S_TCode Full Authorization in all Roles

Hello,
We have created roles as per the role matrix given by the client. All are absolutely working fine but when I see the report at user level the transaction codes assigned to user we can see almost 100000 T-Codes authorization. I analyzed and found that S_TCODE authorization object consists of value as " * " so that is the reason I am finding all the T_codes authorization.
How has this happened? We have not given this value in any of the roles.
Regards,
Narasimha Kumar

> How has this happened? We have not given this value in any of the roles.
If you didn't do it manually then it must have been a (very strange) proposal value coming from SU24. Have a look in table USOBT_C, filtered on object S_TCODE. If there's a star in the low or high column, the 'name' column tells you which transactions' proposal you need to fix in SU24. After that re-read the authorizations for roles containing this transaction.
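
The check described in the reply above, as an added example that is not part of the original thread: it scans a tab-separated extract of USOBT_C for S_TCODE proposals with a star in LOW or HIGH, then lists the roles whose menu contains those transactions so their authorizations can be re-read. The sample rows, transaction names and role names are constructed, and the second extract (table AGR_TCODES with columns AGR_NAME and TCODE) is an assumption not mentioned in the thread.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: every transaction, role and row below is made up.
# Tab-separated extract of USOBT_C (customer SU24 proposal values).
USOBT_C_EXPORT = (
    "NAME\tTYPE\tOBJECT\tFIELD\tLOW\tHIGH\n"
    "ZSALES01\tTR\tS_TCODE\tTCD\t*\t\n"
    "ZSALES01\tTR\tV_VBAK_AAT\tACTVT\t03\t\n"
    "ZFI_REPORT\tTR\tS_TCODE\tTCD\tZFI_REPORT\t\n"
    "ZMM_UPLOAD\tTR\tS_TCODE\tTCD\tA\t*\n"
    "VA03\tTR\tS_TCODE\tTCD\tVA03\t\n"
)

# Assumed second extract: role menu transactions (table AGR_TCODES).
AGR_TCODES_EXPORT = (
    "AGR_NAME\tTYPE\tTCODE\n"
    "Z_SALES_CLERK\tTR\tZSALES01\n"
    "Z_SALES_CLERK\tTR\tVA03\n"
    "Z_MM_BUYER\tTR\tZMM_UPLOAD\n"
    "Z_FI_DISPLAY\tTR\tZFI_REPORT\n"
)


def read_rows(text):
    """Parse a tab-separated table extract into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def star_proposals(usobt_rows, auth_object="S_TCODE"):
    """Map transaction name -> [(low, high), ...] for star proposals.

    A row is flagged when LOW or HIGH contains '*', which also catches
    ranges such as A..* and patterns such as Z*.
    """
    hits = defaultdict(list)
    for row in usobt_rows:
        if (row.get("OBJECT") or "").strip() != auth_object:
            continue
        low = (row.get("LOW") or "").strip()
        high = (row.get("HIGH") or "").strip()
        if "*" in low or "*" in high:
            hits[(row.get("NAME") or "").strip()].append((low, high))
    return dict(hits)


def roles_to_reread(flagged_tcodes, agr_tcodes_rows):
    """Map role name -> sorted flagged transactions found in its menu."""
    roles = defaultdict(set)
    for row in agr_tcodes_rows:
        tcode = (row.get("TCODE") or "").strip()
        if tcode in flagged_tcodes:
            roles[(row.get("AGR_NAME") or "").strip()].add(tcode)
    return {role: sorted(tcodes) for role, tcodes in sorted(roles.items())}


if __name__ == "__main__":
    flagged = star_proposals(read_rows(USOBT_C_EXPORT))
    for tcode, values in flagged.items():
        print(f"Fix SU24 proposal for {tcode}: S_TCODE values {values}")
    affected = roles_to_reread(flagged, read_rows(AGR_TCODES_EXPORT))
    for role, tcodes in affected.items():
        print(f"Re-read authorizations in role {role} (contains {tcodes})")
```
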

Similar Messages

  • Role or Profile with Full Authorization in DISPLAY MODE

    Hi all,
    Can anyone help me or tell me if there is any standard role or profile which has full authorization in display mode.
    I wanted to assign this to all our support team for the PRD server who should only have the display auths so that the pre-production client can be safe.
    I have checked many places for this kind of activity, but found no threads on the same and also related links.
    Can anyone tell me how to get this task done....
    I have also tried few possible ways which never helped me and all my efforts failed.
    Waiting to hear from SDNs, for which I can assure REWARD POINTS.
    Thanks to all in advance
    Regards
    Hari Haran

    Hi,
    By enabling the permission level as 'read', the authorized user/group/role can:
    1. View the object in the Portal Catalog using the browse and search capabilities.
    2. Open the object in its respective primary and secondary editors in read-only mode; the object cannot be modified.
    3. Create instances (delta links and copies) from the object.
    4. Gain access to and choose templates in the object creation wizards.
    This permission level can be used to prevent portal administrators from editing a particular object, while still allowing them to create an instance of the source and use the new instance in any way.
    Regards
    Srinivasan T

  • Dangers for full S_RFC authorization - for all function groups

    Hi,
    I have recently received a stern warning about all the bad things that can happen if you give users full authorization for S_RFC. This allows the user to use all function modules that use RFC (remote function calls).
    As all our standard reporting users need at least some RFC function modules, I simply awarded them all of them. Tracing this (running, changing, creating, deleting queries, planning, consolidation) in Excel and Web would have been too tedious.
    Apparently, full authorization together with the table browser transaction (SE16) would allow a user to read all available data!?
    The same result is said to be possible if you create some special excel macros which would in turn call an RFC function module.
    Is this true?
    How could it be done?
    Has anybody a complete list of all the RFC function modules needed for reporting and planning in SAP BI?
    Any advice on these issues will be very much appreciated.
    Martin

    Hi Martin,
    I am not sure if my answer will help you or not. But if you are talking about the S_RFC authorizations needed for a reporting user in BI 7, here it is..
    Authorization Check for RFC Access: S_RFC
    RFC authorization for function group:
    RFC1
    RFCH
    RRMX
    RRXWS
    RRY1
    RSAH
    RSBOLAP_BICS
    RSBOLAP_BICS_CONSUMER
    RSBOLAP_BICS_PROVIDER
    RSBOLAP_BICS_PROVIDER_VAR
    RSFEC
    RSMENU
    RSOBJS_RFC_INTERFACE
    RSRCI_LOCAL_VIEW
    RSR_XLS_RFC
    RSWAD
    RSWRTEMPLATE
    RS_BEX_REPORT_RFC
    RS_IGS
    RS_PERS_BOD
    RZX0
    RZX2
    SDIFRUNTIME
    SM02
    SMHB
    SRFC
    SUNI
    SUSO
    SYST
    SYSU
    Type of RFC object to be protected: FUGR
    This is the minimum RFC authorizations required for a reporting user to execute the report in BI. I am not sure about the Excel macros stuff.
    Reward points if my answer helped..

  • Spro full authorization without sap_all and sap_new

    Hi Friends,
    Can you suggest me how to give spro full authorization without sap_all and sap_new profile.
    Thanks & Regards,
    Tarun

    Hi Gowrinadh,
    This is an interesting discussion. I don't mean to take shots at your concept, but I have some concerns about it as a solution.
    > I have prepared a role 8 months back, we passed 2 patch upgrade cycles and I can confirm that this role will work even after the next version of ECC upgrade.
    Sometimes the symptoms only make themselves visible later, and we don't know what is coming in the next version of ECC. Of course it should be largely compatible, but there will be new stuff. You can be sure of that.
    > If there are any modules or new functionalities required, then customer has to request for it in addition.
    My understanding is that the customer requests a full and working SPRO role for each release. They will not find the tcodes for you and do not want to play ping-pong via support tickets either with it.
    So each time you bill your customer for the 20 or 40 hours work for maintaining these tcodes manually in ranges? Apart from being error-prone, this solution is not scalable for when SAP might introduce another 20000 tcodes into the SPRO. Or someone convinces SAP to introduce an S_TCODE check for every line of code in the whole system... (this is something which some people seem to believe in...), which would introduce several billion new tcodes for you...
    > For which we can build separate role.
    That is different. The question here (and certainly your solution) is to have them in the same role without duplicates but still including all SPRO access.
    If you build them as separate roles, then you can merge them as projects into one composite and live with the duplicates while checking for any known objects which should not be included.
    I would agree with you. That is in my opinion a better solution, but it is not what you have been describing earlier.
    > We can plan for authorizations and build roles based on the inputs for today and tomorrow received from customer.
    That is the whole point in having maintainable roles and scalable processes. Manually maintaining 20k tcodes is incompatible with such requirements.
    > By the way, the max no of consultants and business process owners having this role is not more than 40.
    I don't think that assigning the role to less people will make it more useful, nor that assigning it to more people will bring down its per user cost of maintenance.
    There is some old code posted here already which does what you have described in less than 1 minute. You can find it via the tables I have mentioned above, and will recognize it (and its age) by the header lines it uses for internal tables. But it still works, since about release 3 point something...
    Cheers,
    Julius

  • Regarding full authorization except basis and abap

    Hello Gurus,
    I want to provide full authorization to my super users excluding Basis and ABAP transactions such as PFCG, SU01, STMS, SCXX, SEXX. Is it possible by providing some standard profile? If yes then which profiles are that? And if no then how to solve this problem.
    Please reply if you can.
    Thanks and Regards,
    Jayendra

    Hi Jayendra,
    You copy SAP_ALL to some ZSAP_ALL role and remove whatever Transactions you want to remove from ZSAP_ALL. Then you assign this role to all your super users.
    Regards,
    Hari.

  • Issues with test-all role and browser security

    WLS 10.3.5
    I have a deployed application on Linux using a SQLAuthentication and Authorization - all is well here.
    I have setup all the security (without the test-all role) and I cannot access any of the system.
    If I put the test-all role in - I can access the system.
    I have verified the user has all the roles (I used the example bean to display the user and roles on the menu page) and the test-all role is not in the list.
    I have the menu setup to not display items unless the user has the role (this is working fine - SecurityContext.inRole(rolelist).
    So the context is fine.
    I used jazn-data to set the same roles in the taskflows - this is not working at all unless the test-all role is set - I get authorization errors (not authorized).
    Have I missed something in this?
    I have also noticed that if I close the browser (X) without logging out and come back into the system the authentication is totally bypassed and I go back in as the same user as before.
    Is there some way to destroy the previous context every time the welcome screen is executed.

    Add the following parameters to the Run options for the ViewController project:
    -Djps.auth.debug=true -Djps.auth.debug.verbose=true
    Then restart WebLogic, run the app and watch the console - you'll see all the security evaluations take place which should help you to identify the problem.

  • Regarding Authorization policy and Roles in OIM 11g

    Hi,
    In OIM 11g Admin interface, is there a way to find out what all authorization policies a role has been assigned to?
    I am asking this because, if you search for a user, you will know what all roles he is a member of, and similarly if you search for a role, you will know who all users are members of that role.
    Similarly, if you search for an Authorization policy, you will know what roles are assigned to this policy. But if I search for a role, I am not able to find what all authorization policies have been assigned to this role.
    Looking forward to hearing from you,
    Many thanks in advance

    I understand your concern. But, this feature has not been available.
    --nayan

  • DP - No authorization for all characteristics value

    Dear All,
    I am trying to implement the role SAP_APO_FCS_SU (APO: Demand Planning Standard User) in SCM 5.0.
    When I logon as a user who has been assigned to this role and try to load a predefined selection profile or create one, I get the error “You do not have authorization for all the characteristic values selected”.
    Can you please let me know what I am doing wrong?
    Thanks in advance for your help.
    Emilie

    Hi Raj,
    I created a BI authorization object for my additional characteristics (ie, other than 9AMATNR and 9ALOCNO) and then added to the role.
    Below is the link for how to create BI authorization object.
    [http://help.sap.com/saphelp_scm50/helpdata/en/8f/9d6937089c2556e10000009b38f889/frameset.htm]
    Regards,
    Emilie

  • Demand Planning - No authorization for all characteristic values selected

    Hello All,
    I am trying to load the data and it is giving error "You do not have authorization for all the characteristic
    values selected".  I can access the data in sandbox but not in Development. SU53 of both are same.
    Also the roles are same in both the system.  /sapapo/mc77 - maintain selection assignments is also same in both the systems.
    Thank you for the help.
    Regards
    Pratap

    Hi,
    This is a case of inadequate authorization for display or execution of demand planning.
    I don't understand what you exactly mean by
    "su53 of both are same".
    SU53 gives you a list of the authorization check that the system last executed on the ID.
    Here are some suggestions. Do an SU53 immediately after the authorization error message is flashed.
    It shall give you the authorization object which is required for that activity that you were attempting.
    Also it suggested the name of role/s which have the required authorization object already present.
    It is possible that you might have ALL authorizations in dev system, but the quality and production systems are usually the area where selective authorizations are to be used.
    Hence the basis team might not have given you all the authorizations in the higher system where you are facing the above issue.
    Hope this helps
    Regards

  • Display authorization for all modules

    Hi All,
    Can anyone tell me how to assign display authorization for all modules like sd, ps, mm, fico, hr ..
    Is there any profile available for that?
    Any idea would be great.
    Thanks for your help in advance.
    Regards,
    Venki

    > And best would be if you can share the created copy of SAP_ALL with SDN users - hope moderators wouldn't mind this sharing.
    Davinder,
    I'm afraid you're chasing ghosts here, as have many before you and I'm afraid it will not stop here.
    The reason a search didn't bring up an easy solution (see your other thread, SAP BASIS Display only Role) is because there's no easy way to get to a display only role.
    Some thoughts:
    1- The amount of authorization objects varies from system to system, due to patch levels and installed add-ons so sharing a role built on a 'strange' system will have its flaws and due to the amount of objects in SAP_ALL or a copy will make it very difficult to spot those.
    2- There are somewhere between 150-200 different activity related fields in an ECC systems' authorization objects and for quite a few 03 is not display. Some do not have a display activity. See below as well.
    3- There are a lot of objects that do not have any activity related field so putting them in a role and claiming it is read-only is downright dangerous.
    To create proper display roles you will need to get requirements from the business, not only to build the roles but also to be able to test them. I've seen long lasting discussions whether printing is a display activity or not......
    Jurjen

  • Maintaining the authorizations for parent role and derived role

    Hi Experts,
    Kindly advise me on the pros and cons of the parent role and derived role. Below is the scenario.
    Currently we have created the 700 role in our regional organization and we want to derive the roles for each country.
    1) We want to do the Auth field (activity level) settings in parent role and Org levels in the derived role.
    2) But one of my colleagues says do the default Auth field (activity values) common to every country in the parent role and different activity ones in the derived role.
    Please advise me what will be the best scenario for maintaining the authorization field values like (activity level one).

    I will try to answer both your queries here:
    "my colleague says they are some NON ORG values different from each country ..suggest us to maintain all the default values in Parent role and auth with diff values needs to be maintained in derived role (child role).. "
    The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this field is NON_ORG you will not be able to maintain it directly inside the child roles.....this is the basic principle of derived role concept… that the only item you will directly maintain in a child role are the org levels (which will come as ‘organisational levels’ in the upper tab in the auth data of a role).
    All NON_ORG fields inside a child role are acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. These changes will get lost the next time you run the parent child inheritance from “generate derived role” function in your parent role.
    Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc … figure out the name of the concerned field you have in hand)….execute… you will see that the field will now onwards appear as an org level value in all roles in the system and not just as a field inside the auth objects….I would suggest you take one field and try running it in your dev or sandbox..see how the field changes in your roles.... the change can always be reverted by using PFCG_ORGFIELD_delete. ... you will understand it better....
    Soumya

  • User unable to view Excel button in ALV grid. Has full authorization

    Hi All,
    A user in our company is unable to view Excel button in ALV grid. Has full authorization to S_BDS_DS, S_ALV_LAYOUT.
    Please note that this is not the export to Excel button. It's the excel icon which enables the users to view the output in excel format on screen.
    I am able to view the Excel Button. Can you please advise what might be the possible root cause.
    Are there any authorization objects as well that govern ALV Grid buttons (excel) display.
    Please help.
    Can we add/delete the buttons in the ALV grid from somewhere..
    Thanks, Phani

    Hi,
    oic, only specific user, not all user.
    I have a similar problem with you, but not excel button but inbox button on initial screen (session_manager)
    deleting this user and re-create this user solved my problem.
    Hope it helps you.
    rgds,
    Alfonsus Guritno

  • Get all roles from an organization

    Hello,
    I want to get all roles (AMRoles) from an organization. I have Portal Server 2005Q4 on a machine and Access Manager and Directory on another and I want to extract all display profiles from all roles in different files (more than 100).
    I found the dpadmin command line to extract a Display Profile from a dn but, how can I get the list of roles with the amadmin command line tool?
    thanks for help.
    Philippe

    Hello,
    I took a look, found different xml files but: no help, no "howto", nothing very interesting.
    I tried this command:
    /opt/SUNWam/bin/amadmin -u "cn=Directory Manager" -w ******* -e "dc=isere-savoie,dc=fr" -o /export/home/jes/test.xml
    and with other values in the -e parameter but always the same message:
    Erreur 9 : Échec de l'opération : Failed to export entityDescriptor to a file.
    Any idea?
    Any link to some help on this command other than Access Manager amadmin Command Line?
    A complement: in the debug files, I have these errors:
    ==> /var/opt/SUNWam/debug/amFederation <==
    01/30/2008 04:40:59:324 PM CET: Thread[main,5,main]
    ERROR: FSAllianceManager::getEntity entityID: dc=isere-savoie,dc=fris invalid
    ==> /var/opt/SUNWam/debug/amMeta <==
    01/30/2008 04:40:59:510 PM CET: Thread[main,5,main]
    ERROR: Failed to export entityDescriptor to a file
    --------------------------------------Got Federation Exception
    Message: Invalid Provider ID.
            at com.sun.identity.federation.alliance.FSAllianceManager.getEntity(FSAllianceManager.java:1815)
            at com.sun.identity.liberty.ws.meta.LibertyMetaHandler.SMToMeta(LibertyMetaHandler.java:109)
            at com.iplanet.am.admin.cli.Main.outputLibertyData(Main.java:889)
            at com.iplanet.am.admin.cli.Main.runCommand(Main.java:730)
            at com.iplanet.am.admin.cli.Main.main(Main.java:1124)
    thanks
    Philippe
    Edited by: beutin on Jan 30, 2008 4:43 PM

  • I've cleared almost 30 gig off of my hard drive in the past 2 weeks, and it will temporarily show that in the Get Info box.  But hours later, I am still getting a disk full error and all of the memory has disappeared.

    I've cleared almost 30 gig off of my hard drive in the past 2 weeks, and it will temporarily show that in the Get Info box.  But hours later, I am still getting a disk full error and all of the memory has disappeared.  I have cleared my backup logs from Time Machine, checked the mail folder, cleaned out tons of photos and videos and it still keeps filling back up.
    In checking the log files, here is the message repeated over and over....
    Jul  4 07:18:13 Donald-Keele-Jrs-iMac-123.local CalendarAgent[213]: CoreData: error: (21) I/O error for database at /Users/donjr/Library/Calendars/Calendar Cache.  SQLite error code:21, 'unable to open database file'
    Jul  4 07:18:13 Donald-Keele-Jrs-iMac-123.local CalendarAgent[213]: Core Data: annotation: -executeRequest: encountered exception = I/O error for database at /Users/donjr/Library/Calendars/Calendar Cache.  SQLite error code:21, 'unable to open database file' with userInfo = {
                  NSFilePath = "/Users/donjr/Library/Calendars/Calendar Cache";
                  NSSQLiteErrorDomain = 21;
    Jul  4 07:18:14 Donald-Keele-Jrs-iMac-123.local cfprefsd[180]: CFPreferences: error creating file /Users/donjr/Library/Preferences/com.apple.iPhoto.plist.t3l894p: 28
    Jul  4 07:18:30 Donald-Keele-Jrs-iMac-123.local Printer Pro Desktop[275]: Empty task
    Jul  4 07:18:33 Donald-Keele-Jrs-iMac-123.local Microsoft Sync Services[8149]: [0x16697c0] |ISyncSession|Warning| com.microsoft.Entourage2008: transitioning to cancel - session cancelled by server: Client 'com.microsoft.Entourage2008' tried to start a session for the plan 45AD80C3-0D52-4CF2-8CBA-103564B6C47C and the plan no longer exists.
    Jul  4 07:18:33 Donald-Keele-Jrs-iMac-123.local Microsoft Sync Services[8149]: Warning: NSBundle NSBundle </Applications/Microsoft Office 2008/Office/Microsoft Sync Services.app/Contents/Resources/MicrosoftOfficeNotes.syncschema> (not yet loaded) was released too many times. For compatibility, it will not be deallocated, but this may change in the future. Set a breakpoint on __NSBundleOverreleased() to debug
    Jul  4 07:18:33 Donald-Keele-Jrs-iMac-123.local Microsoft Sync Services[8149]: Warning: NSBundle NSBundle </Users/donjr/Library/Sync Services/Schemas/MicrosoftOfficeNotes.syncschema> (not yet loaded) was released too many times. For compatibility, it will not be deallocated, but this may change in the future. Set a breakpoint on __NSBundleOverreleased() to debug
    Jul  4 07:18:45 Donald-Keele-Jrs-iMac-123 kernel[0]: (default pager): [KERNEL]: default_pager_backing_store_monitor - send LO_WAT_ALERT
    Jul  4 07:18:45 Donald-Keele-Jrs-iMac-123 kernel[0]: macx_swapoff SUCCESS
    Jul  4 07:19:31 Donald-Keele-Jrs-iMac-123.local Printer Pro Desktop[275]: Empty task
    Any ideas on what to do next?
    I'm running an iMac 20-inch early 2009
    Processor  2.66 GHz Intel Core 2 Duo
    Memory  8 GB 1067 MHz DDR3
    Graphics  NVIDIA GeForce 9400 256 MB
    Software  OS X 10.8.4 (12E55)

    Step 1
    Quit Calendar. Triple-click the line below to select it:
    ~/Library/Calendars/Calendar Cache
    Right-click or control-click the highlighted line and select
    Services ▹ Reveal
    from the contextual menu. A Finder window should open with a file named "Calendar Cache" selected.
    Move the selected file to the Trash. There may be one or two other files in the same folder with names that begin in "Calendar Cache". If so, delete those files too.
    Step 2
    Empty the Trash if you haven't already done so. If you use iPhoto, empty its internal Trash as well:
    iPhoto ▹ Empty Trash
    Then reboot. That will temporarily free up some space.
    According to Apple documentation, you need at least 9 GB of available space on the startup volume (as shown in the Finder Info window) for normal operation. You also need enough space left over to allow for growth of your data. There is little or no performance advantage to having more available space than the minimum Apple recommends. Available storage space that you'll never use is wasted space.
    To locate large files, you can use Spotlight. That method may not find large folders that contain a lot of small files.
    You can more effectively use a tool such as OmniDiskSweeper (ODS) to explore your volume and find out what's taking up the space. You can also delete files with it, but don't do that unless you're sure that you know what you're deleting and that all data is safely backed up. That means you have multiple backups, not just one.
    Deleting files inside an iPhoto or Aperture library will corrupt the library. Any changes to a photo library must be made from within the application that created it. The same goes for Mail files.
    Proceed further only if the problem isn't solved by the above steps.
    ODS can't see the whole filesystem when you run it just by double-clicking; it only sees files that you have permission to read. To see everything, you have to run it as root.
    Back up all data now.
    Install ODS in the Applications folder as usual. Quit it if it's running.
    Triple-click the line of text below to select it, then copy the selected text to the Clipboard (command-C):
    sudo /Applications/OmniDiskSweeper.app/Contents/MacOS/OmniDiskSweeper
    Launch the Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Paste into the Terminal window (command-V). You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.
    The application window will open, eventually showing all files in all folders. It may take some minutes for ODS to list all the files.
    I don't recommend that you make a habit of doing this. Don't delete anything while running ODS as root. If something needs to be deleted, make sure you know what it is and how it got there, and then delete it by other, safer, means. When in doubt, leave it alone or ask for guidance.
    When you're done with ODS, quit it and also quit Terminal.

  • How do i get a list of all Roles defubed under a particular OrganizationalUnit? How can i use LDAPConnection.search method for this?

     

    Sorry for the typographical mistake.
    Please read the question as:"How do i get a list of all Roles defined under a particular OrganizationalUnit? How can i use LDAPConnection.search method for this?"
