Roles for Admin Approvers

(1) I'd like to give a user an admin role that'll allow him to see all work items that are in approval waiting status so that he can forward or complete the work items on behalf of the true approvers when they are out of office.
(2) Or that when no approver is found in the approval table in the N-step approval badi, the work item is to be forwarded to this admin approver so he can take appropriate actions.
Can I achieve both? If so, what role(s) should this admin have in order to do this? And is there any other attribute or customizing I need to do to enable this?
Thanks much,
SN

Hi
Which SRM version are you using?
1) I think the user has an authorization role problem.
The purchaser worklist is:
- either in BBP_POC (process purchaser order -> worklist tab)
- or in the sourcing cockpit transaction
or do this:
Also, try assigning the role SAP_EC_SC_ADMIN_PURCHASER to the relevant user and then check it out.
Also, in the Extended search option, set Bought on behalf of as checked ('X') and Include Completed Shopping carts as 'X', with Time Frame - (Last Year) and Status = ALL.
Refer to transaction BBP_MON_SC (Monitor Shopping cart) to check with whom it is pending and at what status.
Alternatively, you can refer to the BBP_PD transaction: specify the shopping cart number in the Object_ID field and you will get the details. Find this SC in transaction BBP_PD and double-click on the Organization field.
There is a list of purchasers who have access to this SC via the sourcing cockpit.
2) Implement BBP_WFL_APPROV_BADI to send items to administrators.
First check whether the approval_table[] is initial. If so, you will have to populate the table approval_administrators so that the SC is sent to the default administrator if the approvers are not found.
Also make sure that in the field "approval_agent" you are assigning the username as "USXXXXX".
Populate the APPROVAL_ADMINISTRATORS[] table in the BADI with 'US' followed by the SAP user name. It will go to the administrator inbox.
See related SAP OSS Notes / links:
Note 978709 - Administrator receives no work item for the BADI workflow
Shop on behalf - SECRETARY role
Hope this will help. Do let me know.
Regards
- Atul

Similar Messages

  • How to create Users/Roles for ldap in weblogic without using admin console

    Is it possible to create Users/Roles for ldap in weblogic without using admin console? if possible what are the files i need to modify in DefaultDomain?
    or is there any ant script for creating USers/Roles?
    Regards,
    Raghu.
    Edited by: user9942600 on Jul 2, 2009 1:00 AM
    Edited by: user9942600 on Jul 2, 2009 1:58 AM

    Hi..
    You can use wlst or jmx to perform all security config etc.. same as if it were performed from the admin console..
    e.g. wlst create user
    ..after connecting to admin server
    serverConfig()
    cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator")
    cmo.createUser("userName","Password","UserDesc")
    ..for adding/configuring a role
    cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/RoleMappers/XACMLRoleMapper")
    cmo.createRole('','roleName', 'userName')
    ...see the mbean docs for all the different attributes, operations etc..
    ..Mark.

  • Do we have to have system admin role for pdk???!!!

    Hi ,
    PDK is meant for Java developers, and we have a requirement where developers will not be given the system admin role, but just the Java developer role that comes with PDK (to deploy, download, par applications).
    I was going through the weblog
    and in it, it is mentioned:
    "To ensure that you have the correct permissions to run all the applications in the business package, you must be assigned to the following portal roles:
    Role ID     Description
    pcd:portal_content/administrator/super_admin/super_admin_role     Super Administration
    pcd:portal_content/com.sap.pct/administrator/super_admin/com.sap.portal.super_admin_role     Super Administration "
    If the PDK has to have the system admin role, then there is no meaning in it coming with the Java developer role.
    Can anyone tell me if I understood it the wrong way?
    Please help.
    Thanks,
    Lakshmi.

    Hi Lakshmi,
    The Java developer role only comes with Component manager and Component Inspector and some plugins for IDE.
    To work just with PDK a Java Developer role is fine, but once the PAR is deployed, a developer has to log in and create the iview from that PAR. For this he needs a Content Admin role.
    I have gone through the link mentioned by you and it says you need to have the superadmin role, every user, content admin role for all the iviews to work correctly, which is true this way.
    If your iview is talking to the backend system you need access to the backend, and to create a System object you need a System Admin role.
    So, along with the Java developer role, a developer has to have ContentAdmin and SystemAdmin roles.
    Hope this helps.

  • Roles for Contact Person in MM-SUS Scenario

    Hi !
    When we create a contact person using the Create user option in SUS, we assign the roles to the contact person. These roles are basically the standard SAP roles for SUS. We have created Z-roles (a copy of the standard roles) to restrict certain txns for users and would like to assign these Z-roles to the contact person. How can we ensure that the Z-roles are displayed instead of the standard roles?
    Regards

    Hi
    Please go through these complete SUS-MM Configuration detail links, which will definitely help:
    Roles:
    SAP delivers standard roles with authorisations; if you want to maintain your own, go to transaction PFCG.
    There are two types of role:
    - single role
    - composite role - (one or more single roles)
    To roles you can assign transaction codes, reports, URL links, etc. The SAP system automatically creates the authorisations that you can set on the Authorisations tab page.
    Authorisation:
    Authorization profiles must be generated before you can assign them to users. An authorization is generated for each authorization level in the browser view, and an authorization profile for the whole role as represented in the browser view.
    Re: Clarifications on EBP-SUS and MM-SUS Scenario
    Re: Cancellation from SUS hangs in XI interface
    Re: Vendor Replication in SUS scenario
    Re: SUS-MM for service items
    Re: Central Person already exists
    SUS and Central User Admin
    Re: User roles.
    Please look at the following links for Roles and Authorizations
    Links for user roles:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/52/6714b6439b11d1896f0000e8322d00/content.htm
    http://help.sap.com/saphelp_nw2004s/helpdata/en/42/271d24d86211d2961a0000e82de14a/content.htm
    http://help.sap.com/saphelp_nw2004s/helpdata/en/e4/15e48efd6c11d296430000e82de14a/frameset.htm
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/d3/559a4271c80a31e10000000a1550b0/frameset.htm
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/4e/52b74065448431e10000000a1550b0/frameset.htm
    For profiles and authorisations:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/52/67151e439b11d1896f0000e8322d00/frameset.htm
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/20/efcbfed8a511d397110000e82de14a/frameset.htm
    Regards
    - Atul

  • Portal Run time error when created a separate role for Transport package.

    Hi Experts,
    I have created a separate role for Transport Package (import/export iviews).
    Normally we have transport package functionality in system admin.
    Below are the steps I followed for creating the new role (trans admin):
    1. Copied the SAP-provided system admin role to a separate folder.
    2. Deleted the remaining portal objects (like UWL, portal display etc.) except the transport package workset.
    3. Renamed the role to trans admin.
    I have assigned that role to myself, and it works fine for me when I click on export and import. I have the super admin role.
    When I assign this role to some portal users, Export is not working.
    When a user clicks on Export role, they get the below error.
    Portal Runtime Error
    An exception occurred while processing a request for :
    iView : N/A
    Component Name : N/A
    Access denied (Object(s): com.sap.portal.system/security/sap.com/NetWeaver.Portal/medium_safety/com.sap.portal.appdesigner.contentcatalog/components/Framework).
    Exception id: 12:10_31/08/09_0031_21763550
    See the details for the exception ID in the log file
    Looking into the exception ID also shows the same access denied error.
    Please Advice.
    Thanks
    Sony.

    Hi Raghu,
    Thanks for the reply.
    I have given full permissions to all users to this trans admin role before itself.
    Thanks in advance.
    Sony.
    Edited by: ambica sony on Aug 31, 2009 1:53 PM

  • DEFAULT ROLE FOR USER

    I switch to Oracle11g express and create user
    CREATE USER LEO
    IDENTIFIED BY xy
    DEFAULT TABLESPACE USERS
    TEMPORARY TABLESPACE TEMP
    PROFILE DEFAULT
    ACCOUNT UNLOCK;
    -- 3 Roles for LEO
    GRANT AUTHENTICATEDUSER TO LEO;
    GRANT CONNECT TO LEO;
    GRANT FER_ADMIN TO LEO WITH ADMIN OPTION;
    ALTER USER LEO DEFAULT ROLE FER_ADMIN;
    -- 1 System Privilege for LEO
    GRANT CREATE SESSION TO LEO;
    -- 1 Tablespace Quota for LEO
    ALTER USER LEO QUOTA UNLIMITED ON USERS;
    and after login I check
    select * from SESSION_ROLES
    and I have no roles.
    If I set the role, all works fine.
    Why don't I have the DEFAULT ROLE after login?
    Please help.

    here is the solution
    default roles and grants
    Edited by: Leo Lakota on 4.10.2012 5:52

  • How to Restrict Search based on the Roles for External crawled sites

    I have a situation where the search results have to be restricted based on role
    When External sites are crawled, how can we restrict the search results based on roles,
    I know that we can restrict the search to a group or set of groups that can contain many users but if the group have different roles and if that group has given access to a web repository search, how can we restrict the document/search access based on roles for the same group?
    For example, an index that has an external site as data source and the permissions were set for a group and that group has 2 roles, let's say "Admin" and "user", and the external site has some documents; when searched, the documents should come up only for the "Admin" role during search, but should not come up for the "user" role.
    Is it possible to achieve this? Is there a solution?
    Any advices are greatly appreciated and awarded
    Thanks,
    kk

    Is it possible to restrict on role based?
    Any suggestions are appreciated
    Thanks
    KK

  • Report or ways to find who removed portal roles for an user id ?

    Hi Experts,
    Scenario: if admin removes super admin role or any other portal role for my id. is there any possibility to see who exactly deleted the roles for my id?
    Many Thanks
    Sekhar

    HI,
    as Anja wrote, this is not possible with a default installation of the SAP Portal.
    What you can do is to provide role provisioning with IIDM, GRC or ABAP user store solution instead of giving the portal admin the permission to change role <-> user attribution.
    br,
    Tobias

  • Buyer roles for monitoring SUS vendor changes

    Hi,
    We are looking for EP and SUS roles for below scenario
    When supplier admin logs in to SUS via EP portal, he can modify his /
    her company (as part of supplier self service) data such as name,
    contact info etc. Then, buyer can monitor changes done by supplier,
    then he can transfer the changes to ECC. We were looking for roles in
    EP and SUS that will allow buyer to monitor the changes, we tried SRM
    admin role, but it was not pulling vendors modified in SUS. I can
    monitor changes done for Vendor by buyers in SRM via application
    monitor. But, we are having difficulty in identifying a role to monitor
    changes done by supplier in SUS.
    Will you please suggest which EP (front end) and SUS (Backend) roles
    need to be used? Appreciate your help!
    Thanks,
    Chandra

    Barbara,
      You can achieve this by building a custom program to add additional entries in VENMAP table for the same partner_GUID for the new backend system data.
    SG

  • Changing role for users

    Hi,
    in forms 10g , it's possible to change the role for user
    REVOKE role_name FROM :USERNAME;

    This should work, but the user revoking a role from a different user needs to have the admin option of this role.
    When creating a role, by default the "Admin option" for that role should be enabled for the user creating the role.
    Normally, this would be the schema-owner of the application objects ...
    A user holding the "admin option" may grant a role to a different user and grant the other user "admin option" on this role...

  • Fix for Admin Console UN/PW problem!!

    Hi all,
    The following will allow you to log on to the AdminConsole after setup in Win2000.
    First, open config.xml in your \bea\weblogic600\config\yourdomain directory in an editor. I used XMLWriter, but I'm sure Notepad would work.
    Next, find the following:
    <Security Name="mydomain" GuestDisabled="false"/>
    Add a SystemUser attribute to the line so that it looks like this:
    <Security Name="mydomain" GuestDisabled="false" SystemUser="system"/>
    where "system" is the UserName you want to log into the AdminConsole with.
    Now, fire up the Admin Console and login with this username. The password will be the password you entered during setup. To locate this password, open password.ini from the same directory where you found the XML file. Open password.ini in Notepad to see your password. If it's empty, no password is required.
    Good luck
    Bill

    Can you check if your admin-server's server.xml (admin-server/config/server.xml) has the following settings?
    <default-auth-db-name>ldap</default-auth-db-name>
    <auth-db>
        <name>ldap</name>
        <url>ldap://<hostname>:<port>/<base-dn></url>
        <property>
          <name>bindpw</name>
          <value><passwd></value>
          <encoded>true</encoded>
        </property>
        <property>
          <name>binddn</name>
          <value><binddn-value></value>
        </property>
      </auth-db>
    Can you also verify if the file under admin-server/config/default-sun-web.xml has the following settings?
    # cat default-sun-web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!--
    Copyright 2004 Sun Microsystems, Inc. All rights reserved.
    SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
    -->
    <sun-web-app>
      <security-role-mapping>
        <role-name>admin</role-name>
        <group-name><your_group></group-name>
      </security-role-mapping>
    </sun-web-app>
    - Amit

  • Cisco Nexus 5K + Microsoft Radius for Admin Authentication

    Hi,
    I have Cisco 3750 switches configured to use MS RADIUS for administrator authentication. However, now I would like to add our Cisco Nexus switches to MS RADIUS as well, so that administrators are authenticated against the Microsoft RADIUS for admin authentication.
    I tried it earlier but it won't accept 3750 commands. Can you please help me with a configuration example that I can follow?
    The commands I have used on the 3750 are as follows:
    aaa new-model
    aaa authentication login vtylogin group radius local
    aaa authentication login conlogin group radius local
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization exec vtylogin group radius local
    aaa authorization exec conlogin group radius local
    radius-server host x.x.x.x key SECRETE
    line con 0
    exec-timeout 5 0
    authorization exec conlogin
    logging synchronous
    login authentication conlogin
    line vty 0 4
    exec-timeout 0 0
    authorization exec vtylogin
    login authentication vtylogin
    transport input ssh
    line vty 5 15
    exec-timeout 0 0
    authorization exec vtylogin
    login authentication vtylogin
    transport input ssh

    I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
    Attribute: cisco-av-pair
    Requirement: Mandatory
    Value: shell:roles*"network-admin vdc-admin"
    For more information take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
    Hope this helps
    Thank you for rating helpful posts!
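
An added example, not part of the reply above and not Cisco or Microsoft tooling: a Python check that parses the `shell:roles` cisco-av-pair values a RADIUS policy returns and reports which policies hand out `network-admin` or `vdc-admin`, and which return no role attribute at all. The policy names and sample pairs are constructed; `=` and `*` are the mandatory and optional separators of the cisco-av-pair syntax.

```python
import re

# Roles the reply above returns for full access on NX-OS.
PRIVILEGED_ROLES = {"network-admin", "vdc-admin"}

# cisco-av-pair layout: <protocol>:<attribute><sep><value>
# "=" marks the attribute mandatory, "*" marks it optional.
_AV_PAIR = re.compile(
    r'^(?P<proto>[\w-]+):(?P<attr>[\w-]+)(?P<sep>[=*])(?P<value>.*)$'
)


def parse_shell_roles(av_pair):
    """Return (roles, mandatory) for a shell:roles pair, None for anything else."""
    m = _AV_PAIR.match(av_pair.strip())
    if not m or m["proto"] != "shell" or m["attr"] != "roles":
        return None
    value = m["value"].strip()
    # The role list is usually quoted because it contains spaces.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.split(), m["sep"] == "="


def audit_policies(policies):
    """policies: {policy_name: [av_pair, ...]} -> list of (name, finding, roles)."""
    findings = []
    for name, pairs in policies.items():
        parsed = [p for p in map(parse_shell_roles, pairs) if p]
        if not parsed:
            # Policy sends no shell:roles pair, so the switch decides the role.
            findings.append((name, "no-roles", []))
            continue
        for roles, _mandatory in parsed:
            admin = sorted(PRIVILEGED_ROLES.intersection(roles))
            if admin:
                findings.append((name, "admin", admin))
    return findings


# Constructed sample data: what three hypothetical RADIUS policies return.
SAMPLE_POLICIES = {
    "NetEng-Admins": ['shell:roles*"network-admin vdc-admin"'],
    "NOC-ReadOnly": ['shell:roles="network-operator"'],
    "Helpdesk": ["shell:priv-lvl=15"],  # IOS-style attribute, carries no role
}

if __name__ == "__main__":
    for finding in audit_policies(SAMPLE_POLICIES):
        print(finding)
```

Run it against an export of the policy attributes to confirm that only the intended administrator group receives the admin roles.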

  • CUP "view" role for reviews

    Hi experts,
    Is it possible to create a role in UME only with "view"/"information" actions?
    So that the revisors only can check the tab "my work", "informer", "configuration" and cannot change the configurations?
    If I give a UME-User only all "View*" roles the tab "configuration" appears but not with all subitems?! Otherwise the revisor get to do modifications in the systems. Okay all modifications are marked in the logs but this is again work for the admins to check the log-files after each review.
    Is there any possibility to go round this process?
    Thanking you in anticipation,
    Alexa

    Hi Alexa,
    Yes, it is possible to restrict CUP Reviewer's access to only the "My Work" and "Informer" tabs, or even certain options under the "Configuration" tab, through GRC AC UME role/permissions.
    I would advise not to give "Configuration" tab access to the reviewers, as it contains ADMIN only functionalities. This can be done by not assigning Action "ViewConfiguration" to Reviewers in UME.  Also not all "Viewxxx" actions should be assigned to reviewers.
    To start with, you can use the SAP-delivered "AEApprover" UME role for CUP Reviewers and then customize the permissions in it to suit your requirement.
    Refer latest Access Control Security guide to know more on different Actions/permissions.
    Regards,
    Amol

  • CUP 5.3 - request with different roles and different approvers

    Hello,
    Here is a scenario we are experiencing in CUP 5.3:
    A Request was created to add 2 roles to a user.
    Role 1 has Role Approver A and Role Approver B
    Role 2 has Role Approver X and Approver X 
    In my final approval level when Role Approver A logs into CUP to approve Role 1, he still sees Role 2 listed in the screen, even though he does not have authority to approve it. Same thing happens for Role Approver X.
    My issue is if anyone of the role approvers approves the request, both roles (Role 1 and Role 2) are assigned to the user master.  (Here the system should have said request pending approval from other approvers, but it didn't)
    The additional configuration on my final stage of approval says approval type =  any one approver.
    I figured that if I change this setting to "All Approvers" it would work (and it did), but now the request wants to be approved by Role Approver A and Role Approver B for Role 1 and the same goes for Role Approver X and Approver X  for Role 2
    When I do the above change the system tells me that the request is pending approval from other approvers
    Do you have any ideas on how I can solve my issue?  Please let me know if I need to clarify further.
    Thank you
    Jacklyn

    Jacklyn,
    I guess you want to use the second approver on each role as the secondary approvers (when escalated the request will go to these approvers), but instead you defined both of them as primary approvers, so you need to add both the second approvers on the roles as secondary approvers instead of primary approver and reroute the request for role owner stage. This should fix your issue.
    Naveen
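
An added example, not from the posts above and not SAP's code: a simplified Python model of the final approval stage as this thread describes it, showing the control gap under "any one approver" (a role is assigned without approval from its own approver) and the effect of moving the second approver of each role to secondary. The function names and the approver ids `A`, `B`, `X`, `X2` are assumptions for illustration.

```python
def stage_decision(roles, approved_by, approval_type):
    """Decide the final stage for one request.

    roles: {role: {"primary": [...], "secondary": [...]}}; secondary approvers
    only act on escalation, so they are not required here.
    Returns (roles_provisioned, approvers_still_pending).
    """
    required = set()
    for owners in roles.values():
        required.update(owners["primary"])
    if approval_type == "any_one":
        # One approval from any approver on the request completes the stage.
        complete = bool(required & approved_by)
    elif approval_type == "all":
        # Every primary approver of every role has to approve.
        complete = required <= approved_by
    else:
        raise ValueError("unknown approval type: %r" % approval_type)
    if complete:
        return sorted(roles), set()
    return [], required - approved_by


def provisioned_without_owner(roles, approved_by, provisioned):
    """Roles that were assigned although none of their own approvers approved."""
    return [r for r in provisioned
            if not set(roles[r]["primary"]) & approved_by]


# Constructed data following the thread: every approver entered as primary.
AS_POSTED = {
    "Role 1": {"primary": ["A", "B"], "secondary": []},
    "Role 2": {"primary": ["X", "X2"], "secondary": []},
}
# The reply's suggestion: the second approver of each role becomes secondary.
AS_SUGGESTED = {
    "Role 1": {"primary": ["A"], "secondary": ["B"]},
    "Role 2": {"primary": ["X"], "secondary": ["X2"]},
}

if __name__ == "__main__":
    granted, _ = stage_decision(AS_POSTED, {"A"}, "any_one")
    print("any_one, A approves:", granted,
          "unapproved by owner:", provisioned_without_owner(AS_POSTED, {"A"}, granted))
    print("all, as posted, A+X approve:", stage_decision(AS_POSTED, {"A", "X"}, "all"))
    print("all, as suggested, A+X approve:", stage_decision(AS_SUGGESTED, {"A", "X"}, "all"))
```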

  • Using Roles for Delegated Administration

    Hi all,
    Does anyone know if the following is possible in 2005Q1 version of Access Manager?
    I have created a top level organisation in Access Manager (dc=myorg,dc=com), and this organisation has some sub-organisations i.e (o=customers,dc=myorg,dc=com). What I would like to do is create a role in the top level organisation, to assign to users that will manage entries in sub-organisations.
    So for example, uid=chris,ou=people,dc=myorg,dc=com must be a user that can be assigned the role "Customer Admin" which will enable him to only create/administer users in ou=people,o=customers,dc=myorg,dc=com.
    Is this at all possible in Access Manager, and how would one go about setting up such a structure?
    Any help appreciated
    Thanx
    Chris

    Hello Chris,
    We have done this recently with our portal implementation. Check out:
    http://docs.sun.com/source/817-7691/dadmnadm.html
    The general steps are:
    1. Define the ACI's for the new "manager" roles
    2. Creating the manager roles with the above ACI's
    3. Configure Display Options for the manager roles
    4. Configure Available Actions for the manager roles
    5. Assign roles to users.
    Steps 1 and 2 are documented in the above link. The combination of steps 3 and 4 restrict the views of the AM console so the manager users only sees Users and Roles.
    Hope that helps
    Jeff
