SAP BI : Roles & Authorizations

Similar Messages

• How to determine role authorization of user in MAM?

  Hi everyone,
  I'm new to SAP and SAP MI, and I am currently implementing (or "enhancing") a MAM.  I have the following question on user authorization:
  In terms of role authorizations, does anyone know how I can determine what roles an authenticated user have from SAP?  For example, if user A logs into the MI Client, and if this user accesses the MAM, is there a way for the MAM to know what kind of user roles he/she has?  Is there a SyncBo that will give me such info?  I checked the JavaDocs for the SyncBo's, but they have NO descriptions.  The closest thing that I found was in MAM090 (Interface com.sap.mbs.mam.bo.MAM090).  There are getter methods for getRoleGen(), getProfileResource(), and getPartnerRole().  Are any of these usable?
  Are there any good documents that I can look at to determine what each SyncBo's does? 
  Many thanks!
  Jeffrey

  Hi Jeffrey!
  Here are the 3 different checks you have to look at"Users & Authorizations" for setting up your MAM Users.
  (1) SAP Backend:
  (1a) The SAP MAM User who synchronizes with the Backend from the MI Client should have all necessary authorizations for Plant Maintenance Components of the SAP System that are associated with your MAM Scenarios.Pl refer to the following SAP Authorization Objects I_ALM_ME ,I_AUART,I_BEGRP,I_BETRVORG,I_CCM_ACT ,I_CCM_STRC,I_ILOA,I_INGRP,I_IWERK,I_KOSTL ,I_QMEL,I_ROUT ,I_ROUT1,I_SOGEN,I_SWERK,I_TCODE ,I_VORG_MEL,I_VORG_MP ,I_VORG_ORD,I_WPS_MEB ,I_WPS_REV in your Backend System and have it assigned to the User Profile, based on your requirement.
  (1b) Service User for setting up the MAM & MI Landscape: This user logon info has to be setup in the RFC Destination that is associated with your MAM25 SyncBOs, to logon to the Backend System and this user should have the basic authorizations required to establish the connection.
  (2) MI Middleware: The SAP MAM User who synchronizes with the Backend from the MI Client should have the following Authorization Objects assigned to his/her profile. S_ME_SYNC, S_RFC, S_TCODE.
  (3) MI Client: Refer to MI Security Guide.Pl note that the MI Client MAM User is same as the Middleware User and the Backend User.You should be taking care of this already.This is just a FYI.
  Let me know, if you are looking for any other additional info.
  Thank You
  Gisk

• SAP USERS ROLE TABLE

  Can some one tell me the SAP USERS ROLE TABLE
  I Will assign point to any input.
  Balance Roll forward     
  Change Vendor Line Items
  Change Parked Vendor Document
  Change/ Reverse Vendor Invoice     
  Check Processing
  Clear Accounts Payable Items
  Display A/P  Balance & Items
  Display Checks     
  Display Vendor Documents     
  Display A/P Master Data     
  Display Parked Vendor Documents     
  Account Payable Interest Calculation     
  A/P Invoice Entry     
  A/P Accounting Key Reports     
  Manual Payment     
  Payments Using Bill of Exchange     Display
  Payment Run Parameters     
  Create and Process Payment Run Proposal     
  Accounts payable period closing     
  Post Parked Vendor Document     
  Maintenance of Accounts Payable Master Data     
  Process Withholding Tax

  go to t code PFCG
  Search for roles with SAP_FI_AP*
  You could always create your own role.
  In the Menu tab add the t codes you have specified.
  You will then need to add the authorization objects in the authorization tabs.
  For the t codes you have I guess it would take an hour max.

• Check user role/authorization during Web report run-time?

  Hello again,
  I ran into a problem. I need to check <b>user's authorization during webtemplate execution (run-time)</b>. I want to have a possibility to allow in one web template extra functionality (through template menu) to key users. Normal users, who are running same report, should not have this extra menu visible.
  Is it possible to check user authorizations or roles during web-template run-time?
  Thank you!
  Vitaliy

  Hi Harinam,
  From my logic your are right.
  The restriction is in two new roles (Requestor and Approver role).
  But ->
  If I assign my approver role the selection possiblities of the request types during the AR creation is restricted and the AR search function does not work.
  If I assign my requestor role the restriction of the request type is not there, but the AR search function works again. :-(
  If I assign the original approver role of sap I have the same behavoiur for the AR search.
  Both new roles are a 1:1 copy of the SAP standard roles - > Exception, ristriction on request type 'Execption Approval' is not displ.
  I have execute ST01 now. If I try to open the log, the system syst "No records that correspond to these search criteria".
  But I have found something else.
  The problem appears only if I search for Process ID "Access Request Approval Workflow".
  If I select other Process ID such as "Control Assignment Approval Workflow" or "Fire Fighter Log Report Review Workflow", everything works fine.
  Very strange!
  BR
  Melanie

• SAP HR Structural Authorizations

  Hi Experts,
  I need a help regarding SAP HR Structural Authorizations.
  Currently our HR System is set with structural authorizations were in
  users will be accessing HR Org structure with different pd-profile and HR relationships (with Org units ex:
  assistant relation, manager relation).
  Now we want to design the roles based on company codes, where users should be able to see
  all organization units within company code 'xyz'.
  Do we need to create new pd-profile or new HR relationships or just restrict within existing HR roles for
  accessing organizations units within different company codes.
  Please guide me steps to proceed with this requirement?
  Your early response is highly appreciated, thanks in advance......

  You will need to talk to the HR folks about this and whether any employee grouping on the HR side matches a company code unit on the FI side to use in the authorizations.
  This means that HR data and processes are also aligned to finance processes, which was often the case with local HR systems but less so with global ones.
  The answer is on your side in the data and the processes. There is no single field which you can use for both, let alone an org. level field known to structural authorizations.
  Cheers
  Julius

• Is there any SAP substitute role to create expense report for executives?

  Hello,
  In an organization there are executives like MD, CEO and they need to submit their expenses. This activity is basically needs to be done by their secretary (substitute). So is there any SAP provided roles to do this activity?
  I have seen SAP_FI_TV_WEB_ASSISTANT used for My Employees/POWL. Apart from this role do we have any other way for executives?
  Appreciate your help.
  Thanks,
  Chandra.

  Hi ,
  You can create travel request from PR05 from ECC or if you have ESS and you want administrators to create on behalf of others provide the below role and you can create from My Employees or you can customize a role specific for administrators using structural authorizations.
  SAP_FI_TV_WEB_ASSISTANT
  Hope this helps,
  Regards,
  S.Srikanth
  Edited by: SrikanthS on May 10, 2011 6:32 AM

• Break sap standard role into two sub roles

  hi,
  i have one SAP standard role. now i want to break this role into two  sub roles. how shall do it.
  please suggest me.
  regards
  ramesh
  Edited by: Ramesh Sammiti on Jul 31, 2008 11:00 AM

  Hi Ramesh,
  When you say that you want to split the SAP Standard role into two roles:
  1.Do you mean to say that you want to split the transactions and authorization data of the SAP Standard role into two separate Z* or Y* roles?
  2.Do you want to copy the SAP Standard role into two different Z* or Y* roles and then modify the authorization data according to your company's requirements?
  In the above two scenarios you must copy the SAP Standard role into Z* or Y* roles in PFCG transaction with the appropriate naming convention and make necessary changes in both the transaction data and the authorization data.
  Please be clear which SAP Standard role you are willing to split into roles and i can provide more details.
  Hope this helps.
  Regards,
  Kiran Kandepalli

• Role authorization for product selection

  Hi All,
  i have a requirement for which i need your help. Now my Account Manager can see all products while placing an order. I want to restrict his selection to only 5* and 6* products. That means when he will look for placing an order in the next time, he should only see 5* and 6* products not all products. Can you please tell me how to go about this role authorization. 
  your valuable inputs will be appreciated.
  Regards,
  Sasmita

  Hi,
  I feel Access Control Engine would be the most elegant and futuristic solution.
  However, you need to review all the solutions suggested. Solution suggested by Shalini and Ashish are more practical. However, generally partner product range is used in case of Sold-to parties.
  Please review all the solutions suggested and take decision based on circumstances at your client's end.
  You can get more information about Access Control Engine at
  http://help.sap.com/saphelp_crm40/helpdata/en/04/0177f9bb67ac4cafb84bb4d4c1d8fc/frameset.htm.
  Also there are several guides and cookbooks on ACE at service market place.
  Regards,
  Deepak

• Re-Engineering SAP Complex roles

  Last week I visited a large European telecomm company in order to assist and consult them on their SAP system access rights.
  In the first couple of days, we dedicated the time to analyze the data that was imported into Eurekify/Sage and generate many cleansing reports. A cleansing project is an essential process before any RBAC project.
  By the way, the import of data was done by using the Eurekify built- in connectors to SAP.
  The cleansing analysis was done on 2 levels:
  1.     Roles (complex and simple)
  2.     Authorization objects and fields.
  The second phase of the analysis revealed astounding facts about their current roles:
  1.     The complex roles covered only 2% of the users!!
  2.     Most of the access rights were not via complex roles, but rather directly to simple roles. Only 4% of the access rights to simple roles where via complex roles.
  3.     They had many dual access rights to “simple role” which means that a user had access to the simple role directly and also via a complex role.
  4.     They found that they had many simple roles that could be merged.
  The highlight of the project was the SAP complex role re-engineering. We reversed engineered the “complex roles” and deleted the roles.
  Within 1 day of (partial!!) role engineering, we managed to create new complex roles (less than what they had before by 20%), however:
  1.     The new roles covered 40% of the users!!
  2.     The new roles covered 26% of the access rights to “Simple Roles”!!
  In the upcoming weeks the project will continue in 2 layers:
  1.     Cleansing the SAP access rights data from complex roles down to the fields.
  2.     Continuing with the Role Engineering in order to create a full model of complex roles.
  Are you interested in applying this experience to your SAP system?
  If yes, feel free to contact me.
  Ilan Sharoni
  <b><REMOVED BY MODERATOR></b>
  Message was edited by:
          Alvaro Tejada Galindo

  Maybe you use the CAF for the project? You shall then be able to use any technology you want to use or are comfortable with and then integrate the different objects as part of a process.
  Sameer

• Role Authorization Vs ACL in cProjects

  We do not want to use ACL (Authorization at the Project level) to grant authorization. We are looking for a way to have this authorization by roles. Not too sure if the minutest of details can be controlled by authorization objects.
  Of the few requirements that we have, one goes as follows:
  1. We need a role of "Resource Manager" to be able to view all projects. However, this role must not be able to edit the project structure. This is possible. However, another requirement that we have is that this role must have all "admin" level access at the "Resources" level. Which means, this role must be able to staff roles and assign tasks to roles and resources, but must have read-only access to the project structure.
  Can this be done?
  2. Another requirement is with regard to status management. We want a role to have the authorization to set only select statusses. We have a combination of standard and custom stasusses in the status profile that we are using. We look to control the access for roles by which one role can only set a few of these statusses.
  Can this be done?
  Thanks and Regards...

  Hi Peter,
  We have exactly the same need, and unfortunately everything is not solved yet.
  1/ In standard, there is no distinction between project and role authorizations. This means you need 'admin' auth at project level if you want to manage the roles. We created an OSS message for this, and SAP answer was to create a development request --> Until then, and if we get a positive answer, nothing can be done to separate project & role authorizations. So there is no solution today.
  2/ For the statuses, we add to enhance class CL_DPR_STATUS_MANAGEMENT, methods GET_PERMITTED_USER_STATUS and/or GET_PERMITTED_ACTIVITIES. Thanks to this, we are now able to filter the status list that is populated in the screen.
  Regards,
  Matthias

• Deletion of SAP standard roles

  I have been asked by the client if we could delete all of the SAP standard roles. I think there are many good reasons not to delete them, but does anyone know what SAP's official recommendation would be to that question and could you point me to the documentation or SAP Note where that recommendations is written?
  So far all I have found is the following documentation(http://help.sap.com/saphelp_47x200/helpdata/en/52/67164b439b11d1896f0000e8322d00/frameset.htm) saying that:
  Do not change the delivered standard roles (SAP_), but rather only the copies of these roles (Z_). Otherwise, the standard roles that you have modified will be overwritten by newly delivered standard roles during a later upgrade or release change.
  But it does not say that you should never delete them.
  Br,
  Jon

  Christensen Jon Jagd wrote:>
  > The client want's to "clean up" the authorizations concept by deleting all of the unused roles. And all the SAP_* roles are not assigned to any users (and not generated neither).
  I've seen that before, the urge to clean up...... unused roles aren't the worst thing to happen on a system, as long as they're part of the concept.
  Come to think of it. I'd delete them from my test and prod systems to avoid confusion and/or (mis)use, but not from dev. On dev the majority of roles is not assigned to users anyway........
  > But I would like to know if for example "SAP recommends that you do NOT delete system delivered roles".
  I don't think such advice exists. Try to convince the client they should be kept on dev for future reference. Delete them on the other systems to clean up. Everybody happy.
  Jurjen
  Edited by: Jurjen Heeck on Feb 12, 2008 10:16 AM

• Roles & authorizations

  hi all,
  am a BI consultant.
  in my project CRM part there is a need for creating new users and for that roles & authorizations has to be assigned.
  i want to do it.
  in this business same role will be having diff autherizations as per the location.
  example: mumbai Branch manager for mumbai
                baroda BM for baroda,and few other cities.
  how to assign the auth for this.
  we need to restrict each one with their respective branches.
  in this what is the role for a Basis consultant.
  kindly give the road map for this problem. so that i will start learn.
  jeeva

  hi
  for roles and authorisation please go through this link
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/0062e975-48c2-2910-e49c-8d6ad796ba21
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/0062e975-48c2-2910-e49c-8d6ad796ba21
  it will surely help you
  best regards
  ashish

• Roles & Authorizations in FICO

  Hi frends,
  can anybody help me in preparing the Roles & Authorizations.What is the procedure  and How can we prepare?what is the base?
  Regards
  Sap Guru
  [email protected]

  Fist you decide based on your organosation, how many roles you want, ex: user , officer, manager.
  even if you want create like AR users, AP usera,  like that also.
  Once rolls  ready assgin your employees to your rolls.
  For Each roll you decide which type of transaction you want give access.
  wHAT ARE ALL TRANSACTION CODE YOU GIVE ACCESS TO ROLL , THAT T.CODES ONLY WORKED FOR THAT EMPLOYEES based on the Roll CREATED.
  CHANDRA.

• SAP BW Roles for CPIC user to use in Univ Connection

  Hello All,
  I am working on BO XI 3.1 and SAP BW 7.0. At present we are using personal logon credentials in the Universe creation wizard to connect to SAP BW. Instead we would like to create a CPIC user and use that user to connect to SAP BW.
  I am wondering what are the roles/authorization this user should assigned.
  I greatly appreciate your input.
  Thanks

  Ingo,
  Thanks for the reply. I went the through "SAP Integration Kit Installation" document.
  It has details on SAP Single Sign-On and required authentication details. At this moment we are not ready for that.
  As I mentioned in the email, we are using the BW developer logon credentials in the Universe Connection Wizard to SAP BW. We would like to get away from that by creating general user in SAP BW specifically for the purpose of BOBJ reporting.
  And we just do not want to copy SAP BW developer role to the generic user instead we would like to assign only the required roles. I am not sure what are the minumum roles required for this user.
  It would be great if you can share any information related to that.
  Thanks

• SAP standard roles for Mii inside of objects?

  Hi,
  It is our practice to rename SAP standard roles we plan to use "as is" to our company's naming convention.  I am being told by an Mii implementer that Mii uses the standard role names in objects and that by changing these names to our convention, I will create "complications" in their implementation process.  I find this hard to believe, it would be a departure from what (little) I know about SAP and how they handle authorizations and roles.  It also seems to be very limiting when it comes to customization in the future.
  Is this true?  Does Mii name standard roles inside of objects? (These "objects" were not clearly defined to me and I plan on calling a meeting so they may show me examples.)
  Anyone else on Mii have this issue?

  As far as I know, in Mii a user typically needs at least one of these roles:
  SAP_XMII_User
  SAP_XMII_Developer
  SAP_XMII_Administrator
  You can of course add additional roles with the authorization the different users require using your own naming convention.
  I think this is what the Mii implementer is talking about.
  Good luck!