Role Profile Generation in BW
Hi,
I created a Role in PFCG with some Authorization Objects like S_RS_COMP1,S_RS_HIER ,S_RS_ICUBE & S_RS_IOBJu2026etc
I generated the profile and tested the role everything is working as expected.
Now I raised a transport for this role and imported that to Test system successfully.
In the Test system the profile which I generated and active in Dev is became inactiveu2026.I re-generated it again and working again
Question is why the Profile is becoming inactive any transported and do I need to Re generate in each system when I import the transport.
Thanks
Question:
> Do I need to generate profile seperately for child and parent or only for parent is enough ??
Answer:
> For me , the properties are not getting reflected when i do it only for parent ??
Well done. You just found an easter egg
=> Take a look at transaction SUPC. There is also a menu path to it in PFCG when you have completed the parent role. Look for "Mass Profile Generation".
Cheers,
Julius
Similar Messages
-
Role Expert Profile generation error
Hi All,
I am getting the following error in Role Expert Profile Generation tab.
When i click Generate tab, I am geting "Name or Password is incorrect(Repeat Login)" Can any body explain what user id is generally triggered when generate profile using role expert?
Thanks,
ChandraHi there,
to be more precise. You have to use the password from the account which you use to maintain the roles in the system you want to generate the role.
Kind regards,
Richard -
Profile generation in child role
Hi all,
Im a beginner in Basis....I created a parent role . After that , i made a child role for this ....
Do I need to generate profile seperately for child and parent or only for parent is enough ??
For me , the properties are not getting reflected when i do it only for parent ??
Thanks ,
AnilQuestion:
> Do I need to generate profile seperately for child and parent or only for parent is enough ??
Answer:
> For me , the properties are not getting reflected when i do it only for parent ??
Well done. You just found an easter egg
=> Take a look at transaction SUPC. There is also a menu path to it in PFCG when you have completed the parent role. Look for "Mass Profile Generation".
Cheers,
Julius -
Max roles & Profiles in user?
How many roles can we assign to the user? What is the maximum limit of the roles and profiles for the user?? *
Dear Praveen,
You can assign <b>300</b> authorization profiles to a user (see SAP Note <b>410993</b>).
Note 410993:
You would like to know the maximum number of:
profiles per user
authorizations per profile
authorization values per authorization
Reason and Prerequisites
All maintenance transactions work with the USR04, USR10 and USR12 tables.
Solution
As of Release 4.6A, the structure of the database tables used, and not the kernel, causes some restrictions:
1. Table USR04: Profile assignments for users
This table contains both information about the change status of a user as well as the list of profile names that were assigned to the user.
The PROFS field is used to save the change indicator (C = User created, M = User changed) and the name of the profiles assigned to the user.
The field is defined with a length of 3,750 characters. Since the first two characters are for the change indicator, 3,748 characters are still available for the list of profile names per user. Since the maximum length for each profile name is 12 characters, the maximum number of profiles per user is 312. Note 841612 delivered a solution for increasing the number of usable profiles per user from 300 to the maximum value of 312.
Possible enhancements:
When you use roles exclusively, the number of profiles per user can only be doubled by assigning a reference user.
If you also use manual profiles, you can combine these to form collective profiles.
Caution: In principle, we must advise against using these options. Reason:
Enhancements of this type increase the risk of an unwanted summation of authorizations. On the other hand, the number of entries also increases in the user buffer for authorizations (table USRBF2), which may result in longer runtimes when you perform authorization checks.
2. Table USR10: Authorizations or subprofiles per profile
Due to the length of the AUTHS field (3,750 characters), you can enter the following maximum values in the manual profile maintenance (transaction SU02):
300 subprofiles per collective profile or
150 authorizations per single profile
Of course, the maximum value of 150 authorizations applies to the profiles generated in transactions PFCG or SUPC. Therefore, after you exceed this threshold, a new profile is automatically created.
3. Table USR12: Authorization values per authorization
To save the authorization values, you use the VALS field, which is 3,750 characters long (just like the PROFS field in the USR04 table). Since the values can have different lengths, the number of values per authorization also varies. If you are unsure about whether VALS can accept all of the values that you maintain, you can check the length of the character string using the following formula:
NSTRING =
3 + 18*NFLDS +
NNORM( 1)(MAXLEN( 1)+1) + NGENE( 1)(MAXLEN( 1)+3) +
NNORM( 2)(MAXLEN( 2)+1) + NGENE( 2)(MAXLEN( 2)+3) +
... +
NNORM(NFLDS)(MAXLEN(NFLDS)+1) + NGENE(NFLDS)(MAXLEN(NFLDS)+3)
What the parameters mean:
NSTRING = Total length of the character string in VALS
NFLDS = Number of fields in the authorization object (10 = maximum)
MAXLEN(I) = Number of characters in the longest value in field I
NNORM(I) = Number of normal (not generic) values in field I
NGENE(I) = Number of generic values in field I
I = 1, ..., NFLDS
The absolute maximum length of an authorization value is 40 characters. NNORM(I) and NGENE(I) are the total number of values maintained in the 'From' and 'To' columns in field I.
Example:
The following authorization (chosen at random) for the S_USER_AUT object demonstrates how to apply the above formula:
Field No. Field Name From Value To Value
1 ACTVT 03
08
2 AUTH TESTFIAUTH00 TESTFIAUTH10
Z*
3 OBJECT F_KNA1*
F_BKPF*
F_KNKK_BED
The variables have the following values:
NFLDS = 3
I MAXLEN(I) NNORM(I) NGENE(I)
1 2 2 0
2 12 2 1
3 10 1 2
This results in the following value for the length of the characterstring in the VALS table field:
NSTRING = 3 + 18*3 +
2( 2 + 1) + 0( 2 + 3) +
2(12 + 1) + 1(12 + 3) +
1(10 + 1) + 2(10 + 3) = 141
Further explanations:
If NSTRING is greater than 3,750, the authorization cannot be activated or generated, which means that the values must be distributed across several authorizations. Exception: The profile generator can automatically divide authorizations in roles (activity groups) with just one field (example: the S_TCODE object) into up to 100 generated authorizations.
If profile generation fails because a role contains too many values for an organisation level, you cannot use additional authorizations to solve the problem. Due to the cross-object validity of organizational levels, their values would automatically be copied to the new authorizations. In this case, you only have the option to distribute values across several roles.
Hope this will help.
Regards,
Naveen. -
User, Role, Profile Synchronization Job Fails
Hi Gurus,
When I am scheduling a job the User, Role, and Profile Sync. job fails giving an error
"Cannot assign a java.lang.String object of length 53 to host variable 5 which has JDBC type VARCHAR(40)."
This happens when the synchronization happens with a portal system. We dont have a ruleset for the portal system, So if I put in a "*", it includes this system and results in the error, If I manually select all other system, it works fine. Is there any way to remove this error so that I can schedule the jobs without having to select every system manually.
Regards,
ChinmayaHi,
As per my knowledge, in the Portal system, you should perform only user sync. Roles/profile sync will not work since portal will have workset roles.
Please refer SAP Note 1168120, which may help you to understand the limitations
Hope this helps!!
Rgds,
Raghu
Edited by: Raghu Boddu on Nov 4, 2010 7:39 PM -
Solution Manager 4.0 Solution Monitoring User -Roles-Profiles for Satellite
Hi All,
I have installed Solution Manager 4.0 (OS -Linux ,Database - DB2) .
Now i need to connect solution manager to the R/3 4.6C
Satellite Systems (DEV, QAS ,PRD) for Solution Monitoring
and Service level Reporting .
I have read the configuration guide , but unable to get clear idea .
1) what users (alos type of user -Dialog , Service, Communication etc) do i need create in DEV , and Test in QAS for solution Monitoring .
2) what exact roles /profiles need to be assigned to these users in satellite systems .
3) what users/roles /profiles needs to be done in SOLMAN system
i have applied all the required plug ins and support packs
in satellite systems and solman 40 ..
Please advice . Your response will be a great help for me .
SatishHello Satish,
Just clarify, if u have meant connecting the satellite systems for EWA reports to be precise. Early watch Reports. If its is the case, then repond so that i can putin my inputs which may be helpful for you in this config.
Rgds,
Sri -
Hi All,
What are the list of roles/profiles (for SOLMAN and Satellite system) required to create logical instance etc... for monitoring and tasks.
Regards.
kumarHello Kumar,
please have a look at the Configuration Guide for SolMan on the SAP Marketplace. ALso for information on required documentation, see SAP Note 1088980.
Best regards,
Annett -
Trying to understand "User/Role/Profile Synchronization" and Batch Analysis
Hello,
Im trying to understand what exactly and from which tables these jobs are copying to which tables in CC. I have a understanding that these jobs are moving also deleted roles from backend. This is causing unnecessary delay to long lasting job.
I would appreasite if some one could explain the logic behind these jobs. What the fullsync and incremental is reading ? What kind of changes are causing a role/user/profile to be included to the full and incremental jobs?
How the incremental analysis logic is built ?
br JanneJanne,
In my current implementation we are going for an offline risk analysis due to the heteregoneus system landscape of our client (several SAP and non SAP systems and several SAP systems under 4.6C). Eventhough within our approach we don't perfrom the backend synchronization (we use CC data extractor to pull data from backend into CC) hope the following info could hel you:
The tables such jobs you mention access to, are all the SAP backend system tables related with users, roles, profiles, action and permissions. If you check the data mapping appendix of the "user and configuration guide for 5.2" you will see all the data that CC retrieves. For instance, in order to extract user info (UserID, FName, LName, Email, Phone, Email, Department) tables USR21, USR02, ADRP, ADR6 and ADCP must be accessed.
In terms of CC tables:
VIRSA_CC_SYSUSR >> UserIDs and Systems ID relationship
VIRSA_CC_GENOBJ >> User, Role and Profile master data
VIRSA_CC_GENACT >> User-action, role-action and profile-action data
VIRSA_CC_GENPRM >> User-permission, role-permission and profile-permission
VIRSA_CC_SAPOBJ >> Action-permission
VIRSA_CC_OBJTEXT >> Objects descripcions (ACT, PRM, FLD, VAL, ORG)
Hope this helps.
Regards,
Imanol -
Table used for storing roles/profiles assignment in CUA lansscape
Hi,
following is my cua setup
master client - 999 of SRM 4.0
child client - 101 of ECC 5.0
child client - 202 of SCM 4.1
in cua all distribution works on its logical name assign to respective client.
here is my question
lets say user 'XYZ' in master client assign single as well as composite role and composite profiles assigned in the master as well as child system.
please tell me in which table this relationship is maintain in sap that Composite roles/profile is from which cua client.
from my finding the tables which store the role and profiles from master and child system are i.e. USRSYSACT & USRSYSPRF.
but i am not able to find table which store the roles to user and user to profiles assigment in CUA setup,can someone please help me.
Thanks,
John.Hi Check the tables
<b>USR10 -role definition
AGR_PROF -Profile for Roles
AGR_TEXTS - Role descriptions
AGR_USERS - Assignment of roles to users
AGR_DEFINE - Auth profiles</b>
if needed see other tables with USR* and AGR_*
Reward points if useful
Regards
Anji -
Critical Action and Role/Profile Analysis
Hi,
I want to know the purpose of the Batch Risk Analysis back ground job "Critical Action and Role/Profile Analysis" in RAR 5.3.
I'm assuming that I need not run this job if I do not want the critical roles/profiles like SAP_ALL to be analysed which were defined to be critical in rule architect.
Please let me know if there is any other purpose to run the BG job "Critical Action and Role/Profile Analysis".
Thank you,
ParthaHello Partha,
You got this right. It will analyze the defined critical actions/roles/profiles.
Regards, Varun -
GRC AC10 RAR :"Ignore Critical Roles/Profile" option not available in
Hello Gurus,
I have configured RAR and the reports are working as usual , but i observed that i could not see two things
1) Option to select "IGNORE CRITICAL ROLES/PROFILE" during Role/User ANALYSIS under "Reports & Analytic" tab.
I checked in SPRO>GRC>AC-->Maintain Config Settings
There is a parameter "Ignore Critical Roles/ Profiles" which i first set to "Yes" and then checked in NWBC , i was unable to see the option under "Additional Option".
Later i changed SPRO setting to "NO" , then again it did not show me .
Where can i find this option , so that if i upload say 10 roles which are assigned to firefighter ID they should not be analyzed for RAR ??
2) I also could not find any option to upload "DEFAULT roles" which need to be assigned to any "NEW USER" request coming through CUP ??
Where can we make this setting, so that the basic roles can get assigned to the user when any new user request comes in.
Will you please put some light on this area ?
Thanks in advance.
Regards,
VictorHi Johanna
Have you run the synchronization job subsequent to the configuration of critical roles / profiles ? If not so try running the Synchronization job and then try risk analysis.
Regards
Swarna -
Roles/Profiles for ALEREMOTE
hi all,
can anyone let me know all the Roles/Profiles required for the User ALEREMOTE in a production system.
I understad that the roles sap_all, sap_new , s_bi-wx_rfc and s_bi-whm_rfc can be used in the development and the Quality systems but am told that the roles SAP_ALL & SAP_NEW are not supposed to be used for ALEREMOTE in the Production systems as it would give all authorizations to all the users.
so, could anyone kindly let me know the various roles/profiles that need to be assigned to the user ALEREMOTE keeping in mind that SAP_ALL & SAP_NEW are not allowed and at the same time all the transactions w.r.t BW3.5 should go through successfully.
kindly revert back at the earliest as we are in the process of going to the BW Production.
Thanks & Regards
Manickshi Manicks,
check oss note 150315-BW-Authorizations for Remote-User in BW and OLTP. hope this helps.
Symptom
1) The ALE user fails security in the BW side
2) Missing authorizations when executing Customizing of extractors
3) No IDocs could be sent to the SAP-BW using RFC.
4) Automatic source system connection failes with error R3220: No RFC-Parameters in source system defined
5) When collecting content in BW, warning message RSAOLTP035 comes up
Other terms
Authorizations, SAP_ALL, S_BI-WX_RFC, S_BI-WHM_RFC, S_RS_ALL, ALEREMOTE, BWREMOTE, RSAOLTP 553, RSAOLTP553
Reason and Prerequisites
a) In the BW there exist two user:
i) a human administrator, using S_RS_ALL
ii) a user called BWREMOTE (or similar), used to receive the data from the OLTP, using S_BI-WHM_RFC
b) In the OLTP there exist also two user:
i) a human administrator, needing authorizations to create users and RFC-destinations.
ii) a user called ALEREMOTE (or similar), used to ...
1) ... connect the OLTP to the BW
2) ... extract the data
3) ... send the data to the BW
4) ... show monitoring dialogs for tasks 1 to 4, the profile S_BI-WX_RFC is used (<i>however does
not suffice on some points since some authorizations are
missing in the delivered profile</i>)
5) ... make customizing of OLTP extractors
for this, additionally the authorizations to execute IMG-functionality, to execute Transaction SBIW and to maintain the applications, which shall be customized, must be given during the customizing functionality is used.
Solution
1) The profile S_RS_ALL resp. S_BI-WHM_RFC must contain (at least) the following authorizations:
Profile
2) The referred functionality is b) i) 5), thus
the authorizations to execute IMG-functionality,
to execute Transaction SBIW and to
maintain the applications, which shall be customized,
must be temporarily given to ALEREMOTE, if you want to execute the
functionality from BW-side. The permissions for executing the
customizing is not included in the profile S_BI-WX_RFC, since
this is a critcal functionality.
However there is the possibility to execute the customizing
in the OLTP by a human administrator by hand, using Transaction
SBIW.
3), 4) For sending the Idocs and reading RFC-destinations
the profile S_BI-WX_RFC is incomplete.
Please check, if the following authorizations are included:
Profile
--- S_BI-WX_RFC <PRO> Business Information Warehouse, RFC User
-- B_ALE_ALL <PRO> All authorizations for ALE/EDI
-- S_APPL_LOG_A <PRO> Application log: All
-- S_BTCH_ADM <PRO> BC: Batch - Processing authorization
-- S_BW_RFC <PRO> BW: Authorization Profile: Other
-- See above, same sub-profile as in S_BI-WHM_RFC
--- S_IDOC_ALL <PRO> All authorizations for IDoc functions
- BW AddOn BW-BCT 1.2B:
These authorizations have been delivered with BW AddOn Patch 2 (see 158489 for the AddOn Patch information), except release 45B. For 45B, the authorizations are delivered with BW AddOn Patch 1.
- PI2000.1:
For 4.6B and 4.6C due to delivery errors, this profile also is incorrect. Please transport it from the BW into the Oltp (it is the same in any system and release).
- PI2000.2:
For 4.6C due to delivery errors, this profile also is incorrect.
Please transport it from the BW into the OLTP (it is the same
in any system and release).
- PI2001.2:
For 4.6C due to delivery errors, this profile also is incorrect.
Please transport it from the BW into the OLTP (it is the same in any system and release).
Alternatively, import the sapserv* transport BRSK002208 under the directory
general\R3server\abap\note.0150315 into your OLTP-System.
For help on the sapserv* transport refer to Note 13719.
5) If you have PI-Basis 2005.1 in your source system, you need to attach role SAP_RO_BCTRA to your user in the source system. Otherwise, the functionality mentioned in the message is not available. The system continues to function as before, you may ignore the warning. -
RAR v5.3 - Ignore Critical Roles & Profiles = No is not Working
Hello everyone,
I have SAP_ALL and SAP_NEW configured as critical profiles in Rule Architect. I changed the Ignore Critical Roles & Profiles option to "No" to see the delta. Yet, when I run the risk analysis (ad hoc or batch) against users with SAP_ALL, it still says No Conflicts found even though I changed the config to look at SAP_ALL users.
Do I have to restart the server for the new Config to take effect? It doesn't say it in the option like some of the other Config options do, but It's the only thing that I can think of.
Thank you,
JohonnaHi Johanna
Have you run the synchronization job subsequent to the configuration of critical roles / profiles ? If not so try running the Synchronization job and then try risk analysis.
Regards
Swarna -
Function module to modify the user roles & profiles
Hi All,
I am working on user maintenance and i need a function module to modify the user roles & profiles.
Thanks in Advance.
Phani.i used the below fms
BAPI_USER_ACTGROUPS_ASSIGN for assigning the roles.
delete the profiles of the user qnd assign the profiles to the user:
BAPI_USER_PROFILES_DELETE
BAPI_USER_PROFILES_ASSIGN
i used the above FMs for my requirement.
Regards,
Phani. -
How to add profiles to critical roles & profiles table in GRC RAR
Hello,
As per Note# 1034117, it says Add "SAP_ALL" type security roles and the SAP profiles, see list below for profiles, to the Critical Roles and Critical Profiles table.
SAP_ALL All Authorizations For The SAP System
SAP_NEW All Authorizations For Newly Created Objects
S_A.ADMIN Basis Operator
How do we add the profiles, to the Critical Roles and Critical Profiles table in RAR.
Thanks,Hi,
I configured the critical roles & profiles in rule architect.
But when I schedule the background job for batch risk analysis, it is taking all the users, roles & profiles.
Is there a way to exclude users, roles & profiles? (I have already configured the excluded users, roles and profiles in exclude option), but still when I schedule the background job and say show parameter, it shows the User Range as '*'. It is not showing the excluded users.
Can you please update how to exclude the list of users, from the batch risk analysis?
Thanks,
Maybe you are looking for
-
Which is the right enhancement to trigger a mail automatically in pa40
hi... i am working with pa40 (personal actions).. so here in 2000 screen ... if i click on save button, one mail should be triggered and sent it to that corresponding pernr mail id while i was updating the start date of pernr .. so can any body hel
-
1.Is it compulsory to use all the events in Reports? 2.What transactions do you use for data analysis? 3.What are selection texts? 4.When a program is created and need to be transported to prodn does selection texts always go with it? If not how do y
-
When you double click on psd new instance of Photoshop opens but it doesn't open the file
Just updated to new version of Photoshop and when I double click on a psd, a new instance of Photoshop opens but it doesn't open the file. Any way to fix this?
-
J2EE Status info unavailable disp+work.exe
Hi Experts, I have an critical error in our NW2004s. i installed a dualstack abapjava epcore and ep. the installation was succesfull. But till last week i have the error with the java part. It would not come up. message of dispwork.exe: running, mess
-
Warner/superior electric's SS2000PCi motion controller interfacing with LabVIEW 6i
Sir, In our application, we are controlling the movement of X-Y arm on the X-Y table. For this we are using superior electric products: (a) Slo-Syn SS2000PCi Programmable Step Motor Controller (b) MD808 Motor Drive We are using two such controllers a