SAP roles and BW
I am new to SAP and BW. A goal of mine, straight from my GEM form, is to "Increase my knowledge of the security in the SAP application by understanding SAP roles and how they apply to Business Warehousing". Please point me to websites, books, white papers, etc.
[email protected]
Zip
Please check these links and hope it helps
http://help.sap.com/bp_biv235/BI_EN/documentation/Authorization_BW_Proj.pdf
http://help.sap.com/saphelp_nw04/helpdata/en/52/671595439b11d1896f0000e8322d00/frameset.htm
Thnaks
Sat
Similar Messages
-
SAP Roles and Access for SAP Implementation team members
Hi,
Is it correct practice to give SAP_ALL role access for all SAP Implementation team members in Dev and QA?
If not, what is the correct practice?
Kindly let me knowMadhu,
It is NOT correct practice to give anyone SAP_ALL in any of the systems; not DEV, not QAS, and certainly not PRD. However, many implementation teams (and particularly consultants from SIs) insist that they cannot possibly do their jobs without it. This is completely incorrect as there are specific roles for them to use for that purpose. The only circumstance where it could be justified is if you require a special "firefighter" role - and even then, I would still be a bit doubtful.
You should also consider that once you have given someone SAP_ALL, they will fight tooth and nail to keep it. It also means that they probably are not testing the user roles correctly. Most of those that insist they need it simply do not understand the security issues and probably don't care.
Just think; if they have access to do soemthing that they shouldn't and then cause a big problem, are they the ones that will have to fix it or are they going to expect you to do it? If they expect you to clear up after them, then you have the right to insist on restricting their access to cause issues in the first place.
But I know just how demanding they can be....
Best of luck
Tony -
SAP Roles and Profiles provisioning
Hi all,
I am trying to provision SAP CUA using the SAP UM Connector.
User gets provisioned, but its role and profile do not get assigned.
The tasks "Add Role" and "Add Profile" are seen as completed.
But the roles and profiles are not seen in SAP.
Thanks in advanceAny inputs from anyone ???
-
SAP, AGR_NAME and AGR_TEXT
Hi all,
If you give a look at idm\sample\forms\SapUserform.xml you'll find line 525 (in the code below "name" is the name of the SAP resource):
<Field name='agObjs[$(colName)].AGR_NAME'>
<Display class='Select'>
<Property name='required' value='true'/>
<Property name='allowedValues'>
<invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
<ref>display.session</ref>
<s>activityGroups</s>
<ref>name</ref>
<map>
<s>templateParameters</s>
<ref>accounts[$(name)].templateParameters</ref>
</map>
<s>true</s>
</invoke>
</Property>
</Display>
</Field>AGR_NAME is the technical name of a SAP Role. If you look more carefully at the object agObjs[$(colName)] you can see that there is also an AGR_TEXT element which is the description of the SAP Role.
If you need to get the AGR_TEXT value you'll have to do:
<Field name='AGList-$(name)'>
<Default>
<invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
<ref>display.session</ref>
<s>activityGroups</s>
<ref>name</ref>
<map>
<s>templateParameters</s>
<ref>accounts[$(name)].templateParameters</ref>
</map>
<s>true</s>
</invoke>
</Default>
</Field>
Problem: AGR_TEXT is only present for an already existing SAP role and if you add a role using "addAGRowButton", AGR_NAME doesn't have any value (it will only if you checkin and checkout the addition of the role in the SAP resource).
My need: replacing "allowedValues" of the "AGR_NAME" Select code given above by a "valueMap" which would have "AGR_NAME" as a key and "AGR_TEXT" as a value, so that it is more understandable for the user.
Question: How can I get the "AGR_TEXT" value that is associated with an "AGR_NAME" value without doing a checkin/checkout ?
Thanks a lot for your help,
Benhello Michael,
I could fix the transport system, was a network issue, but the DB13 error continue, now when I test the DB connection the following error is show by the PRD system.
Connect. test with "dbmcli db_state" Unsuccessful
I decided to close this message and open another in MaxDB forum.
Thanks
HEPC
Edited by: Hernando Polanía C on Oct 18, 2011 6:32 PM -
Roles and Authorization strategy for SAP BIBO
Hello All,
We are doing an implementation where Source is a Oracle, SAP BI warehouse and BO XI3.1 as reporting solution.
Our customer has asked for the authorization strategy that will be implemented in SAP BI. Currently the users belong to different companies or plants or countries
Current structure is like,
User 1 belongs to Plant1 of Country1
User 2 belongs to Plant2 of Country2
user 3 belongs to Plant3 of Country1 etc..
We have more than 500 users who will use the reports. The user belonging to a particular plant should only see the plant data/Country data he belongs to.
As I understand, we need to create the roles in BW and these roles to be imported into BO to use for the row and column level security.
The options we considered are,
1. Use Bex queries in BW to with ABAP code in CMOD to identify the user belongs to Plant 1, 2 or 3 and provide necessary authorizations.
2. Create user groups based on the country or company they belong to and create as many roles as required. This will however impact the maintenance of so many roles in the BI system.
We are also forced to avoid Bex queries in BW and hence, trying to connect Multiproviders directly in BO universe.
How should we go forward in designing the authorization concept? Any better ideas?
Thanks and Regards,
SrinivasThere are two ways which we can implement this kind of authorization based on my knowledge.
1. Data Security purely at BW
If the data is secured based on roles and users, there is no need of additional authorization from BO side except at report and folder level if you go for SAP Authentication.
Once you use SAP authenication and enable single sign on option in universe connection, the SAP users can access data based on their profile set at BW.
2. Data Security from BO
Let's assume that, if nothing is set at BW and every thing to be take care from BO.
Then you could create one multiple provider for each plant / country. Create one connection for each multiprovider
Create restrictions (Tools--> Manage Access Restrictions) for each plant/country. There you can change connection names.
So you would need to create many restrictions for different permutations and combinations.
I never tries this option with Multiprovider. But It worked well with NON-SAP data.
Hope this helps!
Regards
Gowtham -
SAP Technical roles and IDM Business roles mapping
Hi Guys
Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM and the SAP technical roles that are related to that corresponding position into privledges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your sap technical roles from the sap system and assigning them to business roles in IDM. Any help on this is much appreciated?
Cheers
LeoThanks Matt,
I think get I the picture now
One thing that I am still not sure about is how the sap abap technical roles or profiles are provisioned through workflow
Here is what Ive done so far
1. HCM data loaded into productive identity store via vds
2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from sap provisioning framework folder and set it as the add/mod/del event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each abap privilege that gets loaded.
But it should be obvious now that there is a flaw with this kind of setup, because all non abap privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway because the privileges use the same attribute i.e.MXREF_MX_PRIVILEGE. So it brings me to the question how do you provision abap technical roles or profiles through workflow without setting a provisioning task for each abap related privilege.
Thanks again for all your help!
Leo -
The FIM team is pleased to announce the availability of some additional Connectors for FIM2010R2.
General Availability of PowerShell Connector
The PowerShell Connector can be used to communicate with a system through PowerShell scripts. This allows an easy and flexible way to communicate with other systems but also to pre-/post-process data and files before handed over to the FIM Synchronization
Service. We believe the community will help providing scripts for this Connector for various systems and will open a place where scripts can be published for reuse.
TechNet docs:
http://go.microsoft.com/fwlink/?LinkID=393057
Download:
http://go.microsoft.com/fwlink/?LinkID=393056
Release Candidate of Generic SQL Connector
The Generic SQL Connector will allow you to connect to any database where you have an ODBC driver available. It enables new features compared to the built-in MA such as support for Stored Procedures, running SQL scripts, built-in delta import support, import
multiple object types, connect to multiple tables, and much more. This Connector is built on ECMA2.3 which allows schema discoverability to be customized in the Sync Engine UI. A pre-release of the next Sync Engine hotfix is included with the Connector download
and is required for the Connector to work.
Download:
https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52652
Release Candidate of SAP Users and Roles/Groups
The updated SAP templates for Users and Roles/Groups allows you to manage Users, Roles, and Groups in SAP. This also include password sync for Users to SAP. The Connector will make sure roles are represented as groups to make it possible to manage these
with bhold. This template will require the previously published WebService Connector:
http://go.microsoft.com/fwlink/?LinkID=235883.
Download:
https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52651
If you have participated in any other Connector preview program you will have access to the Release Candidate downloads. If you have not participated before then to get access to the preview programs on Connect either join the program “Identity and Access
Management”, “FIM Synchronization Service Connectors Pre-release” on
http://connect.microsoft.com/directory or follow this link
http://connect.microsoft.com/site433/SelfNomination.aspx?ProgramID=6709&pageType=1
We have also published an update to the Generic LDAP Connector adding support for some additional LDAP directories, see
http://support.microsoft.com/kb/2936070/. If you have additional LDAP directories you think we should support, please feel free to contact me.
On behalf of the FIM Sync team,
/Andreas KjellmanOn Tue, 18 Mar 2014 08:09:43 +0000, David Burghgraeve wrote:
We've been using the OpenLDAPXMA to be able to connect to ACF2 CA-LDAP (from Computer Associates) running on a IBM Z-OS Mainframe System. We've been using it for password synchronization since 2004 on MIIS. Today it's still used via the
OpenLDAPXMA (64bit) on FIM 2010 R2.
We had to tweak the password management component in the OpenLDAPXMA to support the error messages we get from the ACF2 System, as we support a multi-master password setup between Mainframe and Active Directory (one can change the password on
MF and/or on Windows). by example "LDP0406E ACF2 error modifying lid(ACF00155 NEW PASSWORD CANNOT BE THE SAME AS CURRENT PASSWORD)".
Additionally, we cannot get the delta import to work with the CA-LDAP, there's no capability in it and we tried to use the time attribute to use in the query for recent changes, but it does not work. (I think we need it in a large integer format
or unix time integer).
Would be great to have Microsofts' support in this :)
In a case like this where your follow-up has nothing to do with the
original post you should create a new thread.
Having said that, neither of the MAs to which you refer are official
Microsoft MAs and as such there is no support from Microsoft available.
Also, keep in mind that the ECMA1/XMA extensibility framework has been
deprecated and replaced by the ECMA 2.0. You should plan on replacing
existing ECMA1 management agents with ECMA2.0 connectors.
Paul Adare - FIM CM MVP
"It's 106 light-years to Chicago, we've got a full chamber of anti-matter,
a half a pack of cigarettes, it's dark, and we're wearing visors."
"Hotsync." -- Paul Tomblin & Peter da Silva -
Sap-abap Technical Team Leader Roles and Responsibilities
Can u give me Sap-abap Technical Team Leader Roles and Responsibilities.
Yes I can, but I don't think I'll share my experience with you.
Here's a tip for you though, how about only applying for jobs you are skilled at and not try to lie yourself into a job.
Warm regards, Rob Dielemans -
Sap b1 roles and responsibilities
Hi can anyone give me roles and responsibilities of SAP BUSINESS ONE Co-ordinator.
cheers,
srikanth.Hi Paul,
I just wanted to know what are SAP CO-ORDITATOR Roles and Resposibilities. what he does in a corporate company. He is responsible for what.
In a company where SAP is implemented by their Client Company, and now supporting by the same client.
Cheers,
Srikanth. -
SAP instance dies when I try to make a change to the role and save
Hello Friends
I am an ABAP and XI guy, but am working on Enterprise Portal.
I have created an IVIEW (URL) and am trying to associate it with a user and role. I have created user and then when I try to assign role by clicking on AssignROles and then select a role and try to save, it consistently kills the SAP instance (dm36939 0) and this instance turns to yellow (instead of staying green). I have to restart this again. I have installed ECC and EP on this server and ECC (ABAP programs tables etc.,) works without any problem. EP also works most of the time, but consistently fails at this point as explained above.
I am not sure if there is any specific settings I should be looking at. Any feedback will be highly appreciated.
Thanks
RamNOone responded and so closing here to open it again in a relevant area.
-
Please tell me sap bw consultant roles and responsiblities in immp project?
this is shyam plz inform
Hi,
Please go through the below link.
http://mysap.wordpress.com/2006/09/18/sap-bw-consultant-roles-and-responsibilities/
Assign point if this is useful. -
Role and responsibilities of SAP BW support consultant
Hi Guru's,
What is the Role and responsibilities of SAP BW support consultant?
Regards,
Sabari kannan.SXI Architect:
He plays the role in the analyzing the landscape for which XI will be used...will take the special not on the number for legacy systems involved...type of system...how much amount of data will flow what has to be taken care for better performance etc........
1. Design the XI for the currentl lanscape for high performance...
2. Idebtiy the bottle necks which can appear.
3. understanding the busnies requirement withrespective to XI
4. Configure the XI according to the standrds
5. Lays ground rules on the developemtnenv till golive.
6. what's the good appproach of design when systems like CRM,BW etc are invloved.
7 tranports methods till production and so on -
What are the Roles and Responsibilities of SAP Testing Consultant?
Hello,
i want to know about The Roles and Responsibility of SAP Testing Consultant,,pls anybody guide me Real time scenarios.
regards,
BalaramUnderstanding the business scenarios
Organization Structure to incorporate the tune of the script.
Preparation of test scripts
Execute and record results to see if it is fine before going to approval.
Make changes to your test script if required.
What is Test Script (Scenario Testing)
Header Data
Step in Process
Transaction Code / Program (FB60)
Menu Path
Description
Field Data and actions to complete
Expected Results
Actual Results
TPR
Closing Period
F.19 Clearing GR/IR Account
F.13 Adjustments GR/IR Account
Using of these above two accounts will help us in clearing the balances and adjustments to those respective clearing accounts so that the GR/IR account will be zero balance and the balances will appear in respective reconciliation accounts accordingly the balances will be carried forwarded to next fiscal year.
GR/IR Clears the following Documents
GL Document
Customer Documents
Vendor Documents
Assignment Field is important in any document (ZUONR), Amount (DMBTR)
Foreign Currency Valuation
Lowest Value Method, If we are in loss then only we will account for it.
GL Accounts which are important in Testing
Enjoy Transaction - FB50
Normal Transaction - FB01
Document Parking - FV50
Post with Clearing - F-04
Incoming Payment - F-06
Outgoing Payment - F-07
Document Related
Reset Cleared Items - FBRA
Parking Document Posting - FBVO
Reversal Documents - F-14
Company Code Clearing A/C
(Trial Balance purposes) reversal - (FBUB)
Clearing Account
Partial clearing Invoice - 100 - Open Item
Paid - 70 - Open Item
Balance - 30
In Partial Clearing you can see 100 and 70 are cleared line items and 30 as balance and if it is in Residual you can only 30 as balance as it creates new line item and you canu2019t see the other cleared line items.
As no company will use residual clearing as it affects on ageing reports.
Open Items in Foreign Currency in all Modules GL/AP/AR - F.05
Master Data
Company Code
Currency
Only Balances in local currencies
Reconciliation Account Type
Year End Scripts
Re Grouping Receivables / Payables - (F101)
Bad Debts Provisions u2013 Scripts
We assume that the customer has not paid at the end of the year you doubt whether this receivable will ever be paid. So you make a transfer posting for the receivables to an account for individual value adjustments using special GL Indicator E and Transaction Code F-21
Carry forward Balances
Sub Ledgers and General Ledger balances to be forwarded to next Fiscal Year
Accounts Payables
Vendor Down Payments
Invoice
Parking
Reversal
Outgoing Payments
Automatic Clearing
Manual Clearing
Advance (Down Payment)
Post with Clearing
Post without Clearing
Reset Clearing
Carry forward
Regrouping
Foreign Currency Valuations
Accounts Receivables
Customer Down Payments
Invoice
Parking
Reversal
Incoming Payments
Manual Clearing
Advance (Down Payment)
Post with Clearing
Post without Clearing
Reset Clearing
Carry forward
Regrouping
Foreign Currency Valuations
Other than that, it is important to know the following:
Unit Testing
When you test every single document is called unit testing.
String Testing
One transaction full activity is called string testing . For example Vendor invoice, goods received and vendor payment.
Integration Testing
It is purely with other modules and we have to check whether the FI testing is working with other related modules or not.
Regression Testing
Testing for whole database. Bring all the data into another server and do the testing is called regression.
UAT
When we test any particular document with the user and if it is ok immediately we have to take the signature on the document, which is signed off and can be forwarded to the immediate boss. There are some steps to be followed when we go for user acceptance testing.
Transaction u2013 Script Writing u2013 Expected Results u2013 Compare with Actual Results
TPR (Transaction Problem Reporting)
While doing the user acceptance testing if we get any problems then there are some methodologies to be followed according to the companyu2019s policy and normally as a tester we always need to write on Test Script itself.
Hope this helps you.
Regards,
Rakesh -
Roles and responsebilities of sap sd implementation consultant?
what are the roles and responsebilities of sap sd implementation consultant?
Hi,
Refer to this website for roles and responsebilities of sap sd implementation consultant.
http://www.sap-img.com/general/role-of-a-sap-functional-consultant.htm
Simple - he is responsbile for implementation of SAP SD Module.
Regarding Implemenation
http://en.wikipedia.org/wiki/SAP_Implementation
Please let me know if you need more information.
Assign points if useful.
Regards
Sridhar M -
Roles and authorisations in SAP BI...
CAN ANY ONE EXPLAIN ME THE ROLES AND AUTHORISATIONS IN SAP BI /BW...???
THANKS IN ADVANCE...Hi Anand,
Refer these links from help.sap.
BI Authorisations
http://help.sap.com/saphelp_nw2004s/helpdata/en/be/076f3b6c980c3be10000000a11402f/frameset.htm
BI Analysis Authorisation
http://help.sap.com/saphelp_nw2004s/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm
Regards,
Hari
Maybe you are looking for
-
How to Open PDF Files Embedded in an Excel File
This is a solution for Mac users who need to open .PDF files that are embedded inside an Excel file created in Office for Windows. I hope this solution works for other file format combinations. I am doing some experimentation to find out and will rep
-
How to connect some camera to iPad1?
I have tried to connect Logitech through USB adapteur but no success - only warning that the device realista too much energy.
-
Migrate Infopath forms from MOSS 2007 to SharePoint 2010
Hi, Please provide help Migrate infopath 2007 forms in MOSS 2007 to SharePoint 2010
-
Hp 6510 prints fine from laptop but only prints blank pages from ipad
Printer prints fine from my laptop but will only spit out blank pages from my ipad. It used to print fine from the ipad.
-
Hello Friend, Need ur help on MPLS over-relay setup encryption. I have 10sites across world which will connect via MPLS, were ISP will participate in customer routing they will do the optimized routing. CE routers are managed my ISP, i need to encryp