Standard roles, groups, profiles of a rfc-user

Similar Messages

• Standred Roles and profiles for OSS Connection User

  Dears,
  We open OSS connections several times for SAP support in which we also provide login credentials to SAP to login in our system.
  Is there any standred roles or profile for this user in QAS and PRD that we can give to maintain our servers confidentiality.
  Please suggest.
  Shivam

  Not really. A note related to your question popped up in a previous discussion:Re: Exclude T-code from SAP all
  > If you take a look at [SAP Note 1118396 - Roles for support activities|https://service.sap.com/sap/support/notes/1118396] you will see this explained nicely...

• Standard roles & profiles

  Hi All,
  FICO , SD and MM standard roles and profiles avaliable
  please help me
  Regards
  siva

  If you go to transactiun SUIM and look for the reports about roles you'll find one which shows roles by role name.
  All standard roles begin with the letters SAP.
  Here you may find the ones you need, copy them to your own namespace and use the copies.
  Do expect some extra effort on your behalf as the standard roles will not copletely fit your needs. You will need to adjust them.
  Jurjen

• Role or Profile with Full Authorization in DISPLAY MODE

  Hi all,
  Can anyone help me or tell me if there is any standard role or profile which has full authorization in display mode.
  I wanted to assign this to all our support team for the PRD server who shud only have the display auths so that the pre-production client can be safe.
  I have checked many places for this kind of activity, but found no threads on the same and also realted links.
  Can anyone tell me how to get this task done....
  I have also tried few possible ways which never helped me and all my efforts failed.
  Waiting to hear from SDNs, for which i can assure REWARD POINTS.
  Thanks to all in advance
  Regards
  Hari Haran

  Hi,
  By enabling the permission level as 'read', the authorized user/group/role can:
  1. View the object in the Portal Catalog using the browse and search capabilities.
  2. Open the object in its respective primary and secondary editors in read-only mode; the object cannot be modified.
  3. Create instances (delta links and copies) from the object.
  4. Gain access to and choose templates in the object creation wizards.
  This permission level can be used to prevent portal administrators from editing a particular object, while still allowing them create an instance of the source and use the new instance in any way
  Regards
  Srinivasan T

• Assign role, group to Human Task when initiated

  Hi all,
  Currently, when user login to BPM and create new task instance, i can get roles and groups of that user by programming. I want to assign roles of user to that task instance dynamically when user click SUBMIT button (Because i want to restrict users belong role are able to do this task, each user belong to a role and group can do it).
  Somebody help?
  Thanks.

  Hi Ming
  1. If you want to intercept any Actions from a Task like Save, Submit, Approve, Reject etc, you can create your own class like MyAppTaskValidationCallback that implements oracle.bpel.services.workflow.task.ITaskValidationCallback and in this overwrite one method named validateTaskOperation(bunch of parameters). See APIs for this.
  In this method, you can get the action performed on the task. Also you can get the complete Payload of the Task including your custom payload and the standard Task Payload stuff like History, Attachments, Comments etc. You can write some simple XML Parser utility methods to get and set attributes in the Payload xsd schema. So in your case, in this method, get Roles, Groups of the logged in user. Check the action performed. If he is not allowed to do that operation, throw the error from this method. Else continue with your logic. To begin with create java class like above, add this code snippet and just explore the data.
  Now, just curious. If your requirement is really to control the actions based on User Role/Groups, did you try to use the out of box functionality and avoid this custom logic. Say for BPM Applications, we have Swimlanes / Roles. Only users belonging to that Role, can work on that Tasks. Try to use out of box stuff as much as possible, unless you really need custom assignment logic.
  Thanks
  Ravi Jegga
  Just giving the code snippet to get an idea. But do refer the online APIs for more information.
  public void validateTaskOperation(ITaskValidationCallback.TaskAction taskAction, IWorkflowContext iWorkflowContext, Task task, Map<String, Object> parameters, Locale locale, List<String> errors) {
  try {
    Element taskPayload = task.getPayloadAsElement();
    String taskTitle;
    String taskOutcome;
    SystemAttributesType taskSystemAttributes = task.getSystemAttributes();         
    taskTitle = task.getTitle();
    System.out.println("MyAppTaskValidationCallback::validateTaskOperation() Begin For TaskTitle: " + taskTitle + " -> TaskAction: " + taskAction + " -> Parameters:\n" + parameters);
    if(taskAction == TaskAction.ACQUIRE) {
        System.out.println("Inside ACQUIRE");
        //parameters.put("AcquiredBy", iWorkflowContext.getUser());
    } else if(taskAction == TaskAction.OUTCOME_UPDATE) {
      System.out.println("Inside OUTCOME_UPDATE");
  } catch (Exception anException) {
    anException.printStackTrace();
  }

• Issue on copying standard role

  Dear Guru's,
  We're implementing E-rec system and we have two users name as user1 & user2, standard role was assigned to both the users
  User1 - SAP_RCF_EXTERNAL_CANDIDATE
  User2 - SAP_RCT_UNREGISTERED_CANDIDATE
  webdynpro application was working fine with the above roles.
  Once we made a copy of the standard role z-role, we assigned the z-role to those users and removed the standard role. After assigning the z-roles for the above user, the webdynpro application was not funtioning properly. Only I can see the initial screen, the next screen is not responding.
  Could anyone suggestion me on this.
  regards,
  Guna

  Hi,
  the most common reason for this error is a missing change in the customer version of role SAP_RCF_UNREGISTERED_CANDIDATE. The sap standard role contains the name of role SAP_RCF_EXTERNAL_CANDIDATE in the authorization object S_USER_AGR field ACT_GROUP. People often forget to change this to the name of the client role.
  In spite of the e-rec mechanism that the service user assigns the authorization to the external candidates user by assigning a reference user, it still needs the authorization to assign the roles and profiles the reference user has as if it would assign the them directly. If you do not put the name of the customer copy of role SAP_RCF_EXTERNAL_CANDIDATE  into your copy of SAP_RCF_UNREGISTERED_CANDIDATE the user creation can't be done properly and the appiication runs into an error when it tries to switch the session to the user.
  Kind Regards
  Roman

• RFC Users  & Authorisations

  In the profiles of the  RFC users it was noticed  that SAP_ALL was present. In order  to remove this, :
  1.its needed to know what other authorisations need to be assigned.
  2. This is the bottle neck. How does one understand which are the activites  that are being performed.
  Thanks

  george G wrote:george G wrote:george G wrote:george G wrote:>
  > Now here we trip  on a very important question point...How does the Unkown body of users get acess to the RFC id /pwd ?
  Chances are good that they do not need the id / pwd. They only need the name of the RFC destination (for which the id / pwd is saved in SM59, already) and the ability to run "the" or "an" interface (or generate a dialog session).
  Another option is not to save the logon data in the destination, and request that the current user running the interface in the source enter their own (valid) id / pwd for the target.
  >
  > Unless its compromised personally ?
  Not necessarily necessary, but that does often add a new dimension to the risk, as the folks have a wider choice of sources from which they can "run an interface" using the id, and a wider group of folks (who talk to each other...).
  >
  > What specifics are the potential impacts the compromised id do ?
  You mentioned before that it has SAP_ALL?? Go figure what that means...
  >
  > On the sidetrack , the auditors are moved  with RFC users !!  Why would that be , to my auditor I put forth the question the answer was " they are not Dialogue users !"
  See above (SAP_ALL). The user could change itself to a dialog user... I can think of approximatly 300 thousand reasons (just off the top of my head) why your auditors are <removed_by_moderator>
  Most likely they have, much like the interface user owner you described before, been told this and have not questioned it. Or the thought never crossed their minds that the id would not be required at all if it cannot "logon"...

• Authorization : roles and profiles

  Hi,
  I have two questions that I need answers
  - How do I check roles that are assigned to reports and
  - roles and profiles needed to execute reports
  thanks in advance

  Hi,
  Roles or profiles are assigned to user not specific reports or queries, if u need u can check what roles are assigned to u in SU01, provide the user name and go to display mode there u will find profiles tab, u can check .
  Hope this helps u a lot.........
  Assigning points is the way of saying Thanks in SDN
  Regards
  Ramakrishna Kamurthy

• SAP Standard Roles

  Hello everyone.
  What is SAP's best practice for using (customizing) the SAP standard roles? I have always used the standard roles as templates to customize for my customers. Is there a stated SAP best practice for this?
  If I use a standard role, customize it and copy it to the company namespace and the standard role it is customized off of changes, does my customized role change?
  How do release upgrades affect the standard SAP roles?
  Thanks!
  Todd

  Hi Todd,
  If you copy the roles to a your own namespace then they won't be touched during upgrade.
  I can't comment on what happens to standard roles during upgrade as I tend to avoid them.
  There is no accepted best practice around using standard roles, though there is reasonably wide belief that developing your own from the ground up is a better way to develop roles to meet your customers business processes. 
  I find that where standard roles have been used, the end user roles have generally a lot of unused transactions.  Functional & business people see a large list & choose most of them rather than building up from a subset of inscope transactions which are also used for training, BPP's etc.
  There is also the consideration that using standard roles guides you to building in the same way.  That's not to say it is a bad way, just can limit flexibility if you build down to a task level (nasty, nasty, nasty) or higher at a job or function level.
  Cheers
  Alex

• Download all roles Individually and list all the SAP standard roles

  Hi ,
  I have two questions .
  1. I want o download all the roles individually in SAP.
  2. I want to list all the SAP standard roles whose profile is generated.
  Can anyone help me . to achieve this

  Dear,
  I am no sure what kind of problem you have faced that requires revert back. Which took 2 days. If it's for mass role revert back then mass role download should work. If it few selective role then change history should help you out.
  Anyway I might pull this out of the topic.
  Even you download mass role in a single file then also if you want then can upload a single role only with 2-3 mins spending on replace function in notepad!!
  Let say you have taken 1000 role in a single file and want to upload a specific role only. Open the file (copy of the file) in a notepad. Now replace(Ctrlh) LOADED_AGRS with nothing. Find(Ctrlf) the role you want to upload. In begining of that line paste LOADED_AGRS
  Above file will upload the specific role only.
  Regards,
  Arpan Paik

• SRM RFC users for ERP , what are the profile/roles should be used?

  Hi All,
  I have integrated SRM and ERP systems using config wizard. Multiple rfc accounts were created automatically by the wizard but what i did was i skipped on the profile and role field because i don't know what to put. Now, I am battling on what profiles and roles should i put there since the wizard didn't do the automatic placing of authorizations and roles for me.
  here are the users that have been created automatically by the config wizard.
  ERP System:
  SRM2ERP
  SRM2ERPD
  ERPLOCAL
  SRM System:
  ERP2SRM
  ERP2SRMD
  SRMLOCAL
  Please help on what ABAP Roles and Profiles should i place to it.
  Regards,
  Tony
  Edited by: Tony on Jun 9, 2011 12:34 PM

  Hi ,
  The user should have profile SAP_ALL assigned automatically when you run the CTC script.
  Else please assign manually.
  Regards
  Sam

• RFC user profile

  Hello,
  We are on SRM 5 and our RFC user to our backend is SAP_ALL.
  But for Sarbane Oaxley Controle we can't keep this SAP_ALL for this user.
  Does Someone knows wich profile or authorization we have to give to the RFC user?
  Thanks

  Hi,
  I am Putting the same information as per the note as per the note mentioned by Yaan(For those who dont have access for that note)
  <b>Solution</b>
  1. The RFC user should be created as a background user in the back-end system.
  2. If you do not want to use profile SAP_ALL for safety reasons, you can create your own profile with restricted basis authorizations:
  Call Transaction PFCG for the role maintenance and create your own role.
  In the role, go to the 'Authorizations' tab and choose 'Change Authorization Data'.
  Do not select ANY template on the dialog box.
  Choose menu option 'Edit -> Insert authorization(s) -> Full authorization' and confirm the dialog box 'Insert all authorizations' with 'Yes'.
  Choose menu option 'Utilities -> Technical names on'.
  For object class 'Basis  Administration' (BC_A), set the following authorization objects to inactive:
  System authorizations (S_ADMI_FCD)
  Authorizations: Check for roles (S_USER_AGR)
  User master maintenance: Authorizations (S_USER_AUT)
  User master maintenance: User groups (S_USER_GRP)
  Authorizations: Deactivate authorization objects globally (S_USER_OBJ)
  User master maintenance: Authorization profile (S_USER_PRO)
  Users: System specific assignment authorization checks (S_USER_SAS )
  User master maintenance: System for central user maintenance (S_USER_SYS )
  Authorizations: Transactions in roles (S_USER_TCD)
  Authorizations: Field values in roles (S_USER_VAL)
  For object class 'Basis  Development Environment' (BC_C), set the following authorization objects to inactive:
  ABAP Workbench (S_DEVELOP)
  Authorization for documentation maintenance via SE61 (S_DOKU_AUT)
  Maintenance of glossary and terminology objects (S_TERM_AUT)
  Authorization object for translation environment (S_TRANSLAT)
  Transport Organizer (S_TRANSPRT)
  Generate and save the authorizations, profiles and role.
  3. Assign the new role to your RFC user by using Transaction SU01.
  Cheers...
  Santosh

• Need role/profile for ALE system user

  I have created a system user and assigned it to the necessary RFCs in our DEV system.  The RFCs are used to ALE data between our DEV, QAS, and PRD systems.  If I assign profile B_ALE_ALL to the user in the receiving system I do not get IDOCS created in our QAS system.  If I assign SAP_ALL to the user I do get IDOC's created in QAS.  Can anybody recommend another role to assign.  Or a method to troubleshoot this authorization error.  I want to limit this system user in the receiving system to creation of IDOCs only. 
  Thanks in Advance, Jay

  Hi,
  Then I recommend to give sap_all and trace the user in QAS system. Once the data transfers are complete, please anaylyze the trace and see what authorizations it requires. Now build a role with this authorizaiton and remove sap_all.
  Since you are transferring applicaiton data, the programs might also check that access as well.
  Regards,
  Gowrinadh

• 'Standard Role' 'User' 'Business Partner' and 'Internet User'

  hii
  Currently I m working on E-Recruitment 6.0 BSP's..
  Can somebody explain me....
  1)
  'Role' 'User' 'Business Partner' and 'Internet User'
  Kindly help me undertand the relation between the above mentioned IDs and there creation
  2)
  I have created Business Partner(External Person) ID using BP(txn)...Kindly let me know how to create the 'Internet ID' and 'PW'
  So that I can use it for HRRCF_StART_EXT (BSP)
  kindly explian...or mail me any documention related to
  E-recruitment to my id [email protected]
  Looking for a immediate reply
  Regards,
  Raghav

  Role - is the same as the concept of role in R3. SAP Delivers some pre confogured authorisation profiles for some standard roles.
  Roles are assigned to user depending on the client's requirement.
  Business Partner is the same as BP in CRM. basically, the following will be BPs in ur system:
  Each independent user of the recruitment process - as BP Branch.
  All third party recruitment vendors as BP Type Agency.
  All employees will also be BP in the system.
  All external applicants.
  You can create internet user using the t code SU05. You can also use the R3 sytem user credentials to log on to the url application by configuring the system to use the SAP login. (this is done thru t code SICF)
  Hope this helps.

• VIRSA tables for users, roles and profiles sync?

  Hello,
  I am in a customer, implementing CC 5.2. At the first time, we tried CC 5.2 in DEV environment, and when everything was OK, we redirect RFC connectors to QA environment.
  After doing user, roles and profiles sync in DEV and in QA environment too, I have 4.500 user (1.100 from DEV + 3.400 from QA) when I recover all users "*" with "user level - risk analysis" from the "Informer" tab.
  It seems that "users, roles, profiles, sync" works like and "APPEND", but I did a COMPLETE syncronization not an INCREMENTAL.
  If I start an analysis for QA environment, CC works properly and only analyse QA users (3.400). But I would like to clean CC tables (users, roles and profiles) in order to have a clean copy of QA in CC.
  Which VIRSA tables (users, roles and profiles) I need to clean?
  It is necessary to do the same with authorization and text objects? Which would be these tables?
  Thanks in advance,
  Victor

  Hi all,
  SAP GRC Support provides a script which allows you to remove a connector since it does delete all data link to it. Anyway, I would recommend a deep analysis of it and find out if it does what you really want to do.
  Víctor, if what you want to do it is just to remove all user, role and profile master data (stored in tables VIRSA_CC_SYSUSR and VIRSA_CC_GENOBJ) you could upload a text file using data extractor functionality with the delete field set to X. Doing so user, role and profile master data will be removed from CC database.
  In order to use data extraction functionlaity you connector must be of type "File Local".
  Be careful about removing data directly from DB since, as Prem states, you might loose the DB consistency.
  Hope it helps. Best regards,
     Imanol