Standard FICO roles& profiles

Similar Messages

• Best practice for standard security role

  Hi, I'd like to know which is the best practice for standard role use, some people tell me that a standard role should never be used, that a copy must be made and assign the users to the copy, but then, why should SAP bother creating the standard role?

  They are provided as a template for you, and you can copy them into a different namespace and make changes there before generating the profiles and authorizations.
  Why you should use a copy of them is because SAP will also update them sometimes. If transactions change in the standard menues with SP's and upgrades, then you will find them in transaction SU25.
  If you do a search on "standard AND roles" in the SDN then you will also find more detailed infos and opinions on the use of them.
  Cheers,
  Julius

• Standard authorization role for CRM implementation team member

  Hello,
  We are starting SAP CRM implementation project (7.0) and I would like to avoid giving sap_all authorizations to functional consultants in development environment. Unfortunetly I can't find standard customizer profiles like the ones in ERP system exists.
  So the objective is to have quite broad role or profile with no restrictions in customization and functional area. However it's important not to have Basis authorizations in this role/profile. Hope that someone can give me a hint in this direction.
  Thnak you,
  Jahoo

  Hi,
  as soon as the implementation team member should also do developments my experience is that without SAP_ALL you will have much trouble. Therefore in our dev-system each consultant will have SAP_ALL authorization. Of course only in the DEV-System.
  Kind regards
  Manfred

• Deleting FICO Roles and Authorizations

  Hi Guys,
  i want to Delete some roles and authorizations from a user profile.I have the user id and I want to know what roles are assigned to the user.
  Which tcode can be used for the same and how to delete the fico roles assigned to that sap user id.
  thanks,
  Srikanth.

  Hi,
  I got the solution. It is SUIM.
  Anyways thanks for the help
  srikanth

• Integration of multiple business role profiles in a single Z role profile

  Hi experts,
  I want to see all the work center available in service pro role and interaction center role profiles in a single Z business role prfole on the WEB UI.
  Please advise me the possibilities of the integration of multiple business role profiles in a single Z role profile(Example like Administratoru2019s profile).
  If it is possible what would be the approach please suggest me.
  Thanks in advance
  sameera

  Copy one of this 2 roles which you want to use in Z role and then manualy assign additional workcenters and links to this Z role which you are still missing.
  There is no standard predelivered admin role which would have all workcenters.

• User, Role, Profile Synchronization Job Fails

  Hi Gurus,
  When I am scheduling a job the User, Role, and Profile Sync. job fails giving an error
  "Cannot assign a java.lang.String object of length 53 to host variable 5 which has JDBC type VARCHAR(40)."
  This happens when the synchronization happens with a portal system. We dont have a ruleset for the portal system, So if I put in a "*", it includes this system and results in the error, If I manually select all other system, it works fine. Is there any way to remove this error so that I can schedule the jobs without having to select every system manually.
  Regards,
  Chinmaya

  Hi,
  As per my knowledge, in the Portal system, you should perform only user sync. Roles/profile sync will not work since portal will have workset roles.
  Please refer SAP Note 1168120, which may help you to understand the limitations
  Hope this helps!!
  Rgds,
  Raghu
  Edited by: Raghu Boddu on Nov 4, 2010 7:39 PM

• Solution Manager 4.0 Solution Monitoring User -Roles-Profiles for Satellite

  Hi All,
  I have installed Solution Manager 4.0 (OS -Linux ,Database - DB2) .
  Now i need to connect solution manager to the R/3 4.6C
  Satellite Systems (DEV, QAS ,PRD) for Solution Monitoring
  and Service level Reporting .
  I have read the configuration guide , but unable to get clear idea .
  1) what users (alos type of user -Dialog , Service, Communication etc) do i need create in DEV , and Test in QAS  for solution Monitoring  .
  2) what exact roles /profiles need to be assigned to these users in satellite systems .
  3) what users/roles /profiles needs to be done in SOLMAN system
  i have applied all the required plug ins and support packs
  in satellite systems and solman 40 ..
  Please advice  . Your response will be a great help for me .
  Satish

  Hello Satish,
  Just clarify, if u have meant connecting the satellite systems for EWA reports to be precise. Early watch Reports. If its is the case, then repond so that i can putin my inputs which may be helpful for you in this config.
  Rgds,
  Sri

• What are the roles/profiles required in solman and satilite system.....

  Hi All,
  What are the list of roles/profiles (for SOLMAN and Satellite system) required to create logical instance etc... for monitoring and tasks.
  Regards.
  kumar

  Hello Kumar,
  please have a look at the Configuration Guide for SolMan on the SAP Marketplace. ALso for information on required documentation, see SAP Note 1088980.
  Best regards,
  Annett

• Trying to understand "User/Role/Profile Synchronization" and Batch Analysis

  Hello,
  Im trying to understand what exactly and from which tables these jobs are copying to which tables in CC. I have a understanding that these jobs are moving also deleted roles from backend. This is causing unnecessary delay to long lasting job. 
  I would appreasite if some one could explain the logic behind these jobs. What the fullsync and incremental is reading ? What kind of changes are causing a role/user/profile  to be included to the full and incremental jobs?
  How the incremental analysis logic is built ?
  br Janne

  Janne,
  In my current implementation we are going for an offline risk analysis due to the heteregoneus system landscape of our client (several SAP and non SAP systems and several SAP systems under 4.6C). Eventhough within our approach we don't perfrom the backend synchronization (we use CC data extractor to pull data from backend into CC) hope the following info could hel you:
  The tables such jobs you mention access to, are all the SAP backend system tables related with users, roles, profiles, action and permissions. If you check the data mapping appendix of the "user and configuration guide for 5.2" you will see all the data that CC retrieves. For instance, in order to extract user info (UserID, FName, LName, Email, Phone, Email, Department) tables USR21, USR02, ADRP, ADR6 and ADCP must be accessed.
  In terms of CC tables:
  VIRSA_CC_SYSUSR >> UserIDs and Systems ID relationship
  VIRSA_CC_GENOBJ >> User, Role and Profile master data
  VIRSA_CC_GENACT >> User-action, role-action and profile-action data
  VIRSA_CC_GENPRM >> User-permission, role-permission and profile-permission
  VIRSA_CC_SAPOBJ >> Action-permission
  VIRSA_CC_OBJTEXT >> Objects descripcions (ACT, PRM, FLD, VAL, ORG)
  Hope this helps.
  Regards,
     Imanol

• Table used for storing roles/profiles assignment in CUA lansscape

  Hi,
  following is my cua setup
  master client - 999 of SRM 4.0
  child client - 101 of ECC 5.0
  child client - 202 of SCM 4.1
  in cua all distribution works on its logical name assign to respective client.
  here is my question
  lets say user 'XYZ' in master client assign single as well as composite role and composite profiles assigned in the master as well as child system.
  please tell me in which table this relationship is maintain in sap that Composite roles/profile is from which cua client.
  from my finding the tables which store the role and profiles from master and child system are i.e. USRSYSACT & USRSYSPRF.
  but i am not able to find table which store the roles to user and user to profiles assigment in CUA setup,can someone please help me.
  Thanks,
  John.

  Hi Check the tables
  <b>USR10  -role definition
  AGR_PROF   -Profile for Roles
  AGR_TEXTS  - Role descriptions
  AGR_USERS  - Assignment of roles to users
  AGR_DEFINE - Auth profiles</b>
  if needed see other tables with USR* and AGR_*
  Reward points if useful
  Regards
  Anji

• Critical Action and Role/Profile Analysis

  Hi,
  I want to know the purpose of the Batch Risk Analysis back ground job "Critical Action and Role/Profile Analysis" in RAR 5.3.
  I'm assuming that I need not run this job if I do not want the critical roles/profiles like SAP_ALL to be analysed which were defined to be critical in rule architect.
  Please let me know if there is any other purpose to run the BG job "Critical Action and Role/Profile Analysis".
  Thank you,
  Partha

  Hello Partha,
    You got this right. It will analyze the defined critical actions/roles/profiles.
  Regards, Varun

• Best practices / preferred usage of SAP standard (delivered) roles

  Dear Experts,
  When going about designing roles for a new system, what is the preferred usage on SAP standard/delivered roles?  I was thinking of using them as a "base", then tweaking auth objects here and there to make the roles work but the more I work with them, I find it may be better to create roles entirely from scratch.  A lot of the time, I find a lot of inactivated auth objects or objects that seem to not really be needed when looking at the t-codes offered in the menu (S_TCODE).
  In that case, I figured it might be cleaner if I started creating roles and adding t-codes via the Menu and maintaining only the auth objects that are proposed in PFCG (and adding a few if necessary).
  Do people typically build their roles around these the standard SAP role set or is it preferred to create your own and only use the SAP standard roles as reference (i.e. the t-codes offered in the menu, etc.)?
  Thanks for any insights!

  > When going about designing roles for a new system, what is the preferred usage on SAP standard/delivered roles?
  Those are provided by SAP as a reference so that you can consult with the Authorization Structure of a Standard Position / Task for which you are going to create your own role. For e.g. what are the TCodes, values of Objects should be given to users for their tasks.
  I was thinking of using them as a "base", then tweaking auth objects here and there to make the roles work but the more I work with them, I find it may be better to create roles entirely from scratch.
  Absolutely! Please do not use SAP delivered roles for you use and also don't try to alter any values.
  A lot of the time, I find a lot of inactivated auth objects or objects that seem to not really be needed when looking at the t-codes offered in the menu (S_TCODE).
  >
  > In that case, I figured it might be cleaner if I started creating roles and adding t-codes via the Menu and maintaining only the auth objects that are proposed in PFCG (and adding a few if necessary).
  >
  > Do people typically build their roles around these the standard SAP role set or is it preferred to create your own and only use the SAP standard roles as reference (i.e. the t-codes offered in the menu, etc.)?
  >
  Yes.. as reference.. as you say..
  Regards,
  Dipanjan

• Standard AC Roles in SAP GRC AC 5.3

  Hello,
  Can anyone list the STANDARD AC ROLES in SAP GRC AC 5.3 Suite for
  1- RAR,
  2- SPM,
  3- CUP,
  4- RT,
  5- ERM,
  6- GRC PC 2.5
  7- GTS,
  8- GRC Repository.
  I know that the Standard AC Roles that are delivered for CUP are
  1- AEADMIN,
  2- AESecurity &
  3-AEApprover.
  Each role comes with different actions in them.
  I need similar type of standard AC roles for the above listed modules.
  Thanks!!!

  Hello Varun,
  Below are answers to your statements.
  1- There are no portal roles for AC5.3 as such. There is portal role for RM which you have already found.
  **ANSWER 1: *There are portal roles for AC 5.3. Kindly see the link http://help.sap.com/saphelp_grcpc30/helpdata/en/27/c67fe32e684e4c85125645dc5918ee/frameset.htm.***
  *The role I found in from the above link.*
  2- To access AC5.3 applications from portal you would have to create IViews etc.
  ANSWER 2 Since SAP provides the predelivered roles, as seen in HELP.SAP.COM in above link, we need not create iViews. The custom IViews are required for custom roles, not the standard roles**
  Thanks!!!
  Edited by: abdul haleem on Jul 21, 2009 9:44 AM

• GRC AC10 RAR :"Ignore Critical Roles/Profile" option not available in

  Hello Gurus,
  I have configured RAR and the reports are working as usual , but i observed that i could not see two things
  1) Option to select "IGNORE CRITICAL ROLES/PROFILE" during Role/User ANALYSIS under "Reports & Analytic" tab.
  I checked in SPRO>GRC>AC-->Maintain Config Settings
  There is a parameter "Ignore Critical  Roles/ Profiles" which i first set to "Yes" and then checked in NWBC , i was unable to see the option under "Additional Option".
  Later i changed SPRO setting to "NO" , then again it did not show me .
  Where can i find this option , so that if i upload say 10 roles which are assigned to firefighter ID they should not be analyzed for RAR ??
  2) I also could not find any option to upload "DEFAULT roles" which need to be assigned to any "NEW USER" request coming through CUP ??
  Where can we make this setting, so that the basic roles can get assigned to the user when any new user request comes in.
  Will you please put some light on this area ?
  Thanks in advance.
  Regards,
  Victor

  Hi Johanna
  Have you run the synchronization job subsequent to the configuration of critical roles / profiles ? If not so try running the Synchronization job and then try risk analysis.
  Regards
  Swarna

• Roles/Profiles for ALEREMOTE

  hi all,
  can anyone let me know all the Roles/Profiles required for the User ALEREMOTE in a production system.
  I understad that the roles sap_all, sap_new , s_bi-wx_rfc and s_bi-whm_rfc can be used in the development and the Quality systems but am told that the roles SAP_ALL & SAP_NEW are not supposed to be used for ALEREMOTE in the Production systems as it would give all authorizations to all the users.
  so, could anyone kindly let me know the various roles/profiles that need to be assigned to the user ALEREMOTE keeping in mind that SAP_ALL & SAP_NEW are not allowed and at the same time all the transactions w.r.t BW3.5 should go through successfully.
  kindly revert back at the earliest as we are in the process of going to the BW Production.
  Thanks & Regards
  Manicks

  hi Manicks,
  check oss note 150315-BW-Authorizations for Remote-User in BW and OLTP. hope this helps.
  Symptom
  1) The ALE user fails security in the BW side
  2) Missing authorizations when executing Customizing of extractors
  3) No IDocs could be sent to the SAP-BW using RFC.
  4) Automatic source system connection failes with error R3220: No RFC-Parameters in source system defined
  5) When collecting content in BW, warning message RSAOLTP035 comes up
  Other terms
  Authorizations, SAP_ALL, S_BI-WX_RFC, S_BI-WHM_RFC, S_RS_ALL, ALEREMOTE, BWREMOTE, RSAOLTP 553, RSAOLTP553
  Reason and Prerequisites
  a) In the BW there exist two user:
     i)  a human administrator, using S_RS_ALL
     ii) a user called BWREMOTE (or similar), used to receive the data from the OLTP, using S_BI-WHM_RFC
  b) In the OLTP there exist also two user:
     i)  a human administrator, needing authorizations to create users and RFC-destinations.
     ii) a user called ALEREMOTE (or similar), used to ...
         1) ... connect the OLTP to the BW
         2) ... extract the data
         3) ... send the data to the BW
         4) ... show monitoring dialogs for tasks 1 to 4, the profile S_BI-WX_RFC is used (<i>however does
  not suffice on some points since some authorizations are
  missing in the delivered profile</i>)
         5) ... make customizing of OLTP extractors
         for this, additionally the authorizations to execute IMG-functionality, to execute Transaction SBIW and to maintain the applications, which shall be customized, must be given during the customizing functionality is used.
  Solution
  1) The profile S_RS_ALL resp. S_BI-WHM_RFC must contain (at least) the following authorizations:
  Profile
  2) The referred functionality is b) i) 5), thus
     the authorizations to execute IMG-functionality,
     to execute Transaction SBIW and to
     maintain the applications, which shall be customized,
     must be temporarily given to ALEREMOTE, if you want to execute the
     functionality from BW-side. The permissions for executing the
     customizing is not included in the profile S_BI-WX_RFC, since
     this is a critcal functionality.
     However there is the possibility to execute the customizing
     in the OLTP by a human administrator by hand, using Transaction
     SBIW.
  3), 4) For sending the Idocs and reading RFC-destinations
     the profile S_BI-WX_RFC is incomplete.
     Please check, if the following authorizations are included:
  Profile
    ---   S_BI-WX_RFC  <PRO> Business Information Warehouse, RFC User
  --   B_ALE_ALL    <PRO> All authorizations for ALE/EDI
  --   S_APPL_LOG_A <PRO> Application log: All
  --   S_BTCH_ADM   <PRO> BC: Batch - Processing authorization
  --   S_BW_RFC     <PRO> BW: Authorization Profile: Other
  --   See above, same sub-profile as in S_BI-WHM_RFC
        ---   S_IDOC_ALL   <PRO> All authorizations for IDoc functions
  - BW AddOn BW-BCT 1.2B:
  These authorizations have been delivered with BW AddOn Patch 2 (see 158489 for the AddOn Patch information), except release 45B. For 45B, the authorizations are delivered with BW AddOn Patch 1.
  - PI2000.1:
  For 4.6B and 4.6C due to delivery errors, this profile also is incorrect. Please transport it from the BW into the Oltp (it is the same in any system and release).
  - PI2000.2:
  For 4.6C due to delivery errors, this profile also is incorrect.
  Please transport it from the BW into the OLTP (it is the same
  in any system and release).
  - PI2001.2:
  For 4.6C due to delivery errors, this profile also is incorrect.
  Please transport it from the BW into the OLTP (it is the same in any system and release).
  Alternatively, import the sapserv* transport BRSK002208 under the directory
  general\R3server\abap\note.0150315 into your OLTP-System.
  For help on the sapserv* transport refer to Note 13719.
  5) If you have PI-Basis 2005.1 in your source system, you need to attach role SAP_RO_BCTRA to your user in the source system. Otherwise, the functionality mentioned in the message is not available. The system continues to function as before, you may ignore the warning.