Role Profile Generation in BW

Similar Messages

• Role Expert Profile generation error

  Hi All,
  I am getting the following error in Role Expert Profile Generation tab.
  When i click Generate tab, I am geting "Name or Password is incorrect(Repeat Login)" Can any body explain what user id is generally triggered when generate profile using role expert?
  Thanks,
  Chandra

  Hi there,
  to be more precise. You have to use the password from the account which you use to maintain the roles in the system you want to generate the role.
  Kind regards,
  Richard

• Profile generation in child role

  Hi all,
  Im a beginner in Basis....I created a parent role . After that , i made a child role for this ....
  Do I need to generate profile seperately for child and parent  or only for parent is enough ??
  For me , the properties are not getting reflected when i do it only for parent ??
  Thanks ,
  Anil

  Question:
  > Do I need to generate profile seperately for child and parent  or only for parent is enough ??
  Answer:
  > For me , the properties are not getting reflected when i do it only for parent ??
  Well done. You just found an easter egg
  => Take a look at transaction SUPC. There is also a menu path to it in PFCG when you have completed the parent role. Look for "Mass Profile Generation".
  Cheers,
  Julius

• Max roles & Profiles in user?

  How many roles can we assign to the user? What is the maximum limit of  the roles and profiles for the user?? *

  Dear Praveen,
  You can assign <b>300</b> authorization profiles to a user (see SAP Note <b>410993</b>).
  Note 410993:
  You would like to know the maximum number of:
  profiles per user
  authorizations per profile
  authorization values per authorization
  Reason and Prerequisites
  All maintenance transactions work with the USR04, USR10 and USR12 tables.
  Solution
  As of Release 4.6A, the structure of the database tables used, and not the kernel, causes some restrictions:
  1. Table USR04: Profile assignments for users
                This table contains both information about the change status of a user as well as the list of profile names that were assigned to the user.
                The PROFS field is used to save the change indicator (C = User created, M = User changed) and the name of the profiles assigned to the user.
  The field is defined with a length of 3,750 characters. Since the first two characters are for the change indicator, 3,748 characters are still available for the list of profile names per user. Since the maximum length for each profile name is 12 characters, the maximum number of profiles per user is 312. Note 841612 delivered a solution for increasing the number of usable profiles per user from 300 to the maximum value of 312.
                Possible enhancements:
  When you use roles exclusively, the number of profiles per user can only be doubled by assigning a reference user.
  If you also use manual profiles, you can combine these to form collective profiles.
                Caution: In principle, we must advise against using these options. Reason:
  Enhancements of this type increase the risk of an unwanted summation of authorizations. On the other hand, the number of entries also increases in the user buffer for authorizations (table USRBF2), which may result in longer runtimes when you perform authorization checks.
  2. Table USR10: Authorizations or subprofiles per profile
                Due to the length of the AUTHS field (3,750 characters), you can enter the following maximum values in the manual profile maintenance (transaction SU02):
  300 subprofiles    per collective profile or
  150 authorizations   per single profile
  Of course, the maximum value of 150 authorizations applies to the profiles generated in transactions PFCG or SUPC. Therefore, after you exceed this threshold, a new profile is automatically created.
  3. Table USR12: Authorization values per authorization
                To save the authorization values, you use the VALS field, which is 3,750 characters long (just like the PROFS field in the USR04 table). Since the values can have different lengths, the number of values per authorization also varies. If you are unsure about whether VALS can accept all of the values that you maintain, you can check the length of the character string using the following formula:
  NSTRING =
  3 + 18*NFLDS +
  NNORM(    1)(MAXLEN(    1)+1) + NGENE(    1)(MAXLEN(    1)+3) +
  NNORM(    2)(MAXLEN(    2)+1) + NGENE(    2)(MAXLEN(    2)+3) +
  ...                                                            +
  NNORM(NFLDS)(MAXLEN(NFLDS)+1) + NGENE(NFLDS)(MAXLEN(NFLDS)+3)
  What the parameters mean:
  NSTRING   = Total length of the character string in VALS
  NFLDS    = Number of fields in the authorization object (10 = maximum)
  MAXLEN(I) = Number of characters in the longest value in field I
  NNORM(I)  = Number of normal (not generic) values in field I
  NGENE(I)  = Number of generic values in field I
  I = 1, ..., NFLDS
  The absolute maximum length of an authorization value is 40 characters. NNORM(I) and NGENE(I) are the total number of values maintained in the 'From' and 'To' columns in field I.
  Example:
  The following authorization (chosen at random) for the S_USER_AUT object demonstrates how to apply the above formula:
  Field No.  Field Name   From Value          To Value
     1       ACTVT        03
                          08
    2      AUTH         TESTFIAUTH00        TESTFIAUTH10
                          Z*
    3       OBJECT       F_KNA1*
                          F_BKPF*
                          F_KNKK_BED
  The variables have the following values:
  NFLDS = 3
    I       MAXLEN(I)    NNORM(I)    NGENE(I)
    1          2           2          0
    2          12          2           1
    3          10          1          2
  This results in the following value for the length of the characterstring in the VALS table field:
  NSTRING = 3 + 18*3 +
            2( 2 + 1) + 0( 2 + 3) +
            2(12 + 1) + 1(12 + 3) +
            1(10 + 1) + 2(10 + 3)   = 141
  Further explanations:
  If NSTRING is greater than 3,750, the authorization cannot be activated or generated, which means that the values must be distributed across several authorizations. Exception: The profile generator can automatically divide authorizations in roles (activity groups) with just one field (example: the S_TCODE object) into up to 100 generated authorizations.
  If profile generation fails because a role contains too many values for an organisation level, you cannot use additional authorizations to solve the problem. Due to the cross-object validity of organizational levels, their values would automatically be copied to the new authorizations. In this case, you only have the option to distribute values across several roles.
  Hope this will help.
  Regards,
  Naveen.

• User, Role, Profile Synchronization Job Fails

  Hi Gurus,
  When I am scheduling a job the User, Role, and Profile Sync. job fails giving an error
  "Cannot assign a java.lang.String object of length 53 to host variable 5 which has JDBC type VARCHAR(40)."
  This happens when the synchronization happens with a portal system. We dont have a ruleset for the portal system, So if I put in a "*", it includes this system and results in the error, If I manually select all other system, it works fine. Is there any way to remove this error so that I can schedule the jobs without having to select every system manually.
  Regards,
  Chinmaya

  Hi,
  As per my knowledge, in the Portal system, you should perform only user sync. Roles/profile sync will not work since portal will have workset roles.
  Please refer SAP Note 1168120, which may help you to understand the limitations
  Hope this helps!!
  Rgds,
  Raghu
  Edited by: Raghu Boddu on Nov 4, 2010 7:39 PM

• Solution Manager 4.0 Solution Monitoring User -Roles-Profiles for Satellite

  Hi All,
  I have installed Solution Manager 4.0 (OS -Linux ,Database - DB2) .
  Now i need to connect solution manager to the R/3 4.6C
  Satellite Systems (DEV, QAS ,PRD) for Solution Monitoring
  and Service level Reporting .
  I have read the configuration guide , but unable to get clear idea .
  1) what users (alos type of user -Dialog , Service, Communication etc) do i need create in DEV , and Test in QAS  for solution Monitoring  .
  2) what exact roles /profiles need to be assigned to these users in satellite systems .
  3) what users/roles /profiles needs to be done in SOLMAN system
  i have applied all the required plug ins and support packs
  in satellite systems and solman 40 ..
  Please advice  . Your response will be a great help for me .
  Satish

  Hello Satish,
  Just clarify, if u have meant connecting the satellite systems for EWA reports to be precise. Early watch Reports. If its is the case, then repond so that i can putin my inputs which may be helpful for you in this config.
  Rgds,
  Sri

• What are the roles/profiles required in solman and satilite system.....

  Hi All,
  What are the list of roles/profiles (for SOLMAN and Satellite system) required to create logical instance etc... for monitoring and tasks.
  Regards.
  kumar

  Hello Kumar,
  please have a look at the Configuration Guide for SolMan on the SAP Marketplace. ALso for information on required documentation, see SAP Note 1088980.
  Best regards,
  Annett

• Trying to understand "User/Role/Profile Synchronization" and Batch Analysis

  Hello,
  Im trying to understand what exactly and from which tables these jobs are copying to which tables in CC. I have a understanding that these jobs are moving also deleted roles from backend. This is causing unnecessary delay to long lasting job. 
  I would appreasite if some one could explain the logic behind these jobs. What the fullsync and incremental is reading ? What kind of changes are causing a role/user/profile  to be included to the full and incremental jobs?
  How the incremental analysis logic is built ?
  br Janne

  Janne,
  In my current implementation we are going for an offline risk analysis due to the heteregoneus system landscape of our client (several SAP and non SAP systems and several SAP systems under 4.6C). Eventhough within our approach we don't perfrom the backend synchronization (we use CC data extractor to pull data from backend into CC) hope the following info could hel you:
  The tables such jobs you mention access to, are all the SAP backend system tables related with users, roles, profiles, action and permissions. If you check the data mapping appendix of the "user and configuration guide for 5.2" you will see all the data that CC retrieves. For instance, in order to extract user info (UserID, FName, LName, Email, Phone, Email, Department) tables USR21, USR02, ADRP, ADR6 and ADCP must be accessed.
  In terms of CC tables:
  VIRSA_CC_SYSUSR >> UserIDs and Systems ID relationship
  VIRSA_CC_GENOBJ >> User, Role and Profile master data
  VIRSA_CC_GENACT >> User-action, role-action and profile-action data
  VIRSA_CC_GENPRM >> User-permission, role-permission and profile-permission
  VIRSA_CC_SAPOBJ >> Action-permission
  VIRSA_CC_OBJTEXT >> Objects descripcions (ACT, PRM, FLD, VAL, ORG)
  Hope this helps.
  Regards,
     Imanol

• Table used for storing roles/profiles assignment in CUA lansscape

  Hi,
  following is my cua setup
  master client - 999 of SRM 4.0
  child client - 101 of ECC 5.0
  child client - 202 of SCM 4.1
  in cua all distribution works on its logical name assign to respective client.
  here is my question
  lets say user 'XYZ' in master client assign single as well as composite role and composite profiles assigned in the master as well as child system.
  please tell me in which table this relationship is maintain in sap that Composite roles/profile is from which cua client.
  from my finding the tables which store the role and profiles from master and child system are i.e. USRSYSACT & USRSYSPRF.
  but i am not able to find table which store the roles to user and user to profiles assigment in CUA setup,can someone please help me.
  Thanks,
  John.

  Hi Check the tables
  <b>USR10  -role definition
  AGR_PROF   -Profile for Roles
  AGR_TEXTS  - Role descriptions
  AGR_USERS  - Assignment of roles to users
  AGR_DEFINE - Auth profiles</b>
  if needed see other tables with USR* and AGR_*
  Reward points if useful
  Regards
  Anji

• Critical Action and Role/Profile Analysis

  Hi,
  I want to know the purpose of the Batch Risk Analysis back ground job "Critical Action and Role/Profile Analysis" in RAR 5.3.
  I'm assuming that I need not run this job if I do not want the critical roles/profiles like SAP_ALL to be analysed which were defined to be critical in rule architect.
  Please let me know if there is any other purpose to run the BG job "Critical Action and Role/Profile Analysis".
  Thank you,
  Partha

  Hello Partha,
    You got this right. It will analyze the defined critical actions/roles/profiles.
  Regards, Varun

• GRC AC10 RAR :"Ignore Critical Roles/Profile" option not available in

  Hello Gurus,
  I have configured RAR and the reports are working as usual , but i observed that i could not see two things
  1) Option to select "IGNORE CRITICAL ROLES/PROFILE" during Role/User ANALYSIS under "Reports & Analytic" tab.
  I checked in SPRO>GRC>AC-->Maintain Config Settings
  There is a parameter "Ignore Critical  Roles/ Profiles" which i first set to "Yes" and then checked in NWBC , i was unable to see the option under "Additional Option".
  Later i changed SPRO setting to "NO" , then again it did not show me .
  Where can i find this option , so that if i upload say 10 roles which are assigned to firefighter ID they should not be analyzed for RAR ??
  2) I also could not find any option to upload "DEFAULT roles" which need to be assigned to any "NEW USER" request coming through CUP ??
  Where can we make this setting, so that the basic roles can get assigned to the user when any new user request comes in.
  Will you please put some light on this area ?
  Thanks in advance.
  Regards,
  Victor

  Hi Johanna
  Have you run the synchronization job subsequent to the configuration of critical roles / profiles ? If not so try running the Synchronization job and then try risk analysis.
  Regards
  Swarna

• Roles/Profiles for ALEREMOTE

  hi all,
  can anyone let me know all the Roles/Profiles required for the User ALEREMOTE in a production system.
  I understad that the roles sap_all, sap_new , s_bi-wx_rfc and s_bi-whm_rfc can be used in the development and the Quality systems but am told that the roles SAP_ALL & SAP_NEW are not supposed to be used for ALEREMOTE in the Production systems as it would give all authorizations to all the users.
  so, could anyone kindly let me know the various roles/profiles that need to be assigned to the user ALEREMOTE keeping in mind that SAP_ALL & SAP_NEW are not allowed and at the same time all the transactions w.r.t BW3.5 should go through successfully.
  kindly revert back at the earliest as we are in the process of going to the BW Production.
  Thanks & Regards
  Manicks

  hi Manicks,
  check oss note 150315-BW-Authorizations for Remote-User in BW and OLTP. hope this helps.
  Symptom
  1) The ALE user fails security in the BW side
  2) Missing authorizations when executing Customizing of extractors
  3) No IDocs could be sent to the SAP-BW using RFC.
  4) Automatic source system connection failes with error R3220: No RFC-Parameters in source system defined
  5) When collecting content in BW, warning message RSAOLTP035 comes up
  Other terms
  Authorizations, SAP_ALL, S_BI-WX_RFC, S_BI-WHM_RFC, S_RS_ALL, ALEREMOTE, BWREMOTE, RSAOLTP 553, RSAOLTP553
  Reason and Prerequisites
  a) In the BW there exist two user:
     i)  a human administrator, using S_RS_ALL
     ii) a user called BWREMOTE (or similar), used to receive the data from the OLTP, using S_BI-WHM_RFC
  b) In the OLTP there exist also two user:
     i)  a human administrator, needing authorizations to create users and RFC-destinations.
     ii) a user called ALEREMOTE (or similar), used to ...
         1) ... connect the OLTP to the BW
         2) ... extract the data
         3) ... send the data to the BW
         4) ... show monitoring dialogs for tasks 1 to 4, the profile S_BI-WX_RFC is used (<i>however does
  not suffice on some points since some authorizations are
  missing in the delivered profile</i>)
         5) ... make customizing of OLTP extractors
         for this, additionally the authorizations to execute IMG-functionality, to execute Transaction SBIW and to maintain the applications, which shall be customized, must be given during the customizing functionality is used.
  Solution
  1) The profile S_RS_ALL resp. S_BI-WHM_RFC must contain (at least) the following authorizations:
  Profile
  2) The referred functionality is b) i) 5), thus
     the authorizations to execute IMG-functionality,
     to execute Transaction SBIW and to
     maintain the applications, which shall be customized,
     must be temporarily given to ALEREMOTE, if you want to execute the
     functionality from BW-side. The permissions for executing the
     customizing is not included in the profile S_BI-WX_RFC, since
     this is a critcal functionality.
     However there is the possibility to execute the customizing
     in the OLTP by a human administrator by hand, using Transaction
     SBIW.
  3), 4) For sending the Idocs and reading RFC-destinations
     the profile S_BI-WX_RFC is incomplete.
     Please check, if the following authorizations are included:
  Profile
    ---   S_BI-WX_RFC  <PRO> Business Information Warehouse, RFC User
  --   B_ALE_ALL    <PRO> All authorizations for ALE/EDI
  --   S_APPL_LOG_A <PRO> Application log: All
  --   S_BTCH_ADM   <PRO> BC: Batch - Processing authorization
  --   S_BW_RFC     <PRO> BW: Authorization Profile: Other
  --   See above, same sub-profile as in S_BI-WHM_RFC
        ---   S_IDOC_ALL   <PRO> All authorizations for IDoc functions
  - BW AddOn BW-BCT 1.2B:
  These authorizations have been delivered with BW AddOn Patch 2 (see 158489 for the AddOn Patch information), except release 45B. For 45B, the authorizations are delivered with BW AddOn Patch 1.
  - PI2000.1:
  For 4.6B and 4.6C due to delivery errors, this profile also is incorrect. Please transport it from the BW into the Oltp (it is the same in any system and release).
  - PI2000.2:
  For 4.6C due to delivery errors, this profile also is incorrect.
  Please transport it from the BW into the OLTP (it is the same
  in any system and release).
  - PI2001.2:
  For 4.6C due to delivery errors, this profile also is incorrect.
  Please transport it from the BW into the OLTP (it is the same in any system and release).
  Alternatively, import the sapserv* transport BRSK002208 under the directory
  general\R3server\abap\note.0150315 into your OLTP-System.
  For help on the sapserv* transport refer to Note 13719.
  5) If you have PI-Basis 2005.1 in your source system, you need to attach role SAP_RO_BCTRA to your user in the source system. Otherwise, the functionality mentioned in the message is not available. The system continues to function as before, you may ignore the warning.

• RAR v5.3 - Ignore Critical Roles & Profiles = No is not Working

  Hello everyone,
  I have SAP_ALL and SAP_NEW configured as critical profiles in Rule Architect.  I changed the Ignore Critical Roles & Profiles option to "No" to see the delta.  Yet, when I run the risk analysis (ad hoc or batch) against users with SAP_ALL, it still says No Conflicts found even though I changed the config to look at SAP_ALL users.
  Do I have to restart the server for the new Config to take effect?  It doesn't say it in the option like some of the other Config options do, but It's the only thing that I can think of.
  Thank you,
  Johonna

  Hi Johanna
  Have you run the synchronization job subsequent to the configuration of critical roles / profiles ? If not so try running the Synchronization job and then try risk analysis.
  Regards
  Swarna

• Function module to modify the user roles & profiles

  Hi All,
  I am working on user maintenance and i need a function module to modify the user roles & profiles.
  Thanks in Advance.
  Phani.

  i used the below fms
  BAPI_USER_ACTGROUPS_ASSIGN for assigning the roles.
  delete the profiles of the user qnd assign the profiles to the user:
  BAPI_USER_PROFILES_DELETE
  BAPI_USER_PROFILES_ASSIGN
  i used the above FMs for my requirement.
  Regards,
  Phani.

• How to add profiles to critical roles & profiles table in GRC RAR

  Hello,
  As per Note# 1034117, it says Add "SAP_ALL" type security roles and the SAP profiles, see list below for profiles, to the Critical Roles and Critical Profiles table.
  SAP_ALL All Authorizations For The SAP System
  SAP_NEW All Authorizations For Newly Created Objects
  S_A.ADMIN Basis Operator
  How do we add the profiles, to the Critical Roles and Critical Profiles table in RAR.
  Thanks,

  Hi,
  I configured the critical roles & profiles in rule architect.
  But when I schedule the background job for batch risk analysis, it is taking all the users, roles & profiles.
  Is there a way to exclude users, roles & profiles? (I have already configured the excluded users, roles and profiles in exclude option), but still when I schedule the background job and say show parameter, it shows the User Range as '*'. It is not showing the excluded users.
  Can you please update how to exclude the list of users, from the batch risk analysis?
  Thanks,