Roles & Profiles

Similar Messages

• User, Role, Profile Synchronization Job Fails

  Hi Gurus,
  When I am scheduling a job the User, Role, and Profile Sync. job fails giving an error
  "Cannot assign a java.lang.String object of length 53 to host variable 5 which has JDBC type VARCHAR(40)."
  This happens when the synchronization happens with a portal system. We dont have a ruleset for the portal system, So if I put in a "*", it includes this system and results in the error, If I manually select all other system, it works fine. Is there any way to remove this error so that I can schedule the jobs without having to select every system manually.
  Regards,
  Chinmaya

  Hi,
  As per my knowledge, in the Portal system, you should perform only user sync. Roles/profile sync will not work since portal will have workset roles.
  Please refer SAP Note 1168120, which may help you to understand the limitations
  Hope this helps!!
  Rgds,
  Raghu
  Edited by: Raghu Boddu on Nov 4, 2010 7:39 PM

• Solution Manager 4.0 Solution Monitoring User -Roles-Profiles for Satellite

  Hi All,
  I have installed Solution Manager 4.0 (OS -Linux ,Database - DB2) .
  Now i need to connect solution manager to the R/3 4.6C
  Satellite Systems (DEV, QAS ,PRD) for Solution Monitoring
  and Service level Reporting .
  I have read the configuration guide , but unable to get clear idea .
  1) what users (alos type of user -Dialog , Service, Communication etc) do i need create in DEV , and Test in QAS  for solution Monitoring  .
  2) what exact roles /profiles need to be assigned to these users in satellite systems .
  3) what users/roles /profiles needs to be done in SOLMAN system
  i have applied all the required plug ins and support packs
  in satellite systems and solman 40 ..
  Please advice  . Your response will be a great help for me .
  Satish

  Hello Satish,
  Just clarify, if u have meant connecting the satellite systems for EWA reports to be precise. Early watch Reports. If its is the case, then repond so that i can putin my inputs which may be helpful for you in this config.
  Rgds,
  Sri

• What are the roles/profiles required in solman and satilite system.....

  Hi All,
  What are the list of roles/profiles (for SOLMAN and Satellite system) required to create logical instance etc... for monitoring and tasks.
  Regards.
  kumar

  Hello Kumar,
  please have a look at the Configuration Guide for SolMan on the SAP Marketplace. ALso for information on required documentation, see SAP Note 1088980.
  Best regards,
  Annett

• Trying to understand "User/Role/Profile Synchronization" and Batch Analysis

  Hello,
  Im trying to understand what exactly and from which tables these jobs are copying to which tables in CC. I have a understanding that these jobs are moving also deleted roles from backend. This is causing unnecessary delay to long lasting job. 
  I would appreasite if some one could explain the logic behind these jobs. What the fullsync and incremental is reading ? What kind of changes are causing a role/user/profile  to be included to the full and incremental jobs?
  How the incremental analysis logic is built ?
  br Janne

  Janne,
  In my current implementation we are going for an offline risk analysis due to the heteregoneus system landscape of our client (several SAP and non SAP systems and several SAP systems under 4.6C). Eventhough within our approach we don't perfrom the backend synchronization (we use CC data extractor to pull data from backend into CC) hope the following info could hel you:
  The tables such jobs you mention access to, are all the SAP backend system tables related with users, roles, profiles, action and permissions. If you check the data mapping appendix of the "user and configuration guide for 5.2" you will see all the data that CC retrieves. For instance, in order to extract user info (UserID, FName, LName, Email, Phone, Email, Department) tables USR21, USR02, ADRP, ADR6 and ADCP must be accessed.
  In terms of CC tables:
  VIRSA_CC_SYSUSR >> UserIDs and Systems ID relationship
  VIRSA_CC_GENOBJ >> User, Role and Profile master data
  VIRSA_CC_GENACT >> User-action, role-action and profile-action data
  VIRSA_CC_GENPRM >> User-permission, role-permission and profile-permission
  VIRSA_CC_SAPOBJ >> Action-permission
  VIRSA_CC_OBJTEXT >> Objects descripcions (ACT, PRM, FLD, VAL, ORG)
  Hope this helps.
  Regards,
     Imanol

• Table used for storing roles/profiles assignment in CUA lansscape

  Hi,
  following is my cua setup
  master client - 999 of SRM 4.0
  child client - 101 of ECC 5.0
  child client - 202 of SCM 4.1
  in cua all distribution works on its logical name assign to respective client.
  here is my question
  lets say user 'XYZ' in master client assign single as well as composite role and composite profiles assigned in the master as well as child system.
  please tell me in which table this relationship is maintain in sap that Composite roles/profile is from which cua client.
  from my finding the tables which store the role and profiles from master and child system are i.e. USRSYSACT & USRSYSPRF.
  but i am not able to find table which store the roles to user and user to profiles assigment in CUA setup,can someone please help me.
  Thanks,
  John.

  Hi Check the tables
  <b>USR10  -role definition
  AGR_PROF   -Profile for Roles
  AGR_TEXTS  - Role descriptions
  AGR_USERS  - Assignment of roles to users
  AGR_DEFINE - Auth profiles</b>
  if needed see other tables with USR* and AGR_*
  Reward points if useful
  Regards
  Anji

• Critical Action and Role/Profile Analysis

  Hi,
  I want to know the purpose of the Batch Risk Analysis back ground job "Critical Action and Role/Profile Analysis" in RAR 5.3.
  I'm assuming that I need not run this job if I do not want the critical roles/profiles like SAP_ALL to be analysed which were defined to be critical in rule architect.
  Please let me know if there is any other purpose to run the BG job "Critical Action and Role/Profile Analysis".
  Thank you,
  Partha

  Hello Partha,
    You got this right. It will analyze the defined critical actions/roles/profiles.
  Regards, Varun

• GRC AC10 RAR :"Ignore Critical Roles/Profile" option not available in

  Hello Gurus,
  I have configured RAR and the reports are working as usual , but i observed that i could not see two things
  1) Option to select "IGNORE CRITICAL ROLES/PROFILE" during Role/User ANALYSIS under "Reports & Analytic" tab.
  I checked in SPRO>GRC>AC-->Maintain Config Settings
  There is a parameter "Ignore Critical  Roles/ Profiles" which i first set to "Yes" and then checked in NWBC , i was unable to see the option under "Additional Option".
  Later i changed SPRO setting to "NO" , then again it did not show me .
  Where can i find this option , so that if i upload say 10 roles which are assigned to firefighter ID they should not be analyzed for RAR ??
  2) I also could not find any option to upload "DEFAULT roles" which need to be assigned to any "NEW USER" request coming through CUP ??
  Where can we make this setting, so that the basic roles can get assigned to the user when any new user request comes in.
  Will you please put some light on this area ?
  Thanks in advance.
  Regards,
  Victor

  Hi Johanna
  Have you run the synchronization job subsequent to the configuration of critical roles / profiles ? If not so try running the Synchronization job and then try risk analysis.
  Regards
  Swarna

• Roles/Profiles for ALEREMOTE

  hi all,
  can anyone let me know all the Roles/Profiles required for the User ALEREMOTE in a production system.
  I understad that the roles sap_all, sap_new , s_bi-wx_rfc and s_bi-whm_rfc can be used in the development and the Quality systems but am told that the roles SAP_ALL & SAP_NEW are not supposed to be used for ALEREMOTE in the Production systems as it would give all authorizations to all the users.
  so, could anyone kindly let me know the various roles/profiles that need to be assigned to the user ALEREMOTE keeping in mind that SAP_ALL & SAP_NEW are not allowed and at the same time all the transactions w.r.t BW3.5 should go through successfully.
  kindly revert back at the earliest as we are in the process of going to the BW Production.
  Thanks & Regards
  Manicks

  hi Manicks,
  check oss note 150315-BW-Authorizations for Remote-User in BW and OLTP. hope this helps.
  Symptom
  1) The ALE user fails security in the BW side
  2) Missing authorizations when executing Customizing of extractors
  3) No IDocs could be sent to the SAP-BW using RFC.
  4) Automatic source system connection failes with error R3220: No RFC-Parameters in source system defined
  5) When collecting content in BW, warning message RSAOLTP035 comes up
  Other terms
  Authorizations, SAP_ALL, S_BI-WX_RFC, S_BI-WHM_RFC, S_RS_ALL, ALEREMOTE, BWREMOTE, RSAOLTP 553, RSAOLTP553
  Reason and Prerequisites
  a) In the BW there exist two user:
     i)  a human administrator, using S_RS_ALL
     ii) a user called BWREMOTE (or similar), used to receive the data from the OLTP, using S_BI-WHM_RFC
  b) In the OLTP there exist also two user:
     i)  a human administrator, needing authorizations to create users and RFC-destinations.
     ii) a user called ALEREMOTE (or similar), used to ...
         1) ... connect the OLTP to the BW
         2) ... extract the data
         3) ... send the data to the BW
         4) ... show monitoring dialogs for tasks 1 to 4, the profile S_BI-WX_RFC is used (<i>however does
  not suffice on some points since some authorizations are
  missing in the delivered profile</i>)
         5) ... make customizing of OLTP extractors
         for this, additionally the authorizations to execute IMG-functionality, to execute Transaction SBIW and to maintain the applications, which shall be customized, must be given during the customizing functionality is used.
  Solution
  1) The profile S_RS_ALL resp. S_BI-WHM_RFC must contain (at least) the following authorizations:
  Profile
  2) The referred functionality is b) i) 5), thus
     the authorizations to execute IMG-functionality,
     to execute Transaction SBIW and to
     maintain the applications, which shall be customized,
     must be temporarily given to ALEREMOTE, if you want to execute the
     functionality from BW-side. The permissions for executing the
     customizing is not included in the profile S_BI-WX_RFC, since
     this is a critcal functionality.
     However there is the possibility to execute the customizing
     in the OLTP by a human administrator by hand, using Transaction
     SBIW.
  3), 4) For sending the Idocs and reading RFC-destinations
     the profile S_BI-WX_RFC is incomplete.
     Please check, if the following authorizations are included:
  Profile
    ---   S_BI-WX_RFC  <PRO> Business Information Warehouse, RFC User
  --   B_ALE_ALL    <PRO> All authorizations for ALE/EDI
  --   S_APPL_LOG_A <PRO> Application log: All
  --   S_BTCH_ADM   <PRO> BC: Batch - Processing authorization
  --   S_BW_RFC     <PRO> BW: Authorization Profile: Other
  --   See above, same sub-profile as in S_BI-WHM_RFC
        ---   S_IDOC_ALL   <PRO> All authorizations for IDoc functions
  - BW AddOn BW-BCT 1.2B:
  These authorizations have been delivered with BW AddOn Patch 2 (see 158489 for the AddOn Patch information), except release 45B. For 45B, the authorizations are delivered with BW AddOn Patch 1.
  - PI2000.1:
  For 4.6B and 4.6C due to delivery errors, this profile also is incorrect. Please transport it from the BW into the Oltp (it is the same in any system and release).
  - PI2000.2:
  For 4.6C due to delivery errors, this profile also is incorrect.
  Please transport it from the BW into the OLTP (it is the same
  in any system and release).
  - PI2001.2:
  For 4.6C due to delivery errors, this profile also is incorrect.
  Please transport it from the BW into the OLTP (it is the same in any system and release).
  Alternatively, import the sapserv* transport BRSK002208 under the directory
  general\R3server\abap\note.0150315 into your OLTP-System.
  For help on the sapserv* transport refer to Note 13719.
  5) If you have PI-Basis 2005.1 in your source system, you need to attach role SAP_RO_BCTRA to your user in the source system. Otherwise, the functionality mentioned in the message is not available. The system continues to function as before, you may ignore the warning.

• RAR v5.3 - Ignore Critical Roles & Profiles = No is not Working

  Hello everyone,
  I have SAP_ALL and SAP_NEW configured as critical profiles in Rule Architect.  I changed the Ignore Critical Roles & Profiles option to "No" to see the delta.  Yet, when I run the risk analysis (ad hoc or batch) against users with SAP_ALL, it still says No Conflicts found even though I changed the config to look at SAP_ALL users.
  Do I have to restart the server for the new Config to take effect?  It doesn't say it in the option like some of the other Config options do, but It's the only thing that I can think of.
  Thank you,
  Johonna

  Hi Johanna
  Have you run the synchronization job subsequent to the configuration of critical roles / profiles ? If not so try running the Synchronization job and then try risk analysis.
  Regards
  Swarna

• Function module to modify the user roles & profiles

  Hi All,
  I am working on user maintenance and i need a function module to modify the user roles & profiles.
  Thanks in Advance.
  Phani.

  i used the below fms
  BAPI_USER_ACTGROUPS_ASSIGN for assigning the roles.
  delete the profiles of the user qnd assign the profiles to the user:
  BAPI_USER_PROFILES_DELETE
  BAPI_USER_PROFILES_ASSIGN
  i used the above FMs for my requirement.
  Regards,
  Phani.

• How to add profiles to critical roles & profiles table in GRC RAR

  Hello,
  As per Note# 1034117, it says Add "SAP_ALL" type security roles and the SAP profiles, see list below for profiles, to the Critical Roles and Critical Profiles table.
  SAP_ALL All Authorizations For The SAP System
  SAP_NEW All Authorizations For Newly Created Objects
  S_A.ADMIN Basis Operator
  How do we add the profiles, to the Critical Roles and Critical Profiles table in RAR.
  Thanks,

  Hi,
  I configured the critical roles & profiles in rule architect.
  But when I schedule the background job for batch risk analysis, it is taking all the users, roles & profiles.
  Is there a way to exclude users, roles & profiles? (I have already configured the excluded users, roles and profiles in exclude option), but still when I schedule the background job and say show parameter, it shows the User Range as '*'. It is not showing the excluded users.
  Can you please update how to exclude the list of users, from the batch risk analysis?
  Thanks,

• Role/Profile required with full access but not HR/payroll

  HI,
  We are running SAP ECC 6.0 and HR/payroll is also live. Few memebers in our functional team need full access. But as per our policies HR and Payroll access should be there only with HR team.
  My query is: Is there any role/profile that I can assign to functional team memebrs through whcih they will have access for all T codes/programs but NOT related to HR.

  Hi ,
  BASIS needs to restrict authorizations.
  Ojbect Id  : P.
  ...lakhan

• How to upload authorization role & profile to PFCG

  I have downlaod the authorization role & profile from PFCG at client 100.
  How to upload the authorization role & profile to SAP client 200?

  check with ur basis guys once
  generally it will be dont by them check with them once

• List roles/profiles/authorizations for end user

  HI All
  Can anyone please give the list roles/profiles/authorizations
  that needs to be added to our end user id so as to view
  (Only Display) all the BEx Reports.
  Points assured
  Thanks
  Vijaya

  Hi Vijaya,
  Go through this link:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a07122ae-8216-2a10-c9a5-996717a0648b
  Thanks,
  Ajay

• Authorization,roles,profiles

  i want to know how authorization and roles and profiles will be created...
  and the hirearchy of above 3 (authorization,roles,profiles)
  can anyone help me in getting the documens

  Hi,
  The common used t-code for the above is
  PFCG to create the Role.Here we can assign the role to user also.
  You can see the same in SU01 t-code.
  IN PFCG we create the role and it will ask for profile name.
  Basically it contain the  authorization object.
  In BW we hade rssm t-code,now we have RSECADMIN in BI.
  RSECADMIN is basically used to create the auth object.
  For Example: If you want to restrict the user to see their
  company code data then you need to crete auth object for company code
  and give access to user according to therir requirement ie
  you need to add this auth object to their respetive role.
  Thanks,
  Saveen Kumar
  Edited by: saveen kumar on Jan 10, 2011 7:47 AM