SAP Role Security for BSP

Hello Experts,
I am developing a BSP application in a BW environment for some custom table maintenance, which doesn't involve the Portal.
I call the BSP application with the "CALL_BROWSER" FM from programs. They want to control access for the users based on role, auth objects or other means inside the system.
Because if some user knew the URL for the BSP, the security is pretty open.
Is there any way to do security for BSP based on roles?
Best Regards
Arun Prasad

Hi,
Here are the steps:
1. Create the role in PFCG with the following Auth Object detail:
2. Create the authorization check for ICF access, Internet Communication Framework (S_ICF), with Field ID ICF_FIELD. Check the checkbox SERVICES. For the same Auth Object create another Field ID "ICF_VALUE"; here assign your BSP Application ID, let's say MYBSP.
3. Then go to the SICF transaction, go to your BSP Application node, and under service data enter this ID, MYBSP, against SAP Auth.
4. Now you need to check the Auth object before calling the FM CALL_BROWSER, the way you do it for a normal ABAP report.
Hope this will solve your problem. Let me know if you have any questions.
* Reward each useful answer
Raja T
Message was edited by:
        Raja T
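
The check from step 4, sketched as an added ABAP example that is not part of the original answer. The report name, URL and message text are hypothetical; MYBSP is the ID from steps 2 and 3, and 'SERVICE' is assumed to be the ICF_FIELD value behind the SERVICES checkbox (confirm it in PFCG).

```abap
REPORT zbsp_launch_checked.
* Added example, not code from the thread.
* Assumptions: report name, URL and message texts are hypothetical.
* MYBSP is the value entered in the role (step 2) and in SICF (step 3).
* 'SERVICE' is assumed to be the ICF_FIELD value that the SERVICES
* checkbox sets; verify the value in PFCG before using it.

CONSTANTS: gc_icf_field TYPE c LENGTH 10 VALUE 'SERVICE',
           gc_icf_value TYPE c LENGTH 30 VALUE 'MYBSP'.

* Constructed placeholder URL of the BSP start page.
DATA gv_url TYPE c LENGTH 255
  VALUE 'http://sapbw.example.com:8000/sap/bc/bsp/sap/zmybsp/default.htm'.

START-OF-SELECTION.

  " Same object and field values as maintained in the role and in SICF,
  " so the program and the ICF service node are governed by one role.
  AUTHORITY-CHECK OBJECT 'S_ICF'
    ID 'ICF_FIELD' FIELD gc_icf_field
    ID 'ICF_VALUE' FIELD gc_icf_value.

  IF sy-subrc <> 0.
    " Any non-zero return code means the check failed: do not open
    " the browser, tell the user and stop.
    MESSAGE 'You are not authorized to maintain this table.'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  CALL FUNCTION 'CALL_BROWSER'
    EXPORTING
      url                    = gv_url
    EXCEPTIONS
      frontend_not_supported = 1
      frontend_error         = 2
      prog_not_found         = 3
      no_batch               = 4
      unspecified_error      = 5
      OTHERS                 = 6.

  IF sy-subrc <> 0.
    MESSAGE 'The browser could not be started.'
      TYPE 'S' DISPLAY LIKE 'E'.
  ENDIF.
```

This program-side check only covers the launch path from the ABAP program. A user who opens the URL directly never runs it, so the SAP Authorization entry on the SICF node (step 3) is what protects the service itself.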

Similar Messages

  • SAP Roles and Access for SAP Implementation team members

    Hi,
    Is it correct practice to give SAP_ALL role access for all SAP Implementation team members in Dev and QA?
    If not, what is the correct practice?
    Kindly let me know

    Madhu,
    It is NOT correct practice to give anyone SAP_ALL in any of the systems; not DEV, not QAS, and certainly not PRD. However, many implementation teams (and particularly consultants from SIs) insist that they cannot possibly do their jobs without it. This is completely incorrect as there are specific roles for them to use for that purpose. The only circumstance where it could be justified is if you require a special "firefighter" role - and even then, I would still be a bit doubtful.
    You should also consider that once you have given someone SAP_ALL, they will fight tooth and nail to keep it. It also means that they probably are not testing the user roles correctly. Most of those that insist they need it simply do not understand the security issues and probably don't care.
    Just think; if they have access to do something that they shouldn't and then cause a big problem, are they the ones that will have to fix it or are they going to expect you to do it? If they expect you to clear up after them, then you have the right to insist on restricting their access to cause issues in the first place.
    But I know just how demanding they can be....
    Best of luck
    Tony

  • Row level Security for BI Author Role

    Hi All,
    We are using OBIEE 11.1.1.5 in our project. We have a requirement where we need to configure row level security on a certain column.
    We are currently using the external table and session variable approach to configure this. This security works fine for the users with BI Consumer roles. But we are facing an issue with configuring row level security for the BI Author role.
    A BI Author can create any analysis in BI Answers, and suppose he/she creates a report which does not contain the column on which row level security is applied, then he can see all the data. For example:
    We have one dimension, Products, having two levels, Product Division and Brand. I want to configure security based on the Product Division column.
    But if a BI Author creates a report with only Brand and Measures, then row level security is not working.
    Has anyone faced this issue before?
    Please let me know if you want any other information from my side.
    Regards,
    Vikas

    If you are using a multidimensional cube you can use the "permit" command to control access to dimension members or provide cell level security within the cube. The OLAP database documentation provides on how to use the PERMIT command.
    If you are using relational tables and/or views with additional CWM metadata mapped using OEM then you need to refer to the database documentation relating to Virtual Private Databases and Label Security
    Business Intelligence Beans Product Management Team
    Oracle Corporation

  • Role Menu for ESS (WDA) in SAP NWBC

    Dear experts,
    I am implementing ESS&MSS using SAP NWBC. For this use the following documentation:
    Configuration of the Role Menu for ESS (WDA) in SAP NWBC - SAP Documentation
    SAP delivers the composite role SAP_EMPLOYEE_ESS_WDA_2.
    1. Call up transaction PFCG and create or copy your customer-specific role based on the standard shipped composite role for ESS (WDA), SAP_EMPLOYEE_ESS_WDA_2 in the customer name space (Z_*.
    I have copied this role with the singles roles
    My first question: Should I modify my composite role to add a new folder that contains two customer WDA applications, or should this be done in the single role? How can I do it?
    My second question:
    Why can't I display the folder in the top screen "Employee Self-Service"---"Employee Self-Service XX"---"Employee Self-Service2" (see image, left)?
    Thanks

    Hi Armin,
    For NWBC you must place transactions under the second folder down (or at least this is how it works for NWBC for ERP roles). Standard NWBC roles have 'Role menu' as top folder and then (generally) one main folder under that - like 'Purchasing'. Transactions should go under this folder or under a subsequent sub-folder.
    There are additional parameters using right click 'Details for Net Weaver Business Client' under PFCG also - but assume your documentation has explained this to you.
    Regards,
    Craig

  • "standard" SAP roles for Sales and Operations Planning (SAP SOP)

    Hallo,
    I'd like to ask SOP specialists if there are any "standard" SAP roles which could be created when SOP is implemented into the SAP system.
    If not, could you please send me advice, what is (are) the general role(s) for SOP (which SOP transactions and roles)?
    Thank you for your effort,
    Martin

    -->
    If you don't have the role --> open OSS
    If you don't find it because there are so many:
    Good luck :-)

  • Video Tutorials for SAP Basis & Security

    Hi,
    Are any CBT Nuggets/video tutorials also available for SAP Basis & Security?
    Please provide me the link if it is available.

    Saurabh,
    You cannot expect A to Z of SAP Basis and Security tutorials in videos. Maybe you can find some basic to important information.
    Refer to the links though
    www.youtube.com/watch?v=OT4PQarbT0k
    www.learnsap.com/config/basis.html
    http://sapdownloads.blogspot.com/.../sap-basis-training-for-beginners.html
    Just google it, you will find loads of information.
    Good Luck
    Regards,
    Arjun

  • SAP HANA Security - Best Practice for Access to Schemas??

    Hi,
    Currently we don't have a defined security model in HANA Studio. Nor are there any defined duties for BASIS / Security / Developers.
    I want to understand what best practices are followed at other customers for defining security for Schema.
    1. Who should be creating the schema for Developers / Modelers?
    2. Should we use our own ID's to create/maintain these Schema or a Generic ID?
    Right now, when developers log in to Studio, by default they are assigned to their own schema (User ID) and they create objects under that.
    We (Security team) face issues when other developers need access to the schema of another user, as they want to develop objects under the schema of a different user.
    Also, who should be owning the "SYSTEM" user ID and what steps need to be done whenever a new schema is created?
    Thanks for the help in advance.

    Hi,
    I created a project (JDeveloper) with local xsd-files and tried to delete and recreate them in the structure pane with references to a version on the application server. After reopening the project I deployed it successfully to the bpel server. The process is working fine, but in the structure pane there is no information about any of the xsds anymore and the payload in the variables there is an exception (problem building schema).
    How does bpel know where to look for the xsd-files and how does the mapping still work?
    This cannot be the way to do it correctly. Do I have a chance to rework an existing project or do I have to rebuild it from scratch in order to have all the references right?
    Thanks for any clue.
    Bette

  • Security for creating web templates using web application designer

    I work for ChevronTexaco as a BW Security Analyst. I have a request to set up roles for web template creation using the Web Application Designer. Where can I get help in setting up the security for these types of roles? My experience is in setting up roles for running and creating queries in BEX. I need to know what additional authorizations will enable web template creation. Setting up a trace in ST01 has been less than helpful since it dumps out tons of RS_COMP tracing that doesn't help me much.
    The user wants to be able to create web templates for existing queries in BEX and restrict by rs_comp infocubes/areas/reportid, etc. and to be able to save to restricted role names. Are there new auth groups specific to this type of activity that I need to code for in addition to the basic end user or report builder authorizations?
    Any help would be greatly appreciated.
    Jeff Ehritt
    925 827-6012
    ChevronTexaco

    Thanks Marc, I'll check it out. My problem was that I was trying to create the role by granting a userid sap_all, sap_new and s.a_system as well as power user auths for a specific application. I set up a trace in ST01 for authorization checking on the ID while one of our BW Central Support people went into Web Designer to create a template and everything else they wanted to do.
    The resulting trace spewed out so much stuff from S_RS_comp and comp1 as to be virtually useless, since it named scores of different cubes and infoareas that the analyst wasn't even interested in. The results puzzled me and made it extremely difficult to pin down the required authorizations. Usually ST01 can be used as a blueprint to create the role, i.e. everything that the user touches is traced but no more than that. Have you seen this before? With just the new role I had set up, the user could not save to a role unless I coded the fully qualified role name such as YRH_SENDAT_USER. YRH* would not work.
    Thanks,
    Jeff Ehritt
    ERP COE SAP BW Security

  • Difference between SAP CRM Security and SAP ECC 6.0 security

    Hi
    I have worked extensively on SAP ECC security but haven't had a chance to work on CRM security.
    Can anyone please let me know the difference between CRM security and ECC security?
    Thanks...

    I am sorry to say, but instead of giving the guy a decent answer you are starting a fight or discussion about stupid forum points...
    really sad.....
    The big  difference between SAP ECC and SAP CRM Security (up to release 5.0) was the following:
    1) For sure there are very different transaction codes in SAP CRM as compared to SAP ECC in the first place
    2)  If you are familiar with R/3 or ECC authorizations; then you know that already on transaction code level, the 'allowed activity' is controlled on tcode level , whereas in SAP CRM , in most cases the 'allowed activity is not controlled by the Transaction code, but on authorization object level....
    E.g. transaction code BP allows you to create/change/display  any type of Business Partner (e.g; sold-to/ship-to/contact person/employee/customer) which is based on the business partner ROLE concept.... anyway...you can control the allowed activity based on different authorization objects.....
    another example is business transaction processing...which can be launched by:
    a very generic transaction code: CRMD_ORDER
    transaction category related transaction codes :e.g.
          > CRMD_BUS2000126 for activity management
          > CRMD_BUS200115 for Sales processes
    Again...allowed activity is not controlled by the tcode, but on authorization object level...
    3) As of the new WEBCLIENT UI (which is valid as of release CRM2006s/CRM2007/CRM7.0) SAP also invented an extra authorization layer, which is UI COMPONENT LEVEL and logical links....  controlled by object UIU_COMP.
    However, they also introduced the BUSINESS ROLE Concept (e.g; SALESPRO/MARKETINGPRO/...) which defines actually the functionalities, navigation bar, screen configuration, logical links you can use/see within the new WEBclient UI.
    Another thing is that instead of using TRANSACTION CODES, as of these new releases, you are actually using 'external services'....so you do not authorize on tcodes basically....but the logic between tcodes and external services in relation to the authorization objects that are checked is more or less the same....
    STANDARD authorization setup in the new WEBUI client is therefore controlled by both backend authorizations (not UIU component related) and the UIU_COMP (restricting access to workcenters/logical links/...)
    4) Additionally SAP also provides a concept called ACE (which stands for ACCESS CONTROL ENGINE)....
    This requires a bit of customizing...and the rest is more or less pure customer development, as you will create your own methods where you'll define a logic which dynamically will verify what kind of access you have for an object....
    You should know that ACE is actually implemented on top of your 'normal' SAP CRM security setup....
    cheers
    Davy Pelssers

  • Making existing roles watertight for HR data

    Hello,
    I hope to get nudged in the right direction in here. I already descended pretty much to the end of my rope and ... well ... I need some more rope
    The situation is like this - I inherited everything that has to do with maintenance of authorizations on our system half a year ago, the guy that did that before me is no longer in the company (so there's no use in asking what he was thinking (if anything) when he was putting the roles together). Documentation is scarce/non-existing. When it exists it's usually not up to date. I'm not exactly a newbie in authorizations field, but at the same time I'm not really that far away from being a newbie yet, so I'm not beyond listening to basics being pointed out to me.
    The Utopia:
    There are five single roles built for all users of our system (say R1, R2, ... , R5). They're supposed to build on one another, R1 being the basic role, R2 having a couple more authorizations than R1, and so on until R5 which is the role that also has all HR authorizations.
    The Reality:
    The roles have been designed in a hurry and from the top down starting with the sap_all profile and removing some (or most of the) CA, BC and HR authorizations. They were not properly tested. They do not derive from one another in any way ... R2 for example is a complete copy of R1 with some additional objects and values, same for all the others. Every problem needed to be fixed five times, once for every role. That of course resulted in chaos, things got changed just in one place and the basic role suddenly got more powerful than all the rest. These roles are in use in the production system and there are no plans to substitute them with something better in the very near future.
    The Problem:
    Suddenly (yeah, right ) the need arose to have these roles watertight with regard to HR data. I did some rudimentary testing and sure enough they're nowhere near watertight even for the most common HR transactions. There are ranges defined in S_TCODE for which I have no idea why they are as they are, there was access to SA38 given where SAP HR programs with no authorization group (and no transaction code) assigned could be run by everyone ... there's god knows how many other security holes. The only help I got from the HR consultants was the list of all 2000 or so HR transactions (taken from the SAP menu tree) which shouldn't be accessible to a normal user. I suspect I might be in need of a typing monkey to check them all five times
    Question:
    How do I close as many security holes in these roles as possible? What's the strategy when dealing with such tasks? I've made it clear to the management that we probably won't have watertight roles if we don't create new ones, but making a set of new roles created properly from the bottom up is out of the question at this moment.
    I'd be extremely grateful for any advice or if anyone could point me to any kind of documentation about making roles like ours more secure for protecting HR data (and also keeping the users away from any BC stuff).
    In the meantime, I'm off to searching through the archives of the forum.
    ursa

    Mopping the floor with the water running is a spot on description
    Actually we're in the process of setting up new and improved authorizations but (of course!) the testing phase turned out to be much more time consuming than anticipated. No surprise to me, however someone obviously thought authorizations are a matter of defining roles and their menus and the system does everything else by itself. Riiight.
    What I did so far - first I educated myself on the specifics of HR authorizations. I never had to deal with those before, so (for example) it was a surprise to me that there's actually a separate SAP course dealing with HR authorizations Then I compared the existing roles to each other like you suggested and figured out a way that allowed me to do all the modifications with least amount of work. I cleaned most of the infotypes out of P_ORGIN and (to cover my behind), adjusted the ranges in S_TCODE to exclude the 2000 HR transactions our HR consultant listed for me.
    Most importantly - I made it clear to the guys above me, that with the roles we use I can't guarantee HR data to be inaccessible for people who should stay away from it. So ... back to the testing of the new authorizations
    Thanks for your help! It always makes a huge difference to get something like a second opinion when one can't decide if left is better than right or if it's the other way around.
    ursa

  • Duet Enterprise 1.0 SP2 - SAP Role based authentication

    Hi All,
    We have implemented Duet Enterprise 1.0 SP2 in our landscape. Now we are trying to implement SAP role based authentication.
    But we don't know which role to assign for which authorisation. In my scenario I have created 2 users. For one user I want to have only read access to all lists (Contact, Employee, etc.) and for another user I want to have all access (read, write, modify, delete) on all lists available at SharePoint.
    Can someone help me and tell me what roles (template) need to be assigned for what operation?
    Which roles do I assign to the user in SAP to restrict the user's access at SharePoint?
    Thanks & Regards
    Virender Solanki
    09818316550

    Hi Binson,
    I want to restrict the CRUD operations (create, update etc.) by giving roles in the backend system. I am able to apply the restriction at the SharePoint end but I don't want that. I want SAP role based security.
    So i want, according to given roles in backend system user is able to do operations at sharepoint.
    Thanks & Regards
    Virender Solanki

  • BO authorization model with sap roles / access tot folders, functionalities

    Hi Specialists,
    As an authorization consultant in BI, I have little knowledge of the security setup in Business Objects.
    I have to set up an authorization model where the authorizations are assigned via SAP roles in the backend BI system. These roles are imported into BO, where they can serve as 'user groups' and give access to folders and functionalities.
    Can anyone provide me an overview, guide, training document... on how the authorizations are managed in BO and best practice when they are linked to SAP backend roles?
    The goal will be to use the SAP BI backend roles and use them to grant users in BO specific access to specific folders. E.g. User A can access folder 1 as "refresher only", User B is able to publish reports in folder 2, User C has only view access in folder 2...
    Any help would be great!
    Thanks very much in advance.
    rgrds
    Kristof

    Hello,
    this is the best approach you mentioned here.
    I prefer to create roles serving as functionalities in the Backend. For example, you have a "View" role, a "Refresh" role and so on.
    On the other hand, I saw some setups where there is only one role in the Backend with all the BO users. Then you have to create your functional groups in BO and have to assign the users there to the groups.
    Check the Adminguide of BO XI 3.1 for more Informations.
    Regards
    -Seb.

  • Screen Level Security for the Material Master

    We need to create security for the material master by screen views. The Purchasing group needs to be able to change the Purchasing and MRP screens but none of the other screens. How would we accomplish this with SAP security?
    Thanks!

    Janet,
    It is hard for us to know how your authorization profiles or roles are constructed.  You really should consult your local authorization expert.
    The Authorization object you are looking for is M_MATE_STA.  It is probably contained in at least one of your Roles or Profiles that are currently assigned to your MM maintenance people. At a minimum, it should exist in standard SAP profile M_MATE_ALL in your system.  You can review all of these types of authorization info in the User Information System (transaction SUIM).
    You would have to create roles or profiles that narrowly define the "User department" fields for M_MATE_STA object.  You would also have to search for existing roles/profiles that contain "*" in this field, and determine if these entries are still appropriate in your new authorization business process you want to begin.
    Below is the SAP help about this authorization object
    M_MATE_STA
    Definition
    Maintenance status authorization for material master records
    The data contained in a material master record is divided into user departments or views (Purchasing, MRP, and so on). The maintenance status is a single-character key for the relevant user department or view.
    This object determines which user departments or views a user is authorized to process; that is, which data he or she may process from this view.
    Note
    To use material master functions, a user needs the authorization for at least one user department.
    Defined Fields
    Fields               Possible values      Meaning
    ACTVT                01                   User may create data.
                         02                   User may change data.
                         03                   User may display data.
                         06                   User may flag data for deletion.                       
                         08                   User may display change documents. 
    STATM                                     Here, you specify the maintenance status for which the user is authorized.         
    The maintenance statuses possible are as follows:
    User department                Maintenance status
    Work scheduling                   A
    Accounting                        B
    Classification                    C
    MRP                               D
    Purchasing                        E
    Production resources/tools        F
    Costing                           G
    Basic data                        K
    Storage                           L
    Forecasting                       P
    Quality management                Q
    Warehouse management              S
    Sales                             V
    Plant stocks                      X
    Storage location stocks           Z
    Notes
    This authorization object also determines:
    o   Whether a user may flag a material master record for deletion. In this case, 06 must be entered in field ACTVT; the maintenance status is irrelevant here.
    o   Whether a user may change the material type. In this case, 02 must be entered in field ACTVT; the maintenance status is irrelevant here.
    o   Whether a user may process an MRP profile or forecast profile. In this case, the following values must be entered in field ACTVT:
    -   01 to create
    -   02 to change or delete
    -   03 to display
    The maintenance status must be D for the MRP profile or P for the forecast profile.
    o   Whether a user may create an overview of all extendable materials. In this case, 01 must be entered in field ACTVT; the maintenance status is irrelevant here.
    o   Whether a user may call up the materials list. In this case, 03 must be entered in field ACTVT; the maintenance status is irrelevant here.
    o   Whether a user may create or change production versions from task lists. In this case, 02 must be entered in field ACTVT, and A in field STATM.
    Rgds,
    DB49

  • Career in SAP BASIS comparison with SAP GRC/Security

    Hi Everyone,
    I am an SAP BASIS consultant with 2 years of experience working in a MNC company,
    I want to change my career to SAP GRC/SAP Security; I have some basic knowledge of SAP Security.
    Could you please advise me which one to choose?
    Does SAP GRC/Security have demand, and can we get opportunities to work abroad compared to SAP BASIS?
    Which one has more scope, SAP BASIS or SAP Security/GRC?
    Because in BASIS, I am not getting enough scope to work on some good things like installation, upgrades, migration;
    I am doing a very basic kind of work like transports, job scheduling, monitoring, and other small activities.
    So I request you people to advise me.
    <removed_by_moderator>
    Read the "Rules of Engagement"
    regards
    Rakesh  Rao
    Message was edited by: Juan Reyes

    Hi Rakesh
    I saw your post in GRC and was waiting of it to appear here
    First up - 2 years is still junior. You may find batch jobs, transports, monitoring, etc. all mundane, but it is a foundation and learning groundwork and foundations to being a good Basis Administrator. And one thing's for sure, an awesome Basis (I name my best-techy-friend) makes a huge difference on project timelines and deliverables for the rest of us.
    Installation and upgrades come with time. Whilst still performing junior tasks you could focus on reading up on approaches in case an opportunity in your job comes up, and be prepared to prove to your management that you are ready for a bigger responsibility.
    Switching to GRC/Security would be pointless unless you have a desire to learn GRC or Security. These are my background and they are undervalued until things go wrong (insurance policy in a way).
    If you do switch you will reset your 2 years of domain experience back to 0 and you will start off with password resets and basic user administration
    It takes time to work through the ranks. It was 3 years before I got to build my first role. I spent my first few years in security on email chasing approvals, password resets, user account creation, running reports for audit - sounds familiar to what you are doing now?
    You have to master the basics before you are trusted and ready for the more complex activities. By knowing what you are doing now you will be more successful when the time comes to step up and do migrations, upgrades and installations. Supporting production by mastering your technical analysis skills is how you can break through being a fresher/junior.
    Regards
    Colleen
    Ps - if your motivation is more than "good things" happy to answer questions specific to security and GRC.
    Also, boring doesn't mean it can't get interesting nor does it mean it's a worthless activity: SPAU transport imported before patching!!
    Message was edited by: Colleen Lee
    Added link for when transports go bad

  • Error when importing SAP roles into BO Edge XI 3.1

    Hello,
    I'm currently setting up the SAP Best Practices on a BO Edge XI 3.1 system (32 bit) and trying to link up with an SAP ECC 6 EHP 4 system (64-bit).
    When getting to the authorisation step I go to the CMC > Authentication > SAP > Role Import.
    There I receive following error: 
    JCO.classInitialize(): Could not load middleware layer 'com.sap.mw.jco.rfc.MiddlewareRFC' JCO.nativeInit(): Could not initialize dynamic link library sapjcorfc. Found version "2.1.9 (2010-01-28)" but required version "2.1.8 (2006-12-11)".
    After closing and re-entering the same tab I receive following message: org.apache.jasper.JasperException
    I have not even the possibility to enter the roles manually. The system doesn't allow me.
    There is no specific SNC security set up for my SAP system.
    I have been able to connect to the logical system of SAP because when I updated on the tab: "Entitlement Systems" it proposed my logical system name that I created in SAP.
    As I found on another SAP forum the version 2.1.9 should also be the good version.
    Can someone help me out with this one (does anyone still have the older SAP Java connector version 2.1.8)?
    thanks in advance
    Thierry

    Hello,
    That's what i did but didn't help.
    I finally managed to find the problem. I had also to install a file named librfc32.dll in the same directory. When installing the necessary files apparently the version of this file librfc32.dll was not the correct one because it didn't match with the version that is installed together with the Sap gui (I presume). So by re-installing the former version of this file librfc32.dll it finally worked.
    thanks anyway
