Tcode within a role
Hi all,
How can I find out in which role that a tcode exist in? For example, I have:
Roles: 1) Roles1, 2) Roles2, 3) Roles 3, ... N) RolesN
and I also have a tcode, say: ZFIUPLoad, and I would like to find out that in which roles that this tcode assigned to?
Any idea?
Thanks
Check transaction code SUIM with options available.
> Roles
>> Roles by complex Search Criteria
Enter transaction code, Execute
Check other options for additional searches. This transaction should cover all.
Hopethishelps
Hein
Similar Messages
-
How to fetch iView Properties within a Role?
Hi,
I have Role-A. PCD path of this role is known. With this information, programmatically I should be able to fetch a few properties of all the iViews within this Role. An iView can be at any level with in this Role-A ( like RaleA- Workset-Page-iView or Role-Page-iView) . Is it possible to fetch the properties dynamically? Do we have APIs to do this? Any help is much appreciated.
Regards,
Nag.A Good starting point is this:
Browse Roles, Folders, Pages & iViews assigned to a user: EP6 SP2
Once you get the iView object it's not difficult to get the properties.
Thanks
Prashant -
Table for tcodes for a role at object level
Hi Expert,
In production we have one role that doesnot have any tcodes at menu level.We are able to find tcodes at object level s_tcode.
I have tried in agr_tcodes table i am getting zero tcods for that role.
Is there any way to find out tcodes for particular role which is maintained in s_tcode object.
Thanks,I know you already got the answer from akshay..Still wonder why the thread is still open.. I could not resist my self to say few words....
AGR_TCODES - Gives transaction that is added in role menu and appear in S_TCODE with standard status.
AGR_1251 (with role name and S_TCODE) - Gives you above as well as manually added S_TCODE values.
Also keep eye in the status for S_TCODE in output of AGR_1251 (Rest for you to explore) so no need to enter the role manually to see whether the object is added manually or standard....
Arpan -
Cannot trace the transaction code within a role
Hello All,
We, in our project trying to trace out various transaction codes assigned to each of roles.
I have an issue tracing an transaction code FB60. When i searched in suim for transaction codes within the role, I could see FB60 listing in the results.
But when i go to role through pfcg and see in the menu tab i cannot find the transaction code there.
what went wrong here? Now i want to remove the transaction code from the role so that next time when i use suim it wont be listed in the results.
Kindly advice.
Regards,
Brahmeshwar PolojuHERE IS THE OUTPUT.
OBJECT AUTH VARIANT FIELD LOW HIGH
S_TCODE T-DC84003900 TCD SCPE*
S_TCODE T-DC84003900 TCD SDD1* SE03
S_TCODE T-DC84003900 TCD SE07 SE16N
S_TCODE T-DC84003900 TCD SE17 SECQ*
S_TCODE T-DC84003900 TCD SEEF* SI24_12
S_TCODE T-DC84003900 TCD SI2414 SIBU
S_TCODE T-DC84003900 TCD SIC_* SLAT
S_TCODE T-DC84003900 TCD SLG0 SLIB_*
S_TCODE T-DC84003900 TCD SLIN SLXT
S_TCODE T-DC84003900 TCD SM30
S_TCODE T-DC84003900 TCD SM31 SM37
S_TCODE T-DC84003900 TCD SM50
S_TCODE T-DC84003900 TCD SM51
S_TCODE T-DC84003900 TCD SMAR* SMEZ
S_TCODE T-DC84003900 TCD SMTH* SNLS
S_TCODE T-DC84003900 TCD SNRO SO99
S_TCODE T-DC84003900 TCD SOACARRY* SOTR*
S_TCODE T-DC84003900 TCD SP02
S_TCODE T-DC84003900 TCD SCUS* SDCA*
S_TCODE T-DC84003900 TCD /* DA_*
S_TCODE T-DC84003900 TCD DC* PFCF*
S_TCODE T-DC84003900 TCD PFD* RYZ*
S_TCODE T-DC84003900 TCD RZZ* SAIM*
S_TCODE T-DC84003900 TCD SAIO* SAK*
S_TCODE T-DC84003900 TCD SAM* SAPTE*
S_TCODE T-DC84003900 TCD SARJZ* SARTN*
S_TCODE T-DC84003900 TCD SASAPCATT SBEA
S_TCODE T-DC84003900 TCD SBI* SC2_*
S_TCODE T-DC84003900 TCD SCA* SCBZ*
S_TCODE T-DC84003900 TCD SCDO SCI*
S_TCODE T-DC84003900 TCD SCTS* SCU3
S_TCODE T-DC84003900 TCD SWF_TR* SYNT
S_TCODE T-DC84003900 TCD SZG* TRBS
S_TCODE T-DC84003900 TCD TRCM* UR_M*
S_TCODE T-DC84003900 TCD USRM* _Z*
S_TCODE T-DC84003900 TCD SWF_CN* SWF_RE
S_TCODE T-DC84003900 TCD SPEC* SPERS*
S_TCODE T-DC84003900 TCD SPP* SPROJE
S_TCODE T-DC84003900 TCD SQ00 SRT*
S_TCODE T-DC84003900 TCD SSC SSDZ*
S_TCODE T-DC84003900 TCD SST0 ST05*
S_TCODE T-DC84003900 TCD ST14 ST62
S_TCODE T-DC84003900 TCD STCU STKZ*
S_TCODE T-DC84003900 TCD SV* SWF_BA
S_TCODE T-DC84003900 TCD SURAD SURVEY
S_TCODE T-DC84003900 TCD SU50 SU52
S_TCODE T-DC84003900 TCD SU3
S_TCODE T-DC84003900 TCD SU2
S_TCODE T-DC84003900 TCD SU0
S_TCODE T-DC84003900 TCD STS* STYLE*
Regards -
Hello Gurus,
I'm trying to delete a tcode vk11 from a role.
To find which all role has this tcode, i used SUIM.
Under one role i found this tcode in s_tocde field, but when i assigned this role to a dummy user( without removing the tcode)
I was not able to execute tcode VK11. It says you are not authorized.
Should I still remove this tcode from a role or its ok to leave it there?
Thanks for your help!>
Jurjen Heeck wrote:
> > If the tcode is in S_TCODE auth object then you should be able to execute it.
> Some transactions (or rather programs) fail immediately after starting because other required authorizations are missing.
>
> So technically you may be able to start it but it can still appear as if it didn't start at all because the initial screen failed to load. This is when the message becomes confusing.
>
> SU53 and/or ST01 may help in your research.
Thanks Jurjen ...now I remember that, we had this problem with a t-code when we were installing Informatica...thanks again.
but for the OP question, I tried with manually adding VK11 and it works..atleast the first screen load..so for his issue my guess is profile is not generated.......but then I may just be speculating. -
Segregate access to Plant within same role (Organisation level)
Hi
I don't seem to find out whether it is possible to segregate the access to plants in the same role
I have a role which gives Full Access to all plants. One of them now is being closed down therefore needs to be locked down for changes and can only be given with display
We have about 150 roles like this so the option of creating a new role to display that specific plant is not an auspicable...
How can I do so?
Thanks for any hint!
NadiaSegregating the access within a role itself doesn't seem to be feasible.
If you want to restrict access to that plant, you need to update the roles to exclude that plant value
and setup a display role for that plant value.
Regards,
Zaheer -
Role within a role, seperate permissions
Hi there
I have a role, HR, which must appear in the top level navigation. That is simple to do ... create the role, add iviews etc., mark as entry point and assign users to the role ... displays nicely.
Now, as part of the HR section, we would like another section, namely Payroll, which is only accessible to certain people.
I can create a new role, called Payroll, and assign certain users to that role.
I then add the Payroll role to the HR Role ... Payroll now appears in the detailed navigation as required, but all users have access to the iviews within the Payroll role, which is not what we want.
If I mark the Payroll role as an entry point, then it only appears in the top level navigation for users who have been assigned to the role.
This makes me think I have the permissions configured correctly.
What do I need to do to make detailed navigation rely on the role permissions? It would appear the permissions are being "inherited" from the parent Role, which is not what I want.
Is there a way to get a role within a role to keep its permissions and ignore the parent permissions?
Can I do this in the detailed navigation, or should I be trying something else?
Should this perhaps be done at a workset level instead?
Any help would be greatly appreciated (and no doubt points awarded)Thanks Marty
I had forgotten about Merging, and that seems to have gotten me most of the way.
I can successfully merge, and the new item only appears for the relevant users, but it merges quite high.
I would like the merging to happen in the detailed navigation, but I can't seem to get this right.
At the moment, I have 2 worksets, namely Home and Payroll. I set the merge properties on these 2 worksets. Home workset is then assigned to the HR Workbench role. When I log in as a user who has access to the Payroll role, then I see the HR Workbench role, and in the second level navigation, I see Home and Payroll (worksets).
What I would like, is to have the Payroll workset appearing in the detailed navigation.
I have tried merging on the folders in the Home workset, but still don't see anything in the detailed navigation.
Do you know if it is possible to merge in the detailed navigation, or only top level navigation?
Thanks for the answer ... I will reward points now -
Hi,
I have a room which should be accessible to all users.So I am thinking of assigning it to a role which a user can access easily. I did this by using a url iview,But the problem is within that role the masthead and all the roles are displayed once again. I want only the room content to be displayed in that role. Can anybody tell me how to go about this?
Regards
VineethHi Vineeth,
Almost right.You have to modify the PCD ID in order to call the object via URL.
You should replace the colon by "!3a" and each slash by "!2f".
<b>Example</b>
PCD ID:
<i>pcd:portal_content/FolderA/com.sap.iview</i>
Modified PCD-ID:
<i>pcd!3aportal_content!2fFolderA!2fcom.sap.iview</i>
URL prefix:
<i>http://<portalserver>:<port>/irj/servlet/prt/portal/prtroot/</i>
Final URL -> check with new browser instance:
<i>http://<portalserver>:<port>/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fFolderA!2fcom.sap.iview</i>
In earlier versions of NW you could get this URL by clicking on the preview button of an iview... And be sure to have the right security settings to execute an iView in this way.
Hope this helps.
Stefan -
Illegal Tcodes error while role generation in BRM GRC 10.0
Hi Experts,
I am working on SP11 GRC 10.0.
In BRM, after following all necessry steps for role creation, when I enter last stage "Role Generation" and try to generate it, I am getting error "Illegal Tcodes (system name)" as shown in below screenshot.
I am adding SAP standard t-codes only (e.g. SU53) which are existing in the backend system but still it throws error.
Your suggestion is highly appreciated.Hi Swati,
Thanks for your reply.
I had already applied note: 1066687 but it didn't resolve my issue.
Note: 1441463 is valid till release 720 and I am on release 731 and SP11.
Thanks
Jayesh -
Know the tcodes of a role assigned to user
Hi
I assigned buyer role to myself and now i want to know the tcodes of the transactional iviews running in those particular tasks.
like in Purchasing--overview worklist and Purchasing groupanalysis iviews displayed.
How do i get to know about there tcodesHi Neel,
When transactional iviews get execute from that window bottom right you can get the program name details .
Or go to the iview properties added to the buyer role here also you will get all details like t.code , system used in portal,
System client and all.
Regards,
Piyush -
RT- not flagging violations when new tcode added to role
Hi,
I am using Access Enforcer and Compliance Calibrator and maintaining roles through PFCG. What I am finding is- AE picks up violations of role assignments to users as does Risk Termiantor. However if I add a new transaction code to a role through PFCG that causes a violation not in the role itself but when combined with other roles that the user already has on their account, this is not being flagged. Therefore I could have an unmitigated risk going undetected until I next run CC, which would pick it up. Has anybody else experienced this? Does Risk Terminator not pick up violations at user level when a role is updated?
1) create role ztest1 with tcode IW32
2) create role ztest2 with tcode MIGO
3) assign both roles to user- testuser
4) Edit ztest1- add tcode ME21N. Click Save
5) Risk violation for user not flagged
Thanks"I should perhaps add that I'm working here with .doc files (not .pages files) and that I edited the info.plist of Pages to give it the role of 'editor' instead of 'viewer' for all ".doc" files. Mainly to ensure that if I work on a .doc file which I want to remain a .doc file, I don't have to Save As (.doc copy) all the time but can just save in the normal way. Could this interfere with the above problem?"
Here is your problem. Every time you open a .doc to Pages it is a new document. When you work on in Pages it is a Pages file and not a .doc file. If you want to work in PAges save the file as the generic .pages and do the export for .doc. Keep that name and next time you Save as Word or export as word in the same location the .doc file will be overwritten with the new one. and you'll only have on .doc file and one .pages file.
If you want only have .doc files don't use Pages. -
Maximum Number of tcodes in a role
I would like to know whether there is any SAP reccomendation on the maximum number of tcodes in roles. I have Security consultants colleagues who suggests that the maximum number of SAP transactions in a role must be around 40, though I have not found or heard anything from SAP or someone on such recommendations.
We are redesigning some large roles,and divding them with 40 tx each doesnt looks a good idea to me as they will result in lot of roles and managing them would not be feasible.
Can anyone share their experience regarding the same. Does SAP recommend anything related to it.Sameer,
I was "assured" that the key finance person would need access to all of the t-codes in a very long list - about 1300 in total.
Checkig out what she actually uses, there are just over 30 that she uses at least once a day, another 8 she uses at least once a week, and another 7 she uses once a month. There are 4 she will use very occasionally, and I suspect we will find maybe another 2 or 3 she will use once a year (possibly a few more, but I doubt more than half a dozen).
Although we haven't done the same work for all roles, I suspect we would find the same in several others.
The problem is that once you have given someone access to a t-code, they will fight to keep it, even if they don't use it. Better to start with the absolute minimum, and then let them have the others, if they really will use them. -
Restricting SCC4 Tcode, from the Role that was extracted from SAP_ALL profile
Hi,
Recently we have created a role extracting from SAP_ALL profile. We have deactivated many Basis, and other Critical Tcodes for our Dev & QTY systems by identifying the authorization objects.
But- for SCC4 we want to know if there is any other way to restrict the access.
Since we created the role by extracting the profiles from SAP_ALL. S_TCODE has * value, and S_TABU_CLI: has "X" value.
- problem is we cant deactivate or limit the usage of S_TABU_CLI:X as we have many ZTcodes for direct maintenance, which needs this AO.
- At the same time, we are trying hard to restrict SCC4.
So, please suggest if there is any other alternative way to restrict Tcode SCC4, by not being able to run using the New Role.
Regds,
Satish.First of, let me say that I fully agree with Sunil Bujade. The building block approach is the way to go when designing roles.
But if we're being practical, you could use authorization groups for tables (T-code SE54) and assign a custom auth. group to table T000. Then use this group to authorize (or actually not authorize) with object S_TABU_DIS.
Again, this is just a practical tip. The whole "create a role from SAP_ALL" thing is a totally different subject altogether.
Good luck!
Dimitri. -
Can PID (Parameter ID) be set as a default by TCODE or Role Level
Hi, Any one has any idea if PID (Parameter ID) and its value can be set as a default at TCODE or at Role Level?
Thanks in advance.
Syd.
Addendum:
Re: Can PID (Parameter ID) be set as a default by TCODE or Role Level
Posted: Oct 17, 2006 9:38 AM Reply E-mail this post
Thanks for the reply, you have mentioned try creating a Transaction variant or a Transaction parameter.
Here is my question?
1. Can we set a default Parameter ID at TCODE level so, if any user execute a transaction who has access to execute it, he will have Parameter id and its value as a default?
2. Can PID be set as a default for SAP TCODE or Custom TCODE, or can be done for both, if it can be done then, How?
3. Can PID be set as a default for a particular Role or profile?
Message was edited by: Syed Alam
Message was edited by: Syed AlamHi JC,
Yes, I agree.
A small disclaimer however is that we dont know which transaction is being refered to.
Creating a transaction variant with the parameter set for it could enable the use to navigate further and back again and in doing so "shed" the screen which the transaction (initially with variant parameter and skip screen) originally gave them.
Using a user-exit to set the parameter can in some cases be closer to the functionality (irrespective of how the user gets there) and be more reliable. But in this case an adventurous user will be likely to trick it anyway if they want to.
If the decision is made to use PIDs in the coding, then it is a decision that the user can influence the value (in my view). If coding makes insecure use of PIDs, then it is a design error in the coding.
Cheers,
Julius -
Mass role creation and addition of tcodes to role menu
Hi Folks,
We've a requirement of building 1000's of single roles for an implementation. Our security matrix is ready with the role names and the list of tcodes to be embedded in each of these roles. What I would like to know is if we can automate a part of the process of role building i.e the following 3 steps only.
1. Creation of the Role
2. Addition of the tcodes in the role menu
3. Save
I'm aware of Ecatt/LSMW through which we can create the roles but i'm not sure if we can add the tcodes to the menu of the roles since the number of tcodes to be populated in each role will vary.
Could anyone of you shed some light if it is possible to automate the addition of tcodes to the role menu taking into consideration that each role will have different number of tcodes to be added to the menu and what's the best possible way to achieve this if there exists one.
Thanks in advance for your time and suggestions!
Guest...Whilst I agree that there are probably too many roles being built here, which is more of an issue with the role design / strategy, the issue of how to easily create a role for a given list of transactions is something that SAP supports via the import menu from text file option in PFCG.
Yes you may need to write a script to cycle through all the possible role names, but we have recently had to build some roles based on actual usage, so exported transaction usage history to excel and then formatted the transactions into text files that could be imported to build the role menu.
You will still then need to ensure any object authorisation object have the correct values set - i.e. not just starred in - but as one of the pains in build a role is getting the menu to look reasonable, I'd suggest having a look at this approach.
Copy Menus -> Import from File is the function in PFCG in the menu tab for the role you are building
OSS note 389675 has details of what the text file of transactions for the menu should look like.
That should answer the question posed, rather than criticising the role design being followed.
Maybe you are looking for
-
Unable to install CSS3 Mobile Pack on Windows 7 computer
Adobe Extension Manager says: "This extension cannot be installed, it requires Fireworks version in range inclusively between 11.0 and 11.1." Windows 7 Home Premium 64bit Service Pack 1 Intel Core i7 1.60 GHz Installed memory: 6GB Fireworks CS5 - 11.
-
Hard Drive upgarde 40G to 160G looked good, except can't install new system
I mistakenly posted on the G3 forum. Here is my last post in that thread, and a summary of my problem (note that this computer came with OS 10.4.2 and that is what I am trying to install). We have a mac book pro and its install CDs, and a macbook 10.
-
How to pause/stop updates from App Store on iPad?
Currently, I am on holiday making use of a prepaid mobile Internet connection. By accident I pushed the button "Update All" in the App Store. Then it started downloading 18 apps and consumed more then many MB's in just a few minutes. My prepaid Inter
-
20" or 24" imac with a Air Desk?
I have been using a Air Desk with my PB 17 and love its ergonomics. I was wondering if anyone has tried to set up a imac on the air desk system of supports and stands. Thanks Razz
-
Limit change access to all useres exept the one that created the document
Hi, I wonder if it's possible to limit the change access only to the user that has created the document when it's in a specific status. This is what the customer wants: When a document is set to status K the document should be locked and no other use