Transport Release frequency for Authorization Roles

Hi,
At my present customer all system changes are transported via release management. The current frequency of releases is 2 times a year. This includes SAP support packages, customizing, ABAP AND authorization roles.
Now I would like to establish a different, quicker release 'speed' for authorization roles only (f.i. once a week).
I already motivated my request with many reasons (role changes can be considered as master data changes; the lack of speed leads to insecure 'workarounds'; role management issues are 'redesigned' to user management issues; etc.) but what I am still looking for are reference documents, best practices, audit reports in which the same advice is described.
Could you please help me with my quest?
Thank you!
Kind regards,
Lodewijk

Hi Lodewijk,
I agree that it is useful to define a specific schedule for transporting roles, as opposed to the schedule for updating the software; however, I do not have a document describing best practice. Anyway, the following link may help you to convince the management that you can set up a process including 4-eyes checks on the transports:
[TMS Quality Assurance|http://help.sap.com/saphelp_nw70ehp2/helpdata/en/9c/a544c6c57111d2b438006094b9ea64/frameset.htm]
Using this process you would accept only transports which contain roles (R3TR ACGR...).
Kind regards
Frank

Similar Messages

  • How to track the transport request number for the Role/Composite Role

    Hi,
    How to track the transport request number for the Role/Composite Role.
    Thanks,
    Ravi

    Use transaction SE03 Transport Organizer Tools
    Execute "Search for Objects in Requests/Tasks" with objects of types:
    R3TR     ACGR     Role
    R3TR     ACGT     Role - User assignment
    Regards

  • Transporting "Release Necessary" for Parked Documents

    Good evening everyone,
    I developed a workflow in our development servers which serves to RELEASE parked documents prior to posting. I set up the configuration necessary in SPRO in order to achieve this, but once it got moved to Quality servers for further testing it is not working. Transports were successfully moved and the configuration appears to be identical. Any ideas or experience with this precise situation?
    Will appreciate any kind of response, and thank you!

    Hello Alexander!
    You have stated as follows in your reply:
    "The workflow is being executed, but the release method cannot be done"
    From the above statement, it implies that the document is not getting released.
    Please make sure all necessary parameters are passed to the release method and the binding is perfect. In the workflow log, please check that the parameters required for successful execution of the RELEASED method are populated with the respective values.
    Hope you have transported the objects in the sequence they're created.
    Regards,
    S.Suresh

  • Transport Release Issue For Process Chain

    Hi Gurus,
    While trying to release my request, which has a Process Chain to be imported to the testing environment, I am getting a message like below:
    Check Objects before release and msg as
    key :R3TR TABU RSCOMPTLOGOT             ERSPC*(Application Component Of Process Chain)
    If I click release anyway, the information I get is "You have to be an approver to bypass this check" and it is not released.
    I have checked the request and it is consistent and "ok".
    I am not able to understand why I am not able to release this request.
    Please guide me on this.
    Thanks

    Hi Vijay,
    Can you check that your process chain or any part of the process chain (diff process type) is not locked in two different transport requests?
    If so then delete the object from one request and add same object in another request and release.
    Regards,
    Kiran

  • Authorization roles for release strategy FRGSX

    Hi guys,
    we are using R/3 4.7. We are going to implement release strategy for Purchase orders in our company.
    We have customized different release groups, for several release strategies and release codes, without implementing any workflow.
    We have a problem on authorization roles because we assigned for each combination of release group and release code an authorization role but it is not sufficient to restrict the role for users because we don't take into consideration the release strategy.
    We had a look on the system but we didn't find any object related to release strategy (technical name FRGSX).
    Could someone help me?
    Thanks in advance
    Vir

    When assigning user authorization for PO release strategy each user is assigned to release group and release code. You cannot make a connection between specific release strategy to user.
    Pay attention that the authorization needed are also for change PO (ME22N) - meaning you can limit the users by all the authorization values of the ME22N objects.
    Use t.code SU24 to explore what auth. are checked in each transaction.
    Nir

  • Authorization roles for Release Codes

    Hi,
    We have a requirement wherein the release codes for the PO release strategy are about 100. The roles are repeating themselves, i.e. Buyer, Manager, Director etc. for different countries and other attributes. Is there any way by which we can reduce the authorisation roles?
    Regards,
    Mohit Sehgal

    If you have implemented the workflow then you don't need the repeated code for manager or buyer etc.
    You can just define the one code for each position and use them in the release strategy, and based on the workflow in combination with the HR org structure you can send them to the appropriate manager.
    E.g. you have 10 managers and each manager has 10 buyers,
    so you create one manager release code, e.g. MG, and one buyer code BY.
    Now you have to create many release strategies where you enter the MG code and BY code, but you want to send the PO for approval based on the buyer,
    so you have to set up the HR org structure in the tcode PPOCE and create the tree for the buyer code and manager relationship.
    Now when you create the release strategy you will enter the purchase group in the release strategy which is assigned to the buyer code, and based on the HR org structure it will find the appropriate manager without defining many manager codes and buyer codes.
    Or if you don't have the workflow then you have to create different buyer codes and manager codes.

  • Transport of translation authorization role menu

    Hello,
    I have translated a node of the authorization role menu with transaction PFCG.
    How can I transport this translation to other systems?
    Is it necessary to put the role in a transport request with PFCG or with SLXT?
    Thanks for your help.

    I don't think there is a way of doing this in ABAP.

  • Transporting BI 7 Authorization roles

    Dear All,
    I am using the new analysis authorization:
    Scenario:
    I have created an authorization object and analysis role in the development server. Then I assigned the authorization object to the role and then finally the role to the user.
    Now in development the authorization is working fine. I have transported all the roles to the quality system.
    Problem:
    But in the Quality server I have a problem. I have assigned the user one role for testing. But during testing it displays that there is no authorization for the InfoProvider.
    When I check the particular authorization object for a particular role I don't find that object available in the quality system. In fact I don't find any authorization object available for any role in the quality system. I guess this is the reason I am getting the authorization issue in the quality system.
    How do I transport the role and authorization object to the quality system?
    Appreciate your help.
    Thanks in advance
    Anup

    Hi Ajay,
    Thanks for the link. It really shows how to use authorization ... but my problem is different... My authorizations are working fine in the development server, but in quality they do not...
    Actually there are no authorization objects available in the quality system, so only I am getting the error...
    I need a way to transport the authorization object thru the rsecadmin tcode...
    Thanks & Regards,
    Anup

  • Client certificate authentication with custom authorization for J2EE roles?

    We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If our web.xml includes:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>
    that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
    On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>
    or:
    <login-config>
        <auth-method>MyRealm</auth-method>
    </login-config>
    Anybody done anything like this before?
    --Thanks

    We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suit our needs:
    $cat JDBCRealm.java
    /**
     * JDBCRealm for supporting RDBMS authentication.
     * <P>This login module provides a sample implementation of a custom realm.
     * You may use this sample as a template for creating alternate custom
     * authentication realm implementations to suit your applications needs.
     * <P>In order to plug in a realm into the server you need to
     * implement both a login module (see JDBCLoginModule for an example)
     * which performs the authentication and a realm (as shown by this
     * class) which is used to manage other realm operations.
     * <P>A custom realm should implement the following methods:
     * <ul>
     *  <li>init(props)
     *  <li>getAuthType()
     *  <li>getGroupNames(username)
     * </ul>
     * <P>IASRealm and other classes and fields referenced in the sample
     * code should be treated as opaque undocumented interfaces.
     */
    final public class JDBCRealm extends IASRealm
    {
        protected void init(Properties props)
            throws BadRealmException, NoSuchRealmException
        public java.util.Enumeration getGroupNames (String username)
            throws InvalidOperationException, NoSuchUserException
        public void setGroupNames(String username, String[] groups)
    }
    and
    $cat JDBCLoginModule.java
    /**
     * JDBCRealm login module.
     * <P>This login module provides a sample implementation of a custom realm.
     * You may use this sample as a template for creating alternate custom
     * authentication realm implementations to suit your applications needs.
     * <P>In order to plug in a realm into the server you need to implement
     * both a login module (as shown by this class) which performs the
     * authentication and a realm (see JDBCRealm for an example) which is used
     * to manage other realm operations.
     * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
     * extended by this class. PasswordLoginModule provides internal
     * implementations for all the LoginModule methods (such as login(),
     * commit()). This class should not override these methods.
     * <P>This class is only required to implement the authenticate() method as
     * shown below. The following rules need to be followed in the implementation
     * of this method:
     * <ul>
     *  <li>Your code should obtain the user and password to authenticate from
     *       _username and _password fields, respectively.
     *  <li>The authenticate method must finish with this call:
     *      return commitAuthentication(_username, _password, _currentRealm,
     *      grpList);
     *  <li>The grpList parameter is a String[] which can optionally be
     *      populated to contain the list of groups this user belongs to
     * </ul>
     * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
     * fields referenced in the sample code should be treated as opaque
     * undocumented interfaces.
     * <P>Sample setting in server.xml for JDBCLoginModule
     * <pre>
     *    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
     *      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
     *       <property name="jaas-context"  value="jdbcRealm"/>
     *    </auth-realm>
     * </pre>
     */
    public class JDBCLoginModule extends PasswordLoginModule
    {
        protected AuthenticationStatus authenticate()
            throws LoginException
        private String[] authenticate(String username,String passwd)
        private Connection getConnection() throws SQLException
    }
    One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
    You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
    [http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
    $cat CertificateRealm.java
    package com.iplanet.ias.security.auth.realm.certificate;
    /**
     * Realm wrapper for supporting certificate authentication.
     * <P>The certificate realm provides the security-service functionality
     * needed to process a client-cert authentication. Since the SSL processing,
     * and client certificate verification is done by NSS, no authentication
     * is actually done by this realm. It only serves the purpose of being
     * registered as the certificate handler realm and to service group
     * membership requests during web container role checks.
     * <P>There is no JAAS LoginModule corresponding to the certificate
     * realm. The purpose of a JAAS LoginModule is to implement the actual
     * authentication processing, which for the case of this certificate
     * realm is already done by the time execution gets to Java.
     * <P>The certificate realm needs the following properties in its
     * configuration: None.
     * <P>The following optional attributes can also be specified:
     * <ul>
     *   <li>assign-groups - A comma-separated list of group names which
     *       will be assigned to all users who present a cryptographically
     *       valid certificate. Since groups are otherwise not supported
     *       by the cert realm, this allows grouping cert users
     *       for convenience.
     * </ul>
     */
    public class CertificateRealm extends IASRealm
    {
        protected void init(Properties props)
        /**
         * Returns the name of all the groups that this user belongs to.
         * @param username Name of the user in this realm whose group listing
         *     is needed.
         * @return Enumeration of group names (strings).
         * @exception InvalidOperationException thrown if the realm does not
         *     support this operation - e.g. Certificate realm does not support
         *     this operation.
         */
        public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException
        /**
         * Complete authentication of certificate user.
         * <P>As noted, the certificate realm does not do the actual
         * authentication (signature and cert chain validation) for
         * the user certificate, this is done earlier in NSS. This default
         * implementation does nothing. The call has been preserved from S1AS
         * as a placeholder for potential subclasses which may take some
         * action.
         * @param certs The array of certificates provided in the request.
         */
        public void authenticate(X509Certificate certs[])
            throws LoginException
            // Set up SecurityContext, but that is not applicable to S1WS..
    }
    Edited by: mv on Apr 24, 2009 7:04 AM
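
An added illustration of the subject-DN-to-group mapping asked about in this thread; it is not code from the posts or from the Sun samples. `SubjectDnGroupMapper` and the sample DNs are hypothetical, only JDK classes (Java 8 or later) are used, and the certificate chain is assumed to have been validated by the server before the subject reaches Java, as the CertificateRealm comment describes.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical stand-alone helper, not a Sun Java Web Server class.
 * Maps the subject DN of an already-validated client certificate to the
 * group names a realm's getGroupNames() could hand to the web container.
 */
public final class SubjectDnGroupMapper {
    // Groups given to every subject (same idea as the "assign-groups" property).
    private final Set<String> baseline = new LinkedHashSet<>();
    // Extra groups per exact subject DN. LdapName compares RDN by RDN and
    // ignores attribute-type case, value case and surrounding whitespace,
    // so no hand-written string normalisation or substring matching is needed.
    private final Map<LdapName, Set<String>> byDn = new HashMap<>();

    public SubjectDnGroupMapper(String... baselineGroups) {
        baseline.addAll(Arrays.asList(baselineGroups));
    }

    /** Registers extra groups for one subject DN given in RFC 2253 string form. */
    public void grant(String subjectDn, String... groups) throws InvalidNameException {
        byDn.computeIfAbsent(new LdapName(subjectDn), k -> new LinkedHashSet<>())
            .addAll(Arrays.asList(groups));
    }

    /** Returns the baseline groups plus any exact-DN grants; never null. */
    public Set<String> groupsFor(X500Principal subject) {
        Set<String> groups = new LinkedHashSet<>(baseline);
        try {
            LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
            groups.addAll(byDn.getOrDefault(dn, Collections.emptySet()));
        } catch (InvalidNameException e) {
            // Subject could not be parsed: baseline only, nothing extra is granted.
        }
        return Collections.unmodifiableSet(groups);
    }

    public static void main(String[] args) throws InvalidNameException {
        SubjectDnGroupMapper mapper = new SubjectDnGroupMapper("visitor");
        // Constructed sample DNs, not taken from the thread.
        mapper.grant("CN=Alice Example,OU=Ops,O=Example Corp,C=US",
                     "registered-user", "admin");
        mapper.grant("CN=Doe\\, Jane,OU=Staff,O=Example Corp,C=US",
                     "registered-user");

        String[] subjects = {
            // Same DN as the first grant, different case and spacing: matches.
            "cn=alice example, ou=ops, o=Example Corp, c=us",
            // Escaped comma inside the CN: parsed as one RDN, matches.
            "CN=Doe\\, Jane, OU=Staff, O=Example Corp, C=US",
            // Same CN but a different O: no match, baseline only.
            "CN=Alice Example,OU=Ops,O=Other Corp,C=US",
            // Unknown subject: baseline only.
            "CN=Bob Example,O=Example Corp,C=US"
        };
        for (String s : subjects) {
            X500Principal p = new X500Principal(s);
            System.out.println(p.getName() + " -> " + mapper.groupsFor(p));
        }
    }
}
```

The group names returned here would still have to be tied to the application's roles through the server's usual group-to-role mapping, which this sketch does not cover.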

  • How to create authorization role for just displaying query prefix Q and X.

    Hi Expert,
    I hope someone can help me on how to create an authorization role for just displaying and executing BEx Queries with prefix Q and X. I'm currently using SAP BI 7.1.
    Actually, I already created one role called : Z_FORINDO_ONLYDISPLAY_QX
    where I only put in the Authorization Component (in the Role Maintenance - Tcode 'pfcg'):
    -->Manually Business Information Warehouse
        --> Manually Business Explorer - Components
    Activity : Display, Execute, Enter, Include, Assign
    InfoArea : *
    InfoCube : *
    Name(ID) of a reporting component : *
    Type of a reporting component : Calculated key figure, Restricted key figure, Template structure
        --> Manually Business Explorer - Components
    Activity : Display, Execute
    InfoArea : *
    InfoCube : *
    Name(ID) of a reporting component : Q* , X*
    Type of a reporting component : Query
    But the problem is I can still make changes to those queries (Q* and X*). I can even still run queries with prefix Z. I use the S_RS_RREPU Template for Query Display and execution.
    Please assist. Very much appreciate your help. Thanks.
    Edited by: nadiyah salleh on Mar 18, 2008 11:22 AM

    Question closed. This issue has been resolved.

  • Need FM which create authorization for a Role

    Hi,
    I need to create authorizations for the roles. Can anybody tell me, is there any FM to create an authorization for a Role?
    It is done through the PFCG transaction.
    I need an FM which creates an authorization for a Role.
    Thanks in advance

    Hi Sami
    Try this link.
    Re: Programatically create Security Profiles via BAPI/FM in R/3?
    Regards
    Neha

  • Release strategy for Transport requests

    Hi,
    Can anybody give me the detailed steps to configure a release strategy for transporting requests?
    We have Dev and Prd systems.
    Regards,
    Vinnu.

    Hello,
    I hope you have configured TMS for a two-system landscape.
    Just create the transport routes as well, and make the DEV system the Domain Controller.
    Then transport requests will automatically come in to the request queue.
    Using tx stms_import, import those requests sequentially!!
    Note: Points always encourage me to reply !!

  • What authorization-roles for user login (java stack)

    Hello SAP-Fans,
    which authorization role needs to be assigned to the users for logging into a java-stack on port 50.000?
    We always get the error message: "Error 403 forbidden, You are not authorized to view the requested resource."
    I know this is a beginner's question. Java is completely new to us.
    Thanks in advance
    Danny Winn

    Hi Danny,
    Welcome to SDN,
    Log on to the portal with the user Administrator, go to User Administration and create a user for yourself by assigning the Super Admin Role.
    The portal URL must be http://<host.fqdn>:50XX0/irj/portal where XX is the system number, in this case 00.
    You will be able to see all the SAP standard roles at the user admin tab.
    regards
    Juan
    Please reward with points if helpful

  • Required Authorization Role for E-commerce manager

    Hi ,
    Could you please tell me the required Authorization Role for E-commerce manager and catalog administrator?
    Thanks.
    Regards,
    PV

    SAP_CRM_ECO_ISA_WU_B2B_FULL      CRM-ECO: ISA Internet User (Full Document Authorization)      ISA_B2B_FULL
    SAP_CRM_ISA_UA_SUPERUSER         Internet Sales User Administration Authorizations             Superuser
    *SAP_CRM_ISA_WEBSHOP_MANAGER*    Authorizations for the Internet Sales Web shop Manager        Webshop Manager
    SAP_CRM_ECO_ISA_WU_B2C           Internet User for B2C

  • Authorization Role for S_ALR_87099918

    Hi all,
    I am not sure if this is the right place to post this one (if it is not, please tell me which one is; I have tried to search the forum, but can't seem to find the place to post about this "security" problem).
    I am currently having trouble while creating the authorization role for transaction s_alr_87099918 (primary cost planning: depreciation / interest).
    I have already maintained the authorization objects:
    - A_A_VIEW and
    - A_PERI_BUK
    Checked with SU53, but no missing authorization object or anything.
    While executing the transaction, the system said "no records were found"; when I execute it with another ID, there are results. I have checked the parameters entered, and both are the same.
    I am wondering if anyone has ever experienced this before?
    What can be the possible cause and the solution?
    Thank you so much
    Regards, Erwin
    Edited by: Erwin Hartono on Dec 3, 2010 9:39 AM

    Sorry, my deepest apologies, I think I found the right place to post this.
