SECATT to create a composite role

Hello,
Until now I was using SECATT with success to create composite roles.
But I now have to create composite roles with a lot of included simple roles.
And I have this problem: when I try to add more than 11 simple roles to my composite roles, it doesn't work.
I think it's a problem related to scrolling but I cannot see how to resolve it.
Thanks for your help
Best regards

JEROME TOCANNE wrote:
> Hello,
>
> Until now I was using SECATT with success to create composite roles.
>
> But I now have to create composite roles with a lot of included simple roles.
>
> And I have this problem: when I try to add more than 11 simple roles to my composite roles, it doesn't work.
>
> I think it's a problem related to scrolling but I cannot see how to resolve it.
>
> Thanks for your help
>
> Best regards
SECATT reads your source file sequentially, one line at a time.  Design your script to read each line with the name of the composite role then on the same line the simple role that needs to be added.  With this design you can add 1 or 20 simple roles on a composite role.  You might need two scripts to make it simpler, one to create the composite role and the other to add the simple role to the composite.
Good luck!
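The one-pair-per-line design suggested in the reply above can be prepared outside SAP. The following is an added example, not code from the thread: it flattens a composite-to-singles mapping into one row per pair and rejects entries that PFCG would refuse. The tab-separated layout, the column names `P_COMPOSITE` and `P_SINGLE`, and the sample role names are assumptions; the columns must match the import parameters of your own SECATT script.

```python
import csv
import io

MAX_ROLE_NAME_LEN = 30  # AGR_NAME, the SAP role name field, is 30 characters


def build_variant_rows(composites):
    """Flatten {composite: [single, ...]} into (composite, single) rows.

    One row per pair means the script adds a single role per iteration,
    so the number of singles per composite no longer matters.
    """
    composite_names = set(composites)
    rows, seen = [], set()
    for composite, singles in composites.items():
        if not composite or len(composite) > MAX_ROLE_NAME_LEN:
            raise ValueError(f"bad composite role name: {composite!r}")
        for single in singles:
            if not single or len(single) > MAX_ROLE_NAME_LEN:
                raise ValueError(f"bad single role name: {single!r}")
            # A composite role cannot contain another composite role.
            if single in composite_names:
                raise ValueError(f"{single!r} is itself a composite role")
            if (composite, single) in seen:
                continue  # skip duplicate pairs instead of replaying them
            seen.add((composite, single))
            rows.append((composite, single))
    return rows


def render_variant_file(rows):
    """Render the rows as tab-separated text with a header line."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="\t", lineterminator="\n")
    writer.writerow(["P_COMPOSITE", "P_SINGLE"])  # hypothetical parameter names
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample: 15 singles in one composite, a duplicate in the other.
SAMPLE = {
    "ZC_FIN_CLERK": [f"ZS_FIN_{i:02d}" for i in range(1, 16)],
    "ZC_MM_CLERK": ["ZS_MM_01", "ZS_MM_02", "ZS_MM_01"],
}

if __name__ == "__main__":
    print(render_variant_file(build_variant_rows(SAMPLE)), end="")
```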

Similar Messages

  • Assign single role to composite role with alternate logsys assignments

    Dear gurus,
    In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
    Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
    But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
    Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
    Cheers,
    Julius

    Hi Martin and others,
    I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
    While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
    Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
    You also don't see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send additional Idocs for these single roles with targets assigned to the roles and not the user.
    There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
    That is a bit of a bummer because it means that you also cannot ever test anything...
    Did anyone ever try to actually use this?
    Cheers,
    Julius

  • Reg :Composite role

    Hai.. how to create a composite role.. and how to assign for particular user..? I created a composite role for ABAP and assigned these roles to the user. When I run the user comparison the system shows these roles do not exist for ABAP.
    I assigned existing roles (SAP-provided single roles).
    I could not find out where I went wrong.. please provide solutions for this one, and provide any documentation or step-by-step procedure.
    Thanks and Regards.
    MANNY

    Hi
    Create the role in PFCG, then assign the roles from the copymenus i.e. from roles, assign the authorization data, mention the users to get affected and do comparison.
    So that composite role is assigned, before that check that whether the single roles are existing or not, and having right access or not.
    Check the ROLE_PFCG_DEPENDENCY is scheduled or not.
    Regards
    Bhaskar.
    Edited by: bhaskar1818 on Jun 5, 2008 3:03 PM

  • What is the need of workflow tab in composite role.

    I have created one composite role. For that i have assigned two user defined roles. By clicking those roles it is showing one extra tab called workflow. Then what is the need of this workflow tab in a role and what it contains.

    Hello Kumar,
    Check these links for this
    http://help.sap.com/saphelp_nw04s/helpdata/en/07/5430fbdb39fb4d9abb56754e039d0d/content.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/ab/e70538389511d5974400a0c930dcc1/content.htm
    Award points if helpful,
    Regards,
    Raju.

  • Translations in composite role

    I created single roles, translated in 3 languages (EN / FR / ZH).
    When I assign these roles to users, the menu appears in the logon language of the user.
    I wish to create composite roles from my single roles.
    When I create my composite role in EN, only English is included in the translations.
    If I log in FR and reread the menu (PFCG), I have in this case translations EN and FR but not ZH.
    If I try the same manipulation in Chinese, I have the menu in EN and ZH but not in FR...
    How do I keep all the existing translations in single roles when I create my composite roles?
    Thanks a lot !

    Yes!
    I maintained those blithering menus for 3 years until another chap (hi Martin) found it didn't need it in BW
    Just add singles and save - avoid that read menu from etc at all costs 
    Cheers
    David
    Edited by: David Berry on Nov 3, 2010 6:48 PM

  • Composite role not showing in Access request screen. (BRM not used)

    Dear All
    I have created a composite role in backend system with 2 single roles.
    a. I have imported the single roles using the NWBC screen.
    b. run the auth sync job.
    c. imported the composite role as a technical role using the NWBC import screen.
    the import procedure was successfully completed.
    But when i try to search for the role in Access request screen for a user - i can only see the single roles & not the composite roles?
    Pls advise
    Raju

    Hi Raju,
    In addition to Alessandro's valuable inputs, you need to be sure whether or not you were able to generate the composite roles (in NWBC).
    The final stage of the composite role has to be in complete status.
    Regards,
    Ameet

  • ERM - composite role is requiring profile name

    I am configuring ERM (AC 5.3 SP8) and have imported all single and composite roles.  I have naming standards set up for all Single roles, composite roles, derived roles, and profile names.  However, when I try to create or change a composite role, it thinks a profile needs to be there (I blank it out on the create).  Composite roles don't require profile names.
    If I delete the naming standard for profile, it doesn't require a profile for composite.  But then when I create a single role, it isn't there either.  I really want to maintain a naming standard for profiles for single and derived roles.  How can I do this without needing it for my composite roles?
    Thanks!

    It is a bug with SAP.
    You can have naming standards for profiles as long as you have ENFORCED=disabled.  So, basically, as long as you don't enforce your (profile) naming standards you can delete the profile name when you are creating a composite role.  It sort of defeats the purpose of enforcing naming standards but at least it's a work around.  SAP has this in development right now and it is being looked at.
    Regards,
    Peggy

  • Reg derived roles combination into composite role

    Dear All,
    We have a role called GR Clerk. This will be available across all stores and DC for our retail customer. We have devised a strategy wherein we will create one global role with * in org level for site. Then we will
    create derived roles for individual DC and stores (from global role) and maintain site for each derived role.
    Now our customer wants following:
    Example: Store 1's GR clerk shall have required authorizations on transaction for Store 1, plus, one
    additional authorization/transaction for Store2.
    What we initially thought that we will create two individual global roles: One for all authorizations and
    second for additional authorization.
    Global GR Clerk role: GRC
    Transactions: t1, t2, t3          
    Global GR Clerk role: GRC_additional
    Transactions: t4
    Derived Roles
    for GRCStore1:     
    1. GRCStore1 with org level Site= Store1     
    2.GRCStore1_additional with org level Site= Store2
    Now I will assign both derived roles to user who is GR Clerk on Store1.
    Is this approach correct?
    Also, customer wants that only one role should be assigned to user. So shall I create a composite role out of 2 derived roles?
    Will the respective site org levels be maintained after combining derived roles into composite one?
    Thanks for your time in advance.
    regards, Sean.

    Hi,
    Regarding the transaction roles and authorization roles, it is also a good approach, however, you would still have to consider the above point in case the authorization objects overlaps and make sure that both are restricted to appropriate "stores".
    Whether it's a good approach or not, per me, depends on the overall scenario and the fact that how much maintenance would be required in long term.
    Like say, if it is a case that the transaction codes (t1,t2 and t3) are for specific stores and transaction t4 is like display activity of other store and not just store 2. Then creating a common role for transaction t4 and including it in the composite role apart with the store specific role with tcodes (t1,t2 and t4) would also be a good approach.
    ZZZ:STORE_CLERK_STORE1             (Composite Role)
    ZZS_STORE_CLERK_STORE1                      transaction code t1, t2 and t3
    ZZZ_STORE_CLERK_STANDARD                  transaction code t4 (Either no org level restriction or all store access)
    ZZZ_STORE_CLERK               (Parent Role)
    ZZS_STORE_CLERK_STORE1                  Org level Restricted to Store 1
    ZZS_STORE_CLERK_STORE2                  Org level restricted to Store 2
    and so on
    PS: Naming convention are for illustration only
    Cheers !!
    Zaheer

  • Add a single role to different composite roles in one step

    Hello everybody,
    I am working on SAP authorizations, and we often have the situation that a new Tcode is developed and a new role for this Tcode needs to be created.
    Then this new role needs to be added to many different composite roles (sometimes more than 100). At the moment I enter the single role to the composite role and regenerate the menu and this one by one. After that I add them with PFCG_MASS_TRANSPORT to my transport request.
    I don't want to believe that there is no easier way. Any ideas?
    Thank you
    Flo

    Hi Soma,
    great to find a place to be welcome..Thanks
    What you wrote definitely makes sense, but we agreed that every user only gets one composite role assigned and this composite role contains all single roles needed for his job. We do not assign single roles to users.
    The requirement is that every finance guy should get access to it (by the way, it is a report) unfortunately we have many different sites and many different composite roles for the different positions in the finance area.
    And I did not identify a role which is part of every composite role in the finance area, so I would either have to add it to the most common role present in these composite roles and additionally create a new role which gets assigned to the composite roles where I add the T-Code to is not present.
    -> In this example I would add one T-Code to two roles. Which our security manager disallowed me...
    or make this role available in all finance composite roles, which will give these employees access to other T-Codes which are part of the role but which they should not receive.
    -> Which again... our security manager disallowed me...
    So the only solution I imagined was to create a new role which contains this T-Code and to add this role one by one to every composite role.
    And at the end, your concept is also taken into account because the design of this role is open and if we get a new reporting T-Codes which again need to be added to all Finance guys, I definitely add it to this role
    Comments?
    Cheers
    Florian

  • GRC 10 ERM Not able to create Business/Single Role

    Hello Experts,
    In GRC 10, ERM, i have completed all the pre-requisites i.e. Maintaining Connectors, Configuration for Role Management, Maintained and generated the default MSMP workflow (methodology), maintaining role owners.
    Now when I am trying to create a business role or let's say a single role I am unable to do so as the edit button is disabled.
    I just can't get through this.
    Have i missed anything, and for the record when i tried to Import the Role(Under Role mass maintenance) from backend system i was successfully able to do so and that way only i could get my first role in GRC via import.
    Now if I open this role and try to edit it, can't do again, because edit button is disabled. But if I perform Role Update (Under Role Mass Maintenance) I can successfully change the attributes and other information and am able to see the new values.
    Why is it like this, i am not able to create Roles in GRC, just i am able to import and update from backend.
    This is really frustrating..what i am missing over here.
    Experts pl. Kindly help!

    Hi Triera,
    1) After opening BRM, Create button is not greyed out. Its available, and if i click on it, then i see all the possible type of Roles that i can create i.e. Business role, composite role, Group, PD Profile, Profile, Single Role, Template etc.
    2) When i try to edit a role by clicking on "Open" , and when the role opens, and then if I click on "Additional Details" (you said "More Details" , i believe you meant that only) link, then also the Edit button is not enabled. Its still greyed.
    What else could this issue be possibly about.
    Configuration- Check.
    Authorizations- Check.
    Workflow- Check.
    Should i raise it with SAP.
    Thanks.

  • Profile for a composite role

    Hello Experts,
    We are having a problem dealing with a composite role.
    Whenever we add the composite role to a user master; a profile appears for each of the single roles (which is normal) BUT we also get a profile for the composite role.
    We verified in the table AGR_1016 and found that there is a profile associated to the composite role.
    We tried the clean-up option of the transaction PFUD which did not work in our case.
    We were thinking that maybe the role was firstly created as a single role with its profile; and then it may have been changed to a composite role without deleting its profile. Is it possible?
    Any answer is most welcome!
    Thanks & Regards

    > We were thinking that maybe the role was firstly created as a single role with its profile; and then it may have been changed to a composite role without deleting its profile. Is it possible?
    Sounds to me as if there has been an import of a composite role overwriting a single role with the same name. The PFCG import facility has very few checks in them so something unwanted could have happened. I think it is not possible to change a role from single to composite with the PFCG or other tools. What does table AGR_PROF say about this role?
    I would suggest to copy the composite to a new name (without copying the singles) and see how that looks. If it is OK you can delete the corrupted role, check whether it is completely gone and copy the new role back to its original name.

  • Adding transactions in a composite role menu

    Hello All,
    I want to add transactions in the menu for a composite role, but I do not see the option to add it. Please guide how would it be possible. Do I need to create single roles and merge the menus for them or can I create a separate menu for the composite role?
    Thanks in advance.
    Regards,
    Anju

    Hi There,
    No, first of all you can't add transactions to the menu of a composite role as a composite role is a collection of several single roles.
    What you can do is create a single role, make additions/deletions of tcodes inside the single role which will automatically reflect in the menu tab of single role and then you can add this single role to the composite role.
    If you want to make changes to the tcodes from the menu tab you need to go to the single role and make changes which will reflect automatically, but through composite role it's not possible to make changes to the menu tab simply because the composite role takes all the tcodes from the single roles contained within it.
    Hope this answers your query
    Best ,
    Suchitra

  • How to create Cross system role - Access Enforcer

    Hi,
    What is meant by cross system composite role, and how should we create that?
    Thanks&Regards,
    Vijay

    This would be a reference to CUA.  You can define a composite role in the CUA system that contains single roles from the child systems.  When a user is assigned the composite role, CUA automatically provisions the user and appropriate single role assignments to the appropriate child systems.
    This simplifies things for the AE end user.  Rather than having to select multiple single roles from multiple systems in the request, they can select one role from the CUA system (representing their job).  CUA takes care of the rest.

  • SAP Security Report for single and composite roles

    Hi
    I have a requirement to create a customized report in SAP Security.
    I have to display composite roles, corresponding single roles, the tcodes assigned to those single roles and the description of tcodes. The selection screen has composite roles, single role and T-code which are optional. User can enter selection in any of the selection criteria. How should I go on this? If user gives only composite roles on the selection, e.g. 'TEST', for this role I get suppose 3 child roles 'TEST1' 'TEST2' 'TEST3' from table AGR_AGRS. Now to get the tcodes I go to table 'AGR_1251' and I get the tcodes.
    But if user gives only single role on the selection, e.g. 'TEST2', for this single role 'TEST2' there would be multiple composite roles, e.g. 'TEST' 'SAP1' 'SAP2' etc. Now if I go to get the tcodes for this single role in AGR_1251, I will certainly get the tcodes, e.g. MM01, FB01, etc. But then how would I know whether MM01 belongs to composite role 'TEST', 'SAP1' or 'SAP2' for the single role 'TEST2'.
    Please advise.
    Thanks
    Edited by: Julius Bussche on Aug 13, 2009 4:52 PM
    Subject title improved

    I thought of separate selection options for singles and composites, but you also said:
    > But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.
    My suggestion would be to build better single roles, but that is just me...
    Cheers,
    Julius
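The report asked about in this thread reduces to a join of AGR_AGRS with the S_TCODE entries of AGR_1251, giving one row per (composite, single, tcode) so that a tcode reached through a shared single role is listed under every composite that contains it. The following is an added example, not code from the thread: it models the tables in SQLite with only the columns used, the rows and transaction texts are constructed, and tcode ranges or wildcards in AGR_1251 are not expanded.

```python
import sqlite3


def build_demo_db():
    """In-memory stand-ins for AGR_AGRS, AGR_1251 and TSTCT (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE AGR_AGRS (AGR_NAME TEXT, CHILD_AGR TEXT);
        CREATE TABLE AGR_1251 (AGR_NAME TEXT, OBJECT TEXT, FIELD TEXT,
                               LOW TEXT, DELETED TEXT);
        CREATE TABLE TSTCT (SPRSL TEXT, TCODE TEXT, TTEXT TEXT);
    """)
    con.executemany("INSERT INTO AGR_AGRS VALUES (?, ?)", [
        ("TEST", "TEST1"), ("TEST", "TEST2"), ("TEST", "TEST3"),
        ("SAP1", "TEST2"), ("SAP2", "TEST2"),
    ])
    con.executemany("INSERT INTO AGR_1251 VALUES (?, ?, ?, ?, ?)", [
        ("TEST1", "S_TCODE", "TCD", "MM03", ""),
        ("TEST2", "S_TCODE", "TCD", "MM01", ""),
        ("TEST2", "S_TCODE", "TCD", "FB01", ""),
        ("TEST2", "S_TCODE", "TCD", "SE38", "X"),      # deleted entry
        ("TEST2", "M_MATE_WRK", "WERKS", "1000", ""),  # not a tcode entry
        ("TEST3", "S_TCODE", "TCD", "FB03", ""),
    ])
    con.executemany("INSERT INTO TSTCT VALUES ('E', ?, ?)", [
        ("MM01", "Create Material"), ("MM03", "Display Material"),
        ("FB01", "Post Document"), ("FB03", "Display Document"),
    ])
    return con


REPORT_SQL = """
    SELECT DISTINCT c.AGR_NAME, s.AGR_NAME, s.LOW, t.TTEXT
      FROM AGR_1251 AS s
      LEFT JOIN AGR_AGRS AS c ON c.CHILD_AGR = s.AGR_NAME
      LEFT JOIN TSTCT    AS t ON t.TCODE = s.LOW AND t.SPRSL = 'E'
     WHERE s.OBJECT = 'S_TCODE' AND s.FIELD = 'TCD' AND s.DELETED = ''
       AND (:composite IS NULL OR c.AGR_NAME = :composite)
       AND (:single    IS NULL OR s.AGR_NAME = :single)
       AND (:tcode     IS NULL OR s.LOW      = :tcode)
     ORDER BY c.AGR_NAME, s.AGR_NAME, s.LOW
"""


def report(con, composite=None, single=None, tcode=None):
    """All three selections are optional, as in the requested selection screen."""
    params = {"composite": composite, "single": single, "tcode": tcode}
    return con.execute(REPORT_SQL, params).fetchall()


if __name__ == "__main__":
    for row in report(build_demo_db(), single="TEST2"):
        print(row)
```

Selecting only single role TEST2 returns MM01 and FB01 three times each, once per composite (SAP1, SAP2, TEST), which is the relationship the question asks how to show.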

  • Single role that belong to composite role with user

    HI,
    Is there an option where a user belongs to a single role and also belongs to composite roles (that include the single role)?
    BR
    Nina

    Is there an option where a user belongs to a single role and also belongs to composite roles (that include the single role)?
    Single role is created in PFCG, where you assign the role name and save it as a single role, and then after the tcodes have been provided the user is assigned accordingly.
    Composite role is the same, just it contains many roles in one, and similarly the user is assigned.
    Thx
    Mysterious
