SAP ECC 6.0 delivered Roles - SOD compliant?

Are SAP ECC 6.0 delivered roles SOD compliant as per the GRC ruleset?

Ivanka,
the SAP ECC 6.0 roles are not SOD compliant as per the GRC ruleset.  You will actually find a number of violations within the standard roles.
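
The kind of check behind that answer, as an added example (not code from this thread or from SAP GRC): a tcode-level SoD analysis of roles against a ruleset in which a risk is a pair of conflicting functions and a function is a set of transaction codes. The ruleset, risk IDs and role names are constructed for illustration; only the transaction codes are standard ECC ones. It goes one step beyond the answer by also checking the union of roles assigned to a user, where a conflict can appear even though each role is clean on its own.

```python
"""Tcode-level SoD check of roles against a small ruleset (constructed data)."""

# Constructed ruleset in the GRC style: a risk is a pair of conflicting
# functions, and a function is a set of actions (transaction codes).
# Function names and risk IDs are made up for this example.
FUNCTIONS = {
    "VENDOR_MAINTENANCE": {"FK01", "FK02", "XK01", "XK02"},
    "AP_PAYMENTS": {"F-53", "F110"},
    "PURCHASE_ORDERS": {"ME21N", "ME22N"},
    "GOODS_RECEIPT": {"MIGO"},
}
RISKS = {
    "X001": ("VENDOR_MAINTENANCE", "AP_PAYMENTS"),
    "X002": ("PURCHASE_ORDERS", "GOODS_RECEIPT"),
}

# Constructed role -> tcode export (for example the S_TCODE values per role).
ROLES = {
    "ZSAMPLE_AP_ALLROUNDER": ["FK01", "fk02", "F-53", "FB60"],
    "ZSAMPLE_BUYER": ["ME21N", "ME22N", "ME23N"],
    "ZSAMPLE_WAREHOUSE": ["MIGO", "MB51"],
    "ZSAMPLE_DISPLAY": ["FK03", "ME23N"],
}


def normalize(tcodes):
    """Upper-case and trim tcodes so export quirks do not hide a match."""
    return {t.strip().upper() for t in tcodes if t.strip()}


def find_violations(tcodes):
    """Return {risk_id: {function: sorted matching tcodes}} for a tcode set."""
    have = normalize(tcodes)
    result = {}
    for risk_id, funcs in RISKS.items():
        hits = {f: sorted(have & FUNCTIONS[f]) for f in funcs}
        # A risk fires only when every function of the pair is executable.
        if all(hits.values()):
            result[risk_id] = hits
    return result


def analyze_roles(roles):
    """Role-level analysis: conflicts contained inside a single role."""
    return {name: find_violations(tcodes) for name, tcodes in roles.items()}


def analyze_user(assigned_roles, roles):
    """User-level analysis over the union of the assigned roles.

    Returns {risk_id: "single-role" | "cross-role"}. A role assigned twice
    (directly and through a composite role) is counted once.
    """
    unique = sorted(set(assigned_roles))
    combined = set()
    for name in unique:
        combined |= normalize(roles[name])
    per_role = {name: find_violations(roles[name]) for name in unique}
    verdict = {}
    for risk_id in find_violations(combined):
        inside = any(risk_id in found for found in per_role.values())
        verdict[risk_id] = "single-role" if inside else "cross-role"
    return verdict


if __name__ == "__main__":
    for role, found in analyze_roles(ROLES).items():
        print(role, found or "clean")
    print(analyze_user(["ZSAMPLE_BUYER", "ZSAMPLE_WAREHOUSE", "ZSAMPLE_BUYER"], ROLES))
```

This only looks at transaction codes; a full ruleset also evaluates the authorization object values behind each action, so a tcode-level hit is a candidate to review rather than a confirmed violation.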

Similar Messages

  • Creating Roles in SAP ECC for authority in BO

    Hi Gurus,
    Can anyone point me to additional information about how provisioning works in SAP ECC for BO?
    I am also looking for information on how to create some general roles in SAP ECC to transport into BO to control authority.
    I have already read through the "Business Objects Enterprise Admin Guide".
    Thank you in advance,
    Steven

    Hi,
    to synchronize the roles you can use CUA. In CUA, you define 1 system as a central store for user administration and then distribute the users + roles + groups to the systems. You configure your EP and ECC to receive the user data from that system; therefore, your user information is in sync.
    SAP Help: http://help.sap.com/saphelp_nw70/helpdata/EN/07/622441cd87a12be10000000a1550b0/frameset.htm
    For more information, there is an SAP product: Identity Management.
    SDN: https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
    To upload ECC roles to EP:
    SDN Article: https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/06a0e690-0201-0010-4b9f-e529c345a831
    User Mapping is for logging in to a backend, when the userid in the backend is different from the userid in the portal
    SAP Help: http://help.sap.com/saphelp_nw04s/helpdata/en/f8/3b514ca29011d5bdeb006094191908/frameset.htm
    br,
    Tobias

  • Maximum Nr of Roles in a SAP ECC 6.0 System

    Hi,
    How many roles maximum could be assigned to one user in a SAP ECC 6.0 System?
    In case some single roles are assigned several times to the same user (because one single role belongs to several composite roles), will this role then be counted only 1 time?
    Thanks,
    FedeX

    > can I find this note in SDN?
    Notes are to be found in the SAP service marketplace.
    > the second part of my question would interest to me..
    > if the profile appears 2 times...it will count as 1 or as 2.
    If the role appears twice in the user master record and PFCG_TIME_DEPENDENCY runs regularly the profile should appear (and count) only once.

  • Best practices / preferred usage of SAP standard (delivered) roles

    Dear Experts,
    When going about designing roles for a new system, what is the preferred usage on SAP standard/delivered roles?  I was thinking of using them as a "base", then tweaking auth objects here and there to make the roles work but the more I work with them, I find it may be better to create roles entirely from scratch.  A lot of the time, I find a lot of inactivated auth objects or objects that seem to not really be needed when looking at the t-codes offered in the menu (S_TCODE).
    In that case, I figured it might be cleaner if I started creating roles and adding t-codes via the Menu and maintaining only the auth objects that are proposed in PFCG (and adding a few if necessary).
    Do people typically build their roles around these the standard SAP role set or is it preferred to create your own and only use the SAP standard roles as reference (i.e. the t-codes offered in the menu, etc.)?
    Thanks for any insights!

    > When going about designing roles for a new system, what is the preferred usage on SAP standard/delivered roles?
    Those are provided by SAP as a reference so that you can consult with the Authorization Structure of a Standard Position / Task for which you are going to create your own role. For e.g. what are the TCodes, values of Objects should be given to users for their tasks.
    > I was thinking of using them as a "base", then tweaking auth objects here and there to make the roles work but the more I work with them, I find it may be better to create roles entirely from scratch.
    Absolutely! Please do not use SAP delivered roles for your use and also don't try to alter any values.
    > A lot of the time, I find a lot of inactivated auth objects or objects that seem to not really be needed when looking at the t-codes offered in the menu (S_TCODE).
    >
    > In that case, I figured it might be cleaner if I started creating roles and adding t-codes via the Menu and maintaining only the auth objects that are proposed in PFCG (and adding a few if necessary).
    >
    > Do people typically build their roles around these the standard SAP role set or is it preferred to create your own and only use the SAP standard roles as reference (i.e. the t-codes offered in the menu, etc.)?
    >
    Yes.. as reference.. as you say..
    Regards,
    Dipanjan

  • SAP Delivered Roles

    Can anybody tell me how to find SAP delivered roles for specific Modules (CD,FI) and stuff. Please tell me how can I find SAP Standard roles?
    Thanks in Advance
    Faisal

    Hi Faisal,
    This you can find from PFCG: go to PFCG -> in the roles field pull down the menu, then give a search with FI, finance, or accounts and you will get all the SAP delivered standard roles.
    This way you can search for the other modules/ areas as well.
    Regards,
    Hari.
    PS: Award points if helpful.

  • SAP ECC 6.0 - Using BAPIs for C# to extract data out

    I have had a client recommend a strategy of using C# (Visual Studio 2005) to extract data from SAP ECC using BAPIs.
    We do have an existing methodology in place using flat files to extract data to non SAP systems.
    We have purchased XI which we intend to implement next year.
    I basically wanted to keep things tidy and continue with the flat file interface strategy just to keep things simple going forward to XI.
    Then there is also the security piece: the developer has had to slowly build a profile / roles that allows him to come in through Visual Studio to access these BAPIs.
    I am looking for anyone who has had experience with this and what your experiences are.  As well, what are the SAP best practices concerning this strategy?
    Thank YOU ALL who will reply

    I think that SAP's strategy toward exposing BAPI is leaning toward leveraging their AS-JAVA stack.  With the AS-JAVA Enterprise Services and standard delivered web content, SAP is already exposing many existing BAPI/Business Functionality outside of the ABAP world.   However, that's not saying that traditional flat files have no place in the future.  Matter of fact, I don't see flat/delimited files going away any time soon.
    It all really comes down to what you are doing, you may even end up with a landscape that's a mix of files/RFCs.  Here inhouse, we leverage file based transfers for large data sets such as SAP BI OHS extracts, and daily R/3 FI extracts.  Why file?  because it's simple, easy to control, and you can see the data being transferred.  A file can be "hold in my hands" if you will, at best there's just a few characters in-flight.
    As for RFCs, any type of RFCs in fact (Anything from sap .net connector to AS-JAVA ESOA Based ES), are basically designed for transactional data.  Here, you are looking at things that are high in transactional count but small in individual size.  Your client's call using C#, it all really depends on how you are doing it.  MOST IMPORTANTLY:  Make sure you are using a proven, standardized, and SAP supported way, PERIOD.  NEVER EVER go into production with a "hack".
    For the high-transactional-count-small-individual transactions, we leverage BizTalk Server (BTS) here.  I'll be frank, we are not using BTS because we wrote it.  We are using BTS because it just works better for us, in our environment.  BTS now support SAP 2.0 connector (registered program ID) and SAP 3.0 (WCF based, direct SAP RFC call, supported by Microsoft AND SAP).  We are leveraging these adapters and BTS (as distribution and transformation) in our environment more and more.
    So, long story short:  Determine the transaction type, multiple solutions is ok, make sure the solution is supported!

  • Create Substitute Users in SAP ECC 6.0

    Dear Gurus,
    Can someone guide on how to create a temporary user (Substitute User) in SAP ECC 6.0. This is a user who will only use the SAP system for a short period while the substantive user is away on leave such that the system should lock the substitute user automatically when the leave period expires.
    regards,
    Chansa

    > Very valid points on the PID's etc - hadn't thought of those!.
    A lot of things are easily overlooked when designing substitution or emergency user procedures.
    > Seems that, if the covering user doesn't have the authorisations in their UMR and has to fall back on the reference user's roles, it shows the reference user ID instead.
    This would be very application specific and is not "mainstream". Where you can use it is with WAPIs (Workflow Application Program Interfaces) and BatchInput has been much the same for decades already.
    > I'm not really sure if there's a way around this as it may cause some questions internally but may benefit the business as the supplier/vendor etc think they are still dealing with their original contact.
    On the backend you still have the created by and posted by fields for many application documents (all else being the same - which I would not rely on...).
    > For small user groups, when one person is covering for another absent user in their user group then there shouldn't be any increased SoD figures (as long as reporting on org levels hasn't been activated in RAR) but we have found many instances where the covering user is either a team leader or similar which tends to increase SoD.
    This is often because the user ID is changed (to a service user) when entering the "special mode". So access to other users' (namely back to your own) spools, jobs, variants, layouts, work items, queries, office messages, etc etc is needed, and these are generally protected by strong administrator authority-checks. These will in combination provide many SoD conflicts or usually over-riding system admin access which makes the application restriction pretty weak in comparison.
    > Pity it (SM20N) doesn't seem to work by user group but not bad at all...
    It does via naming conventions, but is backward compatible for those already logging SAP* user and expecting no entries, which would then become all users starting with the name SAP... See RZ11 param rsau/user_selection (default is "off").
    > Can't make the Berlin conference unfortunately but thank you for the welcome to SDN.
    You can keep an eye out for "SDN Hacker Lunch" in the news streams. After the event, I normally put the infos and discussions together into a blog on SDN.
    Cheers,
    Julius

  • SAP Personas using SSO to connect SAP ECC

    Hi,
    We configured SAP Screen Personas test landscape.
    When I launch the mainapp page, the system is prompting for user credentials.
    Then I get "System Selection" screen where the system I have configured  (SAP ECC).
    When I click on system backend, a new popup asks for user and password (SAP ECC credentials).
    We are trying to understand if it is possible configure SSO to access ECC backend.
    So, the ECC backend credentials will not be required anymore.
    I am not sure if it is possible this configuration.
    According to SAP note 1684886 - License conditions of SNC Client Encryption, I think this scenario requires additional license.
    Any help to resolve this is highly appreciated.
    Best Regards,
    Leonardo.

    The project requirement is to prevent the user from logging in with SAPGUI and running the standard transaction.
    So, the user can log in only with SAP Personas user/password and run the transaction on the backend with a modified screen, with the restrictions of authorization roles.
    Regards,

  • Error while Importing Integration kit Transport Requests into SAP ECC 5.0

    HI ,
    1. At BO side -> I can see the many roles, but under 'role import tab' in CMC when I add any 'role' and click on update button, the system shows an error as below.
       "Failed while trying to get user list using class CSecRfcRemoteUsersActGrp in method CSecSAPR3Binding::GetUsersInternal(). Error code: 3. Description: Syntax error in program /CRYSTAL/SAPLSECURITY .. "
    2. After successful installation of integration kit on Windows 2008 server, I have imported the transport request into SAP ECC 5.0. When I imported the open sql connectivity transport request, I got an error message. The error message number is 8 and it came for Generation of programs and screens. I have installed sap gui 710 (version: 7100.1.0.1027).
       I also transported the remaining transport requests (infoset, row level, cluster definition, security functions) but all these requests contain a similar error. Now when I try to log in to SAP it is going to dump. Is there any possibility of reverting back the transport requests?
       Pls help me to fix these issues.
    Edited by: sheshikanth reddy on Apr 14, 2010 2:15 AM

    Hi ingo,
    Now I am able to transport successfully after following the order.
    Thank you very much
    Edited by: sheshikanth reddy on Apr 14, 2010 11:46 PM
    Earlier I had imported non-unicode request numbers into an SAP unicode system.
    That's why I got the error.
    Now I have imported unicode request numbers to the unicode SAP system in sequence.
    Edited by: sheshikanth reddy on Apr 15, 2010 12:19 AM

  • Can I retrofit from SAP ECC to SAP R/3

    My understanding was yes. However how do I set this up in SMSY? My system is coming in as an R/3 Enterprise system. However when I select the system role for post processing only my SAP ECC systems show up in the drop-down.
    How do I include my SAP R/3 system:clients in the SAP ECC drop down?

    Hmmm, it can be done both the ways. What system do you need to keep eventually?
    From your point, your ECC system is defined, right?
    If that's the case, go to Txn SMSY -> <your SID> -> Header Data -> Installed product version -> from the free selections select SAP R/3 -> and the related component (I guess ECC server). This actually creates by itself a duplicate in R/3, but you have to un-check the leading product role box. (You can have the desired system by cleaning up the inconsistencies.)
    The vice versa in the other case.
    Does this sound OK? I know, it's a bit confusing all over. Please try it for a test/Sandbox SID first, to get that in place.
    Thanks,
    Jagan

  • Difference between SAP CRM Security and SAP ECC 6.0 security

    Hi
    I have extensively worked on SAP ECC security but haven't had a chance to work on CRM Security.
    Can anyone please let me know the difference between CRM security compared to  ECC security.
    Thanks...

    I am sorry to say, but instead of giving the guy a decent answer you are starting a fight or discussion about stupid forum points...
    really sad.....
    The big  difference between SAP ECC and SAP CRM Security (up to release 5.0) was the following:
    1) For sure there are very different transaction codes in SAP CRM as compared to SAP ECC in the first place
    2) If you are familiar with R/3 or ECC authorizations, then you know that already on transaction code level, the 'allowed activity' is controlled on tcode level, whereas in SAP CRM, in most cases the 'allowed activity' is not controlled by the Transaction code, but on authorization object level....
    E.g. transaction code BP allows you to create/change/display  any type of Business Partner (e.g; sold-to/ship-to/contact person/employee/customer) which is based on the business partner ROLE concept.... anyway...you can control the allowed activity based on different authorization objects.....
    another example is business transaction processing...which can be launched by:
    a very generic transaction code: CRMD_ORDER
    transaction category related transaction codes :e.g.
          > CRMD_BUS2000126 for activity management
          > CRMD_BUS200115 for Sales processes
    Again...allowed activity is not controlled by the tcode, but on authorization object level...
    3) As of the new WEBCLIENT UI (which is valid as of release CRM2006s/CRM2007/CRM7.0) SAP also invented an extra authorization layer, which is UI COMPONENT LEVEL and logical links....  controlled by object UIU_COMP.
    However, they also introduced the BUSINESS ROLE Concept (e.g; SALESPRO/MARKETINGPRO/...) which defines actually the functionalities, navigation bar, screen configuration, logical links you can use/see within the new WEBclient UI.
    Another thing is that instead of using TRANSACTION CODES, as of these new releases, you are actually using 'external services'....so you do not authorize on tcodes basically....but the logic between tcodes and external services in relation to the authorization objects that are checked is more or less the same....
    STANDARD authorization setup in the new WEBUI client is therefore controlled by both backend authorizations (not UIU component related) and the UIU_COMP (restricting access to workcenters/logical links/...)
    4) Additionally SAP also provides a concept called ACE (which stands for ACCESS CONTROL ENGINE)....
    This requires a bit of customizing...and the rest is more or less pure customer development, as you will create your own methods where you'll define a logic which dynamically will verify what kind of access you have for an object....
    You should know that ACE is actually implemented on top of your 'normal' sap crm security setup....
    cheers
    Davy Pelssers

  • How to install BI-CONT 7.37 in SAP ECC system EHP 5

    Hi SAP Gurus,
    We recently upgraded BI_CONT in our BW landscape(SAP netweaver 7.3) from 7.36 to 7.37
    What is the strategy to upgrade BI_CONT or corresponding changes in SAP ECC system (EHP 5)?
    Currently we don't have BI_CONT installed in our  ECC system.
    Kindly let me know how to upgrade BI_CONT related objects.
    Earlier we used to use custom extractors and data sources in ECC system for BI_CONT; now the business has planned to use all standard data sources.
    Question here is do we need to install BI_CONT in SAP ECC and what is the procedure?
    Thanks,
    Avadhesh

    Hi Avadhesh,
    No need to upgrade or install add-on BI CONTENT in ECC system if you have already BI landscape for doing BI functions.
    BI content includes the functionality below, which can be installed as an add-on in ECC when you don't have a BI landscape.
    DataSources
    Process chains
    InfoObjects
    InfoSources
    Transformations
    InfoProvider (InfoCubes and DataStore objects)
    Variables
    Data mining models
    Queries
    Workbooks
    Web templates
    Roles
    Aggregation level
    Planning function
    Planning function type
    SAP Crystal Reports (BI Content Ext.)
    SAP BusinessObjects Dashboards (BI Content Ext.)
    Regards,
    Karthik

  • Webservice:get data from SAP ECC

    hi,
    I want a webservice. That webservice will fetch the data from the SAP ECC system.
    I need steps for creating the webservice. I have some functionality. What can I expose as a webservice?
    thanks
    raj

    Hi Raj,
    If we are trying to fetch data from the SAP ECC system, then exposing it as a web service from NWDS (NetWeaver Developer Studio) would be the best option. First we need to create a Portal Service that invokes the functionalities of the SAP application component (Business solution which uses ECC) using the SAP Java Connector. Then you can create a Web Service from the Portal Service.
    If your SAP application component runs on SAP Web Application Server (WebAS) 6.20 or later, then you can directly enable Web Services on the application component by using the application server's native Web Service capabilities.
    1. To turn on the WebAS 6.20 SOAP Processor, you need to:
    Configure the Internet Communication Framework (ICF) of the WebAS to start the Internet Communication Manager (ICM) and activate the HTTP protocol support
    Use transaction SICF to activate the SOAP Runtime Handler: default_host -> sap -> bc -> soap -> rfc.
    Once the SOAP Processor is turned on, the RFM-implemented Web Services can be invoked at http://<host_name>:<port_number>/sap/bc/soap/rfc
    6.20 also provides a Web Service Browser, which is a BSP web application that can be used to browse all RFM-implemented Web Services in the system, and generate WSDLs for these Web Services.
    2. In a WebAS 6.40-based SAP application component, such as SAP Enterprise Core Component (ECC) 5.0, or a WebAS 7.0-based application component, such as ECC 6.0, by default, few Web Services are pre-delivered by SAP. But it is pretty easy to create Web Services in a WebAS 6.40-based system.
    Inside-Out Approach: if within the SAP application component there already exist one or several RFMs or BAPIs that suit your needs, you can create Web Services based on them without any additional programming. The basic steps include:
    Using the Service Definition Wizard, which can be started from transaction SE80, SE37, or BAPI, to create a (Web) service definition from an RFM, a function group, or a BAPI.
    When creating the service, you have the option to rename or hide operations (methods) and parameters, define default values for parameters, and changing parameter types.
    After the service definition is created, you need to use transaction WSCONFIG to release the service definition for the SOAP runtime.
    Afterwards, by using transaction WSADMIN, you can, for any released Web Service, call the Web service homepage which provides utilities for using and testing the Web Service, generate WSDL, configure the logging and tracing settings, and publish the Web Service as a Business Service in a UDDI registry.
    Hope these steps are helpful to you.
    Regards,
    Shaila

  • SAP GRC 10 - PSS Access from SAP ECC System

    I have configured Password Self Service in GRC System and is working perfectly fine for all password resets if access provided to NWBC from  GRC System.
    We have a requirement to let end users reset passwords using the SAP ECC System only. I have tried to access NWBC using the SAP ECC System but it is giving me an error that Menu not configured or roles not assigned.
    Currently Maintain Data Sources is configured as below:
    User Search Data Sources, User Detail Data Sources & User Authentication Data Sources set to ECC Connector and End User Verification set to yes. We are not using LDAP / Active Directory for the User Search Database and instead ECC only.
    Can anyone provide the roles to be assigned in the SAP ECC System to access NWBC - Password Reset?

    Hi Anil,
    In support to Colleen's comments, It seems that you have not configured the USER on the End User Services.  You need to make sure that the guest user (not available in GRC) is configured in each of the 10 services in SICF for the end user Login Pages to work.
    Here are the 10 required services to be activated:
    1.)GRAC_OIF_MY_PROFILE_EU
    2.)GRAC_GAF_NAME_CHANGE_SERV_EU
    3.)GRAC_POWL_REQUEST_STATUS_EU
    4.)GRAC_GAF_PWD_SELFSERVICE_EU
    5.)GRAC_OIF_USER_REGISTER_EU
    6.)GRAC_GAF_ACCREQ_WITH_REQREF_EU
    7.)GRAC_OIF_REQUEST_SUBMISSION_EU
    8.)GRAC_GAF_ACCREQ_WITH_TEMPL_EU
    9.)GRAC_GAF_ACCREQ_WITH_USEREF_EU
    10.)GRAC_UIBB_END_USER_LOGIN
    You can refer to note 1628387: http://service.sap.com/sap/support/notes/1628387
    If the user is not present in GRC system then, they have to go with end-user-logon page to reset their passwords where you can always define the user authentication configurations.
    Regards,
    Ameet
    Message was edited by: Ameet kumar

  • SAP ECC 6.0 / Active Directory Password synchronization

    Hello,
    We have a need to synchronize our users Windows passwords (AD) to our SAP systems (ECC 6.0, BW 3.5, and SCM 5.0).  We do not use CUA and currently do not use a Portal and are not looking at doing SSO.  We simply want to have one repository (AD) that will manage passwords for our Windows apps as well as our SAP systems.  So far, we have not found a way to do this.  SAP Note 603208 says this kind of synchronizing is not possible due to encryptions, among other things.  However, we did find a white paper that stated the following:
    ~snip
    The Management Agents delivered with MIIS generally support password management: they can take a password from some source (either from a user password change from the Windows interface, or from a self-service web-based password reset interface) and can set the same password in the various connected systems. The Management Agent developed by Oxford is no exception. To change a password in an R/3 System the Susr_User_Change_Password_Rfc function can be used, but this is only possible if the old password is known and the SAP system allows the password change for this user. In cases where the old password is not known (for example the setting of an initial password) the password can be reset using the BAPI_User_change function.
    ~snip
    Does anyone have any information on how we can achieve the password synchronization between Active Directory and Abap-based SAP Systems?
    I very much appreciate your time and help.
    Paul

    Paul,
    You can achieve this using "common authentication". Since Active Directory uses Kerberos, if you allow your SAP systems to support Kerberos authentication as well, then you will be able to logon to Windows workstation, and use the Kerberos credentials issued by Active Directory during this logon to log the user onto SAP.
    This is common, and easy to achieve. You need to use the SNC capability which is provided in SAP GUI and also in SAP ABAP engine, and you also need a GSS-API library for both workstations and for the SAP servers that implements the Kerberos protocol. If your SAP server is running on Windows Servers then you can get this GSS-API library from SAP, but if (like many companies) you are running SAP ECC, BW, SCM etc. on UNIX or Linux servers then you need to license a third-party product which provides the GSS-API library etc. I represent a vendor (CyberSafe) that provides this exact product, but you can also find other vendors by looking on SAP partner website, under SNC certified products list. If you want to find out more about our product, please ask me offline by getting my email address from my business card.
    I hope this helps. Of course, if there are any questions for me related to this which are appropriate for public viewing then please ask them via this forum instead of via email.
    Regards,
    Tim
