SAP Role to limit access to few ledger accounts

Hi
I have created a SAP role which has Display access to FAGLB03 using pfcg.
I want to restrict this role only to a certain number of Ledger accounts.
Say like XXXX5, XXXX17, XXXX23, XXXX45, etc.
Can we restrict using any Authorization object?
Thanks
Hari.

Hi Duggineni,
I would suggest you make use of the Authorization Group in the GL Master
F_BKPF_BES
I have created one role, ZFAGLBO3, in which T.Code FAGLB03 is authorized, and users are assigned to this role ZFAGLBO3. Now all these users can access all the GLs by T.Code FAGLB03, except for a few GLs in which I have entered Authorization Object "OTHG". So your requirement was to restrict a few GLs in roles, which can be met by using Authorization Object F_BKPF_BES.
In the above role you can see the highlighted object F_BKPF_BES has a NIL value against BRGRU.
Now I have created one test user, who has this role ZFAGLBO3.
See the results:
All GL masters don't have authorization objects, so this user can display the balances.
He can
Note: These users can't display balances in FAGLB03 for a few GLs, which is your requirement, as I understand it. Just add any authorization group in the GL master; in this case I have entered "OTHG" in one GL, see below snapshot:
When these users of profile "ZFAGLBO3" try to display balances of the few GLs that have the Authorization Group field filled in master data, the system will give the below error:
I hope this will clear your understanding, and give you an idea, how you can use this to meet your requirement.
Regards
Javed
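
The check Javed describes above, modelled in Python as an added example (not part of the thread and not SAP code): an account with no authorization group in its master is displayable by any role, while an account with a group needs a matching BRGRU value in F_BKPF_BES. The account numbers and the group FIN1 are constructed; OTHG and the role name ZFAGLBO3 come from the answer.

```python
from dataclasses import dataclass

DISPLAY = "03"  # standard SAP activity value for "display"


@dataclass(frozen=True)
class GLAccount:
    number: str
    auth_group: str = ""  # authorization group in the G/L master; "" = not maintained


@dataclass(frozen=True)
class BkpfBes:
    """One F_BKPF_BES authorization held through a role (model, not SAP code)."""
    brgru: tuple = ()            # permitted authorization groups; () models the NIL value
    actvt: tuple = (DISPLAY,)    # permitted activities


def _allows(granted, wanted):
    """Authorization value match: an exact value, or a pattern ending in '*'."""
    for value in granted:
        if value == wanted:
            return True
        if value.endswith("*") and wanted.startswith(value[:-1]):
            return True
    return False


def can_display(account, auths):
    """True if a user holding `auths` may display balances of `account`."""
    if not account.auth_group:
        # No group in the master record: the object does not restrict this account.
        return True
    return any(
        _allows(a.brgru, account.auth_group) and _allows(a.actvt, DISPLAY)
        for a in auths
    )


def displayable(accounts, auths):
    """Account numbers the role can display, in input order."""
    return [a.number for a in accounts if can_display(a, auths)]


def open_to_every_role(accounts):
    """Audit helper: accounts that no BRGRU value can restrict."""
    return [a.number for a in accounts if not a.auth_group]


# Constructed sample master data (hypothetical account numbers).
SAMPLE_ACCOUNTS = [
    GLAccount("100005"),
    GLAccount("100017", "OTHG"),
    GLAccount("100023", "OTHG"),
    GLAccount("100045", "FIN1"),
]

ZFAGLBO3 = [BkpfBes(brgru=())]            # role from the answer: NIL against BRGRU
WITH_OTHG = [BkpfBes(brgru=("OTHG",))]    # hypothetical role that also holds OTHG

if __name__ == "__main__":
    print("ZFAGLBO3 can display:", displayable(SAMPLE_ACCOUNTS, ZFAGLBO3))
    print("Role with OTHG can display:", displayable(SAMPLE_ACCOUNTS, WITH_OTHG))
    print("Unprotected accounts:", open_to_every_role(SAMPLE_ACCOUNTS))
```

open_to_every_role lists the accounts that stay visible to every role with FAGLB03, so when a role is meant to see only a few accounts, any account outside that set that shows up in this list still needs an authorization group in its master.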

Similar Messages

  • BO authorization model with sap roles / access tot folders, functionalities

    Hi Specialists,
    As an authorization consultant in BI, I have little knowledge of the security setup in Business Objects.
    I have to set up an authorization model where the authorizations are assigned via SAP roles in the backend BI system. These roles are imported into BO, where they can serve as 'user groups' and give access to folders and functionalities.
    Can anyone provide me an overview, guide, training document... on how the authorizations are managed in BO and best practice when they are linked to SAP backend roles.
    The goal will be to use the SAP BI backend roles and use them to grant users in BO specific access to specific folders. E.g. User A can access folder 1 as "refresher only", User B is able to publish reports in folder 2, User C has only view access in folder 2...
    Any help would be great!
    Thanks very much in advance.
    rgrds
    Kristof

    Hello,
    this is the best approach you mentioned here.
    I prefer to create roles that serve as functionalities in the Backend. For example you have a "View" role, a "Refresh" role and so on.
    On the other hand I saw some setups where there is only one role in the Backend with all the BO users. Then you have to create your functional groups in BO and have to assign the users there to the groups.
    Check the Admin Guide of BO XI 3.1 for more information.
    Regards
    -Seb.

  • Read only access to few users & RW to others for Web Dynpro App in EP

    HI All,
    I am creating a few iViews using custom development and am able to display them on the EP fine. Now customers want to give read only access to a few users and read/write access to a few users. Can anyone point me to the right documentation or the steps to be performed to achieve this?
    Thanks
    Rajeev

    Hi Rajeev,
    Please create a role/group for the WD application to which you want to assign read or read & write for the users. Access the role/group in the WD application and restrict the access to UI Element properties.
    Refer to below documents for protecting Access to the Web Dynpro Application Using UME Permissions.
    [help.sap.com|http://help.sap.com/saphelp_nw04/helpdata/en/f3/a64d401be96913e10000000a1550b0/content.htm]
    [Example|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/297f35cf-0201-0010-00b2-fe2f3e23d360?QuickLink=index&overridelayout=true]
    Hope it helps
    Regards
    Arun

  • GRC - SOD Conflict Management (SAP Role Substitution)

    Hi,
    I am looking to see how others handle SAP Role Substitution and SOD conflicts.
    For example, a person is going to be out on vacation for a few days and assigns their roles to another employee to continue with daily tasks... SOD risks result because of the temporary assignment and role combinations... What are you guys doing to manage and monitor this sort of activity?
    Your help and comments greatly appreciated!

    Hi
    As already stated by Martin, one of the options for handling additional backup access for users could be through Superuser Privilege Management (if GRC has been implemented with your client). This would allow detailed reporting at transaction level for audit purposes.
    If GRC is not implemented with your client, then for any additional access which results in SoD there has to be proper documentation of the temporary access assignment to users (for audit purposes). The mitigation control should be documented and submitted by the supervisor of the user to the SoD team to ensure proper compliance is in place for the additional access provided to the user.
    Thanks.
    Anjan

  • SAP GRC 10 - PSS Access from SAP ECC System

    I have configured Password Self Service in GRC System and is working perfectly fine for all password resets if access provided to NWBC from  GRC System.
    We have a requirement to allow end users to reset their password using the SAP ECC System only. I have tried to access NWBC using the SAP ECC System but it is giving me an error that the menu is not configured or roles are not assigned.
    Currently Maintain Data Sources is configured as below
    User Search Data Sources, User Detail Data Sources & User Authentication Data Sources are set to the ECC Connector and End User Verification is set to yes. We are not using LDAP / Active Directory for the User Search Database and instead ECC only.
    Can anyone provide the roles to be assigned in the SAP ECC System to access NWBC - Password Reset?

    Hi Anil,
    In support to Colleen's comments, It seems that you have not configured the USER on the End User Services.  You need to make sure that the guest user (not available in GRC) is configured in each of the 10 services in SICF for the end user Login Pages to work.
    Here are the 10 required services to be activated:
    1.)GRAC_OIF_MY_PROFILE_EU
    2.)GRAC_GAF_NAME_CHANGE_SERV_EU
    3.)GRAC_POWL_REQUEST_STATUS_EU
    4.)GRAC_GAF_PWD_SELFSERVICE_EU
    5.)GRAC_OIF_USER_REGISTER_EU
    6.)GRAC_GAF_ACCREQ_WITH_REQREF_EU
    7.)GRAC_OIF_REQUEST_SUBMISSION_EU
    8.)GRAC_GAF_ACCREQ_WITH_TEMPL_EU
    9.)GRAC_GAF_ACCREQ_WITH_USEREF_EU
    10.)GRAC_UIBB_END_USER_LOGIN
    You can refer note#http://service.sap.com/sap/support/notes/1628387
    If the user is not present in GRC system then, they have to go with end-user-logon page to reset their passwords where you can always define the user authentication configurations.
    Regards,
    Ameet

  • Duet Enterprise 1.0 SP2 - SAP Role based authentication

    Hi All,
    We have implemented Duet Enterprise 1.0 SP2 in our landscape. Now we are trying to implement SAP role based authentication.
    But we don't know which role to assign for which authorisation. In my scenario I have created 2 users. For one user I want to have only read access to all lists (Contact, Employee, etc.) and for the other user I want to have all access (read, write, modify, delete) on all lists available at SharePoint.
    Can someone help me by telling what roles (template) need to be assigned for what operation?
    Which roles do I assign to the user in SAP to restrict the user's access at SharePoint?
    Thanks & Regards
    Virender Solanki

    Hi Binson,
    I want to restrict the CRUD operations (create, update, etc.) by giving roles in the backend system. I am able to apply the restriction at the SharePoint end but I don't want that. I want SAP role based security.
    So I want the user to be able to do operations at SharePoint according to the roles given in the backend system.
    Thanks & Regards
    Virender Solanki

  • Adding tcode to role in display access.

    Hello,
    Please can someone suggest how we can add transaction codes to a SAP role with only display access.
    That means users should have only display access when they execute that transaction. Please suggest.
    Thanks.

    adnan shahid wrote:
    > I would like to add the following tcodes in display access. In all the tcodes only auth object present is S_TCODE.
    >
    > OKY9
    > OKYA
    > OKY0
    > OKKM
    > OKK6
    > OKK5
    > OKG6
    >
    > Please suggest.
    I suggest that you run an authorisation trace to see what objects those transactions reference.
    Create a role with those transactions and objects in display only mode.  Then get a functional consultant to negative test those roles.
    Don't assign with other roles which give change access to the auth objects you have restricted.

  • Third party background ID requires standard SAP role

    We are connecting to a 3rd party through a background ID that we have created on the ABAP side.
    However, in testing this access, we notice that this connection does not work if we assign a custom role (or even SAP_ALL) to it.  It works ONLY if we assign a specific SAP-delivered role (SAP_XI_ADMINISTRATOR_J2EE) to it.
    We have logged into the J2EE UME and assigned our custom group (which corresponds to our ABAP role - ZSAP_BATCH_XI) TO the Administrator Role in the UME.  But this still doesn't seem to fix the problem, and it is still requiring the standard SAP role.
    Can you pls. let me know if there is another step I should do, to force my background ID to use my custom role, rather than the standard SAP role.
    Thank you,
    Ashish

    Hi,
    This is standard in SAP and you would only need to assign the WBS to the Sales Order for which the Material is being Procured for and the Cost / budgets can be tracked through this WBS element.
    This activity can be seen thru PS Reports
    Best regards
    Amit Bakshi

  • How to implement Oracle user/role security with Access front end?

    Hi,
    We have successfully migrated our Access database tables to Oracle 10g using SQL developer. We've recreated all the users and roles(i.e., access groups) in Oracle and granted rights to tables.
    In the Access front end database, in the Database window we have saved linked Oracle tables which replaced the Access tables. The forms, reports, queries run fine with the linked Oracle tables. All the linked table use one ODBC DSN to the Oracle database with the same Oracle user id.
    We need to be able to authenticate users into the Oracle database and RE-link the tables based on their own unique user id. By doing so we can allow users to use the Oracle standard user id/role and system privileges to control select, update, etc. rights to the database.
    I've been able to use the VB code within Access to logon into the database with a unique id, but I have not been able to find out how to RE-link the tables to the unique user id using VB. There should be some way to relink tables dynamically, based on users login into the Access front end.
    I don't know a great deal about Access projects, but I do know SQL Server allows you to log in to your Access project and link tables dynamically.
    Can someone give me some assistance or point me in the right direction?
    Thanks in advance,
    Larry

    We had one of our programmers here come up with a VB code solution for re-linking tables within Access. However the relinking takes 3-4 minutes for 100+ tables.
    In an effort to help you understand the situation better, I will attempt to elaborate on the problem:
    We have an Access 2003 application which currently has a front end using Access(forms, reports, queries, & VB code) and a MS Access 2003 backend.
    We have migrated the backend tables to Oracle. However, we still have a need to maintain the front end in Access, since we have over 60 forms, 40 reports, 200+ queries in Access. It's easy to understand, we have a significant investment in the front end (obviously, the plan is to migrate the front end also at some future date).
    In order to utilize the existing front end, we have to validate and modify the current front end connections to the new Oracle backend. One of the features of Access is that you can "link" tables and save the link for runtime. Each Access table can have its own link, which is a separate ODBC/JET connection. As such, each separate link has its own userid/database information.
    The other issue with using the Access front end is that Access utilizes a workgroup file to implement user and group security. The workgroup file contains all the users and which groups the users belong to in Access. Then within Access, you allow users access to objects (tables, queries, etc.) by their userid and/or group. When users open an Access database with Access security enabled, they are required to log into Access. The login is authenticated by the workgroup file. Once logged into Access, users have rights to Access objects based on the rights granted to their userid and the groups they belong to. The problem here is that when you remove the linked Access tables and replace them with linked Oracle tables, Access has no knowledge about Oracle table rights granted to users; nor would you expect it to.
    The dilemma is the disconnect between Access and the fact Oracle utilizes a similar but much more sophisticated security model. It creates users and roles (which are similar to Access groups), and again this is independent of Access security.
    Our solution was to still use the Access workgroup file security along with the Oracle security model. By using the Access userid and then creating a similar Oracle userid with similar table rights granted in Access, you could apply security within Access and also with the Oracle database.
    For example, a user BOB logs into Access via the workgroup file; using VB code, Access then establishes an Oracle connection, logging into Oracle using the same unique userid BOB.
    After connecting and validating user BOB into Oracle, then the Access tables are relinked to Oracle using the user BOB userid and table rights.
    This Oracle userid has been granted table rights specific for this userid. This allows the user BOB to use the Access application and still be authenticated into the Oracle database.
    The problem with this solution is that the relinking of the saved Access tables takes 3-7 minutes for about 100+ tables. This is not acceptable for users each time they log into the application.
    Our current alternative is to use one Oracle userid to login each user, and use Access form restrictions/security to allow/prevent users from updating/viewing data. Obviously, this is not the optimal solution in respect to security, but it at least allows us to control access to the data(via the forms) by using one logon required for each user, and quick startup time for the application.
    I understand SQL server does a better job in integration, but we use Oracle which is what I am trying to work with.
    Larry

  • Limit access to Apex login page

    Hi,
    We are deploying an application to our users. I need to limit access to the Apex login page f?p=4550 to some predefined IP addresses. Any ideas on this?
    Best regards,
    Onur.

    > How exactly the APEX engine forces a '404' to be returned, I am not entirely sure. Perhaps it sends back the Response with the Header Status set to 404?
    Yes, with this process on the login page.
    begin
      if not #OWNER#.wwv_flow_security.ip_check then
          #OWNER#.wwv_flow.g_unrecoverable_error := true;
          sys.owa_util.status_line(404, 'Page Not Found');
          sys.owa_util.http_header_close;
      end if;
    end;
    Scott

  • WRT54G: How do I limit access to specific ports, only to local IP's

    Using a WRT54G with Windows XP, and I've setup a web server that I'm still testing. Until I understand the security better, I want to limit access from outside IP's to the port that it's running on, but NOT limit access from the outside to services running on other ports. Is there a way to block a range of IP addresses (or conversely, only permit access for a limited range of IP addresses) to a specific port? So for example (assuming server's on Port 99, and IP address to the outside world is 99.99.99.99: Port 99: Blocked IP Range: 0.0.0.0-99.99.99.98, and 99.99.99.100-255.255.255.255 - OR Port 99: Allowed IP Range: 99.99.99.99 Alternatively, I would be interested to permit access to the web server port, only for certain MAC addresses. Is this pretty secure, and if so, how can this be done? I've poked around the router settings and spent a good deal of time researching this; any help would be greatly appreciated...

    Why do you want to block IP addresses:  "IP Range: 0.0.0.0-99.99.99.98, and 99.99.99.100-255.255.255.255" ?   This is everybody on the web, except your router!    If you really want to block all these people, just unplug your router from your Internet connection.  That is a block that cannot be hacked!
    Normally a server is assigned a fixed LAN IP address.  This address must be outside the DHCP server range of your router, and it cannot end in 0, 1, or 255.
    Next you forward a port (for example, 99) to the server's fixed LAN IP address.
    Data arriving at the Internet port of your WRT54G for port 99 will then be forwarded to your server.  If you have other Internet services (i.e. server B) running on port 1297, then data that arrives at the Internet port of your WRT54G for port 1297 will be directed to server B.   Assuming that you only have port 99 and port 1297 open, then any other unrequested data (for any other port) that arrives at the Internet port of your WRT54G will simply be ignored (and thereby blocked).    If you connect another computer to a LAN port of the WRT54G, connect to the Internet, and request data, then when that data arrives at the Internet port of the WRT54G, it will be allowed to pass, and it will be routed to your computer.
    In summary, by default, all router ports are closed.  The only way to get data through the router is either to open a port (using port forwarding, or alternatively, the UPnP function), or for someone (or some program) on the LAN to request data from the web.
    The router cannot limit the use of a port by MAC address.    When you open a port on your router, you are opening your server to invasion from anyone on the Internet.  So, your server must be setup to protect itself.   Rather than limiting server use by MAC address (which can be faked), your server should be setup to require a user name and password. 

  • SAP R/3 Easy access

    How to go to SAP R/3 Easy access from BW???

    Hi Ash,
    Just run rsa13 it will take you to the source system part there select your r3 system right click > connec.param. >remote logon.
    Regards,
    ®

  • 2nd generation time capsule: how to limit access to wireless network at night?

    I am using a 2nd generation time capsule and need to limit access to my wireless network at night, is there a setting to do this?  I don't want to physically have to shut down my time capsule/router every night but I need a way to turn off the wireless network at night or during specific hours.  Also open to suggestions on how to accomplish this if Time Capsule does not allow it.    This question is for a 2nd generation 500GB, Model A1302 Time Capsule.  Thank you.

    Unless you physically attach an electronic timer to the Time Capsule, there is no way to tell the Time Capsule when to turn on and off.
    Using the Timed Access settings in AirPort Utility, it is possible to define the hours each day that wireless devices will be allowed to  connect to the network.
    For example, you might set the Time Capsule to not allow wireless access between Midnight and 8 AM each day. Devices would be able to connect at other times.
    But, Timed Access will not physically power the Time Capsule "on" and "off".

  • User does not appear in group created from SAP role

    Hello --
    I have a user that has logged into InfoView successfully with SAP authentication and is showing in the CMC under the "User List." When I view the list of users in the group that was created from the SAP role he was a part of, he is not there.   When I go to the user account and view "Member of," the group IS shown in the list. 
    Any idea?  Any way I can "refresh" the group or anything like that?
    Thanks
    Casey

    Thanks for the replies.
    We are on XI 3.1 FP1.8 and we do have a CMS cluster.  Server reboots this weekend seem to have resolved the problem. I am curious why this question was asked, though:
    "Did you reassign the user to another SAP role after the user has already logged at least once in the InfoView?"
    Is this something that could have caused the problem or is it a possible workaround if we run into the issue again? 
    Thanks again...
    Casey

  • How to synchronize Identity System Roles with SAP Roles?

    Hello, experts!
    Could you give me an advice?
    I'm trying to perform role synchronization between SAP R/3 and Identity Manager, but the default task definition (Resource Role Synchronizer) can't find a
    SAP resource (for example method getResourcesSupportingObjectTypes can't find a resource with attribute type activityGroups (SAP Roles)).
    Do you have experience with synchronization of SAP and IDM roles?
    How it is possible?
    Thank you!

    Maybe somebody knows what objectType attributes like Roles (activityGroups) or Profiles have?
