
  Thanks in advance

  Hello,
  The roles for the users normally created by BASIS by transaction PFCG. If you want ore details about the stepwise procedure, please post the thread in the BASIS forum.
  Prase

• Create folder from role maintenance

  Hi,
  How can I create a folder with the name of my choice from role maintenance? I see the Role Menu from the Menu tab, but I don't see the paper icon to create a folder.
  Thanks

  I think I don't have authorizations. I only see the + sign that says 'Authorization default'  and then the vanilla folder 'Role menu'.
  I just want to create a folder to put queries to the browser for the users to get to instead going through the RRMX.
  Is there another way to do this?
  Thanks.

• Role maintenance of "enabler" design concepts

  hi all,
  which is the correct way of maintaining MAster and enabler rle in SAP GRC.
  As per ma knowledge, T Cdes and activitites we shuld maintain in master role and rest in enabler role. is it right ??
  Edited by: Julius Bussche on Oct 12, 2010 6:08 PM
  Subject title made more meaningfull...

  Hi muskaan,
  I provided some thoughts to you on this question in the [GRC forum|Query], but wanted to echo some of the feedback provided here.  For what it's worth, your best bet in this situation is to discuss your questions and concerns with the other members of your security/GRC team - they will be in much better position to talk through your detailed questions regarding your specific situation than any more generic advice you will get on SDN.
  As you have heard, the enabler and master/derived concept are 2 approaches for localizing your roles. Up until the point of localization your role build approach will be the same under either methodology following the steps Dipanjan laid out above.  Each approach has strengths and weaknesses that must be weighed for your specific SAP environment and your business and security objectives. Without getting into too much detail, I believe the enabler concept yields the greatest value in environments with very deep and fluid/changing organizational security requirements.  In these situations the enabler concept allows you to more efficiently manage your organizational security when the pure economies of managing derived roles across the security landscape become burdensome. Often times managing your roles not only occurs within your SAP application where they are built, and in these cases you must consider how your localization approach will impact the maintenance of traditional composite roles, CUA composite roles, or even more "virtual composite" roles that group SAP access, but sit outside SAP in a role management, IDM, or other provisioning systems.
  Like you have seen, one of the biggest drawbacks of the approach is that it is a non-standard strategy so education, documentation, and knowledge management becomes crucial for its ongoing sustainability. As mohanjani pointed out, it often works out very well when your strategic approach addresses the right business/security concerns and it is implemented in a very structured manner.  On the flip side, it can quickly create numerous headaches if implemented improperly without the correct understanding of the approach or if implemented in an environment where the situational factors do not drive the benefits you wish to achieve from your security design.  As with any security approach, as part of your design and strategy development, it is imperative to not only address the traditional "role build" aspect of SAP security, but also how you anticipate getting those roles to users via your request/provisioning process.
  To address your specific question on what fields need to go into your enabler rolesu2026 that will really all depend on your organizational security requirements and your design/build approach - again this is best addressed by those most familiar with your environment & project.  In general, though I am concerned if I understand your messages correctly that you are planning to create 27 different types of enablers based upon your functional areas - I would usually expect to see the types of enablers aligned to your organizational security demands rather than a process area. I would also echo mohanjani's thought that for any type of enabler you really shouldn't be creating more than a functional and display version of that role. From a sustainability perspective it is critical that you do not over-engineer the roles and end up with an overly confusing and complex situation where maintenance and knowledge management is difficult.
  On a semi-related note, I am intrigued by the role generator tool SAP developed for their DFPS module and has discussed in more detail in their recent authorization publication.  It seems to be an interesting approach to addressing the economic limitations of managing localized roles in complex environments that provides a good balance to the different design methodologies discussed in this thread.  Unfortunately, it seems to suffer from lack of broad knowledge as well, making it somewhat more of a customized approach.
  Best of luck working through your questions and your implementation!

• VL10 batch doesn't allow user role maintenance

  A batch job to create deliveries is desired.
  A user role was created using VL10CUA (copied from 5001).
  Access VL10G to create a variant, but the User Role tab is completely display only.
  According to OSS note 310022, step 2 indicates that user role can be maintained for background processing.
  Currently using ECC 5.0. Why is the user role tab display only? What changes are necessary to create a variant using the new user role?
  I also looked at the screen painter and the fields were "Possible" so that doesn't answer why they are display only when using VL10G.
  Regards,
  Bela

  In VL10CUA, create a new user role from 5001 and click on Chg. Attributes and change F code to 5001.
  Then assign the user role in VL10CUV to VL10 Scenario.
  This will default the user role in VL10. Save the variant and then run VL10BATCH for the variant.

• User role maintenance (TX PFCG) : S_TCODE cannot be changed

  Hello,
  We have the following problem in the transaction code PFCG, when trying to edit the authorizations of a role:
  the tree "S_TCODE" appears as "Standard" and can only be changed, if you set the authorization fields to "*" (full authorization) ,
  please see the printscreen attached.
  Is there a way to modify parts of "S_TCODE" ?
  Thank you in advance.
  Kind regards,
  Noémi Pocsai

  Hi Raymond,
  Thank you for your reply.
  My problem is that, I'd like to change the subtree "Transaction codes" , but it's not possible to edit this... or am I wrong?
  Thank you in advance for an answer.
  Kind regards,
  Noémi

• User and Role Maintenance

  Hi Experts
                 I want to know the interrelationship among Role,Profile,User Master Record,Authorization Profle,Authorization object,Authorization Field,Organizational Level,Company Code,Activity.Please guide me in this topics with definitions.
  Thanks and Regards,
  Gopi Lakshmipathy.
  Edited by: Gopi Lakshmipathy on Feb 20, 2009 10:02 AM

  Did you bother doing some research before posting?... this information is widely available at help.sap.com...
  Read,
  http://help.sap.com/saphelp_nw70/helpdata/en/52/671126439b11d1896f0000e8322d00/frameset.htm
  http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
  Regards
  Juan

• Role Maintenance Transaction PFCG

  Hi.
  I have a question (as many others in here) regarding transaction PFCG functionallity from an ABAP program.
  I would like to generate derived roles from the master role, and I have made a recording of PFCG and used it as Call Transaction, without any luck, as it is an Enjoy transaction. 
  I have searched for BAPI's, function modules, even tried to build my own program (based on ) and I am stucked - no further ideas. 
  Can you supply me with a BAPI, Function module etc. which does the same as PFCG Generate derived roles?
  Thank you in advance,
  Best Regards.
  Søren Holmen, March IT

  Hi again - I found the solution myself - and wants to share it with you.
      SUBMIT  suprn_regenerate_dependent
        WITH  top_agr  =  gw_agr_time-agr_name
        WITH  gen      =  'X'
        AND   RETURN.
  Standard program "suprn_regenerate_dependent" is perfect for this issue!
  Best regards.

• BP Role Maintenance

  Hi Gurus,
  Can someone tell me the transaction to maintain BP Role? It's been a while and I can't remember it anymore. I tried BUBA, BUPT but none is correct.
  Will award points for your prompt answer!
  Thanks!
  Leon

  Hi Leon,
  It is in SPRO > IMG > Cross-Application Components > SAP Business Partner > Basic Settings > Business Partner Roles.
  Regards,
  Leonardo Furtado da Gama Ferreira

• Measurement unit to estimate job role maintenance effort

  Hi all,
  Can anyone share some ideas or experience in this case:  In system ERP2005, developer provide all job role menu tcode, org level values and authorization object values, job role administrator only need to follow all provided information to create job role, generate profile and create transport.
  The question is what measurement unit should be used to estimate job role administrator effort. My first idea is number of authorization objects, e.g. S_TCODE, S_DEVELOP, S_DATASET....
  Thanks in advance.

  >
  Julius Bussche wrote:
  > How about number of...
  >
  > Standard authorizations.
  > Maintained authorizations.
  > Disabled authorizations.
  > Changed authorizations.
  > Manually authorizations.
  >
  > ... and some sort of premium / penalty for number of:
  >
  > Authorizations are green.
  > Authorizations are yellow.
  >
  > ... with increasing effort in the same order.
  >
  > Just a thought
  > Julius
  Hi Julius,
  Thanks for your suggestion.  In our case, developer knows all the required authorization objects before pass it to job role admin, therefore the effort of admin is minimal.
  Regards,
  Donald

• Role Maintenance - Automatically generated names for authorization objects

  Hello NG,
  I've got a question concerning the mentioned subject.
  Currently I am maintaining the roles/authorizations of a customers system (Rel. 3.0) which has moved to Rel. 7.0.
  When I add an authorization object to a role, the technical name is generated automatically. How can I set up the naming conventions for the authorization objects?
  Thank you very much.
  Regards ..

  Hi SUNIL L,
  I refered to 3.0 but I think that the release version has no relevance for my problem. I think I should try to explain my problem once more:
  When I add an authorization object to a role, a technical name is generated automatically and assigned to it. Is it possible to set any naming conventions for this?
  Regards..

• Tables for maintenance of end users in end user roles

  hi all
  i have a requirement to find out the tables involved in end user role maintenance based on the business process and step for the transaction solar02.
  thanks & regards
  srinivasulu.j

  Hi,
  As i already told you all the user names are coming from user master record which are stored in table
  USR01.
  Go to se11 enter table name USR01,and view its contents.
  Here you can get the list of all the user's present in solman server.
  normally basis team create users using pfcg or su01.
  Please reward points.

• Analysis Authorization (Role, Profile and Direct Assignments)

  <b>Analysis Authorization Question:</b>
  1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
  2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
  3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
  <b>
  Migration Options:</b>
  1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
  2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
  3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
  <b>Questions</b>
  a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
  b)     Does any one use direct assignment to Users? It is good business practice?
  c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
  d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
  Just want to check how other folks have done migration that can be supported going forward.
  Pankaj Gupta

  Hey Pankaj,
  In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
  Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
  RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce