SoD Analysis, tables to relate roles, transactions and auth objects

Hi everyone,
I am analyzing my company's SAP roles in terms of segregation of duties, however I am having a problem.
I need a table/report to give me, for each role, every transaction, and for each transaction in the role, every authorization object.
For example, I want to know for Role B that it has transaction C, which has the following authorization object D with values X and Y.
Therefore I want to know, for each role and its respective transactions, which are only display and/or execute and/or editable. How can I do that?
Thanks!

Hi,
There is no default report/table which gives you the required information. However, you can achieve this by using SQVI. Join the tables, and create a tcode for the same. Refer to the link below:
Re: SAP Query in SQVI transaction
Alternatively, you can download all the data into spreadsheet and create Pivots to plot the information.
The other alternative is to have a custom program built which takes the information from AGR_DEFINE, AGR_AGRS, AGR_1251, AGR_1252, AGR_TCODE tables.
Hope this helps!!
Regards,
Raghu
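
A sketch of the "custom program" route from the answer above, added here as an example and not code from the thread: it joins exports of AGR_TCODE and AGR_1251 into one row per role, transaction and authorization object, and labels the ACTVT values as create/change/display. The sample rows are constructed, and the transaction-to-object mapping (`SU24_CSV`) is an assumed export of SU24 proposal data, since AGR_1251 stores values per role and not per transaction.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real role data). AGR_TCODE and AGR_1251 are
# tables named in the answer; SU24_CSV is an assumed export of the SU24
# proposals (which objects a transaction checks).
AGR_TCODE_CSV = """AGR_NAME,TCODE
Z_ROLE_B,MM03
Z_ROLE_B,ME21N
Z_ROLE_C,MM03
"""
AGR_1251_CSV = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,DELETED
Z_ROLE_B,M_MATE_WRK,T_B00001,ACTVT,03,,
Z_ROLE_B,M_MATE_WRK,T_B00001,WERKS,1000,,
Z_ROLE_B,M_BEST_BSA,T_B00002,ACTVT,01,03,
Z_ROLE_B,M_BEST_BSA,T_B00002,BSART,NB,,
Z_ROLE_B,M_BEST_EKO,T_B00003,ACTVT,*,,X
Z_ROLE_C,M_MATE_WRK,T_C00001,ACTVT,*,,
"""
SU24_CSV = """TCODE,OBJECT
MM03,M_MATE_WRK
ME21N,M_BEST_BSA
ME21N,M_BEST_EKO
"""

ACTVT_LABELS = {"01": "create", "02": "change", "03": "display"}


def load(text):
    """Parse one CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def activities(low, high):
    """Translate one ACTVT value, range or '*' into activity labels."""
    if low == "*":
        return set(ACTVT_LABELS.values())
    if high:
        return {lab for code, lab in ACTVT_LABELS.items() if low <= code <= high}
    return {ACTVT_LABELS.get(low, "actvt " + low)}


def role_matrix(tcode_rows, auth_rows, su24_rows):
    """Return one dict per (role, transaction, object) with values and access."""
    role_tcodes = defaultdict(set)
    for r in tcode_rows:
        role_tcodes[r["AGR_NAME"]].add(r["TCODE"])
    tcode_objects = defaultdict(set)
    for r in su24_rows:
        tcode_objects[r["TCODE"]].add(r["OBJECT"])
    role_auth = defaultdict(lambda: defaultdict(list))
    for r in auth_rows:
        if r["DELETED"] == "X":  # inactive authorization: grants nothing
            continue
        key = (r["AGR_NAME"], r["OBJECT"])
        role_auth[key][r["FIELD"]].append((r["LOW"], r["HIGH"]))

    matrix = []
    for role in sorted(role_tcodes):
        for tcode in sorted(role_tcodes[role]):
            for obj in sorted(tcode_objects.get(tcode, ())):
                fields = role_auth.get((role, obj), {})  # {} = object not granted
                access = set()
                for low, high in fields.get("ACTVT", []):
                    access |= activities(low, high)
                values = {f: [lo + ("-" + hi if hi else "") for lo, hi in v]
                          for f, v in fields.items()}
                matrix.append({"role": role, "tcode": tcode, "object": obj,
                               "values": values, "access": sorted(access)})
    return matrix


def display_only(matrix):
    """Rows where the role grants nothing beyond display for the object."""
    return [row for row in matrix if row["access"] == ["display"]]


if __name__ == "__main__":
    for row in role_matrix(load(AGR_TCODE_CSV), load(AGR_1251_CSV), load(SU24_CSV)):
        print(row)
```

In the sample, Z_ROLE_C holds only the display transaction MM03 but carries ACTVT `*` on the object, which is the kind of mismatch a transaction-only review misses.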

Similar Messages

  • APO roles and auth objects

    Hello all,
    Can someone tell me the most commonly used Tcodes, roles and auth objects in SAP APO - DP and APO-SNP security?
    thanks

    I was going to type them out but luckily for me found this link to the DP & SNP auth objects - the info there is as detailed as anything else I have seen
    http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/content.htm
    There is a list of useful APO transactions here
    http://help.sap.com/bp_scmv241/documentation/SCM_AIO_BP_Function_List.xls
    I can't help with the standard roles as I build my own.

  • Job role design - transaction role and auth object role

    Hi all, please kindly comment following job role design:
    (1) transaction role:
    Keep transactions in single job role to represent business processes in different application areas, e.g. MM: maintain PR, PO, OA. CO: maintain cost center, internal order. HR: maintain org structure, personnel management.
    The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
    (2) authorization role
    Keep application component related authorization objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role. Objects of HR in HR role.
    Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role, ...
    User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
    with MM transaction role + company A MM role + company A CO role.
    Please let me know the pros and cons of above design.  Thanks.
    Regards,
    Donald
    * I can see that the disadvantage of this design is that during an SAP upgrade (SU25), revisions of authorization objects will not be reflected in the authorization role.

    Brent Van Dyck wrote:
    Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
    That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
    In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
    But splitting cube / characteristics / key figures or infotype / personnel group / auth code into different roles can only go wrong.
    Another mistake some "value role experts" sometimes make is that they don't want SU24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side effect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
    Cheers,
    Julius

  • Relation between transactions and DTD's

    Hi,
    Is there any relation between transactions, transaction subtypes and DTDs?
    This is the case of 3rd party integration. I want to send an inbound message to the oracle xml gateway. This will be directly enqueued into generic queue - ECX_INQUEUE through AQ api's.
    But for exposing the DTD's and transactions, I am not able to find any relation between them ?
    Can anyone throw some light on this .....

    Same question here.....
    For the Buyer/Seller Sample in C:\orabpel\samples\tutorials\109.CorrelationSets, I found that the sample still works after I deleted the Correlation Set. So, what is the use of Correlation Set in this sample?

  • Table for relation between WIP and Production Order

    Dear All,
    Please provide me table having relation between Production Order Number and WIP for it.
    Regards,
    Sachin

    http://www.sap-img.com/
    Free ABAP eBook Download
    SAP MM, SD, FI, PS, PP, PM, HR, System Tables
    Regards,
    Rajesh Banka

  • How to find table having relation between opportunity and activity

    Hi All,
    I need to develop an ABAP report where when the user logged in runs the report. The report finds all opportunities to which the logged in user is the sales representative and find out the number of activities attached to the opportunity.
    Only completed activities should be counted. Show the count of the activities based on their category.
    The output should be in form of an ALV where the columns are:
    1) Sales representative
    2) opportunity number
    3) count of call tasks
    4) count of quote tasks etc.
    I need to cross check as to what categories are available to follow up tasks(BUS2000125) to an opportunity(BUS2000111) and based on that add or remove the columns specifying the count.
    Here
    1. How can I find out opportunity data associated to logged in user?
    2. How to get activity data related to opportunity?
    Thanks,
    Anup Garg

    done

  • CJ20N: handle Z table's related to project and wbs element

    Hi there,
    The requirement is to handle Z table for project and wbs element.
    Example:
    ZTAB1 has fields: pspnr | field1 | field2 (for projects)
    ZTAB2 has fields: pspnr | field3 | field4 (for wbs element)
    I found an enhancement that can read z table into internal table, i read it into screen and no problem.
    I use it for wbs element too.
    The problem is when the project has several WBS elements in the tree, and the user navigates and changes them.
    I can't control the data in internal tables, since the user is switching.
    How does standard SAP control the memory for each WBS element and project?
    How can I read and save it separately?
    Thanks in advance,
    Edited by: orgasmics on Nov 22, 2010 9:37 PM

    Hi,
    try table jest with key = prps-objnr
    Andreas

  • Table showing relation between BP and Org Unit

    Hello,
    I need to get the sales organization for a specific business partner. Is there any function module, or can you please tell the name of the table which has these two entries? Please consider as urgent.
    Neeraj

    Hi Neeraj,
    The FM CRM_BUPA_SELECT_BP_SALES_AREAS will get you the Sales Organization for the particular business partner Guids.
    The business partner guids you can get from the table BUT000 using the Business Partner Id.
    Hope this helps.
    Please let me know, if you have found out any alternate solution.
    Thanks.
    Best Regards,
    Arun Sankar.

  • Role creation and authorization objects in sap

    Hi
    i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
    Please explain the process in detail the use of PFCG and all its options and how to create Z roles

    Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
    - Roles are nothing but a container for authorizations. A role represents a specific part of an employee's job.
    - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
    For e.g. If a user wants to create a PO we can restrict him on:
    •     Activity: Create/Change/Display
    •     Org elements like Company Code, Plant, Purchase Organization etc.
    •     Document type etc.
    - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
    - Fields: The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & 03 (Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
    - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile.
    - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save, the system will auto generate a profile name.
    - Authorization checks are included in the transaction's source code in standard SAP R/3. A user may carry out an action if the authorization check is successful for each field in the object.
    Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

  • Appraisals object type VA and auth object P_HAP_DOC

    The system is running 2005 version. While running
    APPCHANGE tcode the program ignores values in PD Profile
    for object type VA. Furthermore the program bypasses
    the check against P_HAP_DOC object. Any hints why this happens? F.ex 2005 IDES system we have performs these checks ok.

    Hi Carlos,
    The Otype VA - Template, VB- Criteria group and VC - Criterion.
    The hierarchy is as follows
    VC is below VB, which is below VA.
    The objects as such will be created in the HRP1000 as usual.
    In addition, there are tables which starts with HRHAP* which holds the appraisal document related data.
    But the table contents cannot be seen from SE11 or SE16. Create a SQ01 Quick viewer query for the Database tables.
    Hope this helps.
    Reward points if it helps you.
    Regards,
    Subbu.

  • "created by" in SAP transactions and CE BPM

    Dear all,
    In most of the transactions, e.g. create Purchase Order, "created by" is a field available in the BAPI. In case of Investment approval processes "created by" is populated by the ID assigned to logical destination "BASIC" authorisation.
    How is this implemented, any guideline?
    If an EP user creates a transaction on SAP, how do we get a report / analysis of EP user wise transactions and not the user specified in BASIS authorisation?
    How is licensing affected if we use BASIC authorisation?
    Ajay

    Hi
    How is this implemented, any guideline: CreatedBy, CreationDate, Time... these are some standard Business Attributes which by default get assigned to BAPI, EJB, other than our normal fields which are actually key attributes for that implementation. We do not need to give any value/implementation for these attributes; they take the data automatically from the system.
    Hope it helps .
    Best Regards
    Satish Kumr

  • Need all transaction codes related to SD and MM

    hi
    i am in need of need all transaction codes related to SD and MM.
    can anyone help me to get it.
    thanks in advance.

    Hi,
    The most frequently used transaction codes are as follows:
    1. VS00 - Master data
    2. VC00 - Sales Support
    3. VA00 - Sales
    4. VL00 - Shipping
    5. VT00 - Transportation
    6. VF00 - Billing
    Others as follows:
    At Configuration:
    1. VOV8 - Define Sales documents type (header)
    2. OVAZ - Assigning Sales area to sales documents type
    3. OVAU - Order reasons
    4. VOV4 - Assign Item categories (Item cat determination)
    5. VOV6 - Schedule line categories
    6. OVAL - To assign blocks to relevant sales documents type
    7. OVLK - Define delivery types
    8. V/06 - Pricing
    9. V/08 - Maintain pricing procedure
    10.OVKP - Pricing proc determination
    11.V/07 - Access sequence
    Enduser:
    1. Customer Master Creation-VD01 and XD01 (for full inclu company code)
        VD02 - Change Customer
        VD03 - Display Customer
        VD04 - Customer Account Changes
        VD06 - Flag for Deletion Customer
        XD01 - Create Customer
        XD02 - Modify Customer
        XD03 - Display Customer
    2. Create Other material - MM00
    3. VB11- To create material determination condition record
    4. CO09- Material availability Overview
    5. VL01 - Create outbound delivery with ref sales order
    6. VL04 - Collective processing of delivery
    7. VA11 - Create Inquiry
        VA12 - Change Inquiry
        VA13 - Display Inquiry
    Sales & Distribution
    Sales order / Quote / Sched Agreement / Contract
    · VA01 - Create Order
    · VA02 - Change Order
    · VA03 - Display Order
    · VA02 - Sales order change
    · VA05 - List of sales orders
    · VA32 - Scheduling agreement change
    · VA42 - Contract change
    · VA21 - Create Quotation
    · VA22 - Change Quotation
    · VA23 - Display Quotation
    Billing
    · VF02 - Change billing document
    · VF11 - Cancel Billing document
    · VF04 - Billing due list
    · FBL5N - Display Customer invoices by line
    · FBL1N - Display Vendor invoices by line
    Delivery
    · VL02N - Change delivery document
    · VL04 - Delivery due list
    · VKM5 - List of deliveries
    · VL06G - List of outbound deliveries for goods issue
    · VL06P - List of outbound deliveries for picking
    · VL09 - Cancel goods issue
    · VT02N - Change shipment
    · VT70 - Output for shipments
    General
    · VKM3, VKM4 - List of sales documents
    · VKM1 - List of blocked SD documents
    · VD52  - Material Determination
    MM Transaction Code
    All transaction are stored in table TSTC. 
    Transaction for MM module start with M. 
    IH09 - Display Material
    MM01 - Create Material 
    MM02 - Change Material 
    MM03 - Display Material
    MM50 - List Extendable Materials
    MMBE - Stock Overview
    MMI1 - Create Operating Supplies
    MMN1 - Create Non-Stock Material 
    MMS1 - Create Service
    MMU1 - Create Non-Valuated Material
    ME51N - Create Purchase Requisition
    ME52N - Change Purchase Requisition
    ME53N - Display Purchase Requisition
    ME5A - Purchase Requisitions: List Display
    ME5J - Purchase Requisitions for Project
    ME5K - Requisitions by Account Assignment
    MELB - Purch. Transactions by Tracking No.
    ME56 - Assign Source to Purch. Requisition
    ME57 - Assign and Process Requisitions
    ME58 - Ordering: Assigned Requisitions
    ME59 - Automatic Generation of POs
    ME54 - Release Purchase Requisition
    ME55 - Collective Release of Purchase Reqs.
    ME5F - Release Reminder: Purch. Requisition
    MB21 - Create Reservation
    MB22 - Change Reservation
    MB23 - Display Reservation
    MB24 - Reservations by Material
    MB25 - Reservations by Account Assignment
    MB1C - Other Goods Receipts
    MB90 - Output Processing for Mat. Documents
    MBRL - Return Delivery per Mat. Document
    MB1B - Transfer Posting
    MIBC - ABC Analysis for Cycle Counting
    MI01 - Create Physical Inventory Document
    MI02 - Change Physical Inventory Document
    MI03 - Display Physical Inventory Document
    MI31 - Batch Input: Create Phys. Inv. Doc.
    MI32 - Batch Input: Block Material
    MI33 - Batch Input: Freeze Book Inv.Balance
    MICN - Btch Inpt:Ph.Inv.Docs.for Cycle Ctng
    MIK1 - Batch Input: Ph.Inv.Doc.Vendor Cons.
    MIQ1 - Batch Input: PhInvDoc. Project Stock
    MI21 - Print physical inventory document
    MI04 - Enter Inventory Count with Document
    MI05 - Change Inventory Count
    MI06 - Display Inventory Count
    MI09 - Enter Inventory Count w/o Document
    MI34 - Batch Input: Enter Count
    MI35 - Batch Input: Post Zero Stock Balance
    MI38 - Batch Input: Count and Differences
    MI39 - Batch Input: Document and Count
    MI40 - Batch Input: Doc., Count and Diff.
    MI08 - Create List of Differences with Doc.
    MI10 - Create List of Differences w/o Doc.
    MI20 - Print List of Differences
    MI11 - Physical Inventory Document Recount
    MI07 - Process List of Differences
    MI37 - Batch Input: Post Differences
    CT01 - Create Characteristic
    CT02 - Change Characteristic
    CT03 - Display Characteristic
    CL01 - Create Class
    CL02 - Classes
    CL03 - Display Class
    CL04 - Delete Class
    CL2B - Class Types
    <REMOVED BY MODERATOR>
    Edited by: Alvaro Tejada Galindo on Apr 7, 2008 12:53 PM

  • Analysis Authorization (Role, Profile and Direct Assignments)

    Analysis Authorization Question:
    1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
    2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
    3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
    Migration Options:
    1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
    2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
    3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
    Questions
    a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
    b)     Does anyone use direct assignment to Users? Is it good business practice?
    c) Is Profiles the recommended method of Authorization Maintenance?
    d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
    Just want to check how other folks have done migration that can be supported going forward.
    Pankaj Gupta

    Hey Pankaj,
    In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
    Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
    RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

  • Does "Access Enforcer" only support "role" based SOD analyse?

    Hi Expert,
    In the demo script, when the user create the "Access Request Form", he can choose the "Role" he wanted from "Select roles" list, I'm just wondering whether each role here is corresponding to the role in the backend system? for example,
    If I choose role "Z_AP_ACCOUNTANT" actualy at that time there is a role called "Z_AP_ACCOUNTANT" already in the backend system if the system is a SAP ECC system.
    Another question is, if so, does that mean it can only support "Role" based SOD analyse? as you know, each role may contain several "authorization objects", can it be done from "authorization object" level?
    Thanks and best regards.

    Hi,
    The Roles are normally determined based on the SOD. Using T/code: PFCG the roles are mapped to the system. These Roles are common to all the systems, regardless of R3, Virsa etc.
    The roles also can be determined without SOD [but this is not recommended].
    The SOD is only to ensure that there exist no internal control weaknesses while creating the Roles at an organizational level. Thus it is only an exercise outside the System, be it SAP, Virsa or else.
    At the system level we map only the roles [using: PFCG]. We don't map SOD here. So, SOD or no SOD, the system supports the Roles.
    Hope this helps.
    Regards,
    Ramesh.

  • Tables Related to Transactions (OPP)

    Hi
    Our requirement is like this :-
    we need to get all the values of a particular transaction, e.g. Opportunity,
    from the database tables.
    As I checked in CRMD_ORDERADM_H & CRMD_ORDERADM_I, I passed the GUID num but I found few tables only.
    Is there any procedure to see all the relevant tables pertaining to the Transactions?
    As a functional consultant I don't know much about this.
    If possible, please tell me how to link the tables.
    Please help me to get out of this issue.
    Thanks in advance
    SK.Ahmed

    Hi Ahmed,
    Use FM 'CRM_ORDER_READ'
    and Pass the guid in Header_guid.
    You will get all the related details of Opp.
    Best Regards,
    Pratik Patel
    Reward with Points!
