Roles from Profiles
I want to create a new Role using the already existing SAP Profiles in the system (e.g. F_FICO_ALL, F_ISRE_ALL, etc.).
How do I create this Role?
Please help.
Create a new role with no auths in it.
Go into the authorisations tab
Menu->Edit->Insert Authorizations->from profile
This won't pull the S_TCODE entries into the menu though which isn't good.
You may be able to get creative and use SU25 to help you - Bernhard Hochreiter did a post in the last couple of weeks which might give you some tips though I'm only going on memory so it might not be applicable.
Similar Messages
-
How to copy and remove admin Role from SAP_ALL profile
Hi SDN Experts,
I need to copy the SAP_ALL profile to another in a CRM 5.0 system; thereafter I need to remove the admin Role from the SAP_ALL profile. Can anyone help regarding this point?
Regards
gcp
Chandra,
I saw your post in this forum regarding configuring SAP integration with the Genesys Gplus adapter. We are in need of the same configuration. Can you please help me in configuring SAP phone for the Gplus adapter? Reply to me on [email protected]
Thanks in Advance
-
Role or Profile with Full Authorization in DISPLAY MODE
Hi all,
Can anyone help me or tell me if there is any standard role or profile which has full authorization in display mode.
I wanted to assign this to all our support team for the PRD server, who should only have the display auths so that the pre-production client can be safe.
I have checked many places for this kind of activity, but found no threads on the same or any related links.
Can anyone tell me how to get this task done....
I have also tried a few possible ways which never helped me and all my efforts failed.
Waiting to hear from SDNs, for which I can assure REWARD POINTS.
Thanks to all in advance
Regards
Hari Haran
Hi,
By enabling the permission level as 'read', the authorized user/group/role can:
1. View the object in the Portal Catalog using the browse and search capabilities.
2. Open the object in its respective primary and secondary editors in read-only mode; the object cannot be modified.
3. Create instances (delta links and copies) from the object.
4. Gain access to and choose templates in the object creation wizards.
This permission level can be used to prevent portal administrators from editing a particular object, while still allowing them to create an instance of the source and use the new instance in any way.
Regards
Srinivasan T
-
Receiving an error when trying to remove P00 Security role from the user
Hi All,
I am receiving an error when trying to remove P00 Security role from the user.
After logging on to GRC CUP, clicking on “Create request”, and filling out required information,
I click on Select Roles/Groups
On the next screen,
I click on Existing Roles/Groups
ERROR MESSAGE appears X Action failed and no roles appear in the box to select for removal.
Regards,
Vineet
Hi Vineet,
Maybe your selection is incorrect.
Try this:
In Application Area -- Select ALL
Functional Area -- Select ALL
Company -- Select ALL
Role/Profile/Group Names --- Give p00* and execute the report
If you give only p00 it won't give any result.
Hope this helps
Thank you,
Kishore
-
Compliance Calibrator Design - Roles and Profiles
Hi guys, as you know SAP's authorization concept involves generation of Roles into Profiles before they can be assigned to a User. In CC, I wonder why there is a need to segregate Roles and Profiles into 2 separate functions. Isn't it already sufficient to analyse roles instead of profiles? Profiles are names which are too technical, which I feel should be omitted unless really necessary.
Well, unless it is to cater for indirect assignment where profiles are granted to position/org unit etc... I will also be trying out whether there is a difference when you only batch analyse a Role and intentionally exclude the 'profile' whenever a new role is created. Will the system work fine when I do a role analysis?
Cheers!
I agree that profiles are old fashioned and should be phased out. The system has to stop people from being able to maintain profiles directly and assign them directly before they do this though. SAP_ALL etc can be converted and assigned as a role. It would make the whole authorisation concept just that little bit easier. We are talking about a German company though!
Also, you don't need profiles for indirect assignment. You can relate roles to the position using PFCG! Click on the organisational management button on the user-tab, next to the user comparison button.
Using profiles (ie, maintaining directly and assignment) is highly recommended against.
-
VIRSA tables for users, roles and profiles sync?
Hello,
I am at a customer, implementing CC 5.2. At first, we tried CC 5.2 in the DEV environment, and when everything was OK, we redirected the RFC connectors to the QA environment.
After doing user, roles and profiles sync in the DEV and in the QA environment too, I have 4.500 users (1.100 from DEV + 3.400 from QA) when I recover all users "*" with "user level - risk analysis" from the "Informer" tab.
It seems that "users, roles, profiles, sync" works like an "APPEND", but I did a COMPLETE synchronization, not an INCREMENTAL one.
If I start an analysis for the QA environment, CC works properly and only analyses QA users (3.400). But I would like to clean the CC tables (users, roles and profiles) in order to have a clean copy of QA in CC.
Which VIRSA tables (users, roles and profiles) do I need to clean?
Is it necessary to do the same with authorization and text objects? Which would be these tables?
Thanks in advance,
Victor
Hi all,
SAP GRC Support provides a script which allows you to remove a connector since it does delete all data linked to it. Anyway, I would recommend a deep analysis of it and find out if it does what you really want to do.
Víctor, if what you want to do is just to remove all user, role and profile master data (stored in tables VIRSA_CC_SYSUSR and VIRSA_CC_GENOBJ) you could upload a text file using data extractor functionality with the delete field set to X. Doing so, user, role and profile master data will be removed from the CC database.
In order to use data extraction functionality your connector must be of type "File Local".
Be careful about removing data directly from the DB since, as Prem states, you might lose the DB consistency.
Hope it helps. Best regards,
Imanol
-
Standard Roles and profiles for OSS Connection User
Dears,
We open OSS connections several times for SAP support, in which we also provide login credentials to SAP to log in to our system.
Are there any standard roles or profiles for this user in QAS and PRD that we can give to maintain our servers' confidentiality?
Please suggest.
Shivam
Not really. A note related to your question popped up in a previous discussion: Re: Exclude T-code from SAP all
> If you take a look at SAP Note 1118396 - Roles for support activities (https://service.sap.com/sap/support/notes/1118396) you will see this explained nicely...
-
Su01 recreate old user - lost roles and profiles
Situation: a person's SAP account was deleted, but now that person needs it again with the same SAP access as before.
When you recreate an old SAP user account in SU01,
SAP gives a message "found old user information, do you want to recreate this".
Press yes, then all is copied except roles and profiles (empty)....
You can find them back via the menu: Information > Change documents for users.
Is there a way to make sure that roles (and/or profiles) are instantly copied from the old records of the SAP account (like
the name, email, user group, user parameters, etcetera)?
Regards,
ABC
No. There is no such feature.
The solution is not to delete the user but rather lock the ID and move it to a "retired" user group where it is protected. From there you can restore it again easily.
Cheers,
Julius
-
Role Expert Profile generation error
Hi All,
I am getting the following error in Role Expert Profile Generation tab.
When I click the Generate tab, I am getting "Name or Password is incorrect(Repeat Login)". Can anybody explain what user ID is generally triggered when generating a profile using Role Expert?
Thanks,
Chandra
Hi there,
To be more precise, you have to use the password from the account which you use to maintain the roles in the system where you want to generate the role.
Kind regards,
Richard
-
Want to remove PFCG and SU01 from profile S_A.SYSTEM
Hi,
I want to remove PFCG and SU01 from profile S_A.SYSTEM.
Could you please suggest me ways to achieve that.
Thanks,
Barada
1) Create a role by inserting the profile S_A.SYSTEM and then design your S_TCODE such that you enter tcodes in ranges and exclude the tcodes PFCG and SU01 from the range.
or
2) Try deactivating the objects S_USER*; this might definitely remove authorization for SU01 and not allow the tcode to be executed. I am not so sure if it will restrict PFCG execution.
-
SAP Roles and Profiles provisioning
Hi all,
I am trying to provision SAP CUA using the SAP UM Connector.
User gets provisioned, but its role and profile do not get assigned.
The tasks "Add Role" and "Add Profile" are seen as completed.
But the roles and profiles are not seen in SAP.
Thanks in advance
Any inputs from anyone ???
-
Hi,
I am using PFCG for creating roles. When I want to derive a role from a mother role, the profile is not taken with the role. Is there a way to derive not only the role but also the profile from a mother role?
Regards
Florian
Hello Florian
I still do not see the point yet if the derived role should be identical to the master role then you could do the following:
(1) Copy master role -> name of derived role
(2) Update table AGR_DEFINE for the derived role name, i.e.
- select all values from AGR_DEFINE with AGR_NAME = '<name of derived role>'
- set AGR_NAME-parent_agr = '<name of master role>'
Regards
Uwe
-
How can I download the roles from one system and upload them into another ??
Does anyone have the solution? It is very important.
Hi,
Visit Role Maintenance Functions (http://help.sap.com/saphelp_nw04/helpdata/en/e4/15e48efd6c11d296430000e82de14a/content.htm) in section Download/Upload.
To avoid inconsistencies, all roles from which a role is derived are also downloaded. When you download composite roles, all the roles which they contain are also downloaded.
When you upload a role, all role data, including authorization data is uploaded from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case. You must therefore regenerate the authorization profiles after the upload.
Mass Download:
Save several roles on the PC.
You can choose on the selection screen whether you:
Also want to transport the single roles contained in the selected composite roles (Customizing switch ADD_COMPOSITE_ROLES in table SSM_CUST)
Also want to transport the generated profiles for all single roles (PROFILE_TRANSPORT in table PRGN_CUST)
You can define the default setting for both options using the value in the Customizing switch. If you explicitly set a switch to NO, the option in question on the selection screen is not active. Otherwise, it is active.
Regards,
Srilatha.
-
Downloading an undefined role from CPPM to Controller
Requirement:
In order to provide per-user level access, user roles can be created when a user has been successfully authenticated. During the configuration of a remote access policy, the administrator can define a role that should be assigned to the user after successful authentication. If the role is not defined on the controller, it cannot be mapped to the user, hence we need a solution where we can download the relevant role from the server.
Solution:
In RADIUS authentication, when the server (CPPM) successfully authenticates a user, the user is assigned a role (role name) by the server, and if the role is not defined on the controller, the role attributes can also be automatically downloaded from CPPM.
This feature supports roles obtained by the following authentication methods:
802.1x (wireless and wired users)
MAC authentication
Captive Portal
CPPM does not perform any error checking to confirm the accuracy of the role definition (the policy mapped to the role). The controller will validate the policy before downloading.
Configuration:
How to enable :
1. Navigate to the Configuration > Security > Authentication > AAA Profiles.
2. Select an AAA profile.
3. Check the Download Role from CPPM check box to enable role download.
Providing CPPM credentials:
It is mandatory (from CPPM 6.4) to specify CPPM credentials for downloading the role.
Configuring CPPM :
A role can be defined and mapped through an Enforcement profile as shown below.
Select “Aruba Downloadable Role Enforcement” from the Template dropdown list.
Add the Aruba controller IP in the Device list (first create a group, e.g. “My_Devices”, and add the IP address to that group).
Defining and mapping the Policy to the Role :
Define a policy (ACL) by selecting the type of ACL (Stateless ACL/Session ACL/Ethertype).
Add the policy to the role (e.g. Test_policy).
Add the VLAN and CP profile as per the requirement.
Summary of Enforcement Profile :
Define an Enforcement Policy :
A policy with rules is required to pick up this Enforcement profile.
Create a new enforcement policy and define a condition for picking the profile.
Defining a Service :
Finally, we have to define a Service to handle this authentication.
Define a service by selecting an appropriate template (e.g. Aruba 802.1x Wireless/Aruba 802.1x Wired/Aruba Guest etc.).
Select the desired auth types (EAP-PEAP, MSCHAP V2 etc.).
Select the Enforcement profile.
Verification
Testing :
On successful Authentication, CPPM will push the Role along with the policy to the Controller as shown below.
Role is being downloaded to the Controller :
Role is downloaded and a policy is created :
-
Difference between role and profile
Hi All,
I need to know the difference between role and profile. Kindly let me also know
relevant T codes. Can Profiles exist without roles? If yes please let me know how to create them.
Thanks in Advance,
Kalyan
Kalyan,
A role is basically a container of authorizations and other related items.
A profile contains the actual authorizations once a role is generated. In addition a profile can be created from scratch using the classical method--transaction SU02. Roles are created via transaction PFCG.
Also take a look at the following threads:
Difference between Role & Profile
Re: difference between profile and role
Cheers,
Ben