Structural authorization : role, profile, user group

Dear All,
I am working in OM in Structural authorization, can anyone tell me difference among Roles, profile, user group.
I am mainly concerned with roles and profiles, What exactly is role and what is profile.
Pl give me practical example....
Regards,
Kumar

Hi kumar,
Roles: It is divided in to single role and Composite Role. It is used to maintain your list of allowed transactions and reports as a menu. Once you assigned this role to the user, he / she can access only those transactions, what you maintained in the menu.
Profile: It is based on the authorization object. Unless untill, you generate the profile, the system will not consider the authorization for the assigned menu. You can provide the authorization based on various objects like infotype, transaction code, master record, org key,..
User Group: Used to set the unique set of rules for the specific user. How system should react in case of specific user group.
Good Luck
Om
Reward it, if u feel helpful.

Similar Messages

  • Authorization,roles,profiles

    i want to know how authorization and roles and profiles will be created...
    and the hirearchy of above 3 (authorization,roles,profiles)
    can anyone help me in getting the documens

    Hi,
    The common used t-code for the above is
    PFCG to create the Role.Here we can assign the role to user also.
    You can see the same in SU01 t-code.
    IN PFCG we create the role and it will ask for profile name.
    Basically it contain the  authorization object.
    In BW we hade rssm t-code,now we have RSECADMIN in BI.
    RSECADMIN is basically used to create the auth object.
    For Example: If you want to restrict the user to see their
    company code data then you need to crete auth object for company code
    and give access to user according to therir requirement ie
    you need to add this auth object to their respetive role.
    Thanks,
    Saveen Kumar
    Edited by: saveen kumar on Jan 10, 2011 7:47 AM

  • How to upload authorization role & profile to PFCG

    I have downlaod the authorization role & profile from PFCG at client 100.
    How to upload the authorization role & profile to SAP client 200?

    check with ur basis guys once
    generally it will be dont by them check with them once

  • Assigned Role in user Group

    Dear All
      Please help me assigned Role in user Group  . I create user Group  (  SURG ) . But i can't assigned Role ?
    Regards , Thanks
      Lannguyen

    Hello,
    You cannot assign user groups directly to Roles, however you can do the following.
    Use PFCG transaction
    1. Select the role and switch to change mode.
    2. Switch to user tab.
    3. Put the cursor in the blank line and hit F4
    4. You should get a popup window which asks you to provide search criteria for the user.
    5. Switch to 2nd tab Users by Logon criteria, here you should be able to find the selection field User group.
    6. Select the group you created and hit the green tick.
    7. All the users in that group will be listed in the User list tab on the main screen.
    8. Now to complete the user assignment hit the User comparisor button ( it should turn green once done).
    Regards,
    Siddhesh

  • Analysis Authorization (Role, Profile and Direct Assignments)

    <b>Analysis Authorization Question:</b>
    1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
    2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
    3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
    <b>
    Migration Options:</b>
    1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
    2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
    3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
    <b>Questions</b>
    a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
    b)     Does any one use direct assignment to Users? It is good business practice?
    c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
    d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
    Just want to check how other folks have done migration that can be supported going forward.
    Pankaj Gupta

    Hey Pankaj,
    In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
    Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
    RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

  • What authorization-roles for user login (java stack)

    Hello SAP-Fans ,
    which authorization role needs to be assigned to the users for logging into a java-stack on port 50.000?
    We always get the error-message: "Error 403 forbidden, You are not authorized to view the requested resource."
    I know this is a beginner's question. Java is completely new to us.
    Thanks in advance
    Danny Winn

    Hi Danny,
    Welcome to SDN,
    Logon to the portal with the user Administrator, go to User Administartion and create a user for yourself by assigning Super Admin Role.
    portal Url must be http://<host.fqdn>:50XX0/irj/portal where XX is the system number in this case 00.
    You will able to see at the user admin tab all the SAP standard roles.
    regards
    Juan
    Please reward with points if helpful

  • Provisioning EP roles and user groups through CUP

    Hello experts,
    I am configuring EP provisioning through CUP.
    I created the EP connector as per the instructions in the config guide. But I have not added any parameter values or did any field mapping. I have imported necessary Portal roles.
    My EP connector is tested successful. But when I try to provision a role through CUP, I get this error:
    Error processing your request, Request no: 4 in stage : NEW_AS11.
    In the log it shows,  Field Mapping is not set for Application  (EP)
    But when I go to field mapping, I get this error for EP.
    Data retrieval from system XP1 failed : com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
    I could not find much documentation on fieldmapping.
    Are there any steps that I am missing for EP provisioning?
    Thanks in advance..
    Kee

    Thanks for your response.
    I have set up the parameters while setting up the EP connector in CUP.
    My role search URI is correct  but I am not sure about the last three parameters...
    ASSIGN_GROUPS:OC sapgroup
    ASSIGN_ROLES:OC saprole
    CHANGE_USER:OC sapuser
    CREATE_USER:OC sapuser
    CREATE_USER:password password
    DELETE_USER:OC sapuser
    LOCK_USER:OC sapuser
    LOCK_USER:islocked true
    RESET_PASSWORD:OC sapuser
    RESET_PASSWORD:password password
    ROLESEARCH_URI -  http://portalserver name:port number/UserRoleSearchForAEService_5_3/Config1?wsdl&style=document
    ROLESEARCH_URI_USERNAME -  same user Id I provided for the connector
    ROLESEARCH_URI_PASSWORD See your system administrator for the value.
    UNLOCK_USER:OC Sapuser
    UNLOCK_USER:islocked false
    ROLE_DATA_SOURCE -- ROLE.UME_ROLE_PERSISTENCE.un:   ??? What  is the role data source?? Is the value that is  provided is correct for the UME roles
    SCHEMA_ID SAPprincipals   ?? What does this Schema Id mean???
    USER_DATA_SOURCE  ????  Should we mention the user data source on the Portal system. In our case, it is the LDAP. But what would be the corresponding parameter value for LDAP.
    So when I go to field mapping to create one for EP, I get the following error:
    Data retrieval from system XP1 failed : com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
    Log Details:
    2009-03-03 14:28:48,055 [SAPEngine_Application_Thread[impl:3]_19] ERROR Error in gettting Field Def
    com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.sendSchemaRequest(SchemaRequest.java:131)
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.getSchemaAttributes(SchemaRequest.java:142)
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.getFieldDefinition(SchemaRequest.java:163)
         at com.virsa.ae.configuration.bo.FieldMappingBO.getSAPFieldDefList(FieldMappingBO.java:126)
         at com.virsa.ae.configuration.actions.LoadFieldMapAction.execute(LoadFieldMapAction.java:56)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:425)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
         at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.setContent(SOAPPartImpl.java:192)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPMessageImpl.<init>(SOAPMessageImpl.java:83)
         at com.sap.engine.services.webservices.jaxm.soap.MessageFactoryImpl.createMessage(MessageFactoryImpl.java:35)
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.sendSchemaRequest(SchemaRequest.java:118)
         ... 25 more
    Caused by: com.sap.engine.lib.xml.parser.NestedSAXParserException: Fatal Error: com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)(:main:, row=5, col=18) -> com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)
         at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:139)
         at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:173)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.parseDocument(SOAPPartImpl.java:221)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.setContent(SOAPPartImpl.java:189)
         ... 28 more
    Caused by: com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)
         at com.sap.engine.lib.xml.parser.XMLParser.scanAttValue(XMLParser.java:1403)
         at com.sap.engine.lib.xml.parser.XMLParser.scanAttList(XMLParser.java:1577)
         at com.sap.engine.lib.xml.parser.XMLParser.scanElement(XMLParser.java:1712)
         at com.sap.engine.lib.xml.parser.XMLParser.scanContent(XMLParser.java:2442)
         at com.sap.engine.lib.xml.parser.XMLParser.scanElement(XMLParser.java:1843)
         at com.sap.engine.lib.xml.parser.XMLParser.scanContent(XMLParser.java:2442)
         at com.sap.engine.lib.xml.parser.XMLParser.scanElement(XMLParser.java:1843)
         at com.sap.engine.lib.xml.parser.XMLParser.scanContent(XMLParser.java:2442)
         at com.sap.engine.lib.xml.parser.XMLParser.scanElement(XMLParser.java:1843)
         at com.sap.engine.lib.xml.parser.XMLParser.scanDocument(XMLParser.java:2845)
         at com.sap.engine.lib.xml.parser.XMLParser.parse0(XMLParser.java:231)
         at com.sap.engine.lib.xml.parser.AbstractXMLParser.parseAndCatchException(AbstractXMLParser.java:145)
         at com.sap.engine.lib.xml.parser.AbstractXMLParser.parse(AbstractXMLParser.java:160)
         at com.sap.engine.lib.xml.parser.AbstractXMLParser.parse(AbstractXMLParser.java:261)
         at com.sap.engine.lib.xml.parser.Parser.parseWithoutSchemaValidationProcessing(Parser.java:280)
         at com.sap.engine.lib.xml.parser.Parser.parse(Parser.java:342)
         at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:101)
         ... 31 more
    2009-03-03 14:28:48,055 [SAPEngine_Application_Thread[impl:3]_19] ERROR com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
    com.virsa.ae.core.BOException: com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
         at com.virsa.ae.configuration.bo.FieldMappingBO.getSAPFieldDefList(FieldMappingBO.java:134)
         at com.virsa.ae.configuration.actions.LoadFieldMapAction.execute(LoadFieldMapAction.java:56)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:425)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.sendSchemaRequest(SchemaRequest.java:131)
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.getSchemaAttributes(SchemaRequest.java:142)
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.getFieldDefinition(SchemaRequest.java:163)
         at com.virsa.ae.configuration.bo.FieldMappingBO.getSAPFieldDefList(FieldMappingBO.java:126)
         ... 22 more
    Caused by: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
         at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.setContent(SOAPPartImpl.java:192)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPMessageImpl.<init>(SOAPMessageImpl.java:83)
         at com.sap.engine.services.webservices.jaxm.soap.MessageFactoryImpl.createMessage(MessageFactoryImpl.java:35)
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.sendSchemaRequest(SchemaRequest.java:118)
         ... 25 more
    Caused by: com.sap.engine.lib.xml.parser.NestedSAXParserException: Fatal Error: com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)(:main:, row=5, col=18) -> com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)
         at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:139)
         at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:173)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.parseDocument(SOAPPartImpl.java:221)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.setContent(SOAPPartImpl.java:189)
         ... 28 more
    Caused by: com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)
    Appreciate your response.
    Thanks
    Kee

  • Assign SQ03 Abap Query User Group to role

    Please advise how to assign SQ03 Abap Query User Group to a role. Thanks.
    Moderator message: please do more research before asking.
    [Rules of engagement|http://wiki.sdn.sap.com/wiki/display/HOME/RulesofEngagement]
    [Asking Good Questions in the Forums to get Good Answers|/people/rob.burbank/blog/2010/05/12/asking-good-questions-in-the-forums-to-get-good-answers]
    Edited by: Thomas Zloch on May 12, 2011 5:40 PM

    Hello Sunil,
    The problem is that I have hundreds of users to maintain user groups.
    found out that it is possible to assign user group to role and role to user groups. implementing hr authorization with in-direct assignment of auth. So if I could use sq10, user groups could also be link to position in the org chart.
    sq10 does allow you to assign a user group to a role but when you assign the role to a user and the user runs a query, it reports that no user group has been assigned.
    Suspect that there must be a parameter or switch that is not turned on
    Regards

  • SAP HR Structural Authorizations

    Hi Experts,
    I need a help regarding SAP HR Structural Authorizations.
    Currently our HR System is set with structural authorizations were in
    users will be accessing HR Org structure with different pd-profile and HR relationships (with Org units ex:
    assistant relation, manager relation).
    Now we want to design the roles based on company codes, where users should be able to see
    all organization units within company code 'xyz'.
    Do we need to create new pd-profile or new HR relationships or just restrict within existing HR roles for
    accessing organizations units within different company codes.
    Please guide me steps to proceed with this requirement?
    Your early response is highly appreciated, thanks in advance......

    You will need to talk to the HR folks about this and whether any employee grouping on the HR side matches a company code unit on the FI side to use in the authorizations.
    This means that HR data and processes are also aligned to finance processes, which was often the case with local HR systems but less so with global ones.
    The answer is on your side in the data and the processes. There is no single field which you can use for both, let alone an org. level field known to structural authorizations.
    Cheers
    Julius

  • Structure Authorization Issue

    Hi guys,
    I don't have structure authorization implemented or HR system implemented. I was playing with my sandbox system to learn structure authorization by using step by step tutorial.  After I created a structure authorization for two users I deleted everything related to structure authorization but unfortunately, some t-codes related to org chart for example PPOME, PPOMW are not working properly, its not allowing to create new org char.
    We have another team needs to create some org chart for prototyping but they can't create org chart its giving no authorization error when I ran SU53 it's not giving regular auth error its also give failed HR structure authorization error, this is the error in su53 coming (Date 10/01/2010 and time Plan version 01 Object ID 5000075 Action LISD) there are so many different object ID on the list.
    They all already have SAP_ALL in the system. Can anybody give some kind of report so I remove structure authorization completely from the system.
    Please help
    Thanks

    Structural Authorization Check
    Structural authorizations are used to grant access to view information for personnel where HR OM has been implemented as we stated. The Access is granted to a user implicitly by the useru2019s position on the organizational plan.
    On top of the general authorization check, which is based on authorization objects, you can define additional authorizations by hierarchical structures.
    In each area, the combination of start object and [Evaluation Path|http://help.sap.com/saphelp_erp60_sp/helpdata/en/35/26c256afab52b9e10000009b38f974/content.htm] from an existing structure returns a specific number of objects. This exact combination, in other words the number of objects returned by this combination, represents a useru2019s [Structural profile|http://help.sap.com/saphelp_erp60_sp/helpdata/en/0c/49ba3b3bf00152e10000000a114084/content.htm]. So structural authorization check is therefore based on a Dynamic concept: The concrete objects that are returned by a structural profile change as the structure (under the start object) changes.
    Steps to Perform to Set Up Structural Authorization Check in brief:
    (Before start moving for str. auth profile it is assumed that the Switch AUTSW for HR General Authorization check is also activated in table T77S0. Structural Authorization won't give the access for accessing HR data as described in the last posts and works together with General Authorization - to remind you)
    1. Integration:  Control parameters for the integration of Personnel Planning and Development (PD) with other applications (such as Personnel Administration (PA) and Cost Accounting (CO), etc.) are specified in the "PLOGI" group.
    2. Turn on PD PA switch: TCode used is OOPS. Ensure value registered for PLOGI u2013 ORGA is X. No other values need to be checked or changed.
    (Note: PD and PA sub modules of HR are not configured to share data by default in the SAP delivered system. This switch must be on for data to flow between both modules.)
    3. Turn on Structural Authorizations Main Switches : TCode is OOAC. Value for ORGPD is set to 1.
    4. Create Org. Plan (check the first post).
    (Note: Do not create your Organizational Plan without this switch on. If you do, structural authorizations will not work and some org and infotype setup will not work. You cannot turn the switch on and get structural authorizations on an organizational plan, that was created while it was off, to work..)
    5. Create Personnel Master Record: Tcode is PA40. This is time consuming staff.
    6. Create record for Infotype 0105 - TCode is PA30.
    7. Create Structural Authorization Profiles u2013 TCode = OOSP
    8. Create entry for IT 1017 - TCode is PO10 (Organizational Unit) or PO13 (Position).
    9. Assignment of Structural Authorizations: The assignment of the Structural Authorization can be found with good details here in [SAP Help|http://help.sap.com/saphelp_erp60_sp/helpdata/en/97/27973b3ea3eb0fe10000000a114084/frameset.htm].
    Please check and let us know for any query.
    Regards,
    Dipanjan

  • Control Workflow Report output using Structural Authorization

    Is it possible to control output of Workflow Reports using Structural Authorizatins. E.g. Workflow Admins having access to tcode SWi2_FREQ will be able to see project wide data, but i want to restrict the workflow admins at department level from seeing workflow data for other departments. is that possible using Structural authorizations or any other mechanism?
    My understanding is that Structural authorizations pretty much control PA/PD, and not other modules. I did a quick test,
    1) Created a org structure
    2) Created employees, users, and set up structural authorizations
    Now when users are granted authorization to PA20, they are restricted to what they should be seeing, but when they are granted authorization for workflow admin reports, structural authorization don't seem to work, they are able to see data for workflow triggered for other departments as well. Is that the standard behavior or i am missing something. I don't have enough experience with Structural auth.
    I will appreciate any guidance on this matter.
    Thanks,
    Saurabh

    Arghadip, please explain how this will prevent someone from Norway from looking at the workflow log of a workflow for an employee belonging to the Danish part of the organisation.
    <i>Message was edited by Kjetil Kilhavn:</i>
    To explain a bit more in detail: how does this prevent me (Norwegian) from going into SWI1, SWIA or any other transaction, and looking at data from other parts of the organisation. I don't think it will work.
    I think the only way to achieve this is to either modify SAP's standard code and include some structural authorisation checks - or take the standard transactions out from every user role and create your own wrappers or program copies which basically does the same as the modification would have to do.

  • Error Occured when Applying Structural Authorizations in E-Recruitment

    Dear Experts,
    The E-Recruitment functionalities were working fine when no structural authorizations are applied. However, when structural authorizations are configured for the user on the backend SAP system (I configured structural authorizations for the user to have access to only his own department), the E-Recruitment module does not work.
    When I tried to access requisitions-> maintenace, application management->applications, etc, (i.e. when the E-Recruitment module tries to retrieve data from the backend), the the following error message occurred.
    Error when processing your request
    What has happened?
    The URL http://<hostname>:<port>/sap/bc/bsp/sap/hrrcf_start_int/application.do was not called due to an error.
    Note
    The following error text was processed in the system ABC : <b>RAISE EVENT statement nested to deep.</b> The error occurred on the application server XYZ and in the work process 0 .
    The termination type was: RABAX_STATE
    The ABAP call stack was:
    Method: ON_CHANGE of program CL_HRRCF_INFOTYPE=============CP
    Method: INSERT_RECORD of program CL_HRRCF_INFOTYPE=============CP
    Method: READ_RECORDS of program CL_HRRCF_REQUISITION_INFO=====CP
    Method: GET_RECORDS of program CL_HRRCF_INFOTYPE=============CP
    Method: GET_RECORDS_BY_DATE of program CL_HRRCF_INFOTYPE=============CP
    Method: ON_REQUISITION_UPDATE of program CL_HRRCF_REQUI_BL=============CP
    Method: ON_CHANGE of program CL_HRRCF_INFOTYPE=============CP
    Method: INSERT_RECORD of program CL_HRRCF_INFOTYPE=============CP
    Method: READ_RECORDS of program CL_HRRCF_REQUISITION_INFO=====CP
    Method: GET_RECORDS of program CL_HRRCF_INFOTYPE=============CP
    Please advice if E-Recruitment supports structural authorizations. If it does, are there additional configuration required to enable structural authorization. Kindly enlighten me on how to resolve this error. Any help will be much appreciated.

    Hello Louis,
    I implemented e-recruiting with structural authorizations for a customer and encountered exactly the same error. Anything in the e-recruiting implementation leads to this problem. When you miss some object authorizations the implementation generates an infinite callstack which results in this short dump.
    So be sure you assigned all necessary objects to recruiters and also candidates (NA, NB, NC, ND, NE, NF, BP, CP, P, Q, QK, VA, VB, VC) but this might be difficult esp. with the P object, when you use structural authorizations for other purposes, too. This usually generates problems in manager involvement (e.g. manager can't choose a recruiter to approve his requisition as he has not the structural authorization for the hr department members).
    It is also a bit strange that candidates need for example change rights for the requisition (NB) although they won't actually change it but without it the relation application->requisition, candidacy->requsition cannot be created correctly.
    Last but not least be always sure that you refreshed the authorization buffers after changing structural authorizations. They are usually switched on for better performance.
    Best regards
    Roman Weise
    PS: be aware that using structural authorizations will keep you busy for some time. we needed ~2 months to set up the system in a way that e-recruiting worked as the custoimer wanted without interfering any other productive hr component (admin, org. mgmnt., managers desktop).

  • Transport User Groups in Portal

    Hi
    In Development Portal i assigned Portal roles to user groups
    How can i transport the assignment.....i mean user groups
    Thanks

    Go to User Administration - Identity Management in your portal.
    In the search criteria, select Group and then select the data source where you created your custom groups.
    If you use a * and search, you can find all the groups.
    You can then select one or multiple groups and click on the "Export" button.
    In the following screen, you can see that the group information and the user to group assignment will be populated as a text file inside a text window.
    Select all the text (Right click and Select All) in that export window and paste it into a notepad and save it.
    Now, in your target portal system, go to User Administration - Import
    Browse and select the notepad which you have saved above and click on the Upload button.
    You can do a similar export function on Users, Roles along with Groups.
    Thanks,
    Shanti

  • Cannnot assign user  to user group

    Hi,
    we have SAP EP connected to ECC.
    i have created a R/3 role, so i can see it as user group in sap portal.
    i have created a user in ECC and asign to him the previous R/3 role.
    When i see in SAP Portal, i can see the previous user and i can see the prevoius r/3 role as user group.
    But the user group is empty, is it normal? for me , i should see this user in the user group in the portal (because it's done in ECC)
    Even, if i tried manually in sap portal to add this user in the user group, the system does not allow that because the button "ADD" is disactivated (I think it's normal because this user group exist in ECC as R/3  role)
    Any help to assign this user (created  in ECC)  to user group (Created in ECC as R/3 role) in SAP Portal ?
    Thanks

    solved

  • List roles/profiles/authorizations for end user

    HI All
    Can anyone please give the list roles/profiles/authorizations
    that needs to be added to our end user id so as to view
    (Only Display) all the BEx Reports.
    Points assured
    Thanks
    Vijaya

    Hi Vijaya,
    Go through this link:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a07122ae-8216-2a10-c9a5-996717a0648b
    Thanks,
    Ajay

Maybe you are looking for

  • Albums in the wrong order since ios 7

    Since I have updated my iPad 2 to ios7 it has put 90% of my albums in the wrong track order. The same albums on my iphone 5 (ios7) are fine.

  • Error when Duplicating the Quote

    Hi, when i am duplicating the Quote it is giving the following error. "Quote total must be a positive amount". But when i execute ASO_QUOTE_HEADERS_PVT.update_quote_total(..) procedure I am getting positive value. If it is negative value only the err

  • Remote monitoring multiple webcams

    I have the webcam instant attached via usb to my computer. The Creative Web Cam Center software uploads images from it to the web every 5 seconds. I'd like to add another webcam instant camera to the pc and have pics from it uploaded to the web too.

  • What is the cost of iPod Touch

    What is the cost of iPod Touch

  • Can't connect MIDI devices in Audio Midi Setup

    In the help for Audio Midi Setup, step 7 says you can connect devices as follows: "7. To specify the connection between MIDI devices, drag the output or input connectors above the device icon to the corresponding connector on the other device icon."