Shell Role Concept

Hello All,
Can anyone explain to me the concept of shell roles: what is their use, what are the advantages and disadvantages, and how are shell roles maintained?
thanks
Sushant

Hi Sushant,
It sounds like you are talking about cross-system composite roles.
What is use
If you are using CUA you can define roles in your CUA master that contain roles for the target systems too.  That way if you have HR as your CUA master (possibly using org assignments too?), you can provision for all relevant systems based on the role definition.
Advantages
Can speed up provisioning into multiple systems
Helps support accurate job definitions for all system access
Disadvantages
CUA needs to be set up and maintained properly (not sure if that is a disadvantage, but it is a factor for consideration)
If enough thought does not go into design then you end up with composites/shells that cover lots of eventualities
If you have a granular single-role concept then your shell role could get very cluttered by the number of assignments required.
Maintain
Use PFCG in the CUA master
Like any other composite role - use text comparisons etc to pull in the roles from the target systems

Similar Messages

  • Role concept - CRM - EP

    Hi All,
    I imported the business package for CRM in Enterprise Portal. Right now I am dealing with security aspects. I have some conceptual doubts related to role concepts with this Business Package.
    I have a role for sales manager in the business package, com.sap.pct.crm.SalesManager, which has some iViews and external services. From the documentation, I came to know that this role corresponds to "SAP_PCC_SALES_MANAGER" in the BW system and "SAP_PCC_SALES_MANAGER" in the CRM system.
    I just want to know which strategy I should use for role and user-to-role assignments in my scenario, i.e. either "EP as leading system" or "ABAP system as leading system".
    I was thinking of having the ABAP system as lead, i.e. getting the role menu and user-to-role assignments from the CRM system and BW system and adding this to the delta link of the portal role that came with the business package, so that I could get the user assignments from both the CRM and BW systems. But later I came to know that this role, SAP_PCC_SALES_MANAGER, is a portal-specific role in BW and CRM, so I was worried about how to get the user assignments of the original sales manager role in the CRM system and BW system to the portal.
    Right now I am totally confused and have no ideas. I thought that someone could help me in this regard with their experience.
    Thank you

    HI
    Please ensure that the user is present with the same user ID as in the portal in both the BW and CRM systems, and then use the com.sap.appintegrator.portal component for creating transactions of any type using the template iView, and get user authorization for the user for both the roles in BW.
    hope this helps
    With Regards
    Subrato kundu

  • Master role & Derived role concept

    Hi Friends ,
    We have the master and derived role concept in our project: ABC_XXXX (master role), ABC_1000 (derived role) (1000 = company code).
    Now we need to maintain some values in the master role, let's say display: 03. Should we regenerate the derived role as well?
    If we regenerate the derived role, does the inheritance relationship break, and do we need to maintain the company code = 1000 value again?
    Please suggest.
    regards

    Forgot to answer some more questions you had asked. Adding them here:
    Now we need to maintain some values in the master role, let's say display: 03. Should we regenerate the derived role as well?
    - Use the steps I mentioned in my earlier reply to re-generate derived roles from the master role.
    If we regenerate the derived role, does the inheritance relationship break?
    - Please use the steps I suggested; the inheritance will not break. And this is an advantage of master --> derived roles. That's the meaning of having this concept in SAP.
    And do we need to maintain the company code = 1000 value again?
    - No, you don't need to (you can check and see this manually).
    Hope it helps...
    Soumya
    Edited by: Soumya Thomas on May 20, 2010 12:34 PM
    Edited by: Soumya Thomas on May 20, 2010 12:35 PM

  • Value Role Concept

    I tried searching for documents on Value Role concept. Please reply if anybody has any documents or links about this.
    Thanks.

    There is not a lot of info in the public domain on the value role concepts.  I know it has been covered on a couple of the other security forums.
    Subbiah - generally the value role concept is where you split the functional and the data access.  This is also referred to as the enabler concept.
    You create 1 role with your transactions but don't populate org data for example
    You then create another role with the auth objects that contain the org data
    When you combine the two you get the access that is required.  If you require lots of org data variants,  you can have lots of org data value roles and assign as required.
    There is no need to restrict it to org data either.  Anything that needs differentiation can be catered for using the value concept.  An example that is quite common is where a separate role is created for object F_BKPF_BUP which is then assigned as an extra value or enabler.
    Like any approach there are pros and cons.  Value roles take a while to set up.  You need to manually import the relevant objects into the value role, and make sure the corresponding objects in the master role are deactivated or not populated etc.
    It isn't a common approach so you need to ensure that your documentation is up to standard.

  • Enterprise Role Concept in ERM

    Hello,
    We want to implement the Enterprise Role (not Portal) concept in ERM. Has anybody implemented this concept of composite roles built from different single roles belonging to different SAP components?
    Ex : Marketing Management Enterprise Role is a collection of single roles from ECC and SCM. We want to have cross system risk analysis performed on the same.
    Thanks in advance,
    Ashutosh

    Hi Sri,
    Is the role status set to "production" ??
    Cheers,
    Diego.

  • Master role and derived role concept

    Guys,
    1) How to assign the organizational levels for the derived role?
         Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
    2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
    3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
    4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
    Greatly appreciate for some body's help.

    > 1) How to assign the organizational levels for the derived role?
    > Say for example, I have to create the derived roles with respect to the plant code. After inheriting the t-codes and authorizations from the master role, I noticed a pop-up page with an organizational level tabulation and I assigned the respective plant code there, and in the same way for all the following derived roles. But the rest of the rows like company code, sales organization, distribution channel etc. which are seen in the tabulation are left empty. I noticed that all the fields which are left empty in the org. levels of the derived roles are filled up with the values of the corresponding master role org. level values when the derived button icon, which is seen under the authorization tab of the master role, is pressed. So please let me know the correct procedure to assign. *Do we really need to maintain org. values for master roles?*
    Only if you assign the master roles to users (and maybe for testing, see 3).
    > 2) If a master role is transported to QA or PRD, will the derived role move along with it automatically?
    Nope, but if one of its derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
    > 3) Are the master and derived roles tested in parallel in the QA system, or is the master role tested first, followed by the derived role?
    The best order is to do all unit testing with the master, with all org levels at *, and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
    > 4) According to my understanding we don't assign any user to the master roles, but why do we move it to PRD?
    See 2, it goes there automatically. No choice.
    Jurjen

  • Master role-derive role concept and FICO role in dev system!!!

    Hi all,
    I have created a master role with t-codes
    AWUW
    BAPI
    BD10
    BD100
    BD101
    BD102
    BD103
    BD104
    BD105
    BD11
    BD12
    BD13
    BD14
    BD15
    also included object PLOG where maintained org data
    and created a derived role from that master role and generated from the master role.
    After that I wanted to change the org level but the system is not allowing me to change it, although I selected the values from the F4 screen.
    Now I want to maintain a separate org value for each of the derived roles, and when adjusted from the master role these maintained values should not vanish.
    How should I proceed?
    I have another issue. I am now in the Dev system and I need to create a role for the FICO module with SPRO.
    Should I go ahead and create a role, assign the FICO block and assign SPRO? Will that be sufficient?
    Thanks in Advance
    Regards,
    Souren

    Yes, It seems that you have broken the org level by directly making changes in the org level field inside pfcg.
    One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields.).
    If you want only for PLOG, then delete this object and add again. Then go to organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to derived role. Now, goto derived role and make the org level change the same way you did for parent role..
    For your second question, you will have to see which auth objects are being checked by SPRO for a FICO module associate. You can create a test role with SPRO in it and then do an authorization trace through ST01 to see which objects are checked when they work.

  • Master role-derive role concept?

    Hi all,
    I have created a master role with t-codes
    AWUW
    BAPI
    BD10
    BD100
    BD101
    BD102
    BD103
    BD104
    BD105
    BD11
    BD12
    BD13
    BD14
    BD15
    also included object PLOG where maintained org data
    and created a derived role from that master role and generated from the master role.
    After that I wanted to change the org level but the system is not allowing me to change it, although I selected the values from the F4 screen.
    Now I want to maintain a separate org value for each of the derived roles, and when adjusted from the master role these maintained values should not vanish.
    How should I proceed?
    Thanks in advance
    Regards,
    Souren

    you should refer to the SECURITY forum at Security

  • Concept of groups vs concept of roles

    Hi!
    I'm designing an LDAP structure mainly for authentication and authorization of users. I want to use the LDAP server for applications, intranet (different platforms like linux, NT, ...) and portals.
    I read the Admin guide about groups and roles and found that there aren't that many reasons for using roles instead of groups. The only real difference (as I understood it) is that when using roles, I don't have to search for the groups a user is a member of, because every user contains the nsrole attribute with all the roles he is a member of.
    One big reason for not using roles is that they are quite specific to iPlanet Directory Server. If one ever changes to another product (for example OpenLDAP) the roles concept may or may not be the same. When using groups I don't have that problem.
    (If my information about that is incorrect please contradict!)
    A mixture of groups and roles is a quite bad idea because if I put a group in a role, the "nsrole" attribute is added only to the group but not to the members of the group, so if I use roles, I should stick to them and should not use any groups.
    As I said at the beginning, I am planning an LDAP structure. I don't have any "real life LDAP experience", so if your experience is different, please tell me.
    Thanks in advance for your opinion!
    Florian

    > 1. Why there could be a problem without scopes in groups. If I have two companies and each of them has a group "employees". Two companies would probably be separated in two different subtrees, so I just use a dynamic group, where I can specify a subtree where group members can be located, or I use static groups, where I define each entry.
    You see, you had to make a choice on which group type you could use - not because one was more convenient for defining members for the problem at hand, but because only one would work at all.
    One thing I did not mention about roles' advantages: they all work the same way - if a new role type were invented, applications written to work with roles prior to the new role would still work with that role type. Group types are so different that forward compatibility is not possible - mostly because to even use groups, applications have to do all the work to do common things like enumerate the group, enumerate the groups an entry belongs to, test for group membership etc.
    > 2. The coding logic for group evaluation with dynamic and static groups and even mixtures of it is quite complicated, it is much easier to ask an entry for a roledn and that's it, but do most clients support roles?
    Probably not. But then roles have not been around as long. I don't have any hard data on how many apps use roles - you would be surprised how hard it is to get that data for a developer.
    > As far as I know roles are not used in any other LDAP server.
    Well, the Sun DS and the Netscape DS (which admittedly were once the same thing) both support the same roles.
    > So you can optimize applications implementing role-based queries, but if you have an OpenLDAP environment you also need a possibility to use groups.
    Talk to the OpenLDAP people about that. I believe they (at one time at least) decided to support the Netscape slapi interface - roles have interface components in that API.
    I do understand what you are saying - there isn't an RFC, so other servers don't support roles. Well, I'm sorry, I never got around to it. To be perfectly frank, a lot of LDAP RFCs/Drafts merely describe some proprietary mechanism which other servers never adopt. Some even describe mechanisms that nobody has ever implemented.
    When it comes down to it, it is only you who can decide whether being able to move to OpenLDAP or some other server without any reimplementation is an important consideration. Every server will have features not supported by others, and if your choice is to use only those that are commonly supported, then that is your choice.
    Roles will allow much less complex coding in order to use them and they are much faster than equivalent client-side operations, but the price is non-conformance with other servers. But when that non-conformance simply boils down to entries which merely "describe" the groups without adding application-level functionality - how much have you really lost? Well, until you need to change server vendor you have only gained, and then you'll need to put in the effort you saved earlier.
    > On the other side, what applications do support roles right now? (I really don't know)
    Apart from applications by vendors that also supply DS I don't know either - but support for features such as this needs to come from customers of those products. It is surprisingly simple to add support for roles in a product (for most it will almost be free) - much simpler than for groups.
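    The client-side group evaluation the reply contrasts with roles, as an added example (not code from the thread): it resolves effective membership over a constructed in-memory directory with static (groupOfUniqueNames), dynamic (groupOfURLs/memberURL) and nested groups, and sets that beside reading the server-computed nsrole attribute. The entries, the subtree filter and the nsrole values are constructed; only subtree scope and a single equality or presence filter are handled.

```python
"""Client-side group evaluation versus server-computed roles.

Added example, not code from the forum thread. The in-memory directory,
its entries, the memberURL filter and the nsrole values are constructed;
nsrole is written here as the server would already have computed it.
"""
from urllib.parse import unquote

# Constructed directory: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "uid=alice,ou=people,o=acme": {
        "objectclass": ["person"], "departmentnumber": ["100"],
        "nsrole": ["cn=acme-staff,o=acme", "cn=finance,o=acme"],
    },
    "uid=bob,ou=people,o=acme": {
        "objectclass": ["person"], "departmentnumber": ["200"],
        "nsrole": ["cn=acme-staff,o=acme"],
    },
    "uid=carol,ou=people,o=globex": {
        "objectclass": ["person"], "departmentnumber": ["100"],
        "nsrole": [],
    },
    # Static group: explicit member DNs.
    "cn=finance,o=acme": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=alice,ou=people,o=acme"],
    },
    # Dynamic group: an LDAP URL scoped to one subtree, as the reply describes.
    "cn=acme-staff,o=acme": {
        "objectclass": ["groupOfURLs"],
        "memberurl": ["ldap:///ou=people,o=acme??sub?(objectClass=person)"],
    },
    # Mixture: a static group whose only member is the dynamic group.
    "cn=everyone,o=acme": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["cn=acme-staff,o=acme"],
    },
}

def is_group(dn):
    classes = DIRECTORY.get(dn, {}).get("objectclass", [])
    return any(c.lower() in ("groupofuniquenames", "groupofurls") for c in classes)

def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def matches_filter(attrs, flt):
    """Only a single equality or presence filter, e.g. (objectClass=person)."""
    name, _, value = flt.strip("()").partition("=")
    values = [v.lower() for v in attrs.get(name.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def parse_member_url(url):
    """Split 'ldap:///base?attrs?scope?filter' into (base, scope, filter)."""
    parts = unquote(url[len("ldap:///"):]).split("?")
    parts += [""] * (4 - len(parts))
    return parts[0], parts[2] or "base", parts[3] or "(objectClass=*)"

def is_member(dn, group_dn, seen=None):
    """Client-side membership test: a different algorithm per group type."""
    seen = set() if seen is None else seen
    if group_dn in seen:                      # cycle guard for nested groups
        return False
    seen.add(group_dn)
    group = DIRECTORY.get(group_dn, {})
    classes = [c.lower() for c in group.get("objectclass", [])]
    if "groupofuniquenames" in classes:       # static: walk the member list
        return any(m.lower() == dn.lower() or (is_group(m) and is_member(dn, m, seen))
                   for m in group.get("uniquemember", []))
    if "groupofurls" in classes:              # dynamic: evaluate each URL
        for url in group.get("memberurl", []):
            base, scope, flt = parse_member_url(url)
            if scope != "sub":
                raise ValueError("only subtree scope is supported here: " + url)
            if in_subtree(dn, base) and matches_filter(DIRECTORY.get(dn, {}), flt):
                return True
    return False

def groups_of(dn):
    """Groups: the client must scan every group entry and test each one."""
    return sorted(g for g in DIRECTORY if is_group(g) and is_member(dn, g))

def roles_of(dn):
    """Roles: one attribute read; the server already computed nsrole."""
    return sorted(DIRECTORY.get(dn, {}).get("nsrole", []))
```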

  • Concept of Value, Task & Template Roles

    Hello,
    Can anyone explain the concept of value roles, task roles and template roles in SAP? I have heard about single, composite and derived roles in SAP.
    Also, can there be a transaction in derived roles independent of the parent role? I mean a transaction that I could add to the derived role only, in addition to the transactions that the derived role will inherit from the master role. If yes, what will be its effect on auth. objects etc.?
    Kind Regards, Ben

    Hi
    Single, composite & derived roles are technical role types.  Value, task & template are descriptions of how roles can be used and can often have different meanings. The most common ones are:
    Task: A single role (or could be a derived role) that represents a small piece of functionality such as create PO, display SO, create journal, change material etc.
    Template: Is sometimes used to describe a parent role or if derived functionality is not used, the transactional template for variants to be created that have different org level and / or field level restrictions.  It is also used for composite roles where you have the "shape" of the composite role defined with dummy roles and these are replaced with equivalents that represent the access required for the relevant org levels.  There are probably a few other uses for the term template - like task and value, it is not a standardised term.
    Value: There is a design concept that has transactional content in one role and org level content in another role.  The org level/key restriction part is designed to reduce the number of variants created but this introduces complexity in other areas, e.g. it breaks SU24.
    It also describes a concept where you have small pieces of authorisation (e.g. cost centre, access to posting periods) where you can supplement the role build with discrete authorisations.
    Different transaction in a derived role: As Soumya said, this is not recommended.  You could do it by manually adding an instance of S_TCODE and adding the transaction in there however it breaks the derived role concept and as soon as you push changes down from the parent, the change will be overwritten.

  • Business Partner Role Specific Field View in WebClient

    Hello to everyone,
    I have a question that really needs an answer.  We are upgrading from SAP CRM v4 to SAP CRM v7.0 and as such we have a number of custom Business Partner Roles within the Person BP Type.  Against these custom roles we have developed custom fields and tabs in order to separate the content within the BP Role further.
    After rolling off an implementation of SAP CRM v6.0 [2007], the following seems apparent:
    - Assignment of Roles is done via an assignment block in the Customer Maintenance view.
    - You can create Business Partners in different roles initially.
    - You cannot maintain Business Partner details in specific roles
    However, you cannot display the role specific fields as you can in the WinClient.  As an example, a Citizen Role BP will have different fields to that of a Teacher, but these roles could be assigned to one Business Partner.
    There does not seem to be any guidance as to how this is managed in the WebClient, and as it seems a fundamental part of the SAP CRM offering, you would have thought that this question has been asked, but I have found no answers.
    I really hope anyone can help and appreciate any time and effort put into solving my question.
    Many Thanks,
    MatFlat.

    Hi MatFlat,
    Yes, your observation is right - in the Web UI, field grouping is not implemented for roles. This is because the role concept is quite different between SAP GUI and Web UI.
    In SAP gui, (CRM 4.0) roles had a functional meaning as well as a UI control. However, the concept was changed with Web UI. Now, roles have only a functional meaning, and no effect on the UI at all.
    If you want to implement role based field grouping in Web UI, you need to define your own methods in the implementation class.
    E.g : you can write code to influence the field properties based on the roles. I guess you can redefine the DO_PREPARE_OUTPUT  methods of the impl class.
    In order to get info about which roles the BP is maintained in, you can use FM BUPA_ROLES_GET_2.
    Hope this helps you.
    Cheers,
    Rishu.

  • Analysis Authorization (Role, Profile and Direct Assignments)

    Analysis Authorization Question:
    1) In the BW 3.x environment, customers have used the Role Maintenance process to assign proper object-level security and then assign it to the users.
    2) In most places the R/3 security team takes over the support/administration function of BI Security and they continue to use the Role method to assign "Reporting Authorizations" as per the process defined in the BW 3.x system.
    3) Customers sometimes have 100+ roles to hold 3.x "Reporting Authorizations". This is managed, assigned and approved using the role concept.
    Migration Options:
    1) The new Analysis Authorization makes the process of Role Maintenance like the "hierarchy authorizations" of BW 3.x. You have to create values in other transactions and assign them in the Role as a pointer or link object. With the Analysis Authorization concept, the actual value of the object assigned (like Company code 1100) is not visible in the Role Maintenance PFCG transactions. It is only visible in transaction code RSECADMIN.
    2) The Analysis Migration Tool RSEC_MIGRATION does not update "ROLES". It creates or changes "PROFILES".
    3) Profiles are assigned to the users and Roles do not reflect any impact from the Analysis Authorization migration.
    Questions
    a) This means customers need to update all the roles by hand if they want to use Roles to manage the assignment of security to users. The Migration Tool does not update Roles, it only updates PROFILES.
    b) Does anyone use direct assignment to users? Is it good business practice?
    c) Are Profiles the recommended method of authorization maintenance?
    d) Can we run the migration tool to create Analysis Authorizations, but not assign them to the users as a Profile, and stop at creating Analysis Authorizations? If the customer wants to use the Roles maintenance process, then they do not have to delete the profile assignments from all users before updating Roles using Analysis Authorizations.
    Just want to check how other folks have done migration that can be supported going forward.
    Pankaj Gupta

    Hey Pankaj,
    In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
    Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
    RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

  • Publishing Queries to Roles

    Hello Gurus,
    I would like your take on the practice of publishing BW queries to roles. For example, there are 10 sets of queries and these 10 are published into a role for each company that exists. So in essence, if there were 20 company codes we will have 20 roles containing 10 queries hardcoded with a company code. I spoke to our BW developer to get an idea as to why this is being done instead of restricting access through S_RS_COMP. The response was that this was done for performance reasons (something to do with the queries linking directly to the InfoProvider containing the information rather than going through all of the InfoProviders). So, rather than leaving the query open and the user entering the parameter themselves, it was decided that the queries were to be hardcoded to cut down the time it takes for the system to display the results.
    Has anyone experienced this issue before? My goal is to set up a derived role where the child roles are restricted by S_RS_AUTH for the company codes and query access is through S_RS_COMP instead of being published to a single role. Before I do this I would like to figure out a way to move away from this practice without affecting performance for end users.
    By the way our users access these queries through the Bex Analyzer. 
    Thanks,
    Wes

    Wes,
    Using derived roles in BW or S_RS_AUTH may not be the best design, as the field for S_RS_AUTH does not appear as an org level. So you are not really going to have any advantage by going with the derived role concept in terms of maintenance effort.
    With 10 queries and 20 company codes you will not need 20 roles because of company code; just update the queries with the appropriate authorization variable for company code and restrict users on company code. Just 20 company codes should not cause any performance issues.
    Also, with hardcoding the queries for each single company code, how are you resolving the scenario where a user has access to more than one company code, or global access?
    Regards

  • Business role in IC

    Hi experts,
    I have some confusion understanding Business Roles in the Interaction Center.
    Scenario:
    A call center is set up with 100 CSRs, where everyone's role is the same.
    Here my confusion is: do we have to create a different business role for each CSR, or can we assign only one role to the Org for all the users?
    If I am assigning one role to all users, how is it going to differentiate them from each other?
    Ex: one CSR created search criteria one way and another created them differently; if 100 are creating them, will all 100 search options be available to all? If yes, searching this search criteria itself is a problem?
    How about the recent items?
    If we are using only one business role, how are we going to differentiate between the users?
    How is the Business Role concept used in IC?
    Regards

    Hi,
    Thanks for your reply.
    Here is the scenario I am explaining again:
    A call center is set up with 100 CSRs, where everyone's role is the same.
    1. Here my confusion is: do we have to create a different business role for each CSR, or can we assign only one role to all users (as I know we can assign from the Org)?
    2. If I am assigning one role to all users, how is it going to differentiate them from the other users?
    Ex: one CSR created search criteria one way and another created them differently; if 100 are creating them, will all 100 search options be available to all? If yes, searching this search criteria itself is a problem?
    3. How about the recent items?
    4. If we are using only one business role, how are we going to differentiate between the users?
    How is the Business Role concept used in IC?
    My confusion is with Business Roles: how are they differentiated between the users if it is only one role?
    Thanks in advance.

  • Business Partner Role  and Business Partner Grouping

    Hello Everybody!
    Business Partner Role  and Business Partner Grouping.
    Which correlation exists between these attributes?
    In which table is this info stored? In order to create, I can use
    e.g. BUPA_CREATE_FROM_DATA,
    but what is the way in reverse? Suppose I want to obtain the information
    about an existing business partner, which group he has etc.
    Regards
    sas

    Dear Sas,
    Business Partner Grouping is used to determine the number ranges to be used by the business partner at the time of creation.
    Business Partner Role determines the subset of all the data available to be shown and edited.
    I will give you a very simple (but imaginary) example for understanding the role concept: the business partner in the role of employee might allow you to enter a department ID. So this field should be available to you for input when you edit the business partner in the role of employee. But suppose the same business partner is also a person who is your customer. And your customer will require a default payment term. So this field should be available for input when you edit the business partner in the role of a customer. Also, some applications use these roles to determine if the business partner is suitable for a particular transaction. In the above example, the Payroll application will only allow those Business Partners to be used if they are maintained as an employee. Similarly the sales application can mandate that you can only sell a product to a business partner if he is maintained in a 'customer' role.
    Please understand the example above is not real but given for the understanding of the concept of role.
    You can use the function module 'BUPA_CENTRAL_GET_DETAIL' to find the business partner group. And you can use the function 'BUPA_ROLES_GET' to find the role assigned to a Business Partner.
    Regards, Rakesh
