Roles from Profiles

I want to create a new Role using the already existing SAP Profiles in the system (e.g.F_FICO_ALL, F_ISRE_ALL, etc.)
How do I create this Role?
Please help.

Create a new role with no auths in it.
Go into the authorisations tab
Menu->Edit->Insert Authorizations->from profile
This won't pull the S_TCODE entries into the menu though which isn't good.
You may be able to get creative and use SU25 to help you - Bernhard Hochreiter did a post in the last couple of weeks which might give you some tips though I'm only going on memory so it might not be applicable.

Similar Messages

  • How to copy and remove admin Role from SAP_ALL profile

    Hi SDN Experts,
    I need to copy SAP_ALL profile to another in CRM 5.0 system, thereafter i need to remove admin Role from SAP_ALL profile. Can any help regarding this point..
    regds
    gcp

    Chandra,
    I saw ur post in this forum regarding configuring sap intergration with genesys gplus adapter. We are in need of the same configuration. Can you please help me in configuring sap phone for gplus adapter. Reply me on [email protected]
    Thanks in Advance

  • Role or Profile with Full Authorization in DISPLAY MODE

    Hi all,
    Can anyone help me or tell me if there is any standard role or profile which has full authorization in display mode.
    I wanted to assign this to all our support team for the PRD server who shud only have the display auths so that the pre-production client can be safe.
    I have checked many places for this kind of activity, but found no threads on the same and also realted links.
    Can anyone tell me how to get this task done....
    I have also tried few possible ways which never helped me and all my efforts failed.
    Waiting to hear from SDNs, for which i can assure REWARD POINTS.
    Thanks to all in advance
    Regards
    Hari Haran

    Hi,
    By enabling the permission level as 'read', the authorized user/group/role can:
    1. View the object in the Portal Catalog using the browse and search capabilities.
    2. Open the object in its respective primary and secondary editors in read-only mode; the object cannot be modified.
    3. Create instances (delta links and copies) from the object.
    4. Gain access to and choose templates in the object creation wizards.
    This permission level can be used to prevent portal administrators from editing a particular object, while still allowing them create an instance of the source and use the new instance in any way
    Regards
    Srinivasan T

  • Receiving an error when trying to remove P00 Security role from the user

    Hi All,
    I am receiving an error when trying to remove P00 Security role from the user.
    After logging on to GRC CUP, clicking on u201CCreate requestu201D, and filling out required information,
    I click on Select Roles/Groups
    On the next screen,
    I click on Existing Roles/Groups
    ERROR MESSAGE appears X Action failed and no roles appear in the box to select for removal.
    Regards,
    Vineet

    Hi Vineet,
    My be your selection is incorrect
    Try this
    in Applicaiton Area -- Select ALL
    Functional Area  -
    Select ALL
    Company           -
    Select ALL
    Role/Profile/Group Names --- Give p00* and execute the report
    if you give only p00 it wont give any result
    Hope this helps
    Thank you,
    Kishore

  • Compliance Calibrator Design - Roles and Profiles

    Hi guys,as you know SAP's authorization concept involves generation of Roles into Profile before it can be assigned to a User. In CC, i wonder why is there a need to segregate Roles and Profiles into 2 seperate functions. Isnt it already sufficient to analyse roles instead of profiles? Profile are names which is too technical which i feel should be omitted unless really necessary.
    Well, unless it is to cater for indirect assignment where profiles are granted to position/org unit etc... I will also be trying out whether there is a difference when you only batch analyse a Role and intentionally excluding the 'profile' whenever a new role is created. Will the system work fine when i do a role analysis?
    Cheers!

    I agree that profiles are old fashioned and should be phased out.  The system has to stop people from being able to maintain profiles directly and assign them directly before they do this though.  SAP_ALL etc can be converted and assigned as a role.  It would make the whole authorisation concept just that little bit easier.  We are talking about a German company though!
    Also, you don't need profiles for indirect assignment.  You can relate roles to the position using PFCG!  Click on the organisational management button on the user-tab, next to the user comparison button.
    Using profiles (ie, maintaining directly and assignment) is highly recommended against.

  • VIRSA tables for users, roles and profiles sync?

    Hello,
    I am in a customer, implementing CC 5.2. At the first time, we tried CC 5.2 in DEV environment, and when everything was OK, we redirect RFC connectors to QA environment.
    After doing user, roles and profiles sync in DEV and in QA environment too, I have 4.500 user (1.100 from DEV + 3.400 from QA) when I recover all users "*" with "user level - risk analysis" from the "Informer" tab.
    It seems that "users, roles, profiles, sync" works like and "APPEND", but I did a COMPLETE syncronization not an INCREMENTAL.
    If I start an analysis for QA environment, CC works properly and only analyse QA users (3.400). But I would like to clean CC tables (users, roles and profiles) in order to have a clean copy of QA in CC.
    Which VIRSA tables (users, roles and profiles) I need to clean?
    It is necessary to do the same with authorization and text objects? Which would be these tables?
    Thanks in advance,
    Victor

    Hi all,
    SAP GRC Support provides a script which allows you to remove a connector since it does delete all data link to it. Anyway, I would recommend a deep analysis of it and find out if it does what you really want to do.
    Víctor, if what you want to do it is just to remove all user, role and profile master data (stored in tables VIRSA_CC_SYSUSR and VIRSA_CC_GENOBJ) you could upload a text file using data extractor functionality with the delete field set to X. Doing so user, role and profile master data will be removed from CC database.
    In order to use data extraction functionlaity you connector must be of type "File Local".
    Be careful about removing data directly from DB since, as Prem states, you might loose the DB consistency.
    Hope it helps. Best regards,
       Imanol

  • Standred Roles and profiles for OSS Connection User

    Dears,
    We open OSS connections several times for SAP support in which we also provide login credentials to SAP to login in our system.
    Is there any standred roles or profile for this user in QAS and PRD that we can give to maintain our servers confidentiality.
    Please suggest.
    Shivam

    Not really. A note related to your question popped up in a previous discussion:Re: Exclude T-code from SAP all
    > If you take a look at [SAP Note 1118396 - Roles for support activities|https://service.sap.com/sap/support/notes/1118396] you will see this explained nicely...

  • Su01 recreate old user - lost roles and profiles

    Situation: a person's sap account was deleted, but now that person needs it again with the same sap access as before
    when you recreate an old sap user account in su01,
    sap gives a message "found old user information, do you want to reacreate this".
    Press yess, then all is copied except roles and profiles (empty)....
    You can find them back via the menu : information<change dcuments for users.
    Is there a way to make sure that roles (and/or profiles) are instantly copied from the old records of the sap account (like
    the name, email user group, user parameters, etcetera)?
    Regards,
    ABC

    No. There is no such feature.
    The solution is not to delete the user but rather lock the ID and move it to a "retired" user group where it is protected. From there you can restore it again easily.
    Cheers,
    Julius

  • Role Expert Profile generation error

    Hi All,
    I am getting the following error in Role Expert Profile Generation tab.
    When i click Generate tab, I am geting "Name or Password is incorrect(Repeat Login)" Can any body explain what user id is generally triggered when generate profile using role expert?
    Thanks,
    Chandra

    Hi there,
    to be more precise. You have to use the password from the account which you use to maintain the roles in the system you want to generate the role.
    Kind regards,
    Richard

  • Want to remove PFCG and SU01 from profile S_A.SYSTEM

    Hi,
      I want to remove PFCG and SU01 from profile S_A.SYSTEM.
    Could you please suggest me ways to achieve that.
    Thanks,
    Barada

    1) Create a role by inserting the profile S_A.SYSTEM and then design your S_TCODE such that you enter tcodes in ranges and exclude the tcodes PFCG and SU01 from the range.
    or
    2) Try deactivating the objects S_USER* this might definitely remove authroization for SU01 and not allow to execute the tcode. I am not so sure if it will restrict PFCG execution.

  • SAP Roles and Profiles provisioning

    Hi all,
    I am trying to provision SAP CUA using the SAP UM Connector.
    User gets provisioned, but its role and profile do not get assigned.
    The tasks "Add Role" and "Add Profile" are seen as completed.
    But the roles and profiles are not seen in SAP.
    Thanks in advance

    Any inputs from anyone ???

  • Deriving roles and profiles

    Hi,
    i am using pfcg for creating roles. When i want to derive a role from a mother role the profile is not taken with the role. Is there a way to derive not only the role but also the profile from a mother role?
    Regards
    Florian

    Hello Florian
    I still do not see the point yet if the derived role should be identical to the master role then you could do the following:
    (1) Copy master role -> name of derived role
    (2) Update table AGR_DEFINE for the derived role name, i.e.
    - select all values from AGR_DEFINE with AGR_NAME = '<name of derived role>'
    - set AGR_NAME-parent_agr = '<name of master role>'
    Regards
      Uwe

  • How can download the roles from one system and upload them into another  ??

    Do anyone have the solution ..... ......it  very  important.

    Hi,
    Visit [Role Maintenance Functions|http://help.sap.com/saphelp_nw04/helpdata/en/e4/15e48efd6c11d296430000e82de14a/content.htm] in section Download/Upload.
    To avoid inconsistencies, all roles from which a role is derived are also downloaded. When you download composite roles, all the roles which they contain are also downloaded.
    When you upload a role, all role data, including authorization data is uploaded from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case. You must therefore regenerate the authorization profiles after the upload.
    Mass Download:
    Save several roles on the PC.
    You can choose on the selection screen whether you:
         Also want to transport the single roles contained in the selected composite roles (Customizing switch ADD_COMPOSITE_ROLES in table SSM_CUST)
         Also want to transport the generated profiles for all single roles (PROFILE_TRANSPORT in table PRGN_CUST)
    You can define the default setting for both options using the value in the Customizing switch. If you explicitly set a switch to NO, the option in question on the selection screen is not active. Otherwise, it is active.
    Regards,
    Srilatha.

  • Downloading an undefined role from CPPM to Controller

    Requirement:
    In order to provide per-user level access, user roles can be created when a user has been successfully authenticated.During the configuration of a remote access policy, administrator can define a role that should be assigned to the user after successful authentication. If the Role is not defined in the Controller, Role can not be mapped to the User hence we need a solution where we can download a relevant Role from the server.
    Solution:
    In RADIUS authentication, when Server (CPPM) successfully authenticates a user, the user is assigned a role ( role name) by the Server (CPPM) and if the role is not defined on the controller, the role attributes can also be automatically downloaded from CPPM.
    This feature supports roles obtained by the following authentication methods:
    802.1x (wireless and wired users)
    MAC authentication
    Captive Portal
    CPPM does not perform any error checking to confirm accuracy of the role definition (policy mapped to the Role). Controller will validate the Policy before downloading.
    Configuration:
    How to enable :
    1. Navigate to the Configuration > Security > Authentication > AAA Profiles.
    2. Select an AAA profile.
    3. Check the Download Role from CPPM check box to enable role download.
    Providing CPPM credentials:
    It is mandatory ( From CPPM 6.4 ) to specify CPPM credentials for downloading the Role
    Configuring CPPM :
    A Role can be defined and mapped trough an Enforcement profile as shown bellow.
    We should select “ Aruba Downloadable Role Enforcement” from Template dropdown list.
    Add Aruba controller IP in the Device list ( First create a group, Ex “My_Devices” and add the IP address to that group)
    Defining and mapping the Policy to the Role :
    Define a policy ( ACL) by selecting type of ACL (Stateless ACL/Session ACL/Ethertype)
    Add the policy to the Role ( Ex Test_policy)
    Add the VLAN and CP profile as per the requirement.
    Summary of Enforcement Profile :
    Define and Enforcement Policy :
    A policy/ Rules required to pickup this Enforcement profile,
    Create a new enforcement policy and define a condition for picking the Profile
    Defining a Service :
    Finally we have to define a Service to handle this Authentication
    Define a service by selecting an appropriate template ( Ex Aruba 802.1x Wireless/ Aruba 802.1x Wired/Aruba Guest  etc..)
    Select desired type of Auth types ( EAP-PEAP, MSCHAP V2 etc..)
    Select the Enforcement profile
    Verification
    Testing :
    On successful Authentication, CPPM will push the Role along with the policy to the Controller as shown below.
    Role is being downloaded to the Controller :
    Role is downloaded and a policy is created :

    Requirement:
    In order to provide per-user level access, user roles can be created when a user has been successfully authenticated.During the configuration of a remote access policy, administrator can define a role that should be assigned to the user after successful authentication. If the Role is not defined in the Controller, Role can not be mapped to the User hence we need a solution where we can download a relevant Role from the server.
    Solution:
    In RADIUS authentication, when Server (CPPM) successfully authenticates a user, the user is assigned a role ( role name) by the Server (CPPM) and if the role is not defined on the controller, the role attributes can also be automatically downloaded from CPPM.
    This feature supports roles obtained by the following authentication methods:
    802.1x (wireless and wired users)
    MAC authentication
    Captive Portal
    CPPM does not perform any error checking to confirm accuracy of the role definition (policy mapped to the Role). Controller will validate the Policy before downloading.
    Configuration:
    How to enable :
    1. Navigate to the Configuration > Security > Authentication > AAA Profiles.
    2. Select an AAA profile.
    3. Check the Download Role from CPPM check box to enable role download.
    Providing CPPM credentials:
    It is mandatory ( From CPPM 6.4 ) to specify CPPM credentials for downloading the Role
    Configuring CPPM :
    A Role can be defined and mapped trough an Enforcement profile as shown bellow.
    We should select “ Aruba Downloadable Role Enforcement” from Template dropdown list.
    Add Aruba controller IP in the Device list ( First create a group, Ex “My_Devices” and add the IP address to that group)
    Defining and mapping the Policy to the Role :
    Define a policy ( ACL) by selecting type of ACL (Stateless ACL/Session ACL/Ethertype)
    Add the policy to the Role ( Ex Test_policy)
    Add the VLAN and CP profile as per the requirement.
    Summary of Enforcement Profile :
    Define and Enforcement Policy :
    A policy/ Rules required to pickup this Enforcement profile,
    Create a new enforcement policy and define a condition for picking the Profile
    Defining a Service :
    Finally we have to define a Service to handle this Authentication
    Define a service by selecting an appropriate template ( Ex Aruba 802.1x Wireless/ Aruba 802.1x Wired/Aruba Guest  etc..)
    Select desired type of Auth types ( EAP-PEAP, MSCHAP V2 etc..)
    Select the Enforcement profile
    Verification
    Testing :
    On successful Authentication, CPPM will push the Role along with the policy to the Controller as shown below.
    Role is being downloaded to the Controller :
    Role is downloaded and a policy is created :

  • Difference between role and profile

    Hi All,
    I need to know the difference between role and profile. Kindly let me also know
    relevant T codes. Can Profiles exist without roles? If yes please let me know how to create them.
    Thanks in Advance,
    Kalyan

    Kalyan,
    A role is basically a container of authorizations and other related items.
    A profile contains the actual authorizations once a role is generated.  In addition a profile can be created from scratch using the classical method--transaction SU02.  Roles are created via transaction PFCG.
    Also take a look at the following threads:
    Difference between Role & Profile
    Re: difference between profile and role
    Cheers,
    Ben

Maybe you are looking for