Security Objects Migration(UJT_TRANS_CHG)

Hello All,
In BPC 7.5NW, during appset migration, does only security objects, Task profiles and member access profiles get migrated? Do teams and users do not get migrated? Also in UJT_TRANS_CHG, if I set TLOGO:SECU to P, will it not transport even the member access profiles & task profiles?
Is the best practise to maintain them in Prod Environment? I also see that a HTG exists to mass download and upload security information across landscapes. I can probably use that for teams & users.
Please advise.

Hi,
The security profiles overall don't get transported properly. Some of the suggestions could be:
- You could have the setting in UJT_TRANS_CHG as 'D'
Like you mentioned about the mass user management guide, if you have all the users, teams and the required profiles ready with you, you could add them in your development system , test them thoroughly and use the tool mentioned in the guide to transport across.
- There is also some inconsistencies if you want to transport reports & schedules assigned to the team folders. Not everyhting gets transported. You need to check the settings in the config table UJT_TRANS_FIL.
If you look at this table, this may probably have nothing for 'SECU'. This probably explains to some extent about the security related incosistencies.
Better option would to maintain them in P if you dont have all the secuirty related things ready now. For testing some task profiles and member access profiles, you could create them in D and can also use the tool to transport.
Note: Please refer to the latest version of the user management guide.
Thanks

Similar Messages

  • Transport of Security objects in BPC 7.5NW

    As a part of NW BPC transports, changed the entries in table UJT_TRANS_CHG. For the 1st transport (from DEV to QA)wanted to transport ALL objects including Security and Teams. So, selected 'Development' for ALL objects under this table.
    After the transport collection via tcode UJBPCTR and importing into QA, found that 'Users', 'Teams'  and 'Task Profiles' did NOT transport. 'Member Access Profiles' did transport to QA.
    I expected 'Users', 'Teams'  and 'Task Profiles' also to be transported. We are on SAP BPC 7.5NW, SP4.
    Am I missing something here ?
    Thanks in Advance.

    Hi
    we had the same problem and didn't know if Security objects could be transported, but we found the BPC User Mass Management Tool.
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/d0cdbccf-0def-2d10-298d-f4223de9a6ed&overridelayout=true
    This could help you to export the security objects in DEV and import the objects in PRD.
    The transports you need for the ZUJE_MASS_USER_MGMT   Programm you found on page 46 in the document mentioned above.
    Please let me know if we could help you.

  • Only want to transport security objects in BPC

    Hi,
    I only want to transport Security objects in BPC from DEV to QAS
    Is it possible ?
    I setup the UJT_TRANS_CHG table entries in DEV the following way -
    - Security - Development
    - All others  - Production
    Will that work ? Is it going to mess up anything in QAS system ?
    Do I need to have the same setup in QAS system also ?
    Any help would be highly appreciated.
    thanks
    J

    Basically what it is saying is that you always need to have the following TLOGO objects in the UJT_TRANS_CHG table set to "Development".  This is required by the framework,  If they are not set this way, you run the risk of messing up the objects in the target system.  Also, I bellieve that as of SP7 and above, you don't have to worry about this, as these 4 TLOGO are harded coded in the framework to always be triggered regardless of the setting in the UJT_TRANS_CHG table.
    ASET
    APPM
    DIME
    DIMA
    So again, all you need to do is make sure that these TLOGOs are set to Development, as well as the security ones, and the security data will be transported successfully.  Remember that you must transport your UJT_TRANS_CHG records to the target system before transporting the AppSet.
    Regards,
    Rich Heilman

  • Service Entry Sheet in ECC 6.0 shipment costing security object?

    Does anyone know what security object is being checked during service entry sheet creation?  When I run the shipment cost create process in foreground (RV56TRSL) VI04, the program creates and settles the shipment cost, but in background only the shipment cost doc creates the settlement remains open (status A) and I get a message:
    You have no authorization for this transaction with movement type 101
    My assumption is a different object is being called in background versus foreground but my traces are not showing me anything useful. 
    thank you

    Shipment settlement in ECC 6.0 requires the users to have some version of the MIGO object to prefrom the goods movement.  this is a change from 4.7 and prior.

  • DMS security object c_drad_obj

    Hi DMS Gurus,
    I'm hoping someone can help me.  I've been testing different scenarios all day and just did a web search to see if anyone has posted anything about this in the past.  I came up with zero on both counts.
    We are new to DMS at my company.  Our objective is to give some users full access to DMS and others no access.  I have found that our existing user roles already pull in Document Management security object CV, I think because the user has access MM03.  For example our sales role has the c_drad_obj object assigned, but we don't want this role to have access to DMS.  No matter what I change the options to in the security object, it doesn't have any effect.
    I was under the impression that I can restrict the activity / document type / linked SAP object / document status in the c_drad_obj object.  But as I previously said, no matter what I set these to, even to disable the object itself, it doesn't seem to matter.
    Thanks for your consideration.
    Regards,
    Julie

    You do realize that C_DRAD_OBJ is relevant only for Object Links stored in table DRAD? Not all documents will have Object Links. See Authorization Objects for Documents - Document Management - SAP Library for details on DMS authorizations. The main table for documents is DRAW.

  • Security object for check against Lab office in DIR

    Hi,
    We are running R/3 46C and use DMS to store our business documents via online vault. I have a requirement to set up access based on Lab office (department) that is used in the Document Information Record. Is there a standard security object that I can use in security roles to build this.
    Any info would be appreciated and rewarded.
    Regards
    Nirmal

    Your best option would be to use a user exit, for example badi "document_main01" "before_save" to populate the auth. group field, and then use normal roles/profiles to check on auth. group.
    Regards,
    Espen
    Please reward if useful.

  • How to control partner function through security objects ??

    Hi, theres any way to control witch Partner function are avalilable to assign in support messages ??
    Theres any security object to control that ??
    I have configured rules for automatic determintation, but in certains cases i need to assign manually.
    I need to control this asignation Partner function
    Any ideas ?? CRM_ORD_OP ??
    Best Regards

    I got it fixed my self.
    here is the solution.
    in user exit :EXIT_SAPMM06E_012.
    call below FM: MM_CALL_UPDATE_PARTNERS
    Trick is pass the partner values the one you wanted to below table: x_mmpa and xuekpa.
    you can calculate partner records from wyt3 table depends on your logic/requirement.
    CALL FUNCTION 'MM_CALL_UPDATE_PARTNERS'
         EXPORTING
           ebeln       = wa_ebeln
           bstyp       = 'F'
    *     knuma       = wa_knuma
           application = 'P'
         TABLES
           x_mmpa      = it_mmpa1
           y_mmpa      = it_mmpa2
           xuekpa      = it_uekpa1
           yuekpa      = it_uekpa2
           i_mmpa      = it_mmpa3
           u_mmpa      = it_mmpa4
           d_mmpa      = it_mmpa5.
    Thanks,
    Mahesh

  • UME security vs ABAP security object level

    We installed Virsa Compliance Calibrator & Access Enforcer and trying to configure security in UME to control user access so that besides action level security, we need further restriction on for example, Functional Area, cost center & department access. Does UME have lower level authorization restriction capabilities similar to that of ABAP authorization object level security? If not, how can we utilize ABAP Virsa security objects to control JAVA front end access?
    Your advice is much appreciated.
    Thanks,

    I'm not aware of a way to limit requestor access (you can request anything visible); however, you can provide direction by populating an attribute field (i.e. company) with valid company values for each role.  When a requestor searches for a role, if they filter by the appropriate company, they will only see valid roles for the request.  I did, however, point the request authentification towards a 'fake LDAP'.  This prevents individuals without specific UME credentials from submitting a request.
    However, you can restrict approvers using a custom approver/determinator.  In my case, I wanted to use a combination of "role" and "usergroup" to determine approver, rather than use one approver set for all requests.  I have implemented and confirmed this works.  The unfortunate side affect, is that you have to maintain a seperate file for this custom A/D (which you have to refer to /append for any request for role approver information).

  • Security object for shipping conditions (T-Code VA02-sales order)

    Hi
    I need to gray out filed-VSBED (shipping conditions) in T-code VA02 (sales order change) for users, what could be the security object to be used for this requirement?
    Regards
    sri

    The functional requirement till doesnt seem very clear to me , why would someone want to grey this field? (unless you have a strong case that you use different document types for normal orders, express deliveries, normal service, free of charge and a whole lot of possibilities)
    Your SD consultant should guide and let you know that:
    Shipping conditions are defined in customizing
    you can eithe assign particular shipping conditions to particuar sales document types to make it as a default
    (or) you can have the shipping conditions defined in the customer master
    the ones set up in SPRO take a preference, but as you rightly noticed - if a use wishes to change the shipping conditions proposed by the system he would be able to do that, and this CANNOT be controlled with authorization objects
    The only option you would have, is to find out if the users who are not suppposed to change the conditions beong to the same user group (or make a logical assesment on the common binding feature in the set of users)
    then evaluate if you want to make the program changes such that the changes affect only the particular set of users
    Note: Changes you make in ABAP do not necessarily apply to the complete user base - it depends on how well you analyse and plan the requirement

  • SAP security - changing check maintain setting for security objects

    I am trying to change the check maintain indicator for a couple of transactions
    to alow me to manage access based on security objects that are not currently defined as check maintain.  Specifically, I have updated the check indicator
    (using SU24) to check maintain for object c_stue_ber on transactions MD11 and MD12 (planned order create/change).  The transactions still do not check this object as expected.  Does anything else need to be done to enable checking an
    object that is not set up as check maintain originally?
    Any help is appreciated.
    Thanks,
    Doug Scott

    Hello Kerstin,
    I also wrote a message to SAP and got the following response.  Looks like there are no security checks for this object in these transactions.
    Regards,
    Doug
    Response from SAP
    03.04.2007 - 12:48:38 CET    SAP    Reply 
    Dear Doug,
    An authority check on C_STUE_BER is not possible for the transactions
    CO02, CO03, MD11, MD12, CO26, CO27, CO28, COOIS, COHV, CO05, CO05N,
    CO04N, COMAC or CO46.
    In CO01 we check if the user has the authority to resolve the BOM
    (C_STUE_BER). After resolving the BOM we don't check any longer with
    C_STUE_BER since we don't work with the BOM but with a component list
    in the order (which is actually a copy or the BOM).
    For this component list there is no authority check.
    The component list is visible in CO02, CO03, CO26, CO27, CO28, COOIS,
    COHV, CO05N, CO04N, COMAC, CO46.
    For production orders we use authority C_AFKO_AWA. With this
    authority you can limit the access to CO02, CO03 and the change of
    production orders by other transactions.
    But please note that there are still transactions
    that will display the orders and its components without authority
    checks. For example infosystem transactions (COOIS, COHV, CO26, CO27,
    ...) and other processing transactions (COGI, ...). For those
    transactions you would have to limit access.
    For the creation of planned orders MD11, the authority check C_STUE_BER
    is not used. Here you can use M_MTDI_ORG to check on a MRP controller.
    So you should enter the same MRP controller in the material master
    of the troublesome products and only this MRP controller will be able
    to create a planned order for this material.
    I am sorry not to be able to offer you any better solution for this
    problem.
    Kind Regards
    Eoin Donnelly
    SAP Support Consultant (SCM)
    SAP GSC Ireland

  • Deactivated objects after transport of Analytics Security Object

    Hello Experts,
    We made a release Upgrade to 7.3. To garantee the access to our reports I implemented a lot new Analytics Security Objects. In our development system they are all activated. After transporting them into the quality system, all of them are deactived and not usable.
    Do you have any ideas?
    kind regards
    Frederike

    Hi Sujai,
    Just check is your ODS object Locked or any process job is running on it.
    Was your transport successful.
    Thanks
    CK

  • Secure object sharing in java card

    Who has the complete code in secure object sharing in java card which is written by Michael Montgomery. I want to look at the code in this article. I wish somebody can help me!!!

    Who has the complete code in secure object sharing in java card which is written by Michael Montgomery. I want to look at the code in this article. I wish somebody can help me!!!

  • RPD Security and Migrations

    We have a Subject Area where up to 25 columns in the Presentation Layer have security applied. They are denied to the System-level Everyone group and access is provided to Group1.
    The way our migrations to the environments work is the Developer provides the RPD and we do a 3-way merge. The issue is the security does not get merged correctly. So if Group1 exists in the Master RPD when we do a 3-way merge groing from the Developer's RPD to the Master it creates another security group called Group#1.
    I thought I could use UDML generation to apply the security but UDML does not generate the system-level EVERYONE group so when applying the UDML (nqudmlexec) to the Master the columns have the EVERYONE group defaulted back to Read access.
    I am working with Oracle on their best practice for migrating RPD security but I'd like to see how those on the forum handle the migration of RPD level security. So any permissions applied to Presentation Layer catalogs, tables, columns, Phycial connection pools, etc.
    How do you maintain that security going from a DEV to a Test to a Prod environment?
    Love to hear how others are doing this

    Yeah..... In 11g you have separater password for RPD which is not releated to any user. Unless you share the RPD password with user they can not open it in the offline mode. But still this problem persists if a ProjectA user log in and still he could see the project B details.
    You are looking at object level security on the Tables. I guess you can implement for the presentation layer.

  • AD object migration

    We are planning to migrate AD objects from x.com (Global forest) to y.com (Single domain forest).
    There are two parts of migration :
    part 1)  Users, compauters and profile migration.
    part 2) Application server and service account migration.
    in part 1 - Can some help me to get best approaches / tools / procedures.
    In part 2 - Please help me to get application testing procedures during domain change of application servers, and how to troubleshoot them in case of any issues.

    Hi, Thanks for update can some help me to get more information on part 2 of my question. thank in advance.
    "part 2) Application server and service account migration"  - Please help me to get application testing procedures during domain change of application servers, and how to troubleshoot them in case of any issues.
    I'm not sure what is meant by this.  You would want to build out a test lab to test the migration, to me it sounds like you want to just press forward without the test lab and know of a way to backout in the event someting doesn't work. 
    Specific issue testing would be just that, you would test the system once the migration has completed.  If you are having issues you would have to know in what area there is an issue.  Perhaps running WireShark and verifying that the server is
    requesting a ticket, etc...  Open the Event Logs and see if there are errors arising.
    If you have to rollback on a situation you could use a tape recovery with authoritative restore but that would have to be a last ditch effort.
    I really think it be best you build out a test lab, if you have a virtual environment you can just clone the two forests but ensure they can never talk and you should be able to test this all out. I have an old world example that can easily be redefined
    as a virtual setting.
    http://blogs.dirteam.com/blogs/paulbergson/archive/2012/07/03/create-a-test-domain-old-style.aspx
    Just remember the old adage, "A production system becomes a test lab if you haven't tested your updates first."
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • Converting AD security object to Exchange object

    Hi all,
    We have created Universal Security Groups in AD,then add members to the Group so they can get FULL or Send As permission in Shared mailboxes.In ECP Exchange doesnt see these Groups,so we have to use PowerShell to add those permissions.
    Now we will migrate over 1k mailboxes to Exchange Online and as far as i know all permission will be gone,since these Security Groups are not Exchange Object.
    Is there a way we can convert existing AD Object to Exchange Objects?
    Thanks and sorry if posted in wrong section.
    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Hi,
    You can use the Set-ADGroup cmdlet to change the group's GroupCategory property from security group to distribution group. Note that the LDAP attribute is GroupType.
    What's more, you can also do this using ADUC, here is the steps for your reference:
    Open ADUC -> Microsoft Exchange Security Groups -> right click the group you want to change -> Properties -> click Distribution -> Apply
    For more information, here is a thread for your reference:
    Change security groups to distribution groups
    http://exchangepedia.com/2012/08/exchange-2010-change-security-group-to-distribution-group.html
    Note: Microsoft is providing this information as a convenience to you. The site is not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any information found there. Please make sure that
    you completely understand the risk before retrieving any suggestions from the above link.
    Hope this can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

Maybe you are looking for

  • Can I connect multiple devices to one thunderbolt port?

    I have the need to connect an external monitor and a firewire cable to my Macbook Air, but with only one Thunderbolt port I am trying to determine if this is possible.  Is there such an adapter that would take my single Thunderbolt port and 'split' i

  • Simplest way to modify properties from web.xml

    I'm testing a very small Web application which uses init-params in web.xml for configuration. For manual testing purposes, I need to be able to change the values of these as easily as possible, preferably from the WebLogic admin console. (I can do it

  • Initialization parameters not getting populated correctly during DBCA

    This problem is observed on Oracle 10.2.0.1 Linux x86 and RedHat Enterprise Linux 4 ES Update 5. I tried to use DBCA template file to create an Oracle database (see below for the template file content). The DB creation was successful, but the initial

  • Pagination on ADF DVT Bar graph

    Hi I am using ADF 11.1.1.5. I am trying to do pagination on dvt bar graph component. The pagination is like << 1 2 3 >>. The default range size in page definition is suppose 5.The things are working fine on all links except 2. I get 1-5 record on fir

  • Email text format

    I am triggering an external email from a workflow, the formatting of the mail is coming wrong, the lines are getting truncated. the internal mail that is being triggered in formattted correctly. I implemented the following oss notes 690930, 662941, a