SOX report containing only composite, without single roles.

Similar Messages

• HTTP 400 Bad Request Invalid URL error when URL contain only percent "%" without any Hexadecimal

  Hi All, I'm trying to redirect a custom error page when URL contain percent "%" symbol. But when I use percent "%" symbol in URL (https://mctest.aspial.com.sg/%), its saying below error. I don't want to show this error message. I want
  to redirect users to custom error page.  I already added custom error page in IIS & Web.config file for status code 400. But It's now working. It's still showing the same error.
  Bad Request - Invalid URL
  HTTP Error 400. The request URL is invalid
  Is there any way to redirect custom error page when URL contain only "%" symbol? Anyone please help me on this. Thanks advance.
  Below are my server details:
  IIS version 7.5
  .Net Framework 4.0

  I see, so the issue isn't with the % in the query string but rather the URL path itself.  In that case I don't believe this is anything related to your app but rather the web server.  When you provide a URL the web server has to map that to an
  application.  Depending upon where the character falls determines who gets to handle it.  Since the % is next to the domain name it is most likely not being mapped by the web server so you get the general 400 error.  Since this isn't an app
  issue but a server level issue you'd have to redirect at the server level (in IIS: Server\Error Pages). If the % is inside an application's virtual directory then it becomes an issue for the application (in IIS: Site\Error Pages).
  But things can get more complicated.  The web server generally has filters so it won't support requests for certain things (like web.config in ASP.NET apps).  Filtering can be done anywhere between the server and the application.  Complicating
  this is virtual path providers (like MVC). 
  To be honest I don't think you should be worrying about this scenario.  An invalid % in a URL is a bad request so you shouldn't try to treat it differently than a regular 400 error.  In fact I'd say that it could be a security hole (depending
  upon what you're doing).  So you can customize 400 errors at the server or app level if you want but I wouldn't bother trying to distinguish bad URLs from bad requests.
  I recommend you post this question in the ASP.NET forums (http://forums.asp.net ) to see if anyone has a better answer.
  Michael Taylor
  http://blogs.msmvps.com/p3net

• Report to view composite  and master role changes

  Dear All,
  i would like to know list of master role and composite role changes, i searched in SUIM for change document for roles,which gives all role changes, which is not solving the pupose.my requirement is past perticular period any composite role got changed and new tcode got added to master role

  ramesh,
  try SUIM-change document -> For roles  / or reports
  Role:    RSSCD100_PFCG
  for  User         (RSUSR100)
    A profile    ( RSUSR101)
    An authorization (RSUSR102)
  A role assignment (RSSCD100_PFCG)
  just wanted to let you know that SAP meanwhile developed a new report RSUSR100N. I think it's only available with a certain SP level (at least in ECC 5.0).
  Thanks
  sri

• Role prefix for XI custom composite/single roles

  We have XI custom composite roles which start with TI_XI_* and contain single SAP roles (SAP_) and single custom roles (AAW:). Are we forced to use a certain XI role naming standard at the composite and single role levels due to Java authorizations?
  Thanks,
  Brad

  Just transport it rather than upload it.  The generated profiles will be carried through with their existing convention.
  If you need to have different profile names due to the naming constraints then LSMW or SECATT will let you do this easily.  If you are not familiar with the tools then 1. Take time to learn one of them (they are very useful) or 2. Do it manually.  60 profiles can be named in 30 minutes or less if you already have created the profile names in a spreadsheet, text file etc.

• Role prefix for custom composite/single roles

  We have custom composite roles which start with TI_XI_* and contain single SAP roles (SAP_) and single custom roles (AAW:). Are we forced to use a certain role naming standard at the composite and single role levels due to Java authorizations?
  Thanks,
  Brad

  Just transport it rather than upload it.  The generated profiles will be carried through with their existing convention.
  If you need to have different profile names due to the naming constraints then LSMW or SECATT will let you do this easily.  If you are not familiar with the tools then 1. Take time to learn one of them (they are very useful) or 2. Do it manually.  60 profiles can be named in 30 minutes or less if you already have created the profile names in a spreadsheet, text file etc.

• Add a single role to different composite roles in one step

  Hello everybody,
  I am working on SAP authorizations, and we often have the situation that a new Tcode is developed and a new role for this Tcode needs to be created.
  Than this new role needs to be added to many different composite roles (sometimes more than 100). At the moment I enter the single role to the composite role and regenerate the menu and this one by one. After that I add them with PFCG_MASS_TRANSPORT to my transport request.
  I don't want to believe that there is no easier way. Any ideas?
  Thank you
  Flo

  Hi Soma,
  great to find a place to be welcome..Thanks
  What you wrote definitely makes sense, but we agreed that every user only gets one composite role assigned and this composite role contains all single roles needed for his job. We do not assign single roles to users.
  The requirement is that every finance guy should get access to it (by the way, it is a report) unfortunately we have many different sites and may different composite roles for the different positions in the finance area.
  And I did not identify a role which is part of every composite role in the finance area, so I would either have to add it to the most common role present in these composite roles and additionally create a new role which gets assigned to the composite roles where I add the T-Code to is not present.
  -> In this example I would add one T-Code to two roles. Which our security manager disallowed me...
  or make this role available in all finance composite roles, which will give these employees access to other T-Codes which are part of the role but which they should not receive.
  -> Which again... our security manager disallowed me...
  So the only solution I imagined was to create a new role which contains this T-Code and to add this role one by one to every composite role.
  And at the end, your concept is also taken into account because the design of this role is open and if we get a new reporting T-Codes which again need to be added to all Finance guys, I definitely add it to this role
  Comments?
  Cheers
  Florian

• How to find the T-codes that's in a Single Role & Composite Role??

  Hi all,
  Some of the user have authorization to particular t-codes. However single roles are not created for them.
  Now I need to assign authorization to that particular t-code to a new employee.
  Since the single role is not there, I do not know how to find if it is inside a composite role.
  Which table should I find all the t-codes that are assigned to a single role / composite role?
  pls help.
  Regards,
  Pri

  Rakesh Kulkarni wrote:>
  > Table AGRS_TCODES give the roles with their tcode assignment.
  Beware of AGR_TCODES, it only reports transactions entered into the role menu. If you query table AGR_1251 filtered on object S_TCODE you get the actual transaction authorizations.
  Besides that, authorizations are always in single roles, so if you cannot find them there there's no point in searching through the composites.

• Assign single role to composite role with alternate logsys assignments

  Dear gurus,
  In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
  Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
  But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
  Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
  Cheers,
  Julius

  Hi Martin and others,
  I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
  While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
  Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
  You also dont see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send aditional Idocs for these single roles with targets assigned to the roles and not the user.
  There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
  That is a bit of a bummer because it means that you also cannot ever test anything...
  Did anyone ever try to actually use this?
  Cheers,
  Julius

• Composite menu regeneration from single roles

  Hello,
  When I have to maintain (add or remove tcodes) and transport a "single" role that is part of a composite role, the role menu for the composite is out of synch with the single role's transaction content.
  The manual fix for this is to go into the composite role via PFCG in the destination system and push the Read Menu button. This will read the latest menus of the single roles.
  I would like to know if there is a job that I can schedule that can synchonize the composite role to the single roles assigned to it, or basically a refresh of the composite menus.  Is there any function that can do a mass menu update for a selection of composite roles?
  The only other way I can think of doing this is writing an LSMW or CATT script to do this, but I would like to find a better way of doing this if available.
  Thanks,
  Ryan

  I don't think this is a feasible approach because 1 single role change can be linked to many composites (as designed) in our environment.  I would not want to change every composite and transport them together with the single role.  Also, it seems that composite transports take a lot of time to import, so I don't think our basis guys would be happy with us doing that. I have found that the menus can be re-imported in the production system w/o the need for transport, etc.  I just think that manually refreshing the menus is going to be a maintenance struggle, especially since we have around 200 designed composite roles in our production environment.
  Thanks,
  Ryan

• Domain's "$DOMAIN-diagnostic.log" file contains only incident reports

  Domain's "$DOMAIN-diagnostic.log" file contains only incident reports
  In OSB 11.1.1.4.0, the domain's $DOMAIN-diagnostic.log file contains ONLY lines like:
  [2011-04-18T11:40:55.362+10:00] [CWSOATS2_OSB1] [NOTIFICATION] [DFW-40104] [oracle.dfw.incident] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <WLS Kernel>] [ecid: a9082073e3c17b68:4cae68eb:12f662ee536:-8000-0000000000000634,0] [errid: 16] [detailLoc: e:\wldom\cwsoats2\servers\cwsoats2_osb1\adr\diag\ofm\cwsoats2\cwsoats2_osb1\incident\incdir_16] [probKey: BEA-337 [WebLogicServer]] incident 16 created with problem key "BEA-337 [WebLogicServer]"
  Previously, this file would contain a record of the activity of my JCA DBAdapter polling adapters.
  I have seen this on all instances of OSB 11.1.1.4.0 to which I have access (all on Windows: desktop Win7 and server 2003R2).
  Googling hasn't explained this to me: what this really means; why it occurs and what actions (if any) are needed to rectify this situation.
  Can some kind member of this forum clarify things, please?

  Hi,
  Do you mean that when you remove the user’s workstation computer accout from AD then re-add it, the user still can use these "elevated" privileges to access other user directories? 
  Please check the permssions of the user directory network share on the user’s workstation to see if the permissions are the same with other worksatations. If you enable the offline files on the user’s workstation, please also disable the offline files to check
  the results. 
  Best Regards,
  Mandy 
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Access Violation within a Single Role Report displays duplicate data

  The output of the 'Access Violation within a Single Role' report under Incident Reports in GRC includes some rows which repeat with identical data.
  I created a test responsibility with conflicting controls in Oracle r12 instance to find out whether it gets reflectedwhen i run the report. But i didnt find the responsibility.
  Is it a set-up error or is there a logic behind this occurance? Please provide inputs.
  Edited by: 963133 on Oct 4, 2012 5:25 AM

  I believe the conflicts shown would show up as many times as there are violations. So if a particular control had 2 entitlements and those had several access points, I would think a violation would show for each access point. Can you confirm this?
  Also do you have the latest AACG? This will help verify that you have the latest with bug fixes.

• ECATT to mass delete singles roles from a composite

  Hi,
  I am creating an eCATT to delete singles roles from multiples Composites roles. The eCATT takes the same position of the single role for each composite.  And of course the single role may differ per role.
  Could someone help?
  Thank you in advance,
  Yolanda

  HI Garcia,
  I didnot quite get your example as I am not familiar with the roles tables or transactions.
  But, if I understood ur requirement, you want to delete all those single roles (some specific role) from a list of roles.
  I am not sure how the transaction looks here, but a standard way of doing it is to record one execution of deleting the role using TCD or SAPGUI using the position button when available, entering the role name, selecting the delete button on the screen and then save.
  Now, when you check the database table for the number of occurances that this type of role is present, collect the count of the table into a local parameter and execute the earlier script of deleting multiple times using DO command.
  Select count from <tabname> where <role field> is <value> into <Local parameter>.
  and use the earlier script with in
  DO (<local parameter>).
          SCRIPT
  ENDDO.
  This ideally works. You can come back if u need any additional inputs.
  Best regards,
  Harsha

• SRM Roles - Composite versus Single

  Hi Guru's
  I am at the devlopment stage of building roles for an SRM implementation and have been advised to build composite roles as opposed to single roles.
  What are your experiences of composite roles against single roles in SRM ?
  In other modules we have found single roles to be better as they are easier to analyse as far as errors are concerned ,also with the absence of an SU53 type transaction in SRM I would imagine that analysing errors in composite roles will prove more complicated than in single roles.
  Has anyone experience or advice on this issue ?
  Thanks
  Simon

  Hi if you need to do this from  a NON-CUA system  to all other systems in your landscape go to transaction PFCG
  1. Transaction PFCG
  2. Perform mass import of roles  from  other systems to the reference system( or the system you wish to do this analysis)
  3.Click on role tab on the main menu , choose read from other system by RFC
  4. Then You can enter either an RFC destination
  or a variable which points to an RFC destination as target system
  (Define variables in transaction SM30_SSM_RFC).
  5. Now you can follow the instruction as per other Experts instruction ( AGR_AGR ) table
  Follow the above steps if you need to do this for various other SAP systems.
  Basically you are getting all the roles to one central place
  secondly an RFC connection with necessary authorization  is required between each of the systems you are trying to analyze
  Edited by: Franklin Jayasim on Jul 14, 2010 6:54 PM
  Edited by: Franklin Jayasim on Jul 14, 2010 7:15 PM

• FM Assigning of Single Roles to Composite Roles

  Hello everybody,
  I spend the whole day to a find a solution using any source I know and I couldn't find an solution. So sorry if this question has been asked before.
  My Question is:
  Can you tell me a Function Module which assigns/removes a Single PFCG Role to a Composite PFCG Role.
  Regards Max

  Hi,
  You can add the as many single roles but you cannot add the Composite Roles in Composite Role.

• Can't get around this error after adding second dataset...A scope is required for all aggregates used outside of a data region unless the report contains exactly one dataset

  I added a dataset to an existing report and broke an aggregation.  In the old (i.e. single dataset) report, this expression below worked fine.  I wanted to get a distinct count of the vst_ext_id field when my educated field was like "VTE1*"
  = CountDistinct(IIF(Fields!educated.Value like "VTE1*", Fields!vst_ext_id.Value, Nothing))
  After adding a new dataset, this no longer works and I get the error " A scope is required for all aggregates used outside of a data region unless the report contains exactly one dataset".  Having done some research online, I found that I
  needed to specify my dataset explicitly and I thought this new expression might work, but still no success...
  = CountDistinct(IIF(Fields!educated.Value,"DataSet1" like "VTE12*", Fields!vst_ext_id.Value,"DataSet1", Nothing))
  Am I missing something?  Based on online responses, this explicit dataset naming convention seems to help most people, but it isn't working for me. 
  Thanks in advance!
  Brian

  I found the answer.  Apparently, my expression syntax was off.  This expression does the trick...
  = CountDistinct(IIF(Fields!educated.Value like "VTE12*", Fields!vst_ext_id.Value,Nothing),"DataSet1")
  I just happened upon this particular syntax searching online.  I was trying to specify the dataset name after each .value, but I never got that to work.   This is the only time I have found this particular syntax online.