Transactions available to different roles
Hi all,
I've been asked to do some research on the transactions available to different roles and would greatly appreciate any help anyone can give.
What I am looking for is a full list of transactions/rights attached to
SAP_CA_AUDITOR_SYSTEM user
SAP* user
DDIC user
If anyone could point me in the right direction that'd be great
As far as i know...T.Code --> SUIM should give you your desired results.
I am working on 4.6 B so change the nomanclature of Authorization Group as Roles in your system.
Just follow the path
SUIM --> Activity Groups --> By Activity Group Name --> enter your activity group "SAP_CA_AUDITOR_SYSTEM" --> Execute (F8) --> then click on "User Assignment" option.
Reward Points if it helps,
Regards,
N
Similar Messages
-
Transactions assigned to audit role
Hi all,
I've been asked to do some research on the transactions available to different roles and would greatly appreciate any help anyone can give.
What I am looking for is a full list of transactions/rights attached to
SAP_CA_AUDITOR_SYSTEM user
SAP* user
DDIC user
If anyone could point me in the right direction that'd be greatHi Jasper. Thanks for the help. I don't actually have the system in place here. I'm an auditor and quite new to SAP personally.
Our main SAP guy is on holidays and theres a dispute about whether or not we should have had access to the transaction SCC4 with the Auditor role so thats the one i'm looking for answers for.
I wasn't too sure where to put this question in the forum so if anyone could direct me to a more appropriate board i'd be grateful -
Different role types. Was: "Hi sap gurus"
define and differentiate the following types of roles
1.single role
2.composite role
3.derived role
4.child role
5.parent role
Message was edited by: Moderator
Please use meaningfull thread subject titles.Hi
There are 5 types of Roles:
1) Single Role.
2) Composite Role. (Max 164 Single Roles can be attached to one Composite Role)
3) Derived Roles.
4) Orphans Role.
5) Reference Roles.
<b>Composite roles </b>
A composite role is a container with several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.
Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role. Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group. The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.
The menu tree of a composite role is, in the simplest case, a combination of the menus of the roles contained. When you create a new composite role, the initial menu tree is empty at first. You can set up the menu tree by choosing Read menu to add the menus of all roles included. This merging may lead to certain menu items being listed more than once. For example, a transaction or path contained in role 1 and role 2 would appear twice. If the set of roles contained in a composite role changes, the menu tree is also affected. In such a case, you can completely rebuild the menu tree or process only the changes. If you choose the latter option, the Profile Generator removes all items from the menu, which are not contained in any of the roles referenced. It is possible (and often necessary) to change the menu of a composite role at any time. You adjust these menus in the same way as the menus for roles.
<b>Derived roles </b>
Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.
The higher-level role passes on its authorizations to the derived role as default values, which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either. Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.
The menus passed on cannot be changed in the derived roles. Menu maintenance takes place exclusively in the role that passes on its values. Any changes immediately affect all inheriting roles. You can remove the inheritance relationship, but afterwards the inheriting role is treated like any other normal role. Once a relationship is removed, it cannot be established again.
In real time scenario Roles and Authorizations are primarily based on Company codes in many cases and in some scenarios are also based on Cost centers or divisions etc. IN such scenario, a Master role is created and many child roles are created with relevant Organizational levels added to the same. So any change to the master role would be drilled down to Child roles and hence it would avoid a lot of Maintenance overhead.
E.g.: Master Role -- Z_SAP_FI_BUYER_000
Child Role1 -- Z_SAP_FI_BUYER_CC1
Child Role 2 -- Z_SAP_FI_BUYER_CC2
Child Role 3 -- Z_SAP_FI_BUYER_CC3
<b>Orphans Role</b>
Orphans Roles are Stand-alone roles and are many a times required for IS uses/. So a System Admin role, a Security Auditor role and many other special roles mainly not used in Business side are created as ORPHANS. This role limits the user to a particular organization.
<b>Reference Role</b>
They are SAP standard Roles.
Reward points if helpful -
Same user different roles within different organizations
Hello All,
We have requirement where Same user has to have different roles within different organizations.
What will be the solution to handle this situation using SUN IDM ?
Any inputs are greatly appreciated.
Thanks,
AkeelLet me simplify this,
We have requirement where a user can work for different organizations , which can be achieved in SIM using membership rules.
Say a user works for two organizations Say Org1 and Org2.
The user can have different roles in these 2 different organizations. For example user can have Role1 in Org1 and Role2 in Org2.
Role1 and Role2 both are available for assignment for respective admins of both Org1 and Org2.
Suppose Admin of Org1 assigns the user Role1; and admin of Org2 assigns the user Role2.
Now waveset.roles will have Role1 and Role2, but it can not tell the user has which role in which organization.
How do i specify the relationship between the role and organization ? The number of organizations are very large 70000+ and Number of identified roles around 51.
I dont think this can be implemented in Sun Identity Manger. Anybody has done this? Or any inputs are highly appreciated.
Regards,
Akeel -
Multiple UWL for the single user with different Role
Dear SAP Gurs,
We have one critical requirement on the Universal worklist, as a functional requirement like some Approvers will play different roles as approver, needs to track saperately the approver inboxes for the same person.
For Example :
Approver A - is an Purchase Exicutive(Role)
Approver B - Is an Purchase Manager(Role)
Every time Apporver A has to access his approval requests seperately ( Belongs to Approver A) and take action, as well Approver A has to see Approver B's actions items seperatly and take action.
currently we have 4 levels available and single person has to take action on based on the 4 different Approves(Role)
Is there any work around for the abobe requirement.
Thanks in advance,
Vinod
Edited by: Vinod Malagi on Jul 20, 2010 3:33 PMHi Karri,
The same requirement i want to tweak in by adding one more column in the UWL by enhancing the BOR.
i have try with below , can you please suggenst can be done by Virtual attributes.
Once data is comming in the UWL i will put 3 custome filters
We need to add a new column in UWL, which is present as a Table SWWORGTASK, in this we have to pass WI_ID and get ORG_OBJ populate it as a column in UWL.
Please suggent how can we impliment this ? do we needs to create virtual ttribute in the BOR from the same.
as we have reffered the below link, we are not able to implimant the same. Kindly suggest.
http://www.erpgenie.com/sap/abap/bor.htm
Thanks in advance
Vinod -
*How to Delet one same object from different roles*
I need to delete one auth object from different roles, Couls any one please advise me how can i do this and if there will be any complications involved with tis.
Best regards:
MaqIn PFCG, it may be that you have added some objects manually. To remove them you will have to go to pfcg.
Even if you first remove the objects from su24, you will have to go to all the roles through pfcg to generate them in expert mode by selecting the third option (edit old status and merge with new data) -
Sequence of the transaction list look different in ECC6.0 user menu
The sequence of the transaction list look different in ECC6.0 than SAP 4.6c(User Menu & SAP Menu).Is there any provision to make similar view as of SAP 4.6c in ECC6.0.
Thanks
Manojnot that i know of. and: you wouldn't want to do that: you'll be missing all the good new parts. for more information on new transactions, deleted transactions etc. make sure your read the release notes.
-
1 workbook in 2 different roles in BI7.0
Is it possible to publish the same workbook in 2 different roles in BI7 ?
I would like that all modification done on the workbook in the first role would be automatically done on the workbook in the second role (because it's not a copy but just a publication).
Please, give me a solution in NetWeaver ?HI Srikumar,
Yes I understood your requirement. We cannot use Static ID.
My method should work.
You have to create two buttons for 2 different regions.
and use the button requests in your MRU process as mentioned above.
So if Administrators log in and click the button in region X, it will call the MRU process.
If end-Users log in and click the button in region Y, it will also call the MRU process.
You dont need two processes.
Sreenithi -
System needs to approve automatically when the same user has different role
Hi Gurus,
My issue relates to approval in Shopping cart.
Say this is my Issue.
This is the Approval detemined by the system.
1 - X
2 - Y
3- Z
4- X
5- Y
X & Y are the Same user but with different role in the Approvals.
First time 'X' would get the cart to approve it manually but second time system should automatically approve it. Same should happen for 'Y' as well. So now both X & Y needs to approve the cart only once.
Please advice me how to approach this issue or If anyone experience the same kind of issue please let me know how to resolve.
Thanks for your time to spend on it.
Thanks,
SNMPkumarHi,
You can handle it with N-Step BADI Workflow.
Regards,
Masa -
Different Transaction Types for Different Depreciation Areas
Dear Friends,
When I am viewing the asset explorer for the asset, it is oberved that for book derpreciation 01, the asset transaction type "acquisition value" is updated and am able to view the same.
However when I am going through the tax depreciation area, the transaction type intercompany transfer" got updated and the acquisition values are not updated.
I would like know the reason of how the system is going to update different transaction types in different depreciation areas since the postings only takes effect in book depreciation and same should be diplayed for tax depreciation.
Thanks in advance!hi
go to OAYA
select "Limit Transaction Types to Depreciation Areas"
select the trnsaction type you using .
select depreciation area specification
and maintain entries for every dep area you want to maintain for transaction type.
regards -
Users stills appear to have transactions assigned even though roles have been removed.
Hi,
I'm currently looking at a number of users with access to sensitive transactions (e.g. SCC4).
When looking at a combination of the AGR_ROLES and AGR_TCODES tables I can see there is currently only one active role and one active user assigned this access which would fall in line with what was to be expected based on the population I am looking at (we're not concentrating on auth object level for now).
However when I go through SUIM and filter on users by complex criteria and enter transaction code SCC4, about 20-30 users pop up (this is how many people used to be assigned access to SCC4).
When access was removed for these 20-30 users, it was done at 'role level' so my question is, even if roles have been removed, when looking through SUIM would a user still appear to have transactions associated with that role assigned - if so, why does this happen? I assumed once a role is removed it would removed the underlying transactions etc with it?
My assumption at the moment is that even though SUIM is showing users still have access to SCC4 they can't actually use it as the role it was associated with has been removed.
Any help/clarity on this would be greatly appreciated.Hi Johnny,
Please do perform the User comparison.
Goto PFCG -> Role Name -> user comparision
then check in SUIM still user is having that Tcode or not .
for detail
Go to SUIM
Roles by complex selection criteria -> put Tcode there
it will give you Roles name having that tcode . and then you go to that Role and you will get list of Users in PFCG (User assignment Tab) .
same goes with User
SUIM - Users by complex selection criteria - > put tcode -> Profiles associated with - > roles assosiated with it .
But i suggest after you make any changes to Role / Profile you please do user comparision .
Regards
Dishant Pathak -
How can create report to get the all SAP transactions available to CSRs
Hi,
The user like to have the format of report as follows:
SAP transactions Transaction desription CSR 1 CSR 2 CSR 3 u2026etc.
VA01 order entry Yes No No
VA02 order change Yes No No
VA03 order display Yes Yes No
u2026etc.
( Of course the above entries donu2019t make any sense as u2013 Itu2019s just an example )
1) I think CSR means Customer Service Representative, where it is residing means in which table ?or How can I get CSR1,CSR2.....?
2)How can I get the all SAP transactions available to CSRs ?(first column)
3)How to find the which transaction is available to CSRs ? so that I can mark it is as Yes else NOI am not able to show the correct format as all get mixed when I post thread:
SAP transactions Transaction desription CSR 1 CSR 2 CSR 3 u2026etc.
VA01 order entry Yes No No
VA02 order change Yes No No
VA03 order display Yes Yes No
u2026etc.
( Of course the above entries donu2019t make any sense as u2013 Itu2019s just an example )
First column is Sap transactins,
second column is Transaction description
third column is CSR1,
fourth column is CSR2,
and soon.
In the first column I need to display list of all sap transactions available to CSR,
In the second column I need to display the transaction description
from third onwords I need to display CSR1
in fourth CSR2 and soon .
Please let me know for any questions,I appreciate for the reply . -
Cannot trace the transaction code within a role
Hello All,
We, in our project trying to trace out various transaction codes assigned to each of roles.
I have an issue tracing an transaction code FB60. When i searched in suim for transaction codes within the role, I could see FB60 listing in the results.
But when i go to role through pfcg and see in the menu tab i cannot find the transaction code there.
what went wrong here? Now i want to remove the transaction code from the role so that next time when i use suim it wont be listed in the results.
Kindly advice.
Regards,
Brahmeshwar PolojuHERE IS THE OUTPUT.
OBJECT AUTH VARIANT FIELD LOW HIGH
S_TCODE T-DC84003900 TCD SCPE*
S_TCODE T-DC84003900 TCD SDD1* SE03
S_TCODE T-DC84003900 TCD SE07 SE16N
S_TCODE T-DC84003900 TCD SE17 SECQ*
S_TCODE T-DC84003900 TCD SEEF* SI24_12
S_TCODE T-DC84003900 TCD SI2414 SIBU
S_TCODE T-DC84003900 TCD SIC_* SLAT
S_TCODE T-DC84003900 TCD SLG0 SLIB_*
S_TCODE T-DC84003900 TCD SLIN SLXT
S_TCODE T-DC84003900 TCD SM30
S_TCODE T-DC84003900 TCD SM31 SM37
S_TCODE T-DC84003900 TCD SM50
S_TCODE T-DC84003900 TCD SM51
S_TCODE T-DC84003900 TCD SMAR* SMEZ
S_TCODE T-DC84003900 TCD SMTH* SNLS
S_TCODE T-DC84003900 TCD SNRO SO99
S_TCODE T-DC84003900 TCD SOACARRY* SOTR*
S_TCODE T-DC84003900 TCD SP02
S_TCODE T-DC84003900 TCD SCUS* SDCA*
S_TCODE T-DC84003900 TCD /* DA_*
S_TCODE T-DC84003900 TCD DC* PFCF*
S_TCODE T-DC84003900 TCD PFD* RYZ*
S_TCODE T-DC84003900 TCD RZZ* SAIM*
S_TCODE T-DC84003900 TCD SAIO* SAK*
S_TCODE T-DC84003900 TCD SAM* SAPTE*
S_TCODE T-DC84003900 TCD SARJZ* SARTN*
S_TCODE T-DC84003900 TCD SASAPCATT SBEA
S_TCODE T-DC84003900 TCD SBI* SC2_*
S_TCODE T-DC84003900 TCD SCA* SCBZ*
S_TCODE T-DC84003900 TCD SCDO SCI*
S_TCODE T-DC84003900 TCD SCTS* SCU3
S_TCODE T-DC84003900 TCD SWF_TR* SYNT
S_TCODE T-DC84003900 TCD SZG* TRBS
S_TCODE T-DC84003900 TCD TRCM* UR_M*
S_TCODE T-DC84003900 TCD USRM* _Z*
S_TCODE T-DC84003900 TCD SWF_CN* SWF_RE
S_TCODE T-DC84003900 TCD SPEC* SPERS*
S_TCODE T-DC84003900 TCD SPP* SPROJE
S_TCODE T-DC84003900 TCD SQ00 SRT*
S_TCODE T-DC84003900 TCD SSC SSDZ*
S_TCODE T-DC84003900 TCD SST0 ST05*
S_TCODE T-DC84003900 TCD ST14 ST62
S_TCODE T-DC84003900 TCD STCU STKZ*
S_TCODE T-DC84003900 TCD SV* SWF_BA
S_TCODE T-DC84003900 TCD SURAD SURVEY
S_TCODE T-DC84003900 TCD SU50 SU52
S_TCODE T-DC84003900 TCD SU3
S_TCODE T-DC84003900 TCD SU2
S_TCODE T-DC84003900 TCD SU0
S_TCODE T-DC84003900 TCD STS* STYLE*
Regards -
Urgent ! Assigning (or Linking ) the same workbook into two different roles
Hi Gurus,
Coul you tell how to link the same workbook to two different roles.
I am assigning the same workbook to two different roles, but in the second role the workbook is displaying with different structure than in the first role. I want the workbook should be displayed with same structure in both the roles.
This is Urgernt.
Thanks in advance.
Best regards
HariHello hari,
Both the roles should diplay the same layout for a single workbook.
please ensure that both the users(with these 2 roles) have similar (all the other)authorisations.
it's possible that one of the users may have further restrictions in authorisations. check out for z-authorisation objects if any.
hope it helps..
thanks,
(*Don't forget to Assign points on SDN) -
Remove transaction codes from multiple roles at a time
Hello,
how to remove transaction codes from multiple roles at at time?
Thank you in Advance.Hi Vanita,
Why do you want to remove a t-code from all the roles. Are you no longer going to use the t-code. If this is the case then you can lock the transaction code in T-code SM01 so that no one can use it. But this would effect other users as well, it should only be locked if no one should use the particular T-code.
Another alternative is to write a program to remove the particular T-Code from the table AGR_TCODES where the relation ship between the role and t-code is stored.
Thanks.
Maybe you are looking for
-
How do I see powerpoint presentation on VGA projector?
I have the mini DVI to VGA adapter. After I connect my macbook to a vga projector what function key or command do I use to see my powerpoint presentation on the VGA projector?
-
BW upgrade to 4.0 and UNICODE
Hello, we are planning to do a BW upgrade to 4.0. Is Unicode required and what if the R/3 system is not using Unicode because it it still on 4.6C Thanks, Alex
-
When I click on Download, It gives me this:
-
SMQ2 - Queue blocked EVENT??
Hi there, I am working on an SAP XI system and was wondering if anyone knows of a way to catch some sort of EVENT when a queue in SMQ2 gets "blocked"? I have looked for a Business Object but now luck......I know I can possible schedule a background j
-
Time Capsule in Yosemite disconnects half a minute after power up
Have recently upgrade to Yosemite (OS X 10.10.1). Unfortunately now Time Capsule does not make any more backups, as it seems to loose connectivity to the wifi after about 30-60 seconds. My router is a Cisco EPC3925. Connecting the TC to my iMac via L