Roles and their authorization profiles time period

Similar Messages

• Transport roles and analysis authorization with user assigned

  Hi expert,
  I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
  Thanks for your time,
  Luis

  Hi,
  In role administration, you have the following options for transporting roles:
  You can download the roles from one system and upload them into another  
  You can import the role from a remote system using RFC  
  You can transport the roles with the transport function.
  Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
  Transporting Roles with the Role Transport Function
         1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
         2.      Enter the role to be transported and choose Transport Role.
  The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
  You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
  For more information go thrpugh the below link
  http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
  Regards,
  Marasa.

• How to create and allocate authorization profiles?

  How to create and allocate authorization profiles? please issue step by step and usage of  TC:PFCG.

  Hi Srinivas,
  I would like to try to explain how to create an authorization profile.
  1. you have to create a user with the Tcode SU01 at first
  2. run Tcode /nPFCG.
  3. enter a name for the role (naming convention is here very important) which you want to create and then click on "create Role".
  4. enter a short description for the role and then click on Authorization tab.
  5. now you are required to save the role. Click on it and continue.
  6. click on the tab "change authorization data" and select the authorization template what you need.
  7.change the authorization field value.
  8.click on button "Generate".
  9.click on button Back
  10. click on Tab user to assign the role to the user which you created in step one
  11.click on button User comparison and then complete comparison
  Hope this helps

• Role and Analysis Authorizations in BI

  Hello allo,
  Since analysis authorizations contains carateritics like infocube, queries, activities., is using role and the PFCG transaction (authorizations object)in BI obsolete ? i.e is Analysis authorizations completely replacing Authorization objects (and PFCG) in BI ?
  thanks !!

  Hatem,
  You have an option to use the old method however it's recommend to use analysis authorizations going forward.
  Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
  Cheers,
  Ben

• Role and Analysis Authorization Transport

  Dear Experts,
  I'm working with migration authorization project from 3.5 to 7.0. My doubt is when migrate in development enviroment enhancement each whith join S_RS_AUTH with Analysis Authorization which the role doesn't have any users assigning and transport to test enviroment where have a same role with user assigning. Do lose the user assign?
  Thank for all,
  Luis

  Hi,
  I think it will orverwrite the Role. If you want to lock the target system against import of user assignments, you can goto sm30 (Table - PRGN_CUST). Make an entry - USER_REL_IMPORT (value - NO).
  Thanks

• PBC 10 user users/teams/roles and access data profiles

  Hello experts,
  couples of questions with regards to BPC 10 security
  1) In PBC 10, version SAP NetWeaver , if a team or a user was created in BPC not in BW, can the created user/team has access to SAP BW? Can the created team/user be imported and assigned assigned rights in BW?  Or , if I need a user who will have acces to both SAP BW and BPC , do I HAVE to create the user in SAP NetWeaver (BW) and assign rights?? or
  2)
  If the defined attributes are Currency=Euro: Read and Country=France: Write, then Entity102 is writable.
  Assuming that a write access to Currency = Euro : Write produce the same output as in the above, How can ensure that I can give a write access on a dimension without having allowing the write access to the whole entity as in the above case?
  Thanks
  Jh

  Hi John,
  For your 1st question, to add a BPC user, you need to create BW user first on BW. Then add this BW user as BPC user. When you create a BW user, you need to assign two roles
  /POA/BUI_FLEX_CLIENT, /POA/BUI_UM_USER.
  Actually, once you created the BW user, you can use this BW user to log on to BW now, but this user has few rights, such as no rights to execute some t-code RSA1, etc. To make this BW user more powerful, you need to assign the corresponding rights directly on BW, not from BPC. The rights(Data Access profile or task profiles) added from BPC only works on BPC object, such as members, cube, etc.
  Best Regards,
  Charlie

• Roles and transaction authorizations for XI developer

  Hi All,
  Can anyone validates my requirements to Basis gui in SAP-XI installation.
  Transactions authorizations needed are:
  SXMB_IFR
  SXMB_MONI
  SXMB_MONI_BPE
  SXI_Monitor
  SXI_Cache
  IDX1
  IDX2
  ALERTCATDEF
  SM59
  WE21
  WE20
  Do we require any other transactions as a developer.
  2) During File-XI-Idoc scenario, we need to place Idocs in one SAP directory with read/write and delete permisions
  Can any one suggests howmuch size should be allocated for this directory.
  Regards,
  venu

  HI Venu
     As a developer you need to have also the authorization of SE80..SE38..etc which are there in ABAP
  There is predifined Authorization Group for Developer ..Just ask him to add you into that group...You will automatically gain those authorization...
  Regarding
  File-XI-Idoc Scenario...
  You need not to place any IDOC in any of You directory..
  You just place a text file which contains all the required information in such a format that can be easily converted into XML using File Adapter...Once You will convert that text file into XML format after that you need to MAP this XML Formated Data to Your IDOC Message Type.
  Also Check out these links
  it could be helpful for your scenario...
  /people/anish.abraham2/blog/2005/12/22/file-to-multiple-idocs-xslt-mapping
  /people/prateek.shah/blog/2005/06/08/introduction-to-idoc-xi-file-scenario-and-complete-walk-through-for-starters
  http://help.sap.com/saphelp_nw04/helpdata/en/b9/c5b13bbeb0cb37e10000000a11402f/content.htm
  Cheers:-)
  Mithlesh

• Need steps to create: Users, and then allocate authorization profiles.

  Hello,
    I have set up release procedures using a how to doc which was posted an sap123.com. It doesnt go through how to do this, only gives a screen shot. The SAP environment is a test environment for training. We have maybe 4 users existing in system. I would like to know how to first create a user, then go through PFCG and create and allocate authorization profiles. They need to be able to approve PR's/ PO's using the two release codes and release groups I have set up. The steps I followed are posted here: http://www.sap123.com/showthread.php?t=59.
  Thanks for any help.

  Thanks. I do have authorization to create users/ roles & such. I have created 3 specifically to test the workflow I am trying to set up that contains release procedures.
  In PFCG - I created a new role MATMGT. On the Menu tab, Assign Transactions screen, could someone please tell me what the Transaction Code would be so that, when I goto the Authorizations tab and click on the Change Authorization Data button, I get a "Materials Management: Purchasing" row displayed in the Change Role: Authorizations screen. I am following http://www.sap123.com/showthread.php?t=59 - and am stuck at the "Create and allocate authorisation profiles" section, as there are no steps detailing the usage of PFCG.

• Diff.between BW and R/3 roles and authorizations

  Hi Experts,
  Please any one let me know is there any difference for creating roles and assigning authorizations in BW and R/3 systems.
  Please let me know the BW related T-codes
  Regards,
  Reedy V.

  What version of BW? Are you using BI7 analysis authorisations.
  BI7 - go [here|https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce]
  If using BW 3.5 or another similar version then build your roles in PFCG and assign to users in SU01
  There is more to it which you can find [here|https://service.sap.com/SECURITY] (sorry for the poor link Bernhard ) under category SAP Business Information Warehouse Security Guides
  Edited by: Julius Bussche on Jul 8, 2008 12:34 PM
  Formatting and link corrected
  Thanks Julius!
  Edited by: Alex Ayers on Jul 8, 2008 2:10 PM

• How to export users and their roles/responsibilities from OBIEE 11g weblogic console ? (we have nearly 8000 users)

  Hi Gurus,
  I am not an expert in the OBIEE 11g security area, we have an urgent requirement where in i need to obtain the complete list of all users along with their roles/responsibilities.Ours is a big organization and there are nearly 8000 users. Please advice if i need to write any weblogic script (WLST) or is there any other simple way for this..
  Thanks,

  If it is through Presentation Layer,Below the steps you can follow:-
  1. Open the OBIEE 11G RPD (offline/online) in Administration Tool
  2. Select the ALL/required presentation objects form your Presentation Layer and right-click.
  3. On the context menu select “Permission Report”
  4 .The Permission Report dialog displays the name and a description of the selected presentation object,
  along with a list of users/application roles and their permissions. CLick the Save button to save the permissions in CSV format.
  5.Once you saved to a CSV format, you can use that report for the quick auditing of security management.
  Below the screen shot for the same
  http://www.4shared.com/photo/h1EKYgh1/zrclip_002p5719bc78.html
  Mark if helps.
  Thanks,

• Is there any way to force a Role Check for authorization from a Ztable

  Hi all,
  I have an issue that deals with Authorization check using a role. I have to know if there is any way to make a Role force to check if an entry exists in a Ztable.
  Eg. A User is assigned a role Z:Ztable_check. Can we now force this Role to somehow check for a particular entry in a Ztable which has a Username and its Corresponding Authorized Cost center. Can the role check from the Ztable and allow the user to view only those cost centers that he is allowed to.
  Don't know if this is even theoretically possible.

  hi
  see if this helps you
  <b>The SAP Authorization Concept
  Authorization checks are a means of protecting functions or objects in the R/3 System. The programmer of the function determines where and how these checks are made, while the user administrator determines (within the framework defined by the programmer) who can execute a function or access an object.
  The terms central to the SAP authorization concept are:
  Authorization field
  This is the smallest unit against which checks can be made. The programmer can create authorization fields by selecting Tools &#8594; ABAP Workbench &#8594; Development &#8594; Other tools &#8594; Authorization objs &#8594; Fields.
  Example: ACTVT and CUSTTYPE.
  Authorization object
  An authorization object groups together 1 to 10 authorization fields which can then be checked as a combination. The programmer can create authorization fields by selecting Tools &#8594; ABAP Workbench &#8594; Development &#8594; Other tools &#8594; Authorization objs &#8594; Objects.
  Example: The authorization objekt S_TRVL_BKS groups together the authorization fields ACTVT and CUSTTYPE.
  Authorization
  An authorization is a combination of permitted values for each authorization field of an authorization object. The user administrator creates authorizations by selecting Tools &#8594; Administration &#8594; Maintain users &#8594; Authorization.
  Example:
  S_TRVL_CUS1 is an authorization for the authorization object S_TRVL_BKS with the values
  for customer type (CUSTTYPE) and
  02 for activity (ACTVT).
  Users who have this authorization are allowed to change the bookings of all customers.
  S_TRVL_CUS2 is an authorization for the authorization object S_TRVL_BKS with the values
  B for customer type (CUSTTYPE) and
  03 for activity (ACTVT).
  Users who have this authorization are allowed to display the postings of all customers.
  Authorization profile
  An authorization profile represents a simple workplace in the context of authorizations. An authorization profile contains authorizations for the authorization objects a user needs to operate effectively in a restricted task area. The user administrator creates authorizations by selecting Tools &#8594; Administration &#8594; Maintain users &#8594; Profiles.
  User master record
  Your user master record is checked when you logon to the R/3 system. Through the authorization profiles, this provides restricted access to the functions and objects of the R/3 System. The user administrator creates authorizations by selecting Tools &#8594; Administration &#8594; Maintain users &#8594; Users.
  Authorization check
  The programmer can perform authorization checks with the ABAP command AUTHORITY-CHECK by specifying the value to be checked for each authorization field defined. The system then scans the profiles in the user master record for the authorizations specified. If one of the authorizations found for all fields of the authorization object covers the values specified by AUTHORITY-CHECK, the check was successful.
  Example: Check whether the user is allowed to change the postings of business customers:
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
                  ID 'ACTVT'    FIELD '02'
                  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
    MESSAGE E...
  ENDIF.
  If the authorization S_TRVL_CUS1 exists in the user's master record, the authorization check is successful. However, if the authorization S_TRVL_CUS2 exists, but not the authorization S_TRVL_CUS1, the check fails.
  Authorization assignment
  The system administrator is responsible for assigning user master records with the correct authorizations. You should use the Profile Generator to maintain authorization profiles. However, you can also change them manually. Each authorization object contains authorizations. These are grouped together in authorization profiles such that each authorization profile represents a job description, for example 'flight reservations clerk'. You assign one or more authrization profiles to each user master record. You can assign an authorization to as many authorization profiles as you like, and an authorization profile to as many composite profiles and users as you like. Composite profiles are used in manual authorization maintenance, and form a further division in the authorization structure. However, they are not strictly necessary.
                    User master record
                  Auth. profile  Composite auth. profile
             Authorization              Auth. profile
               Values              Authorization
                                 Values</b>
  plz reward if satisfied

• SQL Help with Time Period vs Time Period  Comparison

  Hello,
  I am trying to create a query that will provide me a result set that will have current revenue (based off user selection of time) compared to another set of revenue with a different time period.
  For example:
  select a.xx_adm_adv_id, a.xx_edition, sum(a.xx_net_space)
  from ps_xx_adm_work_ord a
  where A.xx_issue = 'JAN'
  AND A.XX_ISSUE_YEAR = '2011'
  group by a.xx_adm_adv_id, a.xx_edition
  will provide my current data set, now I want to pull in the result set below, but in the 4th column based off of XX_ADM_ADV_ID & XX_EDITION (no repeats for these combinations).
  select B.xx_adm_adv_id, B.xx_edition, sum(B.xx_net_space)
  from ps_xx_adm_work_ord B
  where B.xx_issue in ('JUN', 'JUL')
  AND B.XX_ISSUE_YEAR = '2012'
  group by B.xx_adm_adv_id, B.xx_edition
  So essentially, I should be seeing all xx_adm_adv_id and xx_edition for both time periods and data in atleast one set of columns (3rd or 4th)
  I am running 10.2.0.4.0
  Many thanks in advance!

  Did you try the query that i provided?
  Commented XX_ISSUE_YEAR condition,adjust it to meet your requirements.
  SQL>
  SQL> select distinct a.xx_adm_adv_id,
    2         a.xx_edition,
    3         sum(case
    4               when xx_issue = 'JAN'-- and XX_ISSUE_YEAR = '2011'
    5                  then
    6                a.xx_net_space
    7               else
    8                0
    9             end) over(partition by a.xx_adm_adv_id, a.xx_edition),
  10         sum(case
  11               when xx_issue in ('JUN', 'JUL')-- and XX_ISSUE_YEAR = '2012'
  12                 then
  13                a.xx_net_space
  14               else
  15                0
  16             end) over(partition by a.xx_adm_adv_id, a.xx_edition)
  17    from PS_ORDER a
  18   where A.XX_ISSUE in ('JAN', 'JUN', 'JUL')
  19     --AND A.XX_ISSUE_YEAR in ('2011', '2012')
  20     order by a.xx_edition
  21  ;
  XX_ADM_ADV_ID XX_EDITION                     SUM(CASEWHENXX_ISSUE='JAN'--AN SUM(CASEWHENXX_ISSUEIN('JUN','
  000016004     NAT                                                    5722.2                         2861.1
  000016073     REG                                                   5111.12                              0
  000025008     REG                                                         0                        2665.32
  SQL>

• After BI 7.0 Upgrade, Authorization Roles and profiles are not visible

  Hi Gurus,
  We have an issue with authorization roles and profiles are not visible for all end users with new Bex Analyzer (BI 7.0) tool. But still they can see these roles with old Bex Analyzer ( Bex 3.5) tool.
  As a developer I have SAP_ALL acces and I can see all authorization roles in new BEx Analyzer (BI 7.0).
  I verified in SU01 for user access and every are assigned there roles and they are green.
  Do we need to add any new authorization object to fix this issue, please let me know
  Thanks and appreciate your help.
  Thanks
  Ganesh Reddy.
  Edited by: Ganesh Reddy on Oct 26, 2009 4:41 PM

  Hi Ganesh,
  check the behaviour, if you assign
  S_USER_AGR                          
     ACT_GROUP = "..name of the assigned role.."
     ACTVT = 03 (for "display")    
  b.rgds,
  Bernhard

• Two user with same profile and role having different authorization

  Dear All,
  I have very strange case of authorization . We have a new abap developer in our company . Her profile as copied from an exiting abap developer's profile in Development system. But she don't have authorization for lot of transaction that the existing user have. I checked the profile tabs , role tabs . then done the user compare for all the roles , but of no use.
  I did a compare of the two uses using S_BCE_68001430 and could see is that the existing abap user is having authorization starting with T_PXXXXXXXX that is giving him extra rights. These authorization is not present in any of the existing role he is assigned to (checked using S_BCE_68001396). The authirsaction in the roles start with T-DXXXXXXXX
  Will appreciate if any one can give any input . The problem is i need to assign each authorisation the existing user having manually to the new user.
  regards
  Tony

  Thanks for the mail.
  I check the "Reference User for Additional Rights" -- there is no refernce user assgined.
  I checked the table USR04 the no. of Profle for the two users are diffrent and in the table UST04 also the the existing uer is having addtional profiles.
  I like to add one more point Some of the roles of the  two users are composite roles and both the composite and its orignial roles are included the profile of both users.
  Does any one have idea of the authorisations starting with T_PXXXXXXXX
  regards
  tony
  MANDT BNAME          PROFILE    
  100   CHARLHO        B_LSMW_ALL 
  100   CHARLHO        T-D1780054 
  100   CHARLHO        T-D1780057 
  100   CHARLHO        T-D1780058 
  100   CHARLHO        T-D17800581
  100   CHARLHO        T-D1780075 
  100   CHARLHO        T-D17800751
  100   CHARLHO        T-D1780086 
  100   CHARLHO        T-D17800861
  100   CHARLHO        T-D17800862
  100   CHARLHO        T-D17800863
  100   CHARLHO        T-D17800864
  100   CHARLHO        T-D1780087 
  100   CHARLHO        T-D1780088 
  100   CHARLHO        T-D1780247 
  100   CHARLHO        T-D1780304 
  100   CHARLHO        T-D1781182 
  100   CHARLHO        T_P0920411 
  100   CHARLHO        T_P09204111
  100   CHARLHO        T_P092041110
  100   CHARLHO        T_P09204112
  100   CHARLHO        T_P09204113
  100   CHARLHO        T_P09204114
  100   CHARLHO        T_P09204115
  100   CHARLHO        T_P09204116
  100   CHARLHO        T_P09204117
  100   CHARLHO        T_P09204118
  100   CHARLHO        T_P09204119
  100   TESTUSER2      B_LSMW_ALL 
  100   TESTUSER2      T-D1780054 
  100   TESTUSER2      T-D1780057 
  100   TESTUSER2      T-D1780058 
  100   TESTUSER2      T-D17800581
  100   TESTUSER2      T-D1780075 
  100   TESTUSER2      T-D17800751
  100   TESTUSER2      T-D1780086 
  100   TESTUSER2      T-D17800861
  100   TESTUSER2      T-D17800862
  100   TESTUSER2      T-D17800863
  100   TESTUSER2      T-D17800864
  100   TESTUSER2      T-D1780087 
  100   TESTUSER2      T-D1780088 
  100   TESTUSER2      T-D1780247 
  100   TESTUSER2      T-D1780304 
  100   TESTUSER2      T-D1781182

• Authorization : roles and profiles

  Hi,
  I have two questions that I need answers
  - How do I check roles that are assigned to reports and
  - roles and profiles needed to execute reports
  thanks in advance

  Hi,
  Roles or profiles are assigned to user not specific reports or queries, if u need u can check what roles are assigned to u in SU01, provide the user name and go to display mode there u will find profiles tab, u can check .
  Hope this helps u a lot.........
  Assigning points is the way of saying Thanks in SDN
  Regards
  Ramakrishna Kamurthy