Roles in SUP

Similar Messages

• SUP role on 3 tier hierarchy

  Hi guys,
  I have this 3-tier hierarchy - Central, Primary sites & Secondary sites.
  Central site has its own SQL Server 2005 DB, and all Primary sites also have its own SQL Server 2005 DB.
  Central and Primary sites was installed with SUP role each, and connect to a single WSUS server as upstream server.
  I'm not sure why the setup was like this, but I'd like to know whether it's necessary to have SUP role installed on all Primary Servers as well?
  Afterall, we only created software updates package from Central server & distribute it to all DPs on Primary servers.
  Please let me have some advice with this design, on SUP roles especially.
  Many thanks in advanced!
  ---Pat

  holy.. we have been doing it wrong all this time?
  i've just read Wally's post here http://social.technet.microsoft.com/Forums/en-US/704e29cd-f934-480b-884d-38a494210362/configuring-wsus-and-sccm
  now this is the statement from Torsten is what puzzled me..
  If WSUS is located on a remote machine you just have to install the WSUS console on the siteserver (http://technet.microsoft.com/en-us/library/bb693886.aspx).
  The computer account of the SCCM siteserver has to be local admin and WSUS admin on the WSUS box (or define a SUP connection account: http://technet.microsoft.com/en-us/library/bb694264.aspx)
  now when I checked again
  - the single WSUS server (namely WSUS-1) on diagram was assigned a site server role for SUP
  - Central server was installed with WSUS console, and configured to point to the WSUS-1
  (under WSUS update source & proxy server options)
  - All Primary servers then installed with SUP & have their WSUS update source & proxy pointed to the WSUS-1 also.
  is this setup design is still unsupported?
  ---Pat

• Authorization for super user

  I want to create a super user on the production server who can create and save the queries only (no other authorization). He can save queries only under $TMP.
  For that I have already created role for super user in the transaction PFCG and in business content S_RS_COMP and S_RS_COMP1 I have given all authorization.
  Now User is able to create the query, but when He is going to save it the Error message is coming- 'No authorization for create and change'.
  Please suggest what I am missing.
  Regards,
  Dheeraj

  Hi Dheeraj,
  Have you given auth as per http://help.sap.com/saphelp_nw04/helpdata/en/41/05453caff4f703e10000000a114084/content.htm : Analyst3?

• Could not find iViews, Pages, Roles etc tabs in Content Admin Tab

  Hello all,
  I have installed 'Sneak Preview SAP NetWeaver 04 SP16 - Full Java Edition-Trial' from sdn.sap.com website. I am trying to learn EP development and started with EP100 (August 2002) document.
  I couldn't find iViews, Pages, Roles etc tabs in Content Admin tab from where I can create channels and pages as described in the document. Am I following the wrong document or do I have to assign any additional roles to the user.
  I have created a user with everyuser roles and super admin role. Do I have to add any other roles to this user to work with iViews and pages.
  Please help me as I have struck at the very beginning.
  Thanks in advance.

  Hi Josh,
     You can refer the following links in help.sap.com
  <a href="http://help.sap.com/saphelp_nw04/helpdata/en/f5/eb51590e6a11d7b84900047582c9f7/content.htm">Creating iViews</a>
  <a href="http://help.sap.com/saphelp_nw04/helpdata/en/db/b8df3d48b05d5ae10000000a11405a/content.htm">Creating Pages</a>
  <a href="http://help.sap.com/saphelp_nw04/helpdata/en/6e/eecf3d97ac7d10e10000000a114084/content.htm">Creating Roles and Worksets</a>
  Hope this helps.
  Regards,
  Pooja.

• Can't edit Roles & Worksets

  Hi,
  There is  very strange issue we are facing on the portal recently,
  We are on EP 7.0 Patch 15. We observed that there is a small change in the sap standard view.
  When we try to edit the roles that were created earlier and the new ones it doesn't allow us to edit them.
  EDIT MODE button is in disable mode for all the roles.
  Now If we select Trace Delta link  from the dropdown box and then switch view then we can't edit any property for role. Its the same issue with worksets.
  The user that we are using to modify developer created roles has super admin role assigned. So definately there is no issue with premission or end user rights.
  Has anyone faced this issue? Any solution that can figured out?
  Cheers

  Hi Rajesh..
  We are facing same problem in EP7, SP6
  EDIT MODE TAB is disabled for iviews...even when accessing thru administartor role.
  As far as permissions are concerned:-
  Super_admin: owner, end user, role assigner
  Administrator: Full Control, end user, role assigner
  Everyone: Read/Write, enduser
  I have Created Web-Dynpro iview and now want to edit PCD Location i.e. changing the dc of this iview..
  But cannot...
  Please help us out...
  Edited by: Chetna  Verma on Feb 11, 2009 1:48 PM

• Can't edit Roles

  Hi,
  There is  very strange issue we are facing on the portal recently,
  We are on EP 7.0 Patch 15. We observed that there is a small change in the sap standard view.
  When we try to edit the roles that were created earlier and the new ones it doesn't allow us to edit them.
  EDIT MODE button is in disable mode for all the roles.
  Now If we select Trace Delta link  from the dropdown box and then switch view then we can't edit any property for role. Its the same issue with worksets.
  The user that we are using to modify developer created roles has super admin role assigned. So definately there is no issue with premission or end user rights.
  Has anyone faced this issue? Any solution that can figured out?
  Cheers

  Hi,
  Two threads in 2 diff forums to get much better views. Bottom Line none of the solutions have worked so far.
  Yes we are on latest patch. SP 15. Yes we are accessing portal with FQDN from the very start.
  Have also tried to access on various versions of IE 6.0, 7.0, 8.0 and on differents client systems to negate any scripts errors that might have cropped.
  Much better explaination will be... I open an Role that has to be edited.
  On the top the buttons SAVE, PREVIEW, EDITMODE  are in disable mode. Only CLOSE & REFRESH are in enable mode.
  In the Bottom we have these buttons UP, DOWN, DELETE, CUT, COPY, PASTE, EDIT, RESET NODE. These all are in a disable mode.
  Only 2 buttons in Enable mode are New Folder and Refresh Node.
  So as EDIT button is always in disable state for any role that has been created its not possible to make any modification to the properties.
  If i switch view to  Delta Link Tracer it opens only in read only mode.
  POINTS TO BE NOTED.
  Unlike the previous SP levels now the changes in the STANDARD Role Iview are
  On the top You have a extra Button SWITCH VIEW after Dispay & Drop Down box.
  Unlike previously where once you open the role all the properties are displayed on the right hand side of the view in Property Editor now its no more like that. You don't have property editor.
  You won't have Properties and Trace Delta Links button at the bottom of the Standard Role View.
  Is anyone facing the same issue with SP 14 or  15 ? Or now there is some other approach to edit the roles?
  If any one need a screen shot to have a better analysis please shoot a mail to the id i would be ready to provide them.
  Cheers

• Restrict the role of User Administrator

  Hello all,
  I need to know that if it is possible to restrict the Role of an User Administrator to assign only a specific set of Roles to the end user.
  For example : The user administrator should be able to assign only say Managers, Employees Roles to the Users and not any other roles like Super Administrators etc.
  If so, how can we achieve that?
  Regards
  Avik

  There is a authorization object (combined with a parameter) that does this restriction:
  S_SPO_PAGE
  Definition
  Using authorization object S_SPO_PAGE, you can restrict the maximum number of pages of a request that can be printed on a particular printer.
  This authorization check is only active if profile parameter rspo/auth/pagelimit is set to 1.
  Defined fields
  SPODEVICE       Device name for which the restriction is to apply.
  SPOPAGES        Maximum number of pages allowed; enter a range (0 to n) here

• Folders under a role displayed for all users

  Hi
  I had created a role called Role A and this had two folders unders that named Folder A, Folder B. I assigned this role to User A only.
  I logged into the portal as User A, and saw that these two folders were visible, and as I had wanted it.
  But when I logged in with the administrator's account too, I noticed that along with Content Administration, User Administration, System Administration, I also had Folder A and Folder B.
  I checked the roles for Administrator and Role A has not been assigned.
  I dont want this Folder A and Folder B to appear in the admin's account.
  Please help.
  Thanks
  Manoj

  Hi
  Thanks for your help. Its not a permission issue for that folder, and no other groups are added in Role A.
  I guess, like Venkatesh says, it could be the content admin role or super admin role. But surprises me as to what would happen if there were more than 100 folders.
  There must be something else to it. I suspect this to be a cache problem, as I had added Role A to Administrator's group and then removed it from there. I will check this and confirm.
  Thanks for all help
  Regards,
  Manoj

• What do you mean by Role Remediation

  Guys, I want to know clearly that what does this Role Remediation means.. Pls let me know as I am little bit confused on this.!

  Hello Ramu
  Role Remediation refers to the measures, to address the SOD (segregation of duties) conflicts associated with the Roles in the ERPs.
  For example, an SOD Conflict / risk which is associated with a single role, can be removed (remediated) by splitting into two different roles, if it is feasible. This is one way of remediation of the role.
  Where ever it is not possible to split the roles or remove the roles from the system, a mitigation control can be identified for such SOD risk associated with the role, to reduce the impact to some extent ( mitigation control is generally defined in such a way that some user in the system would be monitoring the usage of such role on a periodic basis). This is one more way of remediation. Defining the mitigation control depends on the criticality of the SOD risk, as maintaining mitigation controls involves efforts and cost.
  One more way is to give access to such role through super user access (if the usage of the role is not regular).
  The best practice in the remediation would be to start with the single roles remediation as it automatically removes the SOD violations in the composite roles as well as violations associated with the users with such roles.
  I just wrote few ways of remediation to give you a brief idea of role remediation.
  Regards
  Swarna

• Roles and Action

  Hi,
  I need a clarification about this basic funda.
  administrator user belongs to  Administrator Group.
  Administrator group contains 2 roles i.e.Administrator role and Superadmin role.
  Administrator role contains Manage_all and JMXManage_all actions.
  Superadmin role contains Manage_all and Aclsuperuser actions.
  Now if I create a role that contains Manage_All,JMXmanage_All actions and Aclsuperuser actions , and If I assing this role to a user call "test", is the test user same as the administrator? As I did this but could not get the desired result. Kindly help me out in understanding this concept.
  cheers
  Naveen.H
  P.S. Loads of points would be awarded..

  Hi Naveen,
  The MANAGE_LICENSE permission is part of the Manage_all action which is only assigned to the super admin role. Therefore only users who have the super admin role assigned are able to manage licenses.
  The administration tools of the portal, such as the Cluster Administration Console and other components in the package com.sap.portal.runtime.system.console, cannot be used by roles which are not super administrator.
  Roles defined in the UME parameter: "ume.portal_admin.role" are super
  administrators.
  Cluster Administration Console, administration tools, super_admin
  Because these tools have a great impact on the security of the portal, only the super administrator has the rights to work with them. When launched, these tools check whether or not the user is a super administrator.
  These tools can be used if the user has one of the roles defined in the
  UME parameter: "ume.portal_admin.role".
  The portal comes with a minimal set of permissions assigned to its initial content. These default permissions are designed to provide maximum security for a freshly installed portal.
  The default permissions settings are sufficient to enable users assigned to the super administrator role to work and gain access to all initial content. They also enable the remaining standard administration roles (content, system, and user) to access tools specific to these roles, but not to initial content objects. For example, a content administrator has access to the Portal Content Studio, but is not able to gain access to any content objects, such as iViews, pages, and roles—the Portal Catalog in the Portal Content Studio is empty.
  This topic describes the default permissions assigned to the initial content of the portal.
  The initial permissions are only valid for a fresh and full installation of the portal. When upgrading a portal, the initial permissions script in the portal is not executed. This prevents the permissions in an existing portal from being overwritten.
  For guidelines on reconfiguring the strict initial permissions to allow the pre-configured portal roles to access initial content objects relevant to their role, read Configuring Permissions for Initial Content in SAP Enterprise Portal 6.0 (SP9 & Higher) 
  Permissions for Super Administration Role
  The standard super administer role  is assigned maximum access to the entire set of portal initial content.
  The user store and data source of the User Management Engine used in your organization determines which standard administrator users are members of the standard Administrators user group after the portal is installed. The Super Administrator role is assigned by default to the Administrators group. Therefore, initially all standard administrator users have super administrator permissions in the portal.
  Cheers,
  Shaym

• Please Help PI Data Dependent Integration Builder Authorizations NOT Workng

  Dear Friends / Experts,
  I had spend many days and explored all Weblog  and links on this website and implemented all the steps required to acheive Data Dependent Integration Builder Security and I am not successful so far. I am just giving up now - Please Help Me ---
  As I said, I already read all the important Forum Links and SAP Web links and Followed Each and Every Step - service.sap.com/instguidesNW04 ® Installation ® SAP XI
  Security Requirement - Data Dependent/Object Level Authorizations in XI / PI
  In distributed teams or in a shared PI environment it might be necessary to limit authorization for a developer or a group of developers to only one Software Component or objects within a Software Component or to specific Configuration Objects.
  Our Environment - PI 7.0 SP 16
  Created a new role in the Integration Builder Design
  u2013Add Object Types of any Software Component and Namespace
  - Enable usage of Integration Builder roles in Exchange Profile
  Integration Builder u2013Integration Builder RepositoryParameter com.sap.aii.util.server.auth.activation to true
  Assign users to the newly created Integration Builder roles
  u2013Create dummy roles in Web AS ABAP, these roles are then available as groups in Web AS Java
  u2013Assign users to these roles
  u2013Assign the Integration Builder roles to the above groups in Web AS Java
  u2013Assign unrestricted roles to Super Users
  Please help - How to validate whether Data Dependent Authorizations are Activated?
  I am working with XI Developers and Basis Team and we did updated all the Required Exchange profile parameters.
  Per this Document - User Authorizations in Integration Builder Tools - Do we need to update the server.lockauth.activation in Exchange Profile. When We updated, It removed Edit Access from all XI Developers in PI
  In both the Integration Repository and the Integration Directory, you can define more detailed authorizations that restrict access to design and configuration objects.
  In both tools, you define such authorizations by choosing Tools ® User Roles from the menu bar. The authorization for this menu option is provided by role SAP_XI_ADMINISTRATOR_J2EE. Of course, this role should only be granted to a very restricted number of administrators. To activate these more detailed authorizations, you must set exchange profile parameter com.sap.aii.ib.server.lockauth.activation to true.
  The access authorizations themselves can be defined at the object-type level only (possibly restricted by a selection path), where you can specify each access action either individually as Create, Modify, or Delete for each object type, or as an overall access granting all three access actions.
  http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/frameset.htm
  I was able to control display and maintain access from ABAP Roles, but completely failed to implement Integration Builder Security?
  Are there any ways to check Whether Data Dependent authorization or J2EE Authorizations are activated?
  Thanks a lot
  Satish

  Hello,
  so to give you status of our issue.
  We were able to export missing business component .
  But we also exported some interfaces after that and we had some return code 8, due  to objects still present in change list on quality system (seems after previous failed transports , the change list was not cleared completley...).
  So now we have checked that no objects is present in the change list of quality system and we plan to export again our devs on quality system.
  Hope after that no more return code 8 during imports and all devs transported correctly on quality system.
  Also recommending to read that, which is pretty good.
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/7078566c-72e0-2e10-2b8a-e10fcf8e1a3d?overridelayout=t…
  Thanks all,
  S.N

• PeopleSoft Report Manager does not show up reports

  Folks,
  Hello. I am using Peopletools 8.49.
  The Report Manager has 4 tabs: List, Explorer, Administration, Archives
  After I run reports using Process Scheduler, nothing shows up under the above 4 tabs and this message comes up:"Invalide or missing parameter in request" under List tab.
  I have followed "Process Scheduler Documentation" - Chapter 5 "Using Report Manager" to configure it, but it's not working out.
  The following solution is for PeopleTools 8.44:
  http://peoplesoft.ittoolbox.com/groups/technical-functional/peopletools-l/report-manager-nothing-showing-under-list-1011644
  Can any folks tell me how to solve this problem in PeopleTools 8.49 ?

  Folks,
  Hello Thanks a lot for replying.
  1) The default local node (PT_LOCAL) has been set a password that is login user password.
  2) I think I define the Report node correctly under "PeopleTools>ProcessScheduler>ReportNodes" as follows:
  Http Information is selected.
  URL: http://127.0.0.1/psp/ps/psreports
  (psp is Domain name, ps is Site name while configure Webserver. psreports is a folder in C:\)
  URI Host: http://127.0.0.1
  URI Port: 80
  URI Source: don't need this since Scheduler and Webserver are in the same machine.
  Logi ID: PSADMIN
  Password:PSADMIN
  Under Intergration Broker, I have done the follows:
  1) Gateway, Domain, Pub/Sub Server are running.
  2) Service Operations: PSRF_FOLDER_CREATE, PSRF_REPORT_CREATE, PSRF_REPORT_DATE_CHANGE AND PSRF_REPORT_DELETE are set "active" and "Asynchronous One Way".
  3) Login User PSADMIN are granted Roles "Report Super User" and "Report Dist Administrator".
  But Report Manager still cannot display Reports by this point.
  The only problem is that under "PeopleTools>IB>Configuration>Service Configuration>UDDI Configuration", when Ping the Inquiry URL and Publish URL, I got such an error message: "External System Contact error."
  Inquiry URL: http://PTNTAS28/UDDI/INQUIRY
  Publish URL: HTTP://PTNTAS28/UDDI/PUBLISHING
  I think the "External System Contact error" cause Report Manager cannot display Reports. This problem is caused by "Gateway" or "UDDI Server" not running correctly.
  Thus, I have 3 questions:
  First, Do I need to change 4 Service Operations from "Asynchronous One-way" to "Request/Response" ? What is Receiver node for routings ?
  Second, do I need to set up UDDI Server and configure it ?
  Third,, where to set up single signon for the default local node (PT_LOCAL) ?

• Issue with ADF Tree Table

  Hi,
  I have the following requirement where i need to display a tree table. Here is how the initial implementation is:
  I have created the read only view for : ManagersVO > PoolsVO > MachinesVO. Where 'MachinesVO' is the destination view. And created view links between ManagersVO & PoolsVO using ManagerId and PoolsVO & MachinesVO using PoolId.
  And using this implementation, successfully created tree table on the UI. Now we got an enhancement for this:
  i.e., MachinesVO should return list of machines as per user logs in. i.e., we have 4 different roles. 'Super Admin', 'Sys Admin', 'App Admin', 'End User'. The default query for MachinesVO is for 'Super Admin'. The query for other user roles is different except the SELECT statement.
  The requirement is to dynamically change the query of MachinesVO based on user logs in and display the tree table accordingly. To implement the same i have tried using setQuery() operation on 'MachinesVO' which results with the following error:
  JBO-26016: InvalidOperException
  Cause: You cannot set customer query (calling setQuery()) on a view object if it is the detail view object in a master detail view link.
  Action: Do not call setQuery() if the view object is a detail.
  Can one suggest me a best solution to implement this.
  Thanks & Regards,
  Kiran

  Hi Navaneetha Krishnan,
  Here is how i implemented based on your comments. As i have tree table based 3 different VO's, created the following method at middle view(i.e., PoolsVO).
  1.Tree Model hierarchy
  ManagersVO > PoolsVO > MachinesVO
  I actually want to filter the data at Machines level. Hence wrote a method at PoolsVOImpls and exposed it in the PoolsVO client interface. Here is the code that i have placed in the PoolVOImpl
  public class PoolsVOImpl extends ViewObjectImpl implements PoolsVO{
       * This is the default constructor (do not remove).
      public PoolsVOImpl () {
    public void filterMachinesDataByUserRole(String userRole,String vzId){
      Row row = getCurrentRow();
      String query = "";
      if(row != null){
        RowSet rowSet = (RowSet)row.getAttribute("MachinesVO");
        if(rowSet != null){
          MachinesVOImpl machinesVOImpl = (MachinesVOImpl)rowSet.getViewObject();
          if(userRole.equalsIgnoreCase("SYS ADMIN")){
                  machinesVOImpl .setWhereClause(query related to sysadmin);
           //Similarly for other user roles.
           executeQuery();
  }And this piece of code needs to be executed before the jsff(which has the tree table) renders. Hence, i created a this methodAction as a default activity in the respective taskflow where the jsff is placed. Once this method get executed, the page should render the machines specific to the user.
  Here is the issue: getCurrentRow() method call is returning always NULL.
  Please correct me if i'm doing something wrong. I do tried the above mentioned approach by creating the method at '*ManagersVOImpl*' level too. Still the same issue.
  Thanks & Regards,
  Kiran

• Registering a second node - ISE 1.2

   Hi guys,
   I am trying to register a second node to my primary ISE node. But, I am getting the following error:
  Unable to authenticate ISE xxxx.. Please check server and CA certificate configuration and try again. 
    I did de import/export certificates in both ISEs. 
  They can ping each other by IP and FQDN.
  Timezone are the same but I have not NTP active yet.(I thing this can be the problem , although they have the same time ) 
  I did the import/export in " Local Certificates" tab. I did not use "Certificate Signing Request" .
  Anybody know if something has change in ISE 1.2 and now Local Certificates no longer works ?
  I also can´t add my ISE to AD, but, this is another fight.
  Any hint will be appreciated!

   I have found this information here :
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html#wp1053327
  •You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. SeeCisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
   Looking at Adminstration>Admin Access>Administrator>Admin User  The default admin created is part of the Superuser admin only. That´s why I created a second user admin an put him on the groups above.
   Keep in mind that this actions is necessary only on second node and will used only during the registration.

• Total number of users in NetPoint License has been exceeded

  I am keep getting this msg on my website.
  I goto admin > business partner > license users and delete all users except manager the msg goes away and after few hours it comes back again
  Total number of users in NetPoint License has been exceeded.
  Some features may not function properly.
  Please remove a user or upgrade your license.

  Hi Ghanbary,
  You may need to check the "Do not assign licensed user role to super users" option in the Synch Manager application.