Roles and their authorization profiles time period
Can roles and their authorization profiles be assigned to a user for a limited time period?
please reply
Thanks
Edited by: tracey_hrecc6.0 on Nov 1, 2010 5:24 PM
Hi,
It is possible.
Read below links for more details
http://help.sap.com/saphelp_mic10/helpdata/en/69/1810a4c51144dc833353183155ec88/content.htm
http://www.sap-img.com/basis/frequently-asked-questions-on-authorization.htm
http://help.sap.com/saphelp_wp/helpdata/en/cd/cc5664d22a11d296110000e82de14a/content.htm
Regards
S.Ravi
Edited by: S.Ravi-at-SAP on Nov 25, 2010 5:36 AM
Similar Messages
-
Transport roles and analysis authorization with user assigned
Hi expert,
I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
Thanks for your time,
LuisHi,
In role administration, you have the following options for transporting roles:
You can download the roles from one system and upload them into another
You can import the role from a remote system using RFC
You can transport the roles with the transport function.
Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
Transporting Roles with the Role Transport Function
1. Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
2. Enter the role to be transported and choose Transport Role.
The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
For more information go thrpugh the below link
http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
Regards,
Marasa. -
How to create and allocate authorization profiles?
How to create and allocate authorization profiles? please issue step by step and usage of TC:PFCG.
Hi Srinivas,
I would like to try to explain how to create an authorization profile.
1. you have to create a user with the Tcode SU01 at first
2. run Tcode /nPFCG.
3. enter a name for the role (naming convention is here very important) which you want to create and then click on "create Role".
4. enter a short description for the role and then click on Authorization tab.
5. now you are required to save the role. Click on it and continue.
6. click on the tab "change authorization data" and select the authorization template what you need.
7.change the authorization field value.
8.click on button "Generate".
9.click on button Back
10. click on Tab user to assign the role to the user which you created in step one
11.click on button User comparison and then complete comparison
Hope this helps -
Role and Analysis Authorizations in BI
Hello allo,
Since analysis authorizations contains carateritics like infocube, queries, activities., is using role and the PFCG transaction (authorizations object)in BI obsolete ? i.e is Analysis authorizations completely replacing Authorization objects (and PFCG) in BI ?
thanks !!Hatem,
You have an option to use the old method however it's recommend to use analysis authorizations going forward.
Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
Cheers,
Ben -
Role and Analysis Authorization Transport
Dear Experts,
I'm working with migration authorization project from 3.5 to 7.0. My doubt is when migrate in development enviroment enhancement each whith join S_RS_AUTH with Analysis Authorization which the role doesn't have any users assigning and transport to test enviroment where have a same role with user assigning. Do lose the user assign?
Thank for all,
LuisHi,
I think it will orverwrite the Role. If you want to lock the target system against import of user assignments, you can goto sm30 (Table - PRGN_CUST). Make an entry - USER_REL_IMPORT (value - NO).
Thanks -
PBC 10 user users/teams/roles and access data profiles
Hello experts,
couples of questions with regards to BPC 10 security
1) In PBC 10, version SAP NetWeaver , if a team or a user was created in BPC not in BW, can the created user/team has access to SAP BW? Can the created team/user be imported and assigned assigned rights in BW? Or , if I need a user who will have acces to both SAP BW and BPC , do I HAVE to create the user in SAP NetWeaver (BW) and assign rights?? or
2)
If the defined attributes are Currency=Euro: Read and Country=France: Write, then Entity102 is writable.
Assuming that a write access to Currency = Euro : Write produce the same output as in the above, How can ensure that I can give a write access on a dimension without having allowing the write access to the whole entity as in the above case?
Thanks
JhHi John,
For your 1st question, to add a BPC user, you need to create BW user first on BW. Then add this BW user as BPC user. When you create a BW user, you need to assign two roles
/POA/BUI_FLEX_CLIENT, /POA/BUI_UM_USER.
Actually, once you created the BW user, you can use this BW user to log on to BW now, but this user has few rights, such as no rights to execute some t-code RSA1, etc. To make this BW user more powerful, you need to assign the corresponding rights directly on BW, not from BPC. The rights(Data Access profile or task profiles) added from BPC only works on BPC object, such as members, cube, etc.
Best Regards,
Charlie -
Roles and transaction authorizations for XI developer
Hi All,
Can anyone validates my requirements to Basis gui in SAP-XI installation.
Transactions authorizations needed are:
SXMB_IFR
SXMB_MONI
SXMB_MONI_BPE
SXI_Monitor
SXI_Cache
IDX1
IDX2
ALERTCATDEF
SM59
WE21
WE20
Do we require any other transactions as a developer.
2) During File-XI-Idoc scenario, we need to place Idocs in one SAP directory with read/write and delete permisions
Can any one suggests howmuch size should be allocated for this directory.
Regards,
venuHI Venu
As a developer you need to have also the authorization of SE80..SE38..etc which are there in ABAP
There is predifined Authorization Group for Developer ..Just ask him to add you into that group...You will automatically gain those authorization...
Regarding
File-XI-Idoc Scenario...
You need not to place any IDOC in any of You directory..
You just place a text file which contains all the required information in such a format that can be easily converted into XML using File Adapter...Once You will convert that text file into XML format after that you need to MAP this XML Formated Data to Your IDOC Message Type.
Also Check out these links
it could be helpful for your scenario...
/people/anish.abraham2/blog/2005/12/22/file-to-multiple-idocs-xslt-mapping
/people/prateek.shah/blog/2005/06/08/introduction-to-idoc-xi-file-scenario-and-complete-walk-through-for-starters
http://help.sap.com/saphelp_nw04/helpdata/en/b9/c5b13bbeb0cb37e10000000a11402f/content.htm
Cheers:-)
Mithlesh -
Need steps to create: Users, and then allocate authorization profiles.
Hello,
I have set up release procedures using a how to doc which was posted an sap123.com. It doesnt go through how to do this, only gives a screen shot. The SAP environment is a test environment for training. We have maybe 4 users existing in system. I would like to know how to first create a user, then go through PFCG and create and allocate authorization profiles. They need to be able to approve PR's/ PO's using the two release codes and release groups I have set up. The steps I followed are posted here: http://www.sap123.com/showthread.php?t=59.
Thanks for any help.Thanks. I do have authorization to create users/ roles & such. I have created 3 specifically to test the workflow I am trying to set up that contains release procedures.
In PFCG - I created a new role MATMGT. On the Menu tab, Assign Transactions screen, could someone please tell me what the Transaction Code would be so that, when I goto the Authorizations tab and click on the Change Authorization Data button, I get a "Materials Management: Purchasing" row displayed in the Change Role: Authorizations screen. I am following http://www.sap123.com/showthread.php?t=59 - and am stuck at the "Create and allocate authorisation profiles" section, as there are no steps detailing the usage of PFCG. -
Diff.between BW and R/3 roles and authorizations
Hi Experts,
Please any one let me know is there any difference for creating roles and assigning authorizations in BW and R/3 systems.
Please let me know the BW related T-codes
Regards,
Reedy V.What version of BW? Are you using BI7 analysis authorisations.
BI7 - go [here|https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce]
If using BW 3.5 or another similar version then build your roles in PFCG and assign to users in SU01
There is more to it which you can find [here|https://service.sap.com/SECURITY] (sorry for the poor link Bernhard ) under category SAP Business Information Warehouse Security Guides
Edited by: Julius Bussche on Jul 8, 2008 12:34 PM
Formatting and link corrected
Thanks Julius!
Edited by: Alex Ayers on Jul 8, 2008 2:10 PM -
Hi Gurus,
I am not an expert in the OBIEE 11g security area, we have an urgent requirement where in i need to obtain the complete list of all users along with their roles/responsibilities.Ours is a big organization and there are nearly 8000 users. Please advice if i need to write any weblogic script (WLST) or is there any other simple way for this..
Thanks,If it is through Presentation Layer,Below the steps you can follow:-
1. Open the OBIEE 11G RPD (offline/online) in Administration Tool
2. Select the ALL/required presentation objects form your Presentation Layer and right-click.
3. On the context menu select “Permission Report”
4 .The Permission Report dialog displays the name and a description of the selected presentation object,
along with a list of users/application roles and their permissions. CLick the Save button to save the permissions in CSV format.
5.Once you saved to a CSV format, you can use that report for the quick auditing of security management.
Below the screen shot for the same
http://www.4shared.com/photo/h1EKYgh1/zrclip_002p5719bc78.html
Mark if helps.
Thanks, -
Is there any way to force a Role Check for authorization from a Ztable
Hi all,
I have an issue that deals with Authorization check using a role. I have to know if there is any way to make a Role force to check if an entry exists in a Ztable.
Eg. A User is assigned a role Z:Ztable_check. Can we now force this Role to somehow check for a particular entry in a Ztable which has a Username and its Corresponding Authorized Cost center. Can the role check from the Ztable and allow the user to view only those cost centers that he is allowed to.
Don't know if this is even theoretically possible.hi
see if this helps you
<b>The SAP Authorization Concept
Authorization checks are a means of protecting functions or objects in the R/3 System. The programmer of the function determines where and how these checks are made, while the user administrator determines (within the framework defined by the programmer) who can execute a function or access an object.
The terms central to the SAP authorization concept are:
Authorization field
This is the smallest unit against which checks can be made. The programmer can create authorization fields by selecting Tools → ABAP Workbench → Development → Other tools → Authorization objs → Fields.
Example: ACTVT and CUSTTYPE.
Authorization object
An authorization object groups together 1 to 10 authorization fields which can then be checked as a combination. The programmer can create authorization fields by selecting Tools → ABAP Workbench → Development → Other tools → Authorization objs → Objects.
Example: The authorization objekt S_TRVL_BKS groups together the authorization fields ACTVT and CUSTTYPE.
Authorization
An authorization is a combination of permitted values for each authorization field of an authorization object. The user administrator creates authorizations by selecting Tools → Administration → Maintain users → Authorization.
Example:
S_TRVL_CUS1 is an authorization for the authorization object S_TRVL_BKS with the values
for customer type (CUSTTYPE) and
02 for activity (ACTVT).
Users who have this authorization are allowed to change the bookings of all customers.
S_TRVL_CUS2 is an authorization for the authorization object S_TRVL_BKS with the values
B for customer type (CUSTTYPE) and
03 for activity (ACTVT).
Users who have this authorization are allowed to display the postings of all customers.
Authorization profile
An authorization profile represents a simple workplace in the context of authorizations. An authorization profile contains authorizations for the authorization objects a user needs to operate effectively in a restricted task area. The user administrator creates authorizations by selecting Tools → Administration → Maintain users → Profiles.
User master record
Your user master record is checked when you logon to the R/3 system. Through the authorization profiles, this provides restricted access to the functions and objects of the R/3 System. The user administrator creates authorizations by selecting Tools → Administration → Maintain users → Users.
Authorization check
The programmer can perform authorization checks with the ABAP command AUTHORITY-CHECK by specifying the value to be checked for each authorization field defined. The system then scans the profiles in the user master record for the authorizations specified. If one of the authorizations found for all fields of the authorization object covers the values specified by AUTHORITY-CHECK, the check was successful.
Example: Check whether the user is allowed to change the postings of business customers:
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
ID 'ACTVT' FIELD '02'
ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
MESSAGE E...
ENDIF.
If the authorization S_TRVL_CUS1 exists in the user's master record, the authorization check is successful. However, if the authorization S_TRVL_CUS2 exists, but not the authorization S_TRVL_CUS1, the check fails.
Authorization assignment
The system administrator is responsible for assigning user master records with the correct authorizations. You should use the Profile Generator to maintain authorization profiles. However, you can also change them manually. Each authorization object contains authorizations. These are grouped together in authorization profiles such that each authorization profile represents a job description, for example 'flight reservations clerk'. You assign one or more authrization profiles to each user master record. You can assign an authorization to as many authorization profiles as you like, and an authorization profile to as many composite profiles and users as you like. Composite profiles are used in manual authorization maintenance, and form a further division in the authorization structure. However, they are not strictly necessary.
User master record
Auth. profile Composite auth. profile
Authorization Auth. profile
Values Authorization
Values</b>
plz reward if satisfied -
SQL Help with Time Period vs Time Period Comparison
Hello,
I am trying to create a query that will provide me a result set that will have current revenue (based off user selection of time) compared to another set of revenue with a different time period.
For example:
select a.xx_adm_adv_id, a.xx_edition, sum(a.xx_net_space)
from ps_xx_adm_work_ord a
where A.xx_issue = 'JAN'
AND A.XX_ISSUE_YEAR = '2011'
group by a.xx_adm_adv_id, a.xx_edition
will provide my current data set, now I want to pull in the result set below, but in the 4th column based off of XX_ADM_ADV_ID & XX_EDITION (no repeats for these combinations).
select B.xx_adm_adv_id, B.xx_edition, sum(B.xx_net_space)
from ps_xx_adm_work_ord B
where B.xx_issue in ('JUN', 'JUL')
AND B.XX_ISSUE_YEAR = '2012'
group by B.xx_adm_adv_id, B.xx_edition
So essentially, I should be seeing all xx_adm_adv_id and xx_edition for both time periods and data in atleast one set of columns (3rd or 4th)
I am running 10.2.0.4.0
Many thanks in advance!Did you try the query that i provided?
Commented XX_ISSUE_YEAR condition,adjust it to meet your requirements.
SQL>
SQL> select distinct a.xx_adm_adv_id,
2 a.xx_edition,
3 sum(case
4 when xx_issue = 'JAN'-- and XX_ISSUE_YEAR = '2011'
5 then
6 a.xx_net_space
7 else
8 0
9 end) over(partition by a.xx_adm_adv_id, a.xx_edition),
10 sum(case
11 when xx_issue in ('JUN', 'JUL')-- and XX_ISSUE_YEAR = '2012'
12 then
13 a.xx_net_space
14 else
15 0
16 end) over(partition by a.xx_adm_adv_id, a.xx_edition)
17 from PS_ORDER a
18 where A.XX_ISSUE in ('JAN', 'JUN', 'JUL')
19 --AND A.XX_ISSUE_YEAR in ('2011', '2012')
20 order by a.xx_edition
21 ;
XX_ADM_ADV_ID XX_EDITION SUM(CASEWHENXX_ISSUE='JAN'--AN SUM(CASEWHENXX_ISSUEIN('JUN','
000016004 NAT 5722.2 2861.1
000016073 REG 5111.12 0
000025008 REG 0 2665.32
SQL> -
After BI 7.0 Upgrade, Authorization Roles and profiles are not visible
Hi Gurus,
We have an issue with authorization roles and profiles are not visible for all end users with new Bex Analyzer (BI 7.0) tool. But still they can see these roles with old Bex Analyzer ( Bex 3.5) tool.
As a developer I have SAP_ALL acces and I can see all authorization roles in new BEx Analyzer (BI 7.0).
I verified in SU01 for user access and every are assigned there roles and they are green.
Do we need to add any new authorization object to fix this issue, please let me know
Thanks and appreciate your help.
Thanks
Ganesh Reddy.
Edited by: Ganesh Reddy on Oct 26, 2009 4:41 PMHi Ganesh,
check the behaviour, if you assign
S_USER_AGR
ACT_GROUP = "..name of the assigned role.."
ACTVT = 03 (for "display")
b.rgds,
Bernhard -
Two user with same profile and role having different authorization
Dear All,
I have very strange case of authorization . We have a new abap developer in our company . Her profile as copied from an exiting abap developer's profile in Development system. But she don't have authorization for lot of transaction that the existing user have. I checked the profile tabs , role tabs . then done the user compare for all the roles , but of no use.
I did a compare of the two uses using S_BCE_68001430 and could see is that the existing abap user is having authorization starting with T_PXXXXXXXX that is giving him extra rights. These authorization is not present in any of the existing role he is assigned to (checked using S_BCE_68001396). The authirsaction in the roles start with T-DXXXXXXXX
Will appreciate if any one can give any input . The problem is i need to assign each authorisation the existing user having manually to the new user.
regards
TonyThanks for the mail.
I check the "Reference User for Additional Rights" -- there is no refernce user assgined.
I checked the table USR04 the no. of Profle for the two users are diffrent and in the table UST04 also the the existing uer is having addtional profiles.
I like to add one more point Some of the roles of the two users are composite roles and both the composite and its orignial roles are included the profile of both users.
Does any one have idea of the authorisations starting with T_PXXXXXXXX
regards
tony
MANDT BNAME PROFILE
100 CHARLHO B_LSMW_ALL
100 CHARLHO T-D1780054
100 CHARLHO T-D1780057
100 CHARLHO T-D1780058
100 CHARLHO T-D17800581
100 CHARLHO T-D1780075
100 CHARLHO T-D17800751
100 CHARLHO T-D1780086
100 CHARLHO T-D17800861
100 CHARLHO T-D17800862
100 CHARLHO T-D17800863
100 CHARLHO T-D17800864
100 CHARLHO T-D1780087
100 CHARLHO T-D1780088
100 CHARLHO T-D1780247
100 CHARLHO T-D1780304
100 CHARLHO T-D1781182
100 CHARLHO T_P0920411
100 CHARLHO T_P09204111
100 CHARLHO T_P092041110
100 CHARLHO T_P09204112
100 CHARLHO T_P09204113
100 CHARLHO T_P09204114
100 CHARLHO T_P09204115
100 CHARLHO T_P09204116
100 CHARLHO T_P09204117
100 CHARLHO T_P09204118
100 CHARLHO T_P09204119
100 TESTUSER2 B_LSMW_ALL
100 TESTUSER2 T-D1780054
100 TESTUSER2 T-D1780057
100 TESTUSER2 T-D1780058
100 TESTUSER2 T-D17800581
100 TESTUSER2 T-D1780075
100 TESTUSER2 T-D17800751
100 TESTUSER2 T-D1780086
100 TESTUSER2 T-D17800861
100 TESTUSER2 T-D17800862
100 TESTUSER2 T-D17800863
100 TESTUSER2 T-D17800864
100 TESTUSER2 T-D1780087
100 TESTUSER2 T-D1780088
100 TESTUSER2 T-D1780247
100 TESTUSER2 T-D1780304
100 TESTUSER2 T-D1781182 -
Authorization : roles and profiles
Hi,
I have two questions that I need answers
- How do I check roles that are assigned to reports and
- roles and profiles needed to execute reports
thanks in advanceHi,
Roles or profiles are assigned to user not specific reports or queries, if u need u can check what roles are assigned to u in SU01, provide the user name and go to display mode there u will find profiles tab, u can check .
Hope this helps u a lot.........
Assigning points is the way of saying Thanks in SDN
Regards
Ramakrishna Kamurthy
Maybe you are looking for
-
Apps won't open and computer is slow to start up
My mac book is screwed up. About a week ago I noticed that everything on my computer started working extremely slowly. So, I ran a verify disk in disk utility. I got a message that my start up disk had an error. So, I started up from the install disk
-
Multiple submit on single form
hi all, My current system have 1 submit button with single form. This submit button will call file_content.upload. htp.p('function on_submit() {'); htp.p(' ...the rest of my code here..'); htp.p(' document.forms[0].submit();'); htp.p(' re
-
Group report without repeating group value
I am trying to format my report that breaks by department like this: Dept ID Employee 1____1___BoB _____2___Mike _____3___John 2____4___Tim I don't want the 'Dept' field to repeat every line. Only where it is changed. I tried this, but ut shows the v
-
Transaction - the subprocess rolling back parent JTA
According to Oracle documentation, "if the caller partner link specifies transaction=participate and the subprocess also specifies transaction=participate, the subprocess rolls back the client JTA transaction." But what I experience is if I just set
-
9i Client/Server installantion Hangs on XP Pro
I'm running a Sony VAIO PCG-GR300P notebook, PIII-1.13 GHz, 512MBs RAM, Win XP Pro. When installing the Client tools from the 9i Client download, installation hangs at 27%. When installing Client tools from Server download, it hangs at 7%. I was able