SRM 7 role mapping and authorization queries
Hi all,
We are on SRM 7.01.
Can anyone confirm the following:
When standard SAP roles are copied, do all authorization objects get copied?
Also, if we need to check which authorization objects are being called for which transaction, how do I check this in SRM 7? In SRM 7 the transaction cannot be run in the backend, as all the transactions under a role in PFCG are Web Dynpro applications.
Hi, if you are trying to build custom roles you have 2 options.
1. Copy the standard roles into a custom role; all authorization objects get copied. Since you are on SRM 7.01, make sure you copy the EHP1 roles, which end with the suffix *EHP1.
2. Build the role from scratch. To do this you can ask your security person to give the minimum human-resource-related authorizations to a test user ID (so that it can log on to the SRM system to start the transaction). Then switch on the security trace while you run the transaction with the test ID on the portal. Using the trace, the security team member can identify the authorization objects required for the transaction. This will take a number of trials, but you have to be careful to execute every action within a particular transaction.
Hope that helps.
Regards,
Hussain
-
Use of default XACML with custom role mapper and authorization provider
Hi,
Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?
I see 2 approaches. First, write a custom authenticator that stores the role information in the Subject, either by creating a custom java.security.Principal that is stored in the Subject or by saving it in the PrivateCredentials of the Subject. Then write a custom role mapper that knows how to get the role information from the Subject and return a role map. The default XACML Authorizer will then work with the role information in the role map.
Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
The chosen approach depends on where you're getting the role information from. -
At one point I posted a forum entry and posted a solution for my entry regarding keeping the app deployments around while recreating/overwriting the domain using WLST offline: Keep App Deployments while recreating the domain in WLST offline
Things seem to work, except that I noticed that the XACML Role Mapper and Authorizer that were created the first time around (when there is no domain folder) are getting replaced by the default Role Mapper and Authorizer (on subsequent runs, when the domain folder already exists and we overwrite the domain).
Basically the first readDomain is causing this. Without reading the domain, I cannot get the app list.
System.setProperty("com.bea.cie.script.throwException","true")
appdeps={}
# Read the existing domain (if there is one) to remember its application deployments,
# so they can be re-created after the domain is overwritten below.
try:
    readDomain('c:/temp/basicWLSDomain')
    cd('/AppDeployments')
    apps=ls(returnMap='true')
    for app in apps:
        appdeps[app]=ls(app,returnMap='true', returnType='a')
except:
    pass
# Close the domain again; ignore the error if no domain was open.
try:
    closeDomain()
except:
    pass
#=======================================================================================
# Open a domain template.
#=======================================================================================
readTemplate("c:/wls11/wlserver_10.3/common/templates/domains/wls.jar")
#=======================================================================================
# Configure the Administration Server and SSL port.
# To enable access by both local and remote processes, you should not set the
# listen address for the server instance (that is, it should be left blank or not set).
# In this case, the server instance will determine the address of the machine and
# listen on it.
#=======================================================================================
cd('Servers/AdminServer')
set('ListenAddress','')
set('ListenPort', 7001)
create('AdminServer','SSL')
cd('SSL/AdminServer')
set('Enabled', 'True')
set('ListenPort', 7002)
#=======================================================================================
# Define the user password for weblogic.
#=======================================================================================
cd('/')
cd('Security/base_domain/User/weblogic')
cmo.setPassword('weblogic11g')
#=======================================================================================
# Create a JMS Server.
#=======================================================================================
cd('/')
create('myJMSServer', 'JMSServer')
#=======================================================================================
# Create a JMS System resource.
#=======================================================================================
cd('/')
create('myJmsSystemResource', 'JMSSystemResource')
cd('JMSSystemResource/myJmsSystemResource/JmsResource/NO_NAME_0')
#=======================================================================================
# Create a JMS Queue and its subdeployment.
#=======================================================================================
myq=create('myQueue','Queue')
myq.setJNDIName('jms/myqueue')
myq.setSubDeploymentName('myQueueSubDeployment')
cd('/')
cd('JMSSystemResource/myJmsSystemResource')
create('myQueueSubDeployment', 'SubDeployment')
#=======================================================================================
# Create and configure a JDBC Data Source, and sets the JDBC user.
#=======================================================================================
cd('/')
create('myDataSource', 'JDBCSystemResource')
cd('JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
create('myJdbcDriverParams','JDBCDriverParams')
cd('JDBCDriverParams/NO_NAME_0')
set('DriverName','com.pointbase.jdbc.jdbcUniversalDriver')
set('URL','jdbc:pointbase:server://localhost/demo')
set('PasswordEncrypted', 'PBPUBLIC')
set('UseXADataSourceInterface', 'false')
create('myProps','Properties')
cd('Properties/NO_NAME_0')
create('user', 'Property')
cd('Property/user')
cmo.setValue('PBPUBLIC')
cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
create('myJdbcDataSourceParams','JDBCDataSourceParams')
cd('JDBCDataSourceParams/NO_NAME_0')
set('JNDIName', java.lang.String("myDataSource_jndi"))
cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
create('myJdbcConnectionPoolParams','JDBCConnectionPoolParams')
cd('JDBCConnectionPoolParams/NO_NAME_0')
set('TestTableName','SYSTABLES')
#=======================================================================================
# Target resources to the servers.
#=======================================================================================
cd('/')
assign('JMSServer', 'myJMSServer', 'Target', 'AdminServer')
assign('JMSSystemResource.SubDeployment', 'myJmsSystemResource.myQueueSubDeployment', 'Target', 'myJMSServer')
assign('JDBCSystemResource', 'myDataSource', 'Target', 'AdminServer')
#=======================================================================================
# Write the domain and close the domain template.
#=======================================================================================
setOption('OverwriteDomain', 'true')
setOption('CreateStartMenu', 'false')
writeDomain('c:/temp/basicWLSDomain')
closeTemplate()
#=======================================================================================
# Exit WLST.
#=======================================================================================
exit()
So I thought I would create the XACML Authorizer and Role Mapper myself instead of letting the default domain creation process do it. But that is resulting in duplicates on the first run (when the domain folder does not exist), and in the subsequent runs (when the domain folder already exists) I see one XACML and one default.
cd('/')
create('base_domain', 'SecurityConfiguration')
cd('SecurityConfiguration/base_domain/Realm/myrealm')
ls('a')
create('XACMLAuthorizer', 'weblogic.security.providers.xacml.authorization.XACMLAuthorizer','Authorizer')
create('XACMLRoleMapper', 'weblogic.security.providers.xacml.authorization.XACMLRoleMapper','RoleMapper')
I am going nowhere with Oracle Support. I am wondering if anyone ran into this before. com.oracle.cie.config-wls-schema_10.3.6.0.jar has various SecurityConfiguration XML fragments, and the wrong fragment is being used when the domain is recreated.
I am thinking it is a logic issue in domain creation. -
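The situation described in this thread is a re-runnable domain script that sometimes ends up with two authorizers (one XACML, one default) and sometimes with the XACML providers replaced. Below is an added example, not the poster's script and not Oracle's code, of making the realm's provider set idempotent: the decision of what to create or flag is plain Python (so it can be tested outside WLST), and only the last function touches the WLST builtins. It assumes the provider names and classes from the poster's create() calls, that the legacy providers are named DefaultAuthorizer and DefaultRoleMapper, and that ls(type, returnMap='true') under the realm lists the providers of that type as in the script above.

```python
# Added example (not the poster's script): keep one XACMLAuthorizer and one
# XACMLRoleMapper in the realm across repeated runs of a WLST offline script,
# and surface any leftover legacy provider instead of silently keeping two.

# Provider names and classes are the ones from the poster's create() calls.
XACML_PROVIDERS = {
    "Authorizer": ("XACMLAuthorizer",
                   "weblogic.security.providers.xacml.authorization.XACMLAuthorizer"),
    "RoleMapper": ("XACMLRoleMapper",
                   "weblogic.security.providers.xacml.authorization.XACMLRoleMapper"),
}
# Names of the pre-XACML providers that showed up on re-runs (assumed spelling).
LEGACY_PROVIDERS = {"Authorizer": "DefaultAuthorizer", "RoleMapper": "DefaultRoleMapper"}


def plan_realm_providers(existing):
    """existing maps a provider type ('Authorizer', 'RoleMapper') to the list of
    provider names currently under the realm. Returns (to_create, legacy_present):
    missing XACML providers as (type, name, class) tuples and legacy providers that
    are still present as (type, name) tuples. Presence is checked by name, so a
    second run never creates a duplicate."""
    to_create, legacy_present = [], []
    for ptype, (name, cls) in XACML_PROVIDERS.items():
        present = existing.get(ptype, [])
        if name not in present:
            to_create.append((ptype, name, cls))
        if LEGACY_PROVIDERS[ptype] in present:
            legacy_present.append((ptype, LEGACY_PROVIDERS[ptype]))
    return to_create, legacy_present


def ensure_xacml_providers(realm_path="/SecurityConfiguration/base_domain/Realm/myrealm",
                           remove_legacy=False):
    """Run inside WLST offline after readDomain()/readTemplate(). Assumption: cd, ls,
    create and delete are the WLST builtins and ls(type, returnMap='true') lists the
    provider names of that type. Creates the missing XACML providers and, only when
    asked, deletes the legacy ones so that the realm ends up with one of each type."""
    existing = {}
    for ptype in XACML_PROVIDERS:
        cd(realm_path)
        try:
            existing[ptype] = [name for name in ls(ptype, returnMap='true')]
        except Exception:
            existing[ptype] = []      # type folder absent: nothing of that type yet
    to_create, legacy_present = plan_realm_providers(existing)
    for ptype, name, cls in to_create:
        cd(realm_path)
        create(name, cls, ptype)
    if remove_legacy:
        for ptype, name in legacy_present:
            cd(realm_path)
            delete(name, ptype)
    return to_create, legacy_present


if __name__ == "__main__":
    # Constructed listing resembling the poster's second run: the XACML role mapper
    # survived, the authorizer was replaced by the legacy default.
    sample = {"Authorizer": ["DefaultAuthorizer"], "RoleMapper": ["XACMLRoleMapper"]}
    print(plan_realm_providers(sample))
```

Call ensure_xacml_providers() after writeDomain() has run and the written domain has been re-read with readDomain(), then updateDomain(); leaving remove_legacy at False makes the function report a duplicate authorizer rather than delete it, which is the safer default when the domain's security configuration is being reviewed.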
Problem with Security Role mapping and LDAP
Hi,
In Oracle Internet Directory I've created a group called OIDGroup1. OIDGroup1 has 2 users: OIDuser1 and OIDuser2.
OIDGroup1 is mapped to EjbRole1 (a security role defined in ejb-jar.xml; EjbRole1 can do everything in the application). Now if I log in as OIDuser1 or OIDuser2, the application says that the user does not have authorization to execute some method. The mapping in my orion-application.xml is:
<security-role-mapping name="EjbRole1">
<group name="admin/OIDGroup1"/>
</security-role-mapping>
<jazn provider="LDAP" location="ldap://myhost:4032"><jazn-web-app auth-method="SSO"/></jazn>
If I modify orion-application.xml like this:
<security-role-mapping name="EjbRole1">
<group name="admin/OIDGroup1"/>
<user name="admin/OIDuser1"/>
</security-role-mapping>
then log in as OIDuser1, it works. But it does not work with OIDuser2.
That is a problem for me because our customer cannot manage the users/groups easily: each time they have a new user, instead of simply adding this user to OIDGroup1 (with the graphical interface of OIDAS), they have to modify orion-application.xml.
Do you have any idea?
Thanks in advance
Regards
I found the bug: in LDAP I've also got a user called OIDGroup1 (the same as the group's name).
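The root cause found above is a principal-name collision: a user and a group with the same name, so a mapping that only says "admin/OIDGroup1" is ambiguous. The following added example (not code from the thread, and a model of the intended mapping semantics rather than OC4J's implementation) parses the security-role-mapping element, resolves which roles a user receives, and flags names that exist as both a user and a group. The directory snapshot is constructed for the example.

```python
# Added example, not from the original thread: model the orion-application.xml role
# mapping above and detect the user/group name collision the poster found.
import xml.etree.ElementTree as ET

# The poster's second mapping, wrapped in a root element (constructed).
ORION_APPLICATION_XML = """<orion-application>
  <security-role-mapping name="EjbRole1">
    <group name="admin/OIDGroup1"/>
    <user name="admin/OIDuser1"/>
  </security-role-mapping>
</orion-application>"""

# Constructed snapshot of the LDAP realm "admin": user names, and group -> members.
DIRECTORY = {
    "users": {"OIDuser1", "OIDuser2", "OIDGroup1"},      # a user named like the group
    "groups": {"OIDGroup1": {"OIDuser1", "OIDuser2"}},
}


def parse_role_mappings(xml_text):
    """Return {role: {"groups": [...], "users": [...]}} from <security-role-mapping>."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for srm in root.iter("security-role-mapping"):
        mappings[srm.get("name")] = {
            "groups": [g.get("name") for g in srm.findall("group")],
            "users": [u.get("name") for u in srm.findall("user")],
        }
    return mappings


def strip_realm(principal):
    """'admin/OIDGroup1' -> 'OIDGroup1' (drop the realm prefix used in the mapping)."""
    return principal.split("/", 1)[1] if "/" in principal else principal


def roles_for_user(user, mappings, directory):
    """Roles a user gets: directly via <user>, or through membership of a mapped <group>."""
    roles = set()
    for role, mapping in mappings.items():
        if user in {strip_realm(u) for u in mapping["users"]}:
            roles.add(role)
            continue
        for group in mapping["groups"]:
            if user in directory["groups"].get(strip_realm(group), set()):
                roles.add(role)
                break
    return roles


def ambiguous_principals(directory):
    """Names that exist both as a user and as a group. A mapping naming only
    'admin/OIDGroup1' cannot tell which principal was meant, which is the
    situation that made group members lose the role."""
    return sorted(set(directory["users"]) & set(directory["groups"]))
```

Running ambiguous_principals() against a directory export before changing mappings is the cheap check here: it reports ["OIDGroup1"] for the constructed snapshot, which is exactly the collision that took the poster several days to find.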
-
Role creation and authorization objects in sap
Hi
I want to know the full relationship between the creation of roles, authorization objects and authorizations in Web AS ABAP.
Please explain the process in detail, the use of PFCG and all its options, and how to create Z roles.
Although it would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
- Roles are nothing but a container for authorizations. A role represents a specific part of an employee's job.
- The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transaction, field and field value level.
For example, if a user wants to create a PO we can restrict him on:
• Activity: Create/Change/Display
• Org elements like Company Code, Plant, Purchase Organization etc.
• Document type etc.
- Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each object class may have several authorization objects, and within each object we can have several authorizations (max. up to 99).
- Fields: The permissible values for the fields constitute the authorization. For example, ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) and 03 (Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). The value * for field BEGRU signifies all possible values.
- An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist; they only have a meaning inside a profile.
- Authorizations are contained within profiles, and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save, the system will auto-generate a profile name.
- Authorization checks are included in the transaction source code in standard SAP R/3. A user may carry out an action if the authorization check is successful for each field in the object.
Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM -
OAM manage roles and Authorization in WebLogic integration
Hi
Had anyone done weblogic integration where OAM manages roles and Authorization?
I could read in Oracle WebLogic integration document that,
"The Security Provider only supports authentication for portals."
I wanted to figure out if anyone has done this before or Is it possible to delegate role management and Authorization responsibility to OAM?
Thanks
Kiran Thakkar
Thanks for the quick response.
Thanks
Kiran Thakkar -
Authentication and authorization for AD users in UCM11g
Hi all
We are using WebCenter Content Server 11g. I read somewhere that for 11g user authentication is done in the WebLogic Server environment, meaning the content server for 11g is now managed by WebLogic Server only; am I right? We have successfully integrated Active Directory with WebLogic Server and AD users are able to log in to UCM, but they don't have any role like contributor or Admin. How do I do this role mapping for AD users in UCM, i.e. authorization for these users? Please provide any guidance on this issue, any doc or blog; we are new to the WebCenter suite.
Thanks
Somesh
As you already have WebLogic integrated with AD, only role mapping and Single Sign-On integration remain. For authorization, AD must contain groups with exactly the same names as the roles in the Content Server. Those groups should be where the Group Base parameter in the WebLogic ActiveDirectoryAuthenticator points (like OU=Roles,OU=Oracle,DC=example,DC=com). Assigning an AD user to the AD group named contributor will add the contributor role to the logged-in Content Server user.
As for SSO, refer to the:
http://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm
and
http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#autoId21
Procedure steps are:
1. Create a user account for the hostname of the web server machine in Active Directory
2. Create the krb5.ini file and put it in the C:\Windows directory on both machines (Domain Controller and WLS host)
3. Generate the keytab file
4. Create a JAAS login file named krb5Login.conf
5. Put both the keytab and krb5Login.conf files in …/user_domains/domains/my_domain/
6. Configure the Identity Assertion Provider
7. Adjust the WebLogic Server startup arguments for Kerberos authentication
8. Redeploy the CS server (and optionally other servers) with the deployment plan given in the documentation
9. Check the web browser configuration (IE and Firefox only)
10. Take a deep breath and test
11. If successful, have a cake and a cup of coffee, else go to step one
Regards,
Boris -
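Boris's answer gives the mapping rule: a Content Server role is granted when the user is a member of an AD group that sits directly under the configured Group Base and whose name matches the role exactly. The following added example (not code from the thread or from Oracle) applies that rule to a user's memberOf attribute and reports groups under the base whose names do not match any role, which is the usual reason a user logs in but has no roles. The Group Base OU is the one from the answer; the DNs, the Content Server role list and the sample memberOf values are constructed.

```python
# Added example, not from the original thread: derive Content Server roles from AD
# group memberships using the rule in the answer above (group directly under the
# Group Base, name equal to the role name).

GROUP_BASE = "OU=Roles,OU=Oracle,DC=example,DC=com"
# Constructed set of Content Server role names; note the lower-case spelling.
CONTENT_SERVER_ROLES = {"admin", "contributor", "guest", "sysmanager"}


def parse_dn(dn):
    """Split a DN into [(ATTRIBUTE, value), ...], honouring backslash-escaped commas."""
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(current)
            current = ""
        else:
            current += ch
    rdns.append(current)
    parts = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def normalize(parts):
    """AD DNs are case-insensitive, so compare attribute types and values case-folded."""
    return [(attr, value.lower()) for attr, value in parts]


def group_under_base(group_dn, base_dn):
    """Return the group's CN if its parent container is exactly base_dn, else None."""
    parts = parse_dn(group_dn)
    if len(parts) < 2 or parts[0][0] != "CN":
        return None
    return parts[0][1] if normalize(parts[1:]) == normalize(parse_dn(base_dn)) else None


def content_server_roles(member_of, base_dn=GROUP_BASE, roles=CONTENT_SERVER_ROLES):
    """Map memberOf DNs to roles. Returns (granted_roles, unmatched_group_names);
    the second list holds groups under the base whose names differ from every role
    (for instance only by case), since the role match is exact."""
    granted, unmatched = set(), []
    for dn in member_of:
        cn = group_under_base(dn, base_dn)
        if cn is None:
            continue                 # outside the Group Base: not a role group
        if cn in roles:
            granted.add(cn)          # exact name match, as the answer requires
        else:
            unmatched.append(cn)
    return granted, unmatched


# Constructed memberOf values for a test user: one exact match, one case mismatch,
# one group that is not under the Group Base at all.
SAMPLE_MEMBER_OF = [
    "CN=contributor,OU=Roles,OU=Oracle,DC=example,DC=com",
    "CN=Admin,OU=Roles,OU=Oracle,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=example,DC=com",
]
```

For the constructed user this yields the contributor role only, with "Admin" reported as unmatched: the group exists in the right place but its name is not spelled like the Content Server role, so the membership grants nothing.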
Business Explorer Roles and Authorizations
Hi,
I am using Business Explorer Query Designer and Analyzer ( Excel Work book add on) with BI 7.0.
I need to create roles and authorizations for the end users to create queries and view queries in excel by using Business Explorer Query Analyzer.
Kindly suggest me what are the standard transactions, roles and authorizations to be given to the end users.
Thanks and regards
Murugesan
I don't have an idea about BI 7.0.
If it's BW 3.X, I just used RRMX ---> Excel -> Add-ins ---> Queries ---> pop-up window ---> here we need the RFC object S_RFC.
Finally the RRMX tcode and general roles which have the S_RFC authorization object and the query.
Regards,
Naveen -
I've just started as an intern in a Change Management team that is helping to implement SD. My two tasks are to "develop SAP user roles specific to the new business processes" and "manage the role to position mapping for provision of security roles." None of the real employees in my team have ever done this, and my manager is now on three weeks' leave. I'm new to SAP and I don't really know where to start. Can anyone offer any advice, or point me to some references? Thanks.
Intern,
It's a pretty cold manager who will dump a task on an inexperienced subordinate without any guidance or mentoring, and then take three weeks off.
Anyhow, you first need to get some insights as to what the expectations of the client are: What type of users will there be? What tasks will each user be responsible for carrying out?
You also will want to collect a list of names of the actual users. Your Basis people will tell you which bits of data will have to be collected in order to create users on the system.
Next, you need to talk to the SD expert on your team about the solutions that will be implemented. Quotes? Consignment? Scheduling agreements? Pricing? Customer Service? Marketing? Customer Master? Material Master? The SD expert should be able to tell you at a very minimum which transactions should be made available.
There are standard roles available delivered in the system. These are pretty much un-usable as delivered, but they make a good starting point. Review http://help.sap.com/erp2005_ehp_04/helpdata/EN/b4/3f9c41919eae5fe10000000a1550b0/frameset.htm
and
http://help.sap.com/erp2005_ehp_04/helpdata/EN/06/57683801b5c412e10000009b38f842/frameset.htm
Once you have all the info needed from the client and your SD experts, you then design the supporting roles at a high level. I usually use an Excel Spreadsheet with two tabs: One tab listing roles to be developed, with all the transactions and authorization object limitations for each one; and another tab listing Users and the supporting data needed to create a user. If you are a Basis expert, you already know the next steps. If not, then you typically hand your designs to the Basis team for creation of the actual Roles.
Good luck. Remember not to treat your interns the same way you have been treated.
DB49 -
Roles and authorizations in BI content
Hi experts,
I'm trying to define a very simple scheme of roles and authorizations for my queries.
So I'm trying to limit the access by InfoCube and DSO, but I'm missing the authorization objects for Cube and DSO.
I know that the authorization object for queries is S_RS_COMP.
So my roles would be something like:
BI_ROLE_FI
Authorization Object | Authorization Object Value
Access query (S_RS_COMP) | NA
Infoobject (what's the object???) | 0FIGL_C01
DSO (what's the object???) | 0FIGL_O14
BI_ROLE_PUR
Authorization Object | Authorization Object Value
Access query (S_RS_COMP) | NA
Infoobject (what's the object???) | 0PUR_C01
Can you help me find out what the missing information is?
Thanks and regards
Joana
Hi,
I've given authorization to the object you've mentioned, but it's still not working.
Basically what I have is the following:
One role that allows me to execute queries, workbooks, etc.
A second role, dependent on the area of work, that should allow me only to have access to queries from cubes/MP/DSO that are specific to users area.
I will then give each user role 1 + the adequate role 2, depending on their work area.
For role 1 I have got:
S_RFC
Activity: 16
Name of RFC to be protected: *
Name of RFC object to be protected: *
S_TCODE
Transaction code: RRMX
S_GUI
Activity: 16
S_USER_AGR
Activity: 01, 02, 03
Role Name: ANLG_BI_01
S_USER_TCD
Transaction code: RRMX
S_RS_AUTH
BI Analysis Authorization: BI_ALL
S_RS_COMP
Activity: 03, 16
InfoArea:*
InfoCube: *
Name (ID) of a reporting component: *
Type of a reporting component: *
S_RS_COMP1
Activity: 03, 16, 22
Name (ID) of a reporting component: *
Type of a reporting component: *
Owner (Person Responsible) for a reporting Component: *
S_RS_TOOLS
Logical Command Name: THEMES
I've tested this role and it works – they can access queries, create workbooks, and create permanent model workbooks.
For role 2 – Finance I have:
S_USER_AGR
Activity: 01, 02, 03
Role Name: ROLE2
S_RS_ADMWB
Activity: 03,66
Data warehousing workbench Object: INFOAREA
S_RS_ODSO
Activity: 03
Infoarea: 0FIGL_ERP
DataStore Object: 0FIGL_014
SubObject for ODS Object: *
S_RS_ICUBE
Activity: 03, 66
Infocube SubObject: *
Infoarea: 0FIAP
InfoCube: 0FIAP_C02
S_RS_MPRO
Activity: 03
Infoarea: 0FIN_REP_SIMPL_1_ERP
MultiProvider: 0FIAP_M20, 0FIAP_M30
MultiProvider SubObject: *
I then gave my test user these 2 roles, and with that user I can still see every InfoArea and access all reports.
I will have more specific roles – for other areas (SCM, TV, etc.) – but I chose this one as an example.
First question I have: can I manage my requirement in 2 different roles, one for the actions that can be performed (role 1) and another for the areas they can access data from (role 2)?
What objects/restrictions am I missing in role 2?
Many thanks
Joana -
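The concept summary earlier on this page (roles are containers; authorizations are field values for an authorization object; the check succeeds only when every checked field is permitted) and Joana's two-role setup are both illustrated by the added example below. It is not code from either thread: it is a small Python model of SAP authorization-check behaviour. The point it makes is that authorizations are additive across all roles a user holds (there is no "deny"), so a role 1 that grants InfoCube * for S_RS_COMP cannot be narrowed by a role 2 that names only Finance providers. ACTVT, RSINFOAREA and RSINFOCUBE are the standard technical field names; the role contents are the values Joana posted, reduced to those three fields, plus one constructed variant of role 1 limited to a cube-name prefix.

```python
# Added example, not from the thread: a minimal model of SAP authorization checks.
# An authorization = permitted values per field of one object; a user's effective
# authorizations = the union over all assigned roles; AUTHORITY-CHECK succeeds when
# one authorization for the object covers every checked field.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Authorization:
    obj: str                      # authorization object, e.g. S_RS_COMP
    fields: Dict[str, Set[str]]   # field -> permitted values ("*" = all, "X*" = prefix)


@dataclass
class Role:
    name: str
    authorizations: List[Authorization]   # what PFCG generates into the role's profile


def value_permitted(permitted: Set[str], requested: str) -> bool:
    """True if a permitted value covers the request: exact match, full '*', or trailing '*'."""
    for value in permitted:
        if value == "*" or value == requested:
            return True
        if value.endswith("*") and requested.startswith(value[:-1]):
            return True
    return False


def authority_check(roles: List[Role], obj: str, **checked: str) -> bool:
    """Model of AUTHORITY-CHECK OBJECT obj FIELD f VALUE v ...: the authorizations of
    all assigned roles are pooled, and the check passes if any single authorization
    for obj permits the requested value of every checked field."""
    for role in roles:
        for auth in role.authorizations:
            if auth.obj != obj:
                continue
            if all(value_permitted(auth.fields.get(f, set()), v) for f, v in checked.items()):
                return True
    return False


def effective_values(roles: List[Role], obj: str, field: str) -> Set[str]:
    """Union of a field's permitted values across roles: a broad value in one role
    stays in force no matter how narrow another role is."""
    values: Set[str] = set()
    for role in roles:
        for auth in role.authorizations:
            if auth.obj == obj:
                values |= auth.fields.get(field, set())
    return values


# Joana's role 1 (generic reporting) and role 2 (Finance), values as posted above.
ROLE1 = Role("ROLE1", [
    Authorization("S_RS_COMP", {"ACTVT": {"03", "16"}, "RSINFOAREA": {"*"}, "RSINFOCUBE": {"*"}}),
])
ROLE2_FI = Role("ROLE2", [
    Authorization("S_RS_ICUBE", {"ACTVT": {"03", "66"}, "RSINFOAREA": {"0FIAP"}, "RSINFOCUBE": {"0FIAP_C02"}}),
])
# Constructed variant of role 1 whose query access is limited to Finance cubes by prefix.
ROLE1_NARROW = Role("ROLE1_NARROW", [
    Authorization("S_RS_COMP", {"ACTVT": {"03", "16"}, "RSINFOAREA": {"*"}, "RSINFOCUBE": {"0FIAP*"}}),
])


def joana_user_can_run_purchasing_query() -> bool:
    """The situation from the post: role 2 names only 0FIAP_C02, yet a user holding both
    roles can still execute a query on the purchasing cube 0PUR_C01, because role 1
    grants '*' for RSINFOCUBE in S_RS_COMP."""
    return authority_check([ROLE1, ROLE2_FI], "S_RS_COMP", ACTVT="16", RSINFOCUBE="0PUR_C01")
```

Swapping ROLE1 for ROLE1_NARROW in the same check makes it fail for 0PUR_C01 and still pass for 0FIAP_C02, which is the general point: the object that decides query execution is the one that must carry the area restriction, and any role that holds a wildcard on it re-opens access regardless of what the other roles say.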
Defining BI Power User Role and Authorizations
We are looking for information/best practices/guidelines pertaining to defining BI Power Users and the appropriate authorizations to attach to this role. Our Power Users are asking for approval to access several transactions within BI, specifically within RSA1. I am curious to know how you define your power user role(s) and to what extent they have access to BW itself (i.e. BEx, Web Designer, direct access to BW transactions such as listcube, RSA1, RRI, ability to update custom tables, ability to access the data model structure, etc )? Do your power users have access to develop production queries in DEV and test in your QA environment or are they restricted to ad hoc queries in Production? Have you seen any best practices or guidelines from SAP surrounding appropriate authorizations for Power Users? Any information you would be willing to share with us would be most appreciated.
Hatem,
You have the option to use the old method; however, it's recommended to use analysis authorizations going forward.
Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
Cheers,
Ben -
Analysis Authorization (Role, Profile and Direct Assignments)
Analysis Authorization Question:
1) In the BW 3.x environment, customers have used the Role Maintenance process to assign proper object-level security and then assign it to the users.
2) In most places the R/3 security team takes over the support/administration function of BI security, and they continue to use the Role method to assign reporting authorizations as per the process defined in the BW 3.x system.
3) Customers sometimes have 100+ roles to hold 3.x reporting authorizations. This is managed, assigned and approved using the role concept.
Migration Options:
1) The new Analysis Authorization makes the process of Role Maintenance like the "hierarchy authorizations" of BW 3.x. You have to create the value in other transactions and assign it in the role as a pointer or link object. With the Analysis Authorization concept, the actual value of the assigned object (like Company Code 1100) is not visible in the Role Maintenance transaction PFCG. It is only visible in transaction code RSECADMIN.
2) The Analysis Migration Tool RSEC_MIGRATION does not update ROLES. It creates or changes PROFILES.
3) Profiles are assigned to the users, and roles do not reflect any impact of the Analysis Authorization migration.
Questions
a) This means customers need to update all the roles by hand if they want to use roles to manage the assignment of security to users. The migration tool does not update roles, it only updates PROFILES.
b) Does anyone use direct assignment to users? Is it good business practice?
c) Are Profiles the recommended method of authorization maintenance?
d) Can we run the migration tool to create Analysis Authorizations but not assign them to the users as a profile, i.e. stop at creating the Analysis Authorizations? If the customer wants to use the Roles maintenance process, then they do not have to delete the profile assignments from all users before updating the roles with Analysis Authorizations.
Just want to check how other folks have done migration that can be supported going forward.
Pankaj Gupta
Hey Pankaj,
In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce -
Is it possible to modify the tag structure tree and the role map via scripting?
We use unstructured FrameMaker to produce training materials which we distribute as tagged PDF to meet accessibility requirements.
When FrameMaker creates a tagged PDF, it does a fairly good job of populating the structure based on the PDF setup information for the paragraph formats in the FrameMaker documents. However, there are some limitations in the support that FrameMaker provides. For example, almost all paragraphs are assigned to the P role even if they are headings and should be mapped to H1-H6.
We want to be able to easily post-process a PDF that has been generated from FrameMaker to fix some of the tag structure issues (including tag names and the role map) so that the PDF will provide the optimum experience for a user of the JAWS screen reader.
I spent some time reading the SDK documentation but didn't find much information about manipulating a tagged PDF via the API, especially via scripting.
Does anyone have any examples or references which explain how to do it?
AFAIK, it's not possible with a script. You might want to ask in the SDK forum, as it could be possible with a plugin.
-
Roles and Object queries tab not visible in MBO attribute properties
Hi,
We have installed the SUP Personal developer edition 2.0 on a windows 2008 server. I am trying to create a sample application for getting the list of sales orders by using the SAP BAPI. Once I have the MBO in place, I see that I cannot view the 'Roles' and 'Object Queries' tabs in the 'Attributes' section of the MBO properties.
Does anyone know why this happens? Is it due to configuration issues? Do help me out as we're trying to get a demo working.
Thanks & Regards,
Vaishnavi
Hi Vaishnavi,
Check whether you have selected "Advanced" mode. You should be able to see it.
Regards,
Viju -
RFC Sender - Logon User - What Roles and Authorizations?
Hi,
Scenario: RFC Sender --> XI --> JDBC
What necessary Roles and Authorizations has to be given for Logon User (in Sender RFC Communication Channel).
It has to be moved to production soon. My Client wants to give only Roles and Authorization that are necessary for the Logon User.
With Regards,
Manikandan R
Hi,
You need to give ECC authorization:
Application server: ECC server
System no: ECC system number
Logon user: any ECC username
Password: password for the above user
Client: ECC client (from which client you are sending to the RFC adapter)
Regards,
Jayasimha jangam