Roles and Attributes Maintenance

Dear all, I am a little lost in a current project on this topic. When using ERP 2005 and not using the Virsa Access Enforcer, how and where are roles and especially their attributes maintained?
Do customers create the roles including the attributes usually in a development system and transport it to the productive environment or how is this process handled.
Any information on this would be highly appreciated.
thanks,
Stefan

It's probably best if you start by reading that fine manual [User Administration and Identity Management in ABAP Systems|http://help.sap.com/saphelp_nw70/helpdata/en/fa/f63f4222fab16be10000000a155106/content.htm] which leads you to the detailed description of the [Authorization concept|http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm].

Similar Messages

  • Difference between SU01 ROLE and attribute ROLE in org.structure

    HI,
    In SU01 transaction ROLE tab employee role is assigned to the user.
    In org. structure attribute ROLE also contains the employee role.
    what is the difference between the two ?
    we should mention employee role for the user in SU01 and attribute ROLE both places to create shopping cart ?
    please guide...points are alloted.
    Thanks
    mani

    Hi SRM guys,
    Just i want to know what is the purpose of the attribute - ROLE in Org.structure
    and what is use of the  ROLE tab in SU01 for user.
    Both places ( attributes and in SU01-ROLE tab ) need to give the sap_bbp_stal_employee role ???  to shop the user... 
    please confirm ..

  • Roles and Object queries tab not visible in MBO attribute properties

    Hi,
    We have installed the SUP Personal developer edition 2.0 on a windows 2008 server. I am trying to create a sample application for getting the list of sales orders by using the SAP BAPI. Once I have the MBO in place, I see that I cannot view the 'Roles' and 'Object Queries' tabs in the 'Attributes' section of the MBO properties.
    Does anyone know why this happens? Is it due to configuration issues? Do help me out as we're trying to get a demo working.
    Thanks & Regards,
    Vaishnavi

    Hi Vaishnavi,
    Check whether you have selected "Advanced" mode . You should be able to see it.
    Regards,
    Viju

  • ERM & CUP and Role Status attribute

    Hi,
    Under a strategy where roles are imported into CUP from ERM, could anyone share the use / meaning / purpose for "Role Status" attribute in ERM?
    Thanks for all. Best regards,
        Imanol

    Varun,
    We have been extensively checking the sync from ERM into CUP and I can tell you that roles into CUP can be imported even though they have Development status value in ERM.
    Anyone has identified the same behaviour in CUP when sync roles from ERM?
    Thanks for all. Best regards,
      Imanol

  • Creation of Service Product with Set Type and Attribute

    Dear All,
    Please guide me with proper step by step process,
    How to create the product with the set type and attribute for service industry in sap crm 7.0
    Regards,

    Hi Nitin,
    Before creating the Service type of product, you have to define the Base category for Service type product. Generally the category for service will be created under the R3 hierarchy R3PRODSTYPE. You can create this category using the TCode:
    COMM_HIERARCHY. Here you have to select the product type as Service and have to assign the set types to the category.
    You can create a service product using the transaction : COMMPR01 -> Click on Service ICON -> Select the Category for Service Type. Then fill in the details for Service Product description, Service ID(Based on number range settings for products), Language.
    Also fill other details like Base Unit of measure, Pricing condition for different sales areas for the service product.
    Since you are using CRM7.0, you can do all these activities using a POWER USER role.
    For more information about Set types and hierarchies please refer the following help link:
    http://help.sap.com/saphelp_crm70/helpdata/EN/46/57672501a208e7e10000000a114a6b/frameset.htm
    Hope this helps!
    Regards,
    Chethan

  • Account Creation - Badi for Default values for BP Role and Sales Area

    Hi all,
    my requirement regards the possibility to create a new prospect (a link should be available in the navigation bar or create section).
    Logically, a bp role as "Prospect" and particular sales area should be created automatically.
    I created an implementation for the BADI definition "BADI_CRM_BP_UIU_DEFAULTS". But don't know how to create the default values for BP role and Sales area:
    In my code
    assign cr_me->('VIEW') to <lv_view_name>.
      if sy-subrc ne 0.
        exit.
      endif.
      lv_viewname = <lv_view_name>.
      case lv_viewname.
        when 'AccountDetails.htm'.
    I obtain the viewname "AccountDetails" , the related context "Header". After I don't know how to proceed to obtain the related entities through the relationship BuilRolesRel and BuilSalesArrangementRel.
    Am I following the right way? Is there another solution to prepare the output for default values?
    Any kind of suggestion will be appreciated.
    Regards, Roberto

    go to spro>cross-application components>sap business partner>business partner> basic settings>field groupings>Configure Field Attributes per BP Role
    Double click the business role which you want to customize (e.g. 'A') and change the proper settings.
    Regards.

  • Roles and Authorization strategy for SAP BIBO

    Hello All,
    We are doing an implementation where Source is a Oracle, SAP BI warehouse and BO XI3.1 as reporting solution.
    Our customer has asked for the authorization strategy that will be implemented in SAP BI. Currently the users belong to different companies or plants or countries
    Current structure is like,
    User 1 belongs to Plant1 of Country1
    User 2 belongs to Plant2 of Country2
    user 3 belongs to Plant3 of Country1 etc..     
    We have more than 500 users who will use the reports. The user belonging to a particular plant should only see the plant data/Country data he belongs to.
    As I understand, we need to create the roles in BW and these roles to be imported into BO to use for the row and column level security.
    The options we considered are,
    1. Use Bex queries in BW to with ABAP code in CMOD to identify the user belongs to Plant  1, 2 or 3 and provide necessary authorizations.
    2. Create user groups based on the country or company they belong to and create as many roles as required. This will however impact the maintenance of so many roles in the BI system.
    We are also forced to avoid Bex queries in BW and hence,  trying to connect Multiproviders directly in BO universe.
    How should we go forward in designing the authorization concept? Any better ideas?
    Thanks and Regards,
    Srinivas

    There are two ways which we can implement this kind of authorization based on my knowledge.
    1. Data Security purely at BW
    If the data is secured based on roles and users, there is no  need of additional authorization from BO side except at report and folder level if you go for SAP Authentication.
    Once you use SAP authentication and enable single sign on option in universe connection, the SAP users can access data based on their profile set at BW.
    2. Data Security from BO
    Let's assume that, if nothing is set at BW and every thing to be take care from BO.
    Then you could create one multiple provider for each plant / country. Create one connection for each multiprovider
    Create restrictions (Tools--> Manage Access Restrictions) for each plant/country. There you can change connection names.
    So you would need to create many restrictions for different permutations and combinations.
    I never tried this option with Multiprovider. But It worked well with NON-SAP data.
    Hope this helps!
    Regards
    Gowtham

  • How to do Enhancements in Reporting & What is Role and How to create Roles

    Hi All,
    Can any one tell How to do Enhancements in Reporting, and also What is Role and How to create Roles in Reporting?
    Plz reply back me on [email protected]
    Regards,
    Kiran

    Reporting Enhancement - RSR00001 - BW: Enhancements for global variables in reporting
    And using the SAP Exit - EXIT_SAPLRRS0_001
    RSR00001- With this enhancement to global variables in reporting you have the option of determining your default values for variables. You can use this enhancement for variables, for which 'Processing by Customer-Exit' has been selected in the variable maintenance. This is valid for all variable types (characteristic value, node, hierarchy, formula and text variables). You use the Exit EXIT_SAPLRRS0_001 for this.
    The Enhancement component (RSR00001) must be assigned to a Project Created using the Transaction CMOD. On activating the Project, the Exit would become active and in turn the logic written inside the Exit.
    To ensure that the data warehousing solution reflects your company's structure and business needs it is critical that you establish who is authorized to access the data. With SAP BW, Authorizations can be defined and maintained by object and can also be applied to hierarchies and these authorizations can be inserted into roles that are used to determine what type of content is available to specific users or user groups.
    T-code for Role maintenance -PFCG.
    Please assign points if it is useful.
    Regards
    Pavan Prakhya

  • SAP Technical roles and IDM Business roles mapping

    Hi Guys
    Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM and the SAP technical roles that are related to that corresponding position into privileges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your sap technical roles from the sap system and assigning them to business roles in IDM. Any help on this is much appreciated?
    Cheers
    Leo

    Thanks Matt,
    I think I get the picture now
    One thing that I am still not sure about is how the sap abap technical roles or profiles are provisioned through workflow
    Here is what I've done so far
    1. HCM data loaded into productive identity store via vds
    2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
    3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
    4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from sap provisioning framework folder and set it as the add/mod/del  event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each abap privilege that gets loaded.
    But it should be obvious now that there is a flaw with this kind of setup, because all non abap privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway because the privileges use the same attribute i.e.MXREF_MX_PRIVILEGE. So it brings me to the question how do you provision abap technical roles or profiles through workflow without setting a provisioning task for each abap related privilege.
    Thanks again for all your help!
    Leo

  • Business Partner Role  and Business Partner Grouping

    Hello Everybody!
    Business Partner Role  and Business Partner Grouping.
    Which correlation is between this attributes existing.
    In which table are this infos stored, In order create I can use
    e.g. BUPA_CREATE_FROM_DATA
    but how is the way inversely. Suppose I want to obtain the information
    about a existing business partner which group he has etc.
    Regards
    sas

    Dear Sas,
    Business Partner Grouping is used to determine the number ranges to be used by the business partner at the time of creation.
    Business Partner Role determines the subset of all the data available to be shown and edited.
    I will give you a very simple (but imaginary) example for understanding the role concept: the business partner in a role of employee might allow you to enter a department id. So this field should be available to you for input when you edit the business partner in the role of employee. But suppose the same business partner is also a person who is your customer. And your customer will require a default payment term. So this field should be available for input when you edit the business partner in the role of a customer. Also, some applications use these roles to determine if the business partner is suitable for particular transaction. In the above example, Payroll application will only allow those Business Partner to be used if they are maintained as an employee. Similarly the sales application can mandate that you can only sell a product to a business partner if he is maintained in a 'customer' role.
    Please understand the example above is not real but given for the understanding of the concept of role.
    You can use the function module 'BUPA_CENTRAL_GET_DETAIL' to find the business partner group. And you can use the function 'BUPA_ROLES_GET' to find the role assigned to a Business Partner.
    Regards, Rakesh

  • Transport roles and analysis authorization with user assigned

    Hi expert,
    I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldn't maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
    Thanks for your time,
    Luis

    Hi,
    In role administration, you have the following options for transporting roles:
    You can download the roles from one system and upload them into another  
    You can import the role from a remote system using RFC  
    You can transport the roles with the transport function.
    Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
    Transporting Roles with the Role Transport Function
           1.      Start the role administration function by choosing Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG).
           2.      Enter the role to be transported and choose Transport Role.
    The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
    You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
    For more information go through the below link
    http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
    Regards,
    Marasa.

  • Export and Import of Roles and Privileges

    Hi,
    We're nearing the end of our development phase and are now preparing for initial load in our QA / Test environment.
    Is there a way to export the Roles and Privilege metadata from one environment to import them into the other. The Staging guide states you need to create them before importing your Identity Stores. I was hoping we didn't need to do this as it's a time consuming task to create them manually.
    Thanks
    Paul

    What I've seen is Business Role Export / Import functionality. It is pretty straight-forward to do, just export the Business Roles in a job (limit what to export in the source SQL) to a CSV-file, then read it back in to different environment in similar job.
    When we were exporting the Business Roles we exported the privilege-references as MSKEYVALUEs not MSKEYs. Note how you have named your repositories in different environments (as you know the name of the MX_PRIVILEGE differs if your ERP repository in development is eg ERP100 and in Q/A ERP200), you may need to convert the privilege names accordingly in export or import.
    One more thing you need to keep in mind is to pay attention whether your data has CR+LFs, which will break the CSV, we tackled this by encrypting/decrypting the data that had line feeds (DESCRIPTION-attribute).
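The export/import round trip described in this reply, as an added example that is not part of the original post and not SAP IDM code. It assumes privilege names follow the `PRIV:<TYPE>:<REPOSITORY>:<NAME>` pattern seen elsewhere on this page, uses hypothetical column names, a hypothetical `|` separator and constructed sample roles, and swaps in standard CSV quoting where the poster encrypted fields containing CR+LF.

```python
import csv
import io

FIELDS = ["MSKEYVALUE", "DESCRIPTION", "PRIVILEGES"]  # hypothetical column names
SEP = "|"                                             # hypothetical multi-value separator

# Constructed sample data; the first description contains CR+LF, a comma and quotes.
SAMPLE_ROLES = [
    {"MSKEYVALUE": "ROLE:BUYER",
     "DESCRIPTION": 'Purchasing clerk\r\nOwner: procurement, "EMEA"',
     "PRIVILEGES": ["PRIV:ROLE:ERP100:Z_ERP100_BUYER", "PRIV:PROFILE:ERP100:Z_DISPLAY"]},
    {"MSKEYVALUE": "ROLE:HELPDESK",
     "DESCRIPTION": "Password resets",
     "PRIVILEGES": ["PRIV:ROLE:HR1:Z_HELPDESK"]},
]


def rename_privilege(name, src_repo, dst_repo):
    """Swap only the repository segment, so a role whose own name
    contains the repository string is not corrupted."""
    parts = name.split(":", 3)
    if len(parts) == 4 and parts[0] == "PRIV" and parts[2] == src_repo:
        parts[2] = dst_repo
    return ":".join(parts)


def export_roles(roles):
    """Serialise roles to CSV text; every field is quoted so embedded
    CR+LF stays inside its field instead of starting a new record."""
    buf = io.StringIO(newline="")
    writer = csv.DictWriter(buf, fieldnames=FIELDS,
                            quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writeheader()
    for role in roles:
        row = dict(role)
        row["PRIVILEGES"] = SEP.join(role["PRIVILEGES"])
        writer.writerow(row)
    return buf.getvalue()


def import_roles(text, src_repo, dst_repo):
    """Parse the CSV text and map privilege names to the target repository."""
    # newline="" keeps line endings untranslated so quoted CR+LF survives.
    reader = csv.DictReader(io.StringIO(text, newline=""))
    roles = []
    for row in reader:
        privs = [p for p in row["PRIVILEGES"].split(SEP) if p]
        row["PRIVILEGES"] = [rename_privilege(p, src_repo, dst_repo) for p in privs]
        roles.append(row)
    return roles


if __name__ == "__main__":
    for role in import_roles(export_roles(SAMPLE_ROLES), "ERP100", "ERP200"):
        print(role["MSKEYVALUE"], role["PRIVILEGES"])
```

Reviewing the renamed privilege list before loading it into the target identity store shows whether any reference still points at the source repository.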

  • Role and groups ?

    What is the difference between roles and groups in Identity Server

    The main difference between roles and groups in Identity Server 5.1 is that you cannot assign policy to groups, only to roles.
    Roles in Identity Server are used to define management permission via ACIs and to allow attribute inheritance via CoS and roles.

  • Implementing roles and rules based authorisation with Azure AD

    Hi all,
    I would greatly appreciate some input on feasibility and patterns I should look at for a complex technical requirement that I am currently tasked with designing.
    We have a system that comprises a web and mobile app. In the past we have implemented session based authentication through ADAM and authorisation through custom business rules contained within the applications. The authentication mechanism is in the process
    of being migrated to Azure AD and authorisation is planned to be moved to Azure AD for our next release.
    Existing authorisation within our web application is already complex. We have users that belong to different groups with a range of permissions such as read, write or admin. Additionally each user is granted access to N customers and also N locations within
    each customer. We have a requirement that any number of combinations of customers and locations be supported. Users also need to have different permissions for each entity, i.e. read access to customer 1 location 2, write access to customer 4 and administer
    customer 7. Currently these privileges are maintained within a relational database and enforced as part of each PageLoad(). Essentially this is a combination of roles and rules based authorisation.
    We are struggling to represent this complex matrix structure within Azure AD and efficiently implement the authorisation decision in Azure AD. The driver for this technical requirement is to provide re-usability of the authorisation component to other (as
    yet unidentified) applications.
    Currently the best option we have come up with is implementing custom attributes for each class of permissions and storing within this 2048 bit field a bitmask that represents whether this permission is granted for a given location (which has a many to one
    relationship with customer).
    Any help or comment would be gratefully received,
    Phil
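The bitmask option described in this post, as an added example that is not part of the original post and does not call any Azure AD API. The location-to-customer table, the function names and the base64 encoding of the stored value are assumptions; only the 2048-bit field per permission class comes from the post.

```python
import base64

MASK_BITS = 2048                    # field size stated in the post
MASK_BYTES = MASK_BITS // 8
PERMISSION_CLASSES = ("read", "write", "admin")

# Constructed sample data: location index -> customer id (many locations per customer).
LOCATION_CUSTOMER = {0: 1, 1: 1, 2: 1, 10: 4, 11: 4, 20: 7}


def empty_grants():
    """One integer bitmask per permission class, all bits clear."""
    return {p: 0 for p in PERMISSION_CLASSES}


def grant(grants, permission, location):
    """Set the bit for `location` in the mask of `permission`."""
    if permission not in grants:
        raise KeyError(f"unknown permission class: {permission}")
    if not 0 <= location < MASK_BITS:
        # A fixed-width field caps the number of addressable locations.
        raise ValueError(f"location index {location} does not fit in {MASK_BITS} bits")
    grants[permission] |= 1 << location


def revoke(grants, permission, location):
    """Clear the bit for `location` in the mask of `permission`."""
    grants[permission] &= ~(1 << location)


def grant_customer(grants, permission, customer):
    """Customer-wide grant: set the bit of every location of that customer."""
    for location, owner in LOCATION_CUSTOMER.items():
        if owner == customer:
            grant(grants, permission, location)


def is_allowed(grants, permission, location):
    """Deny by default: unknown class, out-of-range index or clear bit."""
    if permission not in grants or not 0 <= location < MASK_BITS:
        return False
    return bool((grants[permission] >> location) & 1)


def encode(mask):
    """Fixed-width big-endian bytes as base64 text for a string attribute."""
    return base64.b64encode(mask.to_bytes(MASK_BYTES, "big")).decode("ascii")


def decode(text):
    """Parse a stored attribute value, rejecting anything that is not 2048 bits."""
    raw = base64.b64decode(text, validate=True)
    if len(raw) != MASK_BYTES:
        raise ValueError("attribute value is not a 2048-bit mask")
    return int.from_bytes(raw, "big")


def example_user():
    """The user from the post: read on customer 1 location 2,
    write on customer 4, admin on customer 7."""
    grants = empty_grants()
    grant(grants, "read", 2)
    grant_customer(grants, "write", 4)
    grant_customer(grants, "admin", 7)
    return grants


if __name__ == "__main__":
    user = example_user()
    print(is_allowed(user, "write", 10), is_allowed(user, "write", 2))
```

The scheme depends on location indexes staying stable: reusing an index for a new location silently transfers every existing grant on that bit, and a customer-wide grant has to be re-applied whenever a location is added to that customer.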

    Hi
    When "Advance routing" is used for Task assignment; the task service asserts the following fact types : Task, PreviousOutcome and TaskAction to the rules engine. These facts gives all the reqd info about the task (like outcome of the participant, task stage .. etc)
    Now in the defined ruleset; we can have rules as per our requirement that can extract info from the asserted fact types and assign task to the required/next participant.
    Also note that we write the advance rules for exception cases only.
    For example; let's say all participants have 2 possible Outcomes [COMPLETE, RECHECK]. We have defined the ideal task routing flow as :
    Participant A -> Participant B -> Participant C. This is the flow when all participant selects "COMPLETE"
    Now suppose B selects outcome as "RECHECK" then the task shld move back to A. So for this case only we need to write a advance rule.
    Pls refer to the code sample at : http://download.oracle.com/technology/sample_code/hwf/workflow-106-IterativeDesign.zip
    Also dev guide : refer to section 28.3.7.2 http://download.oracle.com/docs/cd/E14571_01/integration.1111/e10224/bp_hwfmodel.htm#BABBFEJJ
    Thanks
    Edited by: Kania on May 19, 2010 2:41 AM

  • Problems with roles and ldapgroups in IDM 8

    Hello Guys,
    I'm facing a problem. I have to put users in ldap groups and i using roles. I have create an IT role and a Business role.
    I use the IT Role to add users in ldap groups through a rule and the business role to assign groups to a user. The business contains the IT Role.
    Normally, when i put a list of two groups in the rule, i must have user put in the two groups and if i remove one of this group in the rule, user must be removed from the chosen group. Unfortunately, the second scenario doesn't work. I always have the two. And i can't removed the users from all groups.
    Is there something that i'm missing?
    I'm using IDM 8.A patch 2 and Sun Directory Server 6.3.
    The definition of my IT Role is :
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE Role PUBLIC 'waveset.dtd' 'waveset.dtd'>
    <Role authType='ITRole' name='My Groups'>
      <ResetLimit count='0'>
          </ResetLimit>
      <Services>
        <ObjectRef type='Resource' name='RESSOURCE LDAP'/>
      </Services>
      <ContainedRoles>
      </ContainedRoles>
      <RoleAttributes>
        <RoleAttribute name='My Groups:#ID#RESSOURCE LDAP:groups'>
          <Comment>Auto generated by Role Mes Groupes</Comment>
          <AttributeName>groups</AttributeName>
          <AttributeValueRef>
            <ObjectRef type='Rule' id='#ID#RuleListeUserGroups' name='Rule Liste User Groups'/>
          </AttributeValueRef>
          <Requirement>Authoritative merge with value, clear existing</Requirement>
          <ResourceRef>
            <ObjectRef type='Resource' id='#ID#RESSOURCE LDAP' name='RESSOURCE LDAP'/>
          </ResourceRef>
        </RoleAttribute>
      </RoleAttributes>
      <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
      </MemberObjectGroups>
    </Role>
    Thanks All!

    i have it role mapped to ldap groups implemented successfully with the following...
    1. Instead of a rule adding to groups, you should have a resource attribute mapping ... this is described in the ldap resource adapter references....
    <AccountAttributeType id='101' name='ldapGroups' syntax='string' mapName='ldapGroups' mapType='string' multi='true' />
    2. Now have your IT ROLE to have the group population like the following
    <RoleAttribute name='MYROLE:RESOURCE-NAME:ldapGroups'>
          <AttributeName>ldapGroups</AttributeName>
          <AttributeValueString>
            <List>
              <String>cn=Wirelessaccess,ou=Groups,dc=example,dc=com</String>
            </List>
          </AttributeValueString>
          <Requirement>Authoritative merge with value</Requirement>
          <ResourceRef>
            <ObjectRef type='Resource' name='RESOURCE-NAME'/>
          </ResourceRef>
        </RoleAttribute>
