Role/Profile to see restrcited data

Similar Messages

• Trying to understand "User/Role/Profile Synchronization" and Batch Analysis

  Hello,
  Im trying to understand what exactly and from which tables these jobs are copying to which tables in CC. I have a understanding that these jobs are moving also deleted roles from backend. This is causing unnecessary delay to long lasting job. 
  I would appreasite if some one could explain the logic behind these jobs. What the fullsync and incremental is reading ? What kind of changes are causing a role/user/profile  to be included to the full and incremental jobs?
  How the incremental analysis logic is built ?
  br Janne

  Janne,
  In my current implementation we are going for an offline risk analysis due to the heteregoneus system landscape of our client (several SAP and non SAP systems and several SAP systems under 4.6C). Eventhough within our approach we don't perfrom the backend synchronization (we use CC data extractor to pull data from backend into CC) hope the following info could hel you:
  The tables such jobs you mention access to, are all the SAP backend system tables related with users, roles, profiles, action and permissions. If you check the data mapping appendix of the "user and configuration guide for 5.2" you will see all the data that CC retrieves. For instance, in order to extract user info (UserID, FName, LName, Email, Phone, Email, Department) tables USR21, USR02, ADRP, ADR6 and ADCP must be accessed.
  In terms of CC tables:
  VIRSA_CC_SYSUSR >> UserIDs and Systems ID relationship
  VIRSA_CC_GENOBJ >> User, Role and Profile master data
  VIRSA_CC_GENACT >> User-action, role-action and profile-action data
  VIRSA_CC_GENPRM >> User-permission, role-permission and profile-permission
  VIRSA_CC_SAPOBJ >> Action-permission
  VIRSA_CC_OBJTEXT >> Objects descripcions (ACT, PRM, FLD, VAL, ORG)
  Hope this helps.
  Regards,
     Imanol

• Roles/Profiles for ALEREMOTE

  hi all,
  can anyone let me know all the Roles/Profiles required for the User ALEREMOTE in a production system.
  I understad that the roles sap_all, sap_new , s_bi-wx_rfc and s_bi-whm_rfc can be used in the development and the Quality systems but am told that the roles SAP_ALL & SAP_NEW are not supposed to be used for ALEREMOTE in the Production systems as it would give all authorizations to all the users.
  so, could anyone kindly let me know the various roles/profiles that need to be assigned to the user ALEREMOTE keeping in mind that SAP_ALL & SAP_NEW are not allowed and at the same time all the transactions w.r.t BW3.5 should go through successfully.
  kindly revert back at the earliest as we are in the process of going to the BW Production.
  Thanks & Regards
  Manicks

  hi Manicks,
  check oss note 150315-BW-Authorizations for Remote-User in BW and OLTP. hope this helps.
  Symptom
  1) The ALE user fails security in the BW side
  2) Missing authorizations when executing Customizing of extractors
  3) No IDocs could be sent to the SAP-BW using RFC.
  4) Automatic source system connection failes with error R3220: No RFC-Parameters in source system defined
  5) When collecting content in BW, warning message RSAOLTP035 comes up
  Other terms
  Authorizations, SAP_ALL, S_BI-WX_RFC, S_BI-WHM_RFC, S_RS_ALL, ALEREMOTE, BWREMOTE, RSAOLTP 553, RSAOLTP553
  Reason and Prerequisites
  a) In the BW there exist two user:
     i)  a human administrator, using S_RS_ALL
     ii) a user called BWREMOTE (or similar), used to receive the data from the OLTP, using S_BI-WHM_RFC
  b) In the OLTP there exist also two user:
     i)  a human administrator, needing authorizations to create users and RFC-destinations.
     ii) a user called ALEREMOTE (or similar), used to ...
         1) ... connect the OLTP to the BW
         2) ... extract the data
         3) ... send the data to the BW
         4) ... show monitoring dialogs for tasks 1 to 4, the profile S_BI-WX_RFC is used (<i>however does
  not suffice on some points since some authorizations are
  missing in the delivered profile</i>)
         5) ... make customizing of OLTP extractors
         for this, additionally the authorizations to execute IMG-functionality, to execute Transaction SBIW and to maintain the applications, which shall be customized, must be given during the customizing functionality is used.
  Solution
  1) The profile S_RS_ALL resp. S_BI-WHM_RFC must contain (at least) the following authorizations:
  Profile
  2) The referred functionality is b) i) 5), thus
     the authorizations to execute IMG-functionality,
     to execute Transaction SBIW and to
     maintain the applications, which shall be customized,
     must be temporarily given to ALEREMOTE, if you want to execute the
     functionality from BW-side. The permissions for executing the
     customizing is not included in the profile S_BI-WX_RFC, since
     this is a critcal functionality.
     However there is the possibility to execute the customizing
     in the OLTP by a human administrator by hand, using Transaction
     SBIW.
  3), 4) For sending the Idocs and reading RFC-destinations
     the profile S_BI-WX_RFC is incomplete.
     Please check, if the following authorizations are included:
  Profile
    ---   S_BI-WX_RFC  <PRO> Business Information Warehouse, RFC User
  --   B_ALE_ALL    <PRO> All authorizations for ALE/EDI
  --   S_APPL_LOG_A <PRO> Application log: All
  --   S_BTCH_ADM   <PRO> BC: Batch - Processing authorization
  --   S_BW_RFC     <PRO> BW: Authorization Profile: Other
  --   See above, same sub-profile as in S_BI-WHM_RFC
        ---   S_IDOC_ALL   <PRO> All authorizations for IDoc functions
  - BW AddOn BW-BCT 1.2B:
  These authorizations have been delivered with BW AddOn Patch 2 (see 158489 for the AddOn Patch information), except release 45B. For 45B, the authorizations are delivered with BW AddOn Patch 1.
  - PI2000.1:
  For 4.6B and 4.6C due to delivery errors, this profile also is incorrect. Please transport it from the BW into the Oltp (it is the same in any system and release).
  - PI2000.2:
  For 4.6C due to delivery errors, this profile also is incorrect.
  Please transport it from the BW into the OLTP (it is the same
  in any system and release).
  - PI2001.2:
  For 4.6C due to delivery errors, this profile also is incorrect.
  Please transport it from the BW into the OLTP (it is the same in any system and release).
  Alternatively, import the sapserv* transport BRSK002208 under the directory
  general\R3server\abap\note.0150315 into your OLTP-System.
  For help on the sapserv* transport refer to Note 13719.
  5) If you have PI-Basis 2005.1 in your source system, you need to attach role SAP_RO_BCTRA to your user in the source system. Otherwise, the functionality mentioned in the message is not available. The system continues to function as before, you may ignore the warning.

• Authorization,roles,profiles

  i want to know how authorization and roles and profiles will be created...
  and the hirearchy of above 3 (authorization,roles,profiles)
  can anyone help me in getting the documens

  Hi,
  The common used t-code for the above is
  PFCG to create the Role.Here we can assign the role to user also.
  You can see the same in SU01 t-code.
  IN PFCG we create the role and it will ask for profile name.
  Basically it contain the  authorization object.
  In BW we hade rssm t-code,now we have RSECADMIN in BI.
  RSECADMIN is basically used to create the auth object.
  For Example: If you want to restrict the user to see their
  company code data then you need to crete auth object for company code
  and give access to user according to therir requirement ie
  you need to add this auth object to their respetive role.
  Thanks,
  Saveen Kumar
  Edited by: saveen kumar on Jan 10, 2011 7:47 AM

• Final user's can not see the data due to limited authorization.

  We have created a InfoSet with three info Objects, 0Account, 0Costcenter and 0COMP_CODE. 0Costcenter have an attribute retail location  0RT_LOCATIO.
  0RT_LOCATIO is an authorization relevant object. We as consultants can execute the infoset properly, but final user's with limited authorizations can not see the data because of authorization failier
  We hae several options to solve the issue, deleselect the auth. flag in the infoobject; delete the infoobject from the attributes of the cost center or create an authorization object and assign it to the final user's profile. But we don't want to go that way.
  My question is, is there any way to avoid including this attribute in the infoset definition? We are not using it in the query and we don't need it, so if we could delete it from the infoset (in the same way you add or delete infoobjects from an Infocube) without changing the cost center aster data, we will have our problem solved.
  Does anyone how to do this (if possible)?
  Thanks in advance!

  Just do two things to find the authorization check failed for that user.
  1. Execute SU53 output and find out the authoirzation check failed. If yes, please send that to BASIS Team.
  2. Next one, switch on the authorization trace in ST01 and ask that user to see that data. if the user is failed with authorization issue. switch off the trace in ST01 and find out the issue.
  Do this way, if it is not successful you can go for any other alternate way.
  Hope this would help you.

• What are the roles/profiles required in solman and satilite system.....

  Hi All,
  What are the list of roles/profiles (for SOLMAN and Satellite system) required to create logical instance etc... for monitoring and tasks.
  Regards.
  kumar

  Hello Kumar,
  please have a look at the Configuration Guide for SolMan on the SAP Marketplace. ALso for information on required documentation, see SAP Note 1088980.
  Best regards,
  Annett

• Table used for storing roles/profiles assignment in CUA lansscape

  Hi,
  following is my cua setup
  master client - 999 of SRM 4.0
  child client - 101 of ECC 5.0
  child client - 202 of SCM 4.1
  in cua all distribution works on its logical name assign to respective client.
  here is my question
  lets say user 'XYZ' in master client assign single as well as composite role and composite profiles assigned in the master as well as child system.
  please tell me in which table this relationship is maintain in sap that Composite roles/profile is from which cua client.
  from my finding the tables which store the role and profiles from master and child system are i.e. USRSYSACT & USRSYSPRF.
  but i am not able to find table which store the roles to user and user to profiles assigment in CUA setup,can someone please help me.
  Thanks,
  John.

  Hi Check the tables
  <b>USR10  -role definition
  AGR_PROF   -Profile for Roles
  AGR_TEXTS  - Role descriptions
  AGR_USERS  - Assignment of roles to users
  AGR_DEFINE - Auth profiles</b>
  if needed see other tables with USR* and AGR_*
  Reward points if useful
  Regards
  Anji

• GRC AC10 RAR :"Ignore Critical Roles/Profile" option not available in

  Hello Gurus,
  I have configured RAR and the reports are working as usual , but i observed that i could not see two things
  1) Option to select "IGNORE CRITICAL ROLES/PROFILE" during Role/User ANALYSIS under "Reports & Analytic" tab.
  I checked in SPRO>GRC>AC-->Maintain Config Settings
  There is a parameter "Ignore Critical  Roles/ Profiles" which i first set to "Yes" and then checked in NWBC , i was unable to see the option under "Additional Option".
  Later i changed SPRO setting to "NO" , then again it did not show me .
  Where can i find this option , so that if i upload say 10 roles which are assigned to firefighter ID they should not be analyzed for RAR ??
  2) I also could not find any option to upload "DEFAULT roles" which need to be assigned to any "NEW USER" request coming through CUP ??
  Where can we make this setting, so that the basic roles can get assigned to the user when any new user request comes in.
  Will you please put some light on this area ?
  Thanks in advance.
  Regards,
  Victor

  Hi Johanna
  Have you run the synchronization job subsequent to the configuration of critical roles / profiles ? If not so try running the Synchronization job and then try risk analysis.
  Regards
  Swarna

• Create a specific user profile to Material master data

  Dear colleagues.
  We need create on R/3 4.6 a specific user profile for material master data, to create or modify (MM01/MM02) only the following views: 'Sales org. data 1', 'Sales org. data 2' and 'Sales:General/Plant data'. The problem is that when I use the SAP gui functions, I can create the profile, but also with the views 'Foreign trade: Export data' and 'Sales text'. Someone know how create this profile without this last two views? Thanks.

  See:
  http://technet.microsoft.com/en-us/library/cc262327(v=office.15).aspx#create
  And a more complex, in-depth example leveraging MMS:
  http://www.sharepointsteve.com/2010/10/making-custom-user-profile-properties-searchable-in-sharepoint-2010/
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• RAR v5.3 - Ignore Critical Roles & Profiles = No is not Working

  Hello everyone,
  I have SAP_ALL and SAP_NEW configured as critical profiles in Rule Architect.  I changed the Ignore Critical Roles & Profiles option to "No" to see the delta.  Yet, when I run the risk analysis (ad hoc or batch) against users with SAP_ALL, it still says No Conflicts found even though I changed the config to look at SAP_ALL users.
  Do I have to restart the server for the new Config to take effect?  It doesn't say it in the option like some of the other Config options do, but It's the only thing that I can think of.
  Thank you,
  Johonna

  Hi Johanna
  Have you run the synchronization job subsequent to the configuration of critical roles / profiles ? If not so try running the Synchronization job and then try risk analysis.
  Regards
  Swarna

• How to add profiles to critical roles & profiles table in GRC RAR

  Hello,
  As per Note# 1034117, it says Add "SAP_ALL" type security roles and the SAP profiles, see list below for profiles, to the Critical Roles and Critical Profiles table.
  SAP_ALL All Authorizations For The SAP System
  SAP_NEW All Authorizations For Newly Created Objects
  S_A.ADMIN Basis Operator
  How do we add the profiles, to the Critical Roles and Critical Profiles table in RAR.
  Thanks,

  Hi,
  I configured the critical roles & profiles in rule architect.
  But when I schedule the background job for batch risk analysis, it is taking all the users, roles & profiles.
  Is there a way to exclude users, roles & profiles? (I have already configured the excluded users, roles and profiles in exclude option), but still when I schedule the background job and say show parameter, it shows the User Range as '*'. It is not showing the excluded users.
  Can you please update how to exclude the list of users, from the batch risk analysis?
  Thanks,

• Integration of multiple business role profiles in a single Z role profile

  Hi experts,
  I want to see all the work center available in service pro role and interaction center role profiles in a single Z business role prfole on the WEB UI.
  Please advise me the possibilities of the integration of multiple business role profiles in a single Z role profile(Example like Administratoru2019s profile).
  If it is possible what would be the approach please suggest me.
  Thanks in advance
  sameera

  Copy one of this 2 roles which you want to use in Z role and then manualy assign additional workcenters and links to this Z role which you are still missing.
  There is no standard predelivered admin role which would have all workcenters.

• Run a workflow with a low security role profile

  Hello,
  I created a workflow that is sending an email to the administrator when a certain action has to be done. To make sure this workflow has actually been running, I ended it with a step that update a two option field as 'Email sent'. 
  I would like to lock this field for users because I only want them to read it but not change its data. So I enabled security role. 
  The problem is that since I made that, the workflow cannot be run because users don't have the security role to change this field. 
  I found out while browsing thrgough the internet that I had to check 'Execute as the owner of the workflow', but this didn't help. 
  So does anyone has a response to my problem or another way to manage it? A solution that does not involve any code because I'm not working in IT at all, we're a small company and so I'm a salesman. 
  Thanks for your help.
  Sylvain

  Hi,
       Create these 2 fields as non-searchable fields so users cannot search them.  If the user does not need to change these fields, make the fields read-only on the form. There is no need to use security role profile and play with
  security roles for this.
  Hope this helps.
  Minal Dahiya
  blog : http://minaldahiya.blogspot.com.au/
  If this post answers your question, please click "Mark As Answer" on the post and "Vote as Helpful"

• Authorisation problem when trying to see the data after loading

  HI Everyone,
                         I loaded data in quality. when i am trying to see the data, i am getting the following messages
  1.Your user master record is not sufficiently maintained for object Authorization Object for Plant
  2.System error: RSDRC / FORM AUTHORITY_CHECK USER NOT AUTHORIZED ZCOPC_C21 ZCOPC_C21
  3.System error: RSDRC / FUNC RSDRC_BASIC_CUBE_DATA_GET ERROR IN RSDRC_BASIC_QUERY_DATA_GET ZCOPC_C21 64
  4.System error: RSDRC / FORM DATA_GET ERROR IN RSDRC_BASIC_CUBE_DATA_GET ZCOPC_C21 64
  Can any one of you tell whether it is a transport issue or some authorisation problem. Guide me how to solve this.
  Thanks in advance for your help.

  Hi,
  After you get this error goto Tcode SU53 and then you'll get the object and activity for that auth object.
  You can then go and check if this is enabled in your auth profile using SUIM tcode and going to users.
  If its enabled then you need to check for values if you have authorization to display data for that particular plant.
  This is an auth issue and you should get approval from the appropriate person in order for you to look at the Master data and then have the Security or Basis team grant you access to the same.
  Cheers,
  Kedar

• Critical Action and Role/Profile Analysis job in not running in GRC 5.3

  Hi Team,
  I  am working for a client where GRC 5.3 is installed( support pack 4 and patch 1).
  The installation is complete and also the post processing is done.
  We have scheduled a periodic ( weekly ) incremental background job for Critical Action and Role/Profile.
  Following are the parameter setting used:
  Task: Risk Analysis -Batch
  Batch Mode : Incremental
  First time it run successfully on 28th June'09 and it is completed with spool also. But next time it is supposed to run on 4th of July'09 . But it does not. And since then it is in same state.
  I am not able to find any reason that why it is behaving this way where other incremental jobs are running successfully.
  It will be helpfull if any one can guide me providing the solution.
  Regards,
  Kakali

  Hi Varun,
  I go to the Job History Button. It shows the following data only :
  2009-06-28 00:00:59 Done Job Completed successfully
  2009-06-27 23:45:00 Started RAR_PE1CLNT100_Critical Action and Role/Profile Analysis started :threadid: 0
  Under the Last Run Colomn it shows 28th June ( Status -completed)
  Under Next Run Date it is showing 4th July
  Follwoing are the list of Updates available From SP05
  When executing the critical roles/profile jobs in background, a message
  "error while executing the Job: null" comes up. ---( this one is for which come under Informer Tab)
  Background job spools are not available after upgrade from 5.2 to 5.3.
  Critical action and critical role/profile analysis cannot be run in
  background by system. --- ( But in my case It ran for once )
  Selection parameters (System, User and User Group) have been provided for
  "Critical Action and Role/Profile Analysis" in Configuration->Background
  Job->Schedule Job. --- ( it means it run usually)
  Critical Actions report in detail view shows no results after executing the
  Risk Analysis Job in the background. The same report shows data when
  executed in the foreground. ( this one is for which come under Informer Tab )
  When there is only one periodic job configured in RAR, this job fails to
  start after the first time in the specified time. ( this is not true, becoz there other periodic jobs running successfuly)
  Unable to run Informer - audit reports - critical role and profiles with
  logical systems. ( this is again under Informer Tab )
  I had gone through this  earlier also, but not able to match any update with my problem. If if have any other suggestion you can provide me the same.
  Is there any way to check for job log so that I can check what is the problem. View Log option is also greyed out as we have sap logger set up as a default logger Parameter. I have made it enable just to check but there is nothing.
  Please Guide.
  Regards,
  Kakali