Roles in R/3  for EP

Similar Messages

• Vendor Creation ,Partner role OA not allowed for Vendor of a/c group ZLOV

  Dear Freinds,
  I am facing problem of  Vendor creation , i am getting message  PARTNER ROLE OA NOT ALLOWED FOR VENDOR OF ACCOUNT  GROUP ZLOV.
  While creation of  Vendor in Partner function  i  could not  enter  partner number, system is not accepting any data, message is getting as above.due to which i could not create any vendor.
  Presently I am in process/ setting of  ERS functionality in MM,
  now all my Vendor creation is stuck up ,
  please help me how to solve the problem
  Regards
  Dilip

  Hi Dilip,
  Check first have you Define Permissible Partner Roles per Account Group..
  Check the path:
  SPRO-Materials Management-Purchasing-Partner Determination-Define Permissible Partner Roles per Account Group
  Here check whether OA is assigned with ZLOV or not...If no then click on new entries and enter partner function as OA and Vendor account group ZLOV...Save nd come out...
  Now proceed...Hope it helps..
  Utsav

• How to config the user and role in the runtime for executing in the GP?....

  Hi Experts,
  I am learning GP(Guided processor)according the document
  http://help.sap.com/saphelp_nw70/helpdata/en/44/0d5b8f250d5cfae10000000a155369/frameset.htmneed.
  I meet two question when I learn the GP.
  The first:
  This document don't tell me how to config the member framework of the company.  After I design the GP, I have to config the user and role in the runtime for executing. I hope I can use the WDA(webdynpro for java or webdynpro for java) to implement to config the user for executing in the runtime. Thus, the customer don't config the user when runing the GP. But I don't know how to do this.
  I need a document guide step by step to tell me how to do this.
  The second:
  If I use the workflow in the GP, I have to install and config the NWDI(Netweaver Development Infrastructure). Now I have installed the NWDI, but I don't know config it so that I can download it to my machine for develop the workfolw in the GP.
  Do you give me some hints? Thanks a lot.
  Thank a lot.
  Best regards,
  tao

  Hi, Mithu,
  Thanks a lot for your help in advance.
  I have carefully read the document: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/6b66d7ea-0c01-0010-14af-b3ee523210b5.
  Now, I think I have to set the processor of every actions in every process if I use the GP for processing the workflow.
  I am better to hope that I can set the processor to the role for every actions in every process in the runtime through get the organizational structure in the WDA(webdynpro for java or webdynpro for java). Thus, the customer don't set the processor to the role for every action in every process when runing in the GP.   I don't know how to do this. 
  Whether the function is not supported in the GP? If so, I have to config two organizational structure: in the R/3 and in the Portal. I don't think our customer don't receipt this solution.
  Do you give me some hints? Thanks a lot.  My email: [email protected]
  Thanks again.
  Thanks & Regards,
  Tao

• Configure security-role and method permission for EJB 3.0 using Jdev 11g

  The EJB 3.0 session bean created by Jdev 11g EJB wizard does not have ejb-jar.xml. Where and how can security-role and method permission for the EJB be configured?
  For example,
  <assembly-descriptor>
  <security-role>
  <role-name>managers</role-name>
  </security-role>
  <method-permission>
  <role-name>managers</role-name>
  <method>
  <ejb-name>Employees</ejb-name>
  <method-name>setSalary</method-name>
  <method-params>
  <method-param>java.lang.Long</method-param>
  </method-params>
  </method>
  </method-permission>
  </assembly-descriptor>

  user516954,
  By default annotations are used. However, you can create a new descriptor and that will take presidence over any declared annotation.
  --Ric                                                                                                                                                                                                                                                                                                                               

• Can a Worker Role process call Antimalware for Azure Cloud Services programmatically?

  I'm trying to find a solution that I can use to perform virus scanning on files that have been uploaded to Azure blob storage.  I wanted to know if it is possible to copy the file to local storage on a Worker Role instance, call Antimalware for Azure
  Cloud Services to perform the scan on that specific file, and then depending on whether the file is clean, process the file accordingly.  If the Worker Role cannot call the scan programmatically, is there a definitive way to check if a file has been scanned
  and whether it is clean or not once it has been copied to local storage (I don't know if the service does a real-time scan when new files are added, or only runs on a schedule)?  

  Hi,
  I would suggest you have a look at this article:
  http://azure.microsoft.com/blog/2014/10/30/microsoft-antimalware-for-azure-cloud-services-and-virtual-machines/, please note the Microsoft Antimalware Client and Service is not installed by default in cloud service, please try to use the PowerShell
  cmdlet, Set-AzureServiceAntimalwareExtension to enable antimalware in your cloud service. Here's some more info:http://msdn.microsoft.com/en-us/library/azure/dn771718.aspx
  Best Regards,
  Jambor
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Where can I create Partner Role type (TSW003-supplier) for TSW

  HI IS OIL Expertise,
  Where can I create Partner Role type (TSW003-supplier) for TSW?
  Because while creating partner role @T Code: O4TQ @ Role Assignment” TSW003-supplier” not available on drop-down list. 
  please do needful on this.
  Thanks
  Chandra

  Hello Chandrasekhar
    As you know that Partner Role is -
  "The master data record of a partner role is used to define a business partner. The partner role includes information about the activities that the business partner can carry out and where the business partner carries out these activities. Stock-holding objects, such as plants and storage locations can also be defined as partner roles."
  According to your screen shot and question, you want to define the TSW003 which only shown when you enter Vendor code in initial screen i.e. O4TQ.
  Thanks
  Yogesh

• Authorisation roles and transaction codes for users(MTO--PPmodule)

  Hi !!!
  GURUS !!!!!!!!
  I am working here on live project for  make to order scenario.
  We are using only batch management.
  Could you give me transaction codes for users for authorisation roles.
  All codes from start to end scenario.
  Regards,
  Nitin

  Dear,
  You have to do the JRM - Job role mapping. The list of transactions cannot be decided commonly across all implementations, as per your Business process definition you have to list the transactions invovlved and which business roles are required for that.
  One example: PP_Planner is a Role, this is applicable for the planning person, he will be given transactions related to SOP, DM and MRP, he will not be given transactions related to SFC. Its vice versa for a operations person.
  Thanks & Regards,
  Vijaya Bhaskar A

• Roles in satellite system for message creator

  while creating support message in satellite syatem, i am getting the following error.
  Error in Local Message System: No authorization to logon as trusted system (Trust Message was Not Created
  Message no. BCOS088
  what role i have to give it to the message creator @ satellite system

  Hi.
  Looks like you are using a trusted connection (maintained in table BCOS_CUST) to connect your satellite system to the Solution Manager.
  If you keep this configuration every user who tries to create a support message in your satellite system also needs a real user in the Solution Manager (including authorization objects S_RFC and S_RFC_ACL).
  Instead you should use the SM_<your sol man>_BACK destination and set NO_USER_CHECK=X in Tx: DNO_CUST04 (SolMan).
  Also you should create a Business Partner in SolMan (for each user who should be able to create a support message in satellite system) with external ID referring to the satellite system user.
  You do not need a user in SolMan for everyone who should be able to create a support message from satellite system.
  Hope this helps.
  /cheers

• What are the roles need to add for webservice user in SAP ECC 6.0

  Dear SDNS,
  Can you please help me to understand , what are the roles needed to add while creating a webservice user in ABAP STACK.
  Really appreciate your immediate help and response.
  Thanks and Regards.
  Suraj

  Hi Suraj,
  Please refer to this link & apply the role/s as per the requirements for the web service user:
  [http://help.sap.com/saphelp_nwpi71/helpdata/en/2b/07074155bcf26fe10000000a1550b0/content.htm]
  Best Regards, Trevor

• Branch office Exchange 2010 Role base administration control for branch site administrator

  Dear sir,
       Customer has a Exchange 2010 Main and Branch office environment:
  - Main office Exchange 2010 CAS x2 +HTS & Mailbox x2  (Server1,2 & Server 3,4)
    (Main office administrator:domain1\administrator) - DAG1
  - Branch office Exchange 2010 CAS+HTS x2 & Mailbox with DAG x2 (Server5,6 & Server7,8
     (Branch Administrator: domain1\badmin) - DAG2
       Customer would like to know what is the role which permission should grant / delegate for ID: badmin in order to manage Exchange server 5,6,7,8 ?  (with manage user account and performance in DAG2 failover & branch exchange server)
  Regards,
  Joe Tam

  Dear Brian,
     I have try in my lab to scale down into 2 x Server in 1 AD Single Domain And Single Forest.  It still have many unexpected behaviour, can you please suggest whether it is a design or bug of Exchagne 2010 SP1?
  Procedure:
  ============================================================================
  Exchange 2010 Role Delegation Problem: (Single AD, Single Site)
  Environment:
  Server: Windows 2008 R2 AD x1 + (CAS+HTS+Mailbox) Server x1
  AD Server: AD1
  Exchange2010 Server : EX2010 (with SP1) – Member Server Joined to testdomain1.net
  Domain Name: testdomain1.net (NETBIOS: TESTDOMAIN1)
  In AD,
  Login as domain administrator: Testdomain1\administrator
  1. Create an Organization Unit OU1.
  2. Create User User1 under OU1
  3. Delegate User1 to allow create user in OU1
  Select all item in “Delegate the following common tasks:
  In Exchange 2010 Server,
  Login as domain administrator: Testdomain1\administrator
  1. Rename existing database name to HKDB1
  2. Create a new database AUDB1 in EX2010 Server:
  AUDB1 Create Done.
  Assign testdomain1\User1 as Exchange 2010 local administrators group.
  Logoff Testdomain1\administrator and Login Testdomain1\User1
  Open Exchange EMC: (Failed, because no user management roles is grant).
  Logoff Testdomain1\User1, Login Testdomain1\Administrator
  Open Exchange 2010 PowerShell:
  Delegate User1 to allow perform recipient management in HKDB1 only:
  ====================================================================
  New-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Eq 'HKDB*' }
  $RoleGroup = Get-RoleGroup "Recipient Management"
  New-RoleGroup "HKDBRecipientManagement" -Roles $RoleGroup.Roles -CustomConfigWriteScope "HKDBSCOPE"
  Add-RoleGroupMember “HKDBRecipientMANAGEMENT” -Member User1
  ====================================================================
  Result:
  In Exchange 2010 Server, logon as domain user: Testdomain1\User1
  Open Exchange Management Console: (User1 able to open EMC now)
  Perform Create User User2 in OU1 with Mailbox located in HKDB1
  Mailbox Creation Failed because it cannot match the Database name = HKDB*
  Logoff Testdomain1\User1, Login Testdomain1\Administrator
  In Exchange Management Shell, enter:
  Set-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Like 'HKDB*' }
  Logoff Testdomain1\administrator, Login Testdomain1\User1
  Open Exchange Mangement Shell and Create User2 again.
  Create user successfully.
  Perform create User User3 in OU1 with Mailbox located in AUDB1
  User3 Creation Failed because it is not meet the Database restriction of User1 – Like HKDB*
  Logoff Testdomain1\User1, Login Testdomain1\Administrator
  Open Exchange Management Console, create User3 in AUDB1
  Create User3 in Users Container, by administrator ID.
  Logoff Testdomain1\administrator, Login Testdomain1\User1
  Perform mailbox remove of User2
  User2 mailbox remove successfully.
  Perform deletion of User3
  Mailbox User3 Remove Successfully.
  Why User3 is allowed to deleted mailbox which is located in by using delegated of User1?
  Moreover, it found that User3 properties can also be changed by using User1. Why?
  Does it mean delegation cannot handle delete operation?
  In Active Directory User and Computer: User2 is deleted successfully by using User1 ID.
  In Active Directory User and Computer: User3 is also deleted successfully by using User1 ID.

• Roles and Authorization strategy for SAP BIBO

  Hello All,
  We are doing an implementation where Source is a Oracle, SAP BI warehouse and BO XI3.1 as reporting solution.
  Our customer has asked for the authorization strategy that will be implemented in SAP BI. Currently the users belong to different companies or plants or countries
  Current structure is like,
  User 1 belongs to Plant1 of Country1
  User 2 belongs to Plant2 of Country2
  user 3 belongs to Plant3 of Country1 etc..     
  We have more than 500 users who will use the reports. The user belonging to a particular plant should only see the plant data/Country data he belongs to.
  As I understand, we need to create the roles in BW and these roles to be imported into BO to use for the row and column level security.
  The options we considered are,
  1. Use Bex queries in BW to with ABAP code in CMOD to identify the user belongs to Plant  1, 2 or 3 and provide necessary authorizations.
  2. Create user groups based on the country or company they belong to and create as many roles as required. This will however impact the maintenance of so many roles in the BI system.
  We are also forced to avoid Bex queries in BW and hence,  trying to connect Multiproviders directly in BO universe.
  How should we go forward in designing the authorization concept? Any better ideas?
  Thanks and Regards,
  Srinivas

  There are two ways which we can implement this kind of authorization based on my knowledge.
  1. Data Security purely at BW
  If the data is secured based on roles and users, there is no  need of additional authorization from BO side except at report and folder level if you go for SAP Authentication.
  Once you use SAP authenication and enable single sign on option in universe connection, the SAP users can access data based on their profile set at BW.
  2. Data Security from BO
  Let's assume that, if nothing is set at BW and every thing to be take care from BO.
  Then you could create one multiple provider for each plant / country. Create one connection for each multiprovider
  Create restrictions (Tools--> Manage Access Restrictions) for each plant/country. There you can change connection names.
  So you would need to create many restrictions for different permutations and combinations.
  I never tries this option with Multiprovider. But It worked well with NON-SAP data.
  Hope this helps!
  Regards
  Gowtham

• Using Role as WF Admin for a specific workflow - Reg

  HI All,
  I am trying to define a WF Admin for a specific workflow. I know we can maintain a USER ID or EXPRESS(WFsyst-agent) or Rule for this in the Version Dependent tab of Basic Data for wflow template.
  But, when i give a Role(Custom R:XXXXXXX role), and do the syntax check, it is giving me the following error and am not able to proceed further.
  "Organizational object 'R:PR044_TRAVEL_MANAGER' not available".
  My guess is the agent that you give here should be an Org. Obj. For ex., when we specify a USER ID, then the Admin for this witem is shown as "ORGUSXXXXX" and similarly when we assign this custom role, may be it is trying to find if this role is an org. obj (which is obviously not) and hence the error.
  Have any of you tried this ROLE option here and can you pl explain me what is wrong with my setting.
  I'd appreciate your quick response as this is very critical for me.
  Thanks in advance.
  venu

  Mike,
  I thought i had solved it. But, when i am trying now with a role "RXXXXXXX" that is 14 char, its not working again.
  Can anybody tell me if there is any limitation on the role name (should start with Y or Z) or char length (14 char or 12..).
  Your immediate response is greatly appreciated.
  ========
  Hey, i just foudn that its the limitation with 12 char ..not Y or Z..and also found this OSS note 860251. It discussed the issue, but not a solution other than choosing a 12 char length for Role name.
  Anybody, any ideas ?
  Thanks in advance,
  venu
  Edited by: Venugopal Jogi on Jul 14, 2008 6:07 PM

• Role Assignment Discovery Issue for Files and Folders through Sharepoint REST services

  To preface, I am a decided Sharepoint newbie in every sense. I am trying to use the Sharepoint REST services (Sharepoint 2013) to walk the folder and file structure of my Sharepoint server and, determine as I go, the Role Assignments (and subsequently
  Permissions) on those folders and files. I'm using an Administrator credentials and I'm actually able to successfully do it but I've run into some caveats. All the caveats begin with this; when I'm examining a folder, for example:
  /_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/ListItemAllFields
  I receive either an empty list or an error response doc when following the link supplied for ListItemAllFields.  When following that kind of link for folders, I either get:
  <d:ListItemAllFields
  m:null="true"
  />
  or an error response document that says "The object specified does not belong to a list." When I hit the /ListItemAllFields endpoint for files, I receive a response with a link for Role Assignments which subsequently also works and I get the
  info I need. So, is this a bug? Why does the link returned from Sharepoint work for files and not folders? So, google, google, google, and I discover that there is another possible way to get at the Role Assignments (and that the object does, indeed, belong
  to a list!).
  If I know the Title (or the guid) of the folder in question, I can use the following endpoint:
  /_api/Web/Lists/GetByTitle('Development')
  If I use that endpoint, I get the information I would have expected to get from following /ListItemAllFields and the subsequent Role Assignments links all work and I get what I need. If there's a bug and this is how I have to work around it, that's fine
  but I have yet to discover how to dynamically determine the Title of a given folder nor am I sure if all Titles are supposed to be unique within a given Sharepoint server. I'm assuming that the folder name as represented in the server relative URL and the
  Title may be different and this is where my newbishness may start to shine if I'm misunderstanding what a "List" is supposed to be in Sharepoint. Anyway, I did find that I could use the Properties endpoint to perhaps get the Title, for example:
  /_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/Properties
  gives me:
  <d:vti_x005f_listtitle>Development</d:vti_x005f_listtitle>
  whose value I assume I could then supply to the /GetByTitle endpoint and be golden. However, "vti_x005f_listtitle" just sounds a little too deep to be something I should be relying on but maybe that's kosher. That's part of what I'm trying to
  find out. Also, if there is a way to use the Sharepoint REST API to discover the guid of a given object, then I could look it up in that way.
  So, in summary:
  1. Am I going about getting folder Role Assignment information in the wrong way? Based on the CSOM examples I've seen, I believe I'm doing it correctly and that the answer to #2 below is a resounding "Yes!" :)
  2. Is it a bug if I'm not able to use /ListItemAllFields on folders using the server relative url?
  3. If I'm supposed to use GetByTitle as a workaround, am I discovering that Title correctly through /Properties? Seems quite circuitous and awkward. Are Titles required to be unique throughout a given Sharepoint server?
  4. If I'm supposed to use the guid, how can I use the REST interface to discover an object's guid? Once we get down to the Role Assignments and other links, the guid appears in those links but I don't know how to discover it independently if that's the
  path I should use to get the data I described above.

  Upon further research, I'll answer my own question for the benefit of some other potential future newbie.  The answer to question number 1 above is "Not exactly.".  The server relative URLs I was using corresponded to lists (which are
  returned as a collection through /_api/web/lists).  I was treating them mentally like regular folders.  That, coupled with the fact that accessing their data as I showed above returns a ListItemAllFields link, made me think that was the way to get
  the Role Assignments just as I would for files and, as it turns out, "real" folders and sub-folders created under these lists.  That was the other problem with thinking of these lists as regular folders.  So, ListItemAllFields works on
  all files and folders in a list.  However, if you want Role Assignments for the lists themselves, you can keep track of the Titles and\or Guids from the /_api/web/lists that you're interested in (in my case, all non-hidden "document library"
  type lists) and then access those Role Assignments as I discussed in questions 3 and 4 above.  For example, from the /_api/web/lists collection from my test server, the "Development" document library Role Assignments are accessable via /_api/Web/Lists(guid'cd242eeb-aafa-4efa-aecc-9bbdf8e3d459')/RoleAssignments
  or /_api/Web/Lists/GetByTitle('Development')/RoleAssignments.

• Impact of having the fsmo role holders not available for 14 hours...

  Hi everyone, we have a situation where we will lose power to the building for 14 hours and since we don't have a generator we'll be shutting down our main site. We have 15 sites, each has a dc and the hq site has two with the fsmo roles distributed between
  the two at hq. So two questions to start with:
  1. What will be the impact of having the fsmo role holding domain controllers inaccessible for a period of 14 hours?
  2. What will we be facing once we regain power and turn the hq dc's back on?
  Look forward to hearing back about this - the power outage is this weekend though!!

  Hi,
  Sorry for the delay reply.
  If your PDC Emulator fails, certain domain functions, security functions, can stop functioning. If anyone of the following is not happening then you should check if your PDC Emulator is working properly:
  •Time is not Syncing: PDC is the default source for the client computers to sync the time. If client computers are not syncing the time then you should always check the PDC.
  •User accounts are not locked out: PDC Emulator processes the account lockouts immediately for the entire domain.
  For more detail information, please refer to:
  FSMO - if server holding PDC Emulator fail on 2003 / 2008, what happen?
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/1752b861-53d7-49f5-b066-2ca6a18070e7/fsmo-if-server-holding-pdc-emulator-fail-on-2003-2008-what-happen?forum=winserverDS
  Regards.
  Vivian Wang

• Creating Roles in SAP ECC for autority in BO

  Hi Guru's,
  Can anyone point me to additional information about how provisioning works in SAP ECC for BO?
  I am also looking for information on how to create some general roles in SAP ECC to transport into BO to control authority.
  I have already read through the "Business Objects Enterprise Admin Guide".
  Thank you in advance,
  Steven

  Hi,
  to synchronize the roles you can use CUA. In CUA, you define 1 system as a central store for user administration and then distribute the users + roles + groups to the systems. You configure your EP and ECC to receive the user data from that system, therefor, you user information is in sync.
  SAP Help: http://help.sap.com/saphelp_nw70/helpdata/EN/07/622441cd87a12be10000000a1550b0/frameset.htm
  For more information, there is an SAP product: Identity Management.
  SDN: https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
  To upload ECC roles to EP:
  SDN Article: https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/06a0e690-0201-0010-4b9f-e529c345a831
  User Mapping is for logging in to a backend, when the userid in the backend is different from the userid in the portal
  SAP Help: http://help.sap.com/saphelp_nw04s/helpdata/en/f8/3b514ca29011d5bdeb006094191908/frameset.htm
  br,
  Tobias

• Multiple connections/roles on same machine for same site?

  As a Contribute CS3 Administrator (newbie; just converted a
  Dreamweaver site to work with Contribute), can I set up multiple
  connections to the same site? I want to test the Publisher role and
  Writer role on my development machine before creating connnection
  keys for these roles for the customer who owns the site (and is
  waiting with new Contribute licenses and eager but idle staff)?
  I just want to be able to test my site under these roles
  (using different passwords and username/email addresses), but there
  seems no obvious way to do this as Contribute seems to allow me to
  set up only one connection per URL, and also seems to want to wipe
  out my existing Admin connection if I come on in another role (from
  a connection key generated for a Publisher or Writer role).

  Two problems with that:
  1. Tried it by creating a connection key for a Publisher
  role, but invoking the key zaps the old connection, so I no longer
  have Administrator access without deleting then re-creating the
  connection and setting myself up as Admin again.
  2. When I went into the (new) connection as Publisher, it
  would let me connect and see pages, but would NOT allow editing of
  any pages (even though I had specifically looked when originally
  defining the role to make sure all editing privileges were -- or
  appeared to be -- intact).