SAP PP: Security Profiles

Similar Messages

• SAP BOBI 4.0: Data Security Profile Issue

  Consider the below scenario :
  We have two environments(SAP BOBI 4.0): Dev and Prod
  Schemas used are test and testABC in DEV and Prod respectively. And structure (table
  names and column names) inside both the schemas is same.
  We have created several data security profiles in Dev
  environment. So now when we migrate via Promotion Management, the universe from Dev to Prod, “data
  security profiles” also gets migrated.
  So once migrated we change schema name from test to testABC
  in data foundation layer which makes our dfx to point to testABC schema in
  Prod.
  Once above process is done when we go to data security
  profiles, table names gets changed from test to testABC But inside WHERE
  Clause, schema name is still test it doesn’t gets changed to testABC.
  Now question is  :
  Is there any way so that schema name inside
  WHERE Clause should get changed automatically from test to testABC?
  Is there any way we can restrict Data Security
  profiles to get migrated when we are migrating the universe?

  What is your data source? Did you try to edit the security profile in where clause?
  Is there any way we can restrict Data Security
  profiles to get migrated when we are migrating the universe? - You can only exclude to promote User/Folder/Object security, not inside the Universe.

• Export - custom queries and reports, and security profiles

  We would like to keep a copy of our customizations to the application. 
  There are ways to import queries, reports and profiles into the app.  Is there any way to export the following to something like a CSV file for the following:
  - custom queries (all tabs)
  - custom reports (all tabs)
  - security profiles (custom and out of box u2013 all access rights)
  Thanks,
  Jerry

  Jerry,
  There are no standard queries that extract security profiles, Query Groups, Reports or Query Defintiions from the system. 
  However you can build custom queries that support this functionality.  During an implementation project I created some custom queries which allowed you to extract these objects for documenting purposes  We likely could supply these to you through SAP Consulting.  Please reach out to your SAP rep and have them Contact Me.  I have created some instruction that explain how to create these.
  Regards,
  James

• Service Interface Security Profile & Idempotency

  Dear PI Experts,
  Based on the information given in the following link:
  https://help.sap.com/saphelp_nw73/helpdata/en/48/5b14cf63424992e10000000a42189c/frameset.htm
  - Quoting the link The security profile "... form the metadata descriptions which influence the behavior during implementation of this service definition."
       => Does this mean the implementation should be handled by the application programmer?
  - The Security Profile section shows that there are some values available for the security profile and the default value when we create a new SI is Low.
  From the link above, it is stated that "Low - Basic Authentication using user ID and password and no transport security."
       => Does this mean I can configure the user ID and password to be used at the interface? If yes, where can I configure it?
  - From the same link above, from what I get at the Idempotency section.
       => Does the Idempotency mechanism is handled by PI or should be handled by the provider application programmer? If it is automatically handled by PI, what is the transaction ID used for to check if the message has been sent before? If not, what is the advantage of ticking the Idempotency for the provider application programmer?
  Any advise would be appreciated.
  Thank you,
  Suwandi C.

  Hi Suwandi,
  - Quoting the link The security profile "... form the metadata descriptions which influence the behavior during implementation of this service definition."
       => Does this mean the implementation should be handled by the application programmer?
  ----->>>> The service interface configuration needs to done by application developer and it should be as per given scenario. In most of the cases this configuration is same (unless a specific scenario).
  - The Security Profile section shows that there are some values available for the security profile and the default value when we create a new SI is Low.
  From the link above, it is stated that "Low - Basic Authentication using user ID and password and no transport security."
       => Does this mean I can configure the user ID and password to be used at the interface? If yes, where can I configure it?
  --->>> you do not need to configure the user id or password. this is for the consumer, when you expose your service interface as service and consumer needs to use the service with user id and password (for Low) and needs certificates for SSL connection.
  regards,
  Harish

• Minimum Security Profile for CCMS?

  Does anyone know the minimum security profile or roles needed to read counters for CCMS?
  I have added the following roles to a test user:
  SAP_BC_BASIS_ADMIN
  SAP_BC_BASIS_MONITORING
  SAP_BC_CSMREG
  I have added NO profiles to this test user.
  I noticed when I try to retrieve data using an in-house program operating under this user, all values are always 0.00
  However, once I add the profile S_A.SYSTEM, I can see actual values of 25.00 or 8.00, etc.
  Unfortunately, S_A.SYSTEM is too powerful to use -- is there a different, minimum profile I can use to access CCMS metrics from a in-house program?
  Much appreciated.

  Hi,
  S_RZL_ADM authorization is required to administer CCMS. Please check if the SAP PDAGs that you are assigning have this authorization object. If not, you may experience similar errors.
  Also, refer SAP Note 135503 to identify the configuration parameters information required to work with CCMS.
  Hope this helps!!
  Regards,
  Raghu

• Security Profiles - Difference between SYSTEM and TENANT admin user?

  Hi,
  In the OnDemand Enterprise workbook, some defualt security profiles have been configured.  This includes one called 'Tenant Admin'.   When I look in the system there is also a profiule called 'System Admin'.  Could somebody please explan the differences between system and tenant regarding these profiles?   I assume we shoul drarely use System Admin, and Tenant Admin is the safer option?
  Thanks
  John

  Hi,
  As you mentioned there are 2 status can be maintained for documents like Equipment Master, Notification, Maintenance Order & other important business documents.
  In case, client feels that system status is not enough to capture the details of the object, then user status can be used.
  System statuses will be updated automatically based on business transactions which will be done on SAP.
  For example, once the equipment is created, System status would CRTD (Created). If you install the same to some superior equipment or FL, then status would be INST (Installed).
  If you keeping that equipment in Spare, then for that, you have to maintain separate User Status like AVLB (Available in Stock / Spare) so that through IH08, by using User status, you can the report which is available as spare.
  These user status as per the name, should be updated by the user manually.
  Regards,
  Maheswaran.

• Importing custom created security profiles from a .csv or .xls document

  Hi Experts,
  We have a prerequisite where we need to create custome security profiles as per the requirement.
  These security profiles I have created in an excel sheet and wish to import it in the server.
  The reason behind creating the security profiles through excel sheet is that in the future we will be working on a new server. So instead of doing any rework we can directly import from this excel sheet.
  For creating a security profiles through an excel sheet, I have mentioned the following things in the excel sheet.
  1. In a "eso_security_profiles" i have mentioned the profile name,description,internal ID, etc..
  DISPLAY_NAME       DOCUMENT_DESCRIPTION    INTERNAL_NAME     CATEGORY  COLLAB_PROFILE    INTERNAL_TYPE     RESTRICTED
  DISPLAY_NAME:Category Manager    
  DOCUMENT_DESCRIPTION   : This profile is for the user who has full rights only at project business document but cannot approve and have no access rights to the master data
  INTERNAL_NAME  :  fci.profile.doc.category_manager
  CATEGORY  :   BUYSIDE     
  COLLAB_PROFILE    :   TRUE     
  INTERNAL_TYPE     :   
  RESTRICTED   :  
  2. And in the "eso_security_rights" I have mentioned the access rights as per requirement.
  RESOURCE        SECURITY_PROFILE                               ALLOW_PERMISSIONS       DENY_PERMISSIONS
  rfx.RFXDoc        fci.profile.doc.wft_category_manager     ODP_READ
  Please give some inputs on this. Am not sure if what I have done is the right way.
  Thanks.
  Vaishali.

  Hi Vaishali,
  I understand that you need these security profiles in another server going forward. I would suggest another way around rather.
  Please create the Security profiles in SAP Sourcing itself, then export the OMA file. When you move into another server please import this OMA file. This will serve the purpose of having the new security profiles in the new server.
  If you are modifing something in the workbook, then you should carefully review field details. As I am not sure which version of SAP Sourcing and details of workbook, so I would suggest the above way to try out.
  Hope this helps
  Thanks
  Jagamohan

• In R12.1.3, MO:Security Profile Vs HR:Cross Business Group precedence

  Hi All,
  In R12.1.3, Which profile option has higher precedence in MOAC structure.
  If i set the HR:Cross Business Group to NO at resp level and MO: Security Profile, which is associated to Global Security Profile which has two OUs of two different BGs.
  For example:
  I have BG1 - OU1
  BG2 - OU2
  Case 1:
  Global Security Profile - XXGSP has both OU1(BG1) and OU2(BG2) associated.
  HR:Cross Business Group - NO
  HR:Cross Business Group - BG1
  In Purchasing Responsibility, what could be the behavior when i create PO?. Will it show both OU1 and OU2? or OU1?
  Case 2:
  Global Security Profile - XXGSP has both OU1(BG1) and OU2(BG2) associated.
  HR:Cross Business Group - Yes
  HR:Cross Business Group - BG1
  In Purchasing Responsibility, what could be the behavior when i create PO?. Will it show both OU1 and OU2? or OU1?
  Case 3:
  Global Security Profile - XXGSP has both OU1(BG1) associated.
  HR:Cross Business Group - NO
  HR:Cross Business Group - BG2
  In Purchasing Responsibility, what could be the behavior when i create PO?. Will it show both OU1 and OU2? or OU1?
  Case 4:
  Global Security Profile - XXGSP has both OU1(BG2) associated.
  HR:Cross Business Group - Yes
  HR:Cross Business Group - BG1
  In Purchasing Responsibility, what could be the behavior when i create PO?. Will it show both OU1 and OU2? or OU2?
  Regards,
  Soorya

  Hi Soorya,
  We are in a similiar situation and I was wondering if you have received an answer or how you proceeded?
  Thanks,
  Cathy

• Override Security Profile for one employee

  Hi
  I have one employee who works in 'Accounts Department' and the HR user of accounts department can see only the employees of Accounts Department based on the security profile. This is working fine. But theres a different requirement. Some employees are transferred to other departments for 3-6 months for different purposes. During this time also the HR user of accounts department needs to view this employees details due to HR policies and procedures. Can we achieve this? If yes, how?
  - Gulzar

  Q 1 - When Employee is transferred from Dept 1 to Dept 2 for 6 months, Should the HR for both Dept 1 and Dept 2 be able to see his details for 6 months?
  Q 2 - After 6 months period, employee's organization is again updated to Dept 1, should again HRs of both Dept 1 and Dept 2 be able to see his details even after the 6 months period?
  Q 3 - If answer for Q 2 is - "after 6 months period, only HR of Dept 1 should see his details" , how to identify Employee's home department? Will it be the Employee's Organization effective as of Employee's hire date?

• Creation of custom security profile

  Hi,
  During creation of the security profile, there is field 'internal name' .
  What is the significance of this field and how the internal name should be maintained. As this field becomes display once the security profile is created.
  Pointers will be appreciated.
  Rgds,
  Madhan

  Hi Madan
  Internal name is used by the system to identify a profile. While creating a new profile e.g. System Administrator_XYZ which is lets say based on the original system admin profile but with limited rights (to be given to a few users), you can extend the original internal name and extend it for e.g. fci.profile.admin.xyz
  Hope this helps!
  Regards
  Mudit Saini

• SQL Query in Custom Security when creating Security Profile

  Hello all,
  I've created a security profile with Custom security and provided a simple query in Custom Security tab-
  PERSON.PERSON_ID = FND_GLOBAL.EMPLOYEE_ID
  Custom security option is "Restrict the people visible to each user using this profile"
  I am not able to see the record as expected.
  If I Hardcode the person ID "PERSON.PERSON_ID = 13449" with "Restrict the people visible to each user using this profile", I am able to see the record.
  If I Hardcode the person ID "PERSON.PERSON_ID = 13449" with "Restrict the people visible to this profile", I am able to see the record after running PERSLM and same is in PER_PERSON_LISTS.
  Am I correct in checking with FND_GLOBAL.EMPLOYEE_ID?
  (This was mentioned in system administrator guide :
  "+Oracle HRMS assesses the custom security when the user signs on. In addition, the custom security code can include references to user specific variables, for example, fnd_profile.value() and fnd_global.employee_id.+"
  docs.oracle.com/cd/E18727_01/doc.121/e13509/T2096T2098.htm).
  I have tried with FND_GLOBAL.USER_ID / FND_PROFILE.VALUE('USER_ID') / :ASG_ID (seeded query has a join with this bind variable) - not happening.
  I've given options as below :
  Employees = None
  Contingent Worker = Restricted
  Applicant = None
  Contacts = All
  Candidates = All
  All other options - Defaulted
  Thanks,
  Sumanth

  Resolved this - One cannot see self's employee record in the form for which this is setup.
  Hence the below query though correct in syntax did not show any data.
  PERSON.PERSON_ID = FND_GLOBAL.EMPLOYEE_ID
  My original requirement was that all employees belonging to one's Organization should be displayed, and this is working fine with an updated query for the same.
  Thanks,
  Sumanth

• Warning while uploading file into SAP - SAP GUI Security

  Hello Experts,
  When ever I am uploading any file to SAP from desktop, system asks me:
  "Do you want to grant access to this file - Yes or No"
  Also there is check box "Remember my decision"
  Refer screenshot
  Please note: This warning is given to me only. My other colleagues does not get this warning. How can I remove this
  Moreover, it is showing as "SAP GUI Security"
  Meena

  Hi Meena,
  It is just a warning message and so you can ignore it. Also, be informed that nothing is skeptical here. Things are working as it should work.
  You other colleagues must have clicked Remember my decision so now it is not asking them. You can click on remember my decision and then can click on yes. From next time on it wont ask. And even if it asks you just follow the same process.
  Hope this helps!
  Regards,
  Sanket Sachde

• REQIMPORT errors when security profile set using 12I

  I am submitting the purchase requisition import using the following script in release 12I. The request is submitted but completes with an error.
  declare
  l_request_id NUMBER;
  l_batch_id NUMBER := 1027;
  l_ou_count NUMBER;
  l_org_id NUMBER := fnd_global.org_id;
  l_ou_name VARCHAR2(200);
  BEGIN
  fnd_global.apps_initialize (1759 -- User ID
  ,50557 -- Responsibility ID
  ,201); --Application ID
  mo_global.init('PO');
  mo_global.set_policy_context('S', l_org_id);
  mo_utils.get_default_ou(l_org_id, l_ou_name, l_ou_count);
  dbms_output.put_line('OU Name: '||l_ou_name||' OU count: '||l_ou_count||' ORG ID: '||l_org_id);
  l_org_id := mo_utils.get_default_org_id;
  dbms_output.put_line('Default ORG ID: '||l_org_id);
  l_request_id := fnd_request.submit_request
  (application => 'PO'
  ,program => 'REQIMPORT'
  ,description => NULL
  ,start_time => SYSDATE
  ,sub_request => FALSE
  ,argument1 => 'CONSIGNED MANUAL'
  ,argument2 => l_batch_id
  ,argument3 => 'LOCATION' --'Location'
  ,argument4 => NULL
  ,argument5 => 'N'
  ,argument6 => 'Y');
  dbms_output.put_line('Request ID: '||l_request_id);
  END;
  The MO: Default Operating Unit and MO: Operating Unit profiles are setup for the given responsibility with an operating unit value. The MO: Security Profile profile is set to a given profile at the site and responsibility level.
  When I remove the MO: Security Profile at the site level the purchase requisition concurrent request completes successfully. Only when the MO: Security Profile is set at the site level is the purchase requisition concurrent program submitted using the attached script erroring out.
  I can submit the purchase requisition import using the submit request form without any errors. I believe this is because the operating unit field is being populated.
  Has anyone run into this issue? Am I missing any commands that define the operating unit used in the concurrent program submission in release 12I?
  Any help is greatly appreciated.
  Charles

  Hi,
  Only when the MO: Security Profile is set at the site level is the purchase requisition concurrent program submitted using the attached script erroring out.Please see if the guidelines about this profile option in the following documents help.
  Note: 784609.1 - How Does R12 MOAC Defaulting Rules and MO: Security Profile Work?
  Note: 397362.1 - Multi Org Access Control (MOAC) in Oracle Purchasing
  Note: 420787.1 - Oracle Applications Multiple Organizations Access Control for Custom Code
  Regards,
  Hussein

• Difference between SAP CRM Security and SAP ECC 6.0 security

  Hi
  I have extensively worked on SAP ECC security but haven't have chance to work on CRM Security.
  Can anyone please let me know the difference between CRM security compared to  ECC security.
  Thanks...

  I am sorry to say, but instead of giving the guy a decent answer you are starting a fight or discussion about stupid forum points...
  really sad.....
  The big  difference between SAP ECC and SAP CRM Security (up to release 5.0) was the following:
  1) For sure there are very different transaction codes in SAP CRM as compared to SAP ECC in the first place
  2)  If you are familiar with R/3 or ECC authorizations; then you know that already on transaction code level, the 'allowed activity' is controlled on tcode level , whereas in SAP CRM , in most cases the 'allowed activity is not controlled by the Transaction code, but on authorization object level....
  E.g. transaction code BP allows you to create/change/display  any type of Business Partner (e.g; sold-to/ship-to/contact person/employee/customer) which is based on the business partner ROLE concept.... anyway...you can control the allowed activity based on different authorization objects.....
  another example is business transaction processing...which can be launched by:
  a very generic transaction code: CRMD_ORDER
  transaction category related transaction codes :e.g.
        > CRMD_BUS2000126 for activity management
        > CRMD_BUS200115 for Sales processes
  Again...allowed activity is not controlled by the tcode, but on authorization object level...
  3) As of the new WEBCLIENT UI (which is valid as of release CRM2006s/CRM2007/CRM7.0) SAP also invented an extra authorization layer, which is UI COMPONENT LEVEL and logical links....  controlled by object UIU_COMP.
  However, they also introduced the BUSINESS ROLE Concept (e.g; SALESPRO/MARKETINGPRO/...) which defines actually the functionalities, navigation bar, screen configuration, logical links you can use/see within the new WEBclient UI.
  Another thing is that instead of using TRANSACTION CODES, as of these new releases, you are actually using 'external services'....so you do not authorize on tcodes basically....but the logic between tcodes and external services in relation to the authorization objects that are checked is more or less the same....
  STANDARD authorization setup in the new WEBUI client is therefore controlled by both backend authorizations (not UIU component related) and the UIU_COMP (restricting access to workcenters/logical links/...)
  4) Additionally SAP also provides a concept called ACE (which stand for ACCES CONTROL ENGINE)....
  This requires a bit of customizing...and the rest is more or less pure customer development, as you will create your own methods where you'll define a logic which dynamically will verify what kind of access you have for an object....
  You should now that ACE is actually implemented on top of your 'normal' sap crm security setup....
  cheers
  Davy Pelssers

• Empty line at the end of  SAP Java instance profile

  I saw this today in help.sap.com, which says that an Java instance profile must have an empty line at the end of the file, would anyone know what is it for ?
  The instance profile (/usr/sap/<SID>/SYS/profile/<SID>_<instance name>_<hostname>) u2013 this file contains settings that apply to the instance as a whole. For a Java-only installation, the file can be edited with any text editor (beware that the file must have an empty line at the end.);
  http://help.sap.com/saphelp_nw04s/helpdata/en/2e/611724f410254ca12a3f396ec5ae85/frameset.htm
  thank you
  Jonu Joy

  I have heard many "explanations" for this, but never really any solid answers.
  From experience, however, I can tell you that the SAP profiles (both ABAP and Java) will miss the last parameter if it is located on the bottom line of the file.  I have always put in two or three blank spaces at the bottom of the profiles in order to avoid this.