Upload of SU24 Auth. objects in SAP GRC AC 5.3

Hello,
We are in process of SAP GRC AC 5.3 implementation, and our SAP System is not updated to SU24 (Authorization objects), in which USOBT_C is populated.
In GRC AC 5.3 Pre-implementation checklist, it is mentioned about the above, being necessary.
If the SAP System is not updated to SU24, then what is the other way, to upload authorization objects in RAR Post-Install Steps, after we have already completed SAP GRC Tools ( all the SCA files) install and backend RTA installation?
Thanks!

hi
1. Create file (automated via batch job) from SU24 (report /VIRSA/ZCC_DOWNLOAD_SAPOBJ)
==> SA38 --> Background --> create a variant where you fill out the value for the server + filename (no extension needed for filename) --> schedule periodically
2. convert to UTF-8 format (how can this be automated?)
--> not necessary ; in my system it is UTF-8 by default
3. upload periodically into RAR via background job (from AIX based file system !)
--> configuration tab --> upload objects --> permission --> choose system --> leave local file blank and fill out server location (drive letter) --> click background and schedule the job daily. This is not a heavy job, therefore daily.
Sam Szafranski
Senior Consultant
axl & trax

Similar Messages

  • Is there a listing of all Auth.Objects for SAP and the discription for them

    I would like to know if there is a listing of all the Auth.Objects  for SAP out there somewhere??
    Thank you,
    Robert

    > Auth.Objects  for SAP out there somewhere??
    You want all the customer objects as well in all SAP systems?
    (Or just those in your TOBJ?)
    PS: Please try the F1 key on fields to find their tables (or structures) and give the search a try as well...
    Cheers,
    Julius

  • Role Upload template for SAP GRC CUP 5.3

    Good Morning / Afternoon / Evening SAP Security Gurus,
    I am looking to upload end user roles via a role upload template spreadsheet for use in SAP GRC CUP 5.3.  I am referring specifically to the recommended template mentioned in step 11 of the 5.3 Post Installation CUP guide, so that roles can be picked within ERM for workflow.
    According to the guide, it recommends uploading from the backend systems via a spreadsheet - any template versions or advice on finalising this would be most appreciated.
    Best Regards
    Steve

    Thanks Ashish,
    Someone else recommended this option as well via another forum. Have tried it out and working fine. 
    Thanks for the reply
    Steve

  • S_PROJECTS auth object

    I am trying to create a role for IMG display access only
    I made ACTVT in all the Auth objects "03" or "display"
    but in S_PROJECTS auth object, in "activity" there is no "display" , how do I make ACTVT in S_PROJECTS object "display"
    Thanks
    Message was edited by:
            Jackofalltrades

    Hi,
    First of all all activities dont apply to all auth objects.(for example generate activity might not be applicable for all auth objects)
    So SAP proposed what activities might be relevant to a particular Auth Object.
    This information is in TACTZ Tables.
    So perhaps u can verfiy the table and u would find that the entries displayed in ur Activity for S_PROJECTS would be the same values as are in S_PROJECTS values in TACTZ table.
    HoweverYou can maintain 03 for this object too.
    Select the pencil button for the activity field.
    It will take u to a dialog box which contains activity fields.
    Now if u dont find the 03 field there. Then right click on the screen and select more values option.
    It would display all the activities.
    However if the 03 field is not mentioned as a proposed activity for that Object by SAP (u can see this info in TACTZ) then make sure that u actually need this object for doing any display activites.
    Hope this helps
    Manohar

  • APO roles and auth objects

    Hello all,
    Can someone tell me the most common used Tcodes, roles and auth objects in SAP APO - DP and APO-SNP security
    thanks

    I was going to type them out but luckily for me found this link to the DP & SNP auth objects - the info there is as detailed as anything else I have seen
    http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/content.htm
    There is a list of useful APO transactions here
    http://help.sap.com/bp_scmv241/documentation/SCM_AIO_BP_Function_List.xls
    I can't help with the standard roles as I build my own.

  • GRC SPM 5.3: Auth. object GRCFF_0001 in the role /VIRSA/Z_VFAT_FIREFIGHTER

    Hi experts,
    According to latest version of "SAP GRC Access Control 5.3 Security Guide" available on SAP service marketplace:
    https://websmp105.sap-ag.de/~sapdownload/011000358700000406492008E/AC53_Sec_Guide_en.pdf
    I should assign the default role "/VIRSA/Z_VFAT_FIREFIGHTER" to FF users. (see page 18):
    Base user authorizations required to logon as a firefighter. The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC5.3 SP07.
    The authorization object GRCFF_0001 field ACTVT is * as per default, and as the Sec. Guide says, see page 22.
    What is this authorization for?
    The documentation of this field (PFCG-> press <F1> on object) states following:
    "Authorization Object is used to restrict maintaining and uploading data various tables such as Configuration,Reason Codes, Controllers, Owners and Firefighters"
    Iu2019ve removed completely this authorization for the role "/VIRSA/Z_VFAT_FIREFIGHTERu201D and users still can use their FF without problems.
    The problem is in the case of a user having the following auth:
    GRCFF_0001 ACTV *
    S_TABU_DIS  ACTV 02  Table group: Z****
    This combination allows FF users to change all the configuration tables in tx. /n/virsa/vfat.
    What do you think? Is the security guide correct? Why we should give FF users this authorization?. As I said Iu2019ve removed this auth from the role and all works fine anyway.
    Regards
    Diego.

    Hi sunny,
    I've removed the authorization from the users. It means, no user has this authorization. I've checked it using SUIM. I've done a lot of test already.
    If you've a look at the sec. guide, you'll understand what I'm saying. Note for example the role /VIRSA/Z_VFAT_ID_OWNER and compare it with /VIRSA/Z_VFAT_FIREFIGHTER.
    As per the security guide a owner should have ONLY ACTV 02 and 03, while I should give FF users *. This makes no sense at all. ACTV * should be granted only to admins.
    Agian, note what is this authorization for:
    "Authorization Object is used to restrict maintaining and uploading data various tables such as Configuration,Reason Codes, Controllers, Owners and Firefighters"
    Do u think is correct to give FF users ACTV *  taking into account this definition from PFCG???
    Cheers,
    Diego.

  • SU24 on M_EINK_FRG auth object

    Hello Gurs,
    Requirement
    To make the release code/group to Org filed . Currently is not a Org filed.
    What I have done:
    The auth object is  M_EINK_FRG.
    Before I make it org field, I was cleaning up some tcodes  for eg : Me35 ,ME35K and ME28 to deactivate the object in SU24 ( meaning NO in the proposal u201Ctabu201D  as no users are assigned to this tcode in production.
    Question:
    After capturing in transport I am getting pop up with " Data automatically corrected " message and changes are getting reflected in SU24 once I click on this pop green check mark button. no sure why
    I have problem with this object only not which other auth object
    Please suggestion or did you experience any of this sort
    Damodar

    I think he only wants the proposal flag as 'No', but then SU24 automatically corrects the value based on TSTCA.
    See How to handle unwanted SU24 proposals which are automatically "corrected"? and the post by Keerti Vemulapali, which points to SAP note 1404093.
    PS: What would be very usefull for an "automatic correction" would be in the case of report type transactions to check whether the submitted report has been assigned to an S_PROGRAM group, and fill that with p_action SUBMIT. Any chances..? 
    Cheers,
    Julius

  • How to upload data into SAP BW Info Objects using SAP XI

    Hi,
    I need to upload master and hierarchy data into SAP BW Info Objects using SAP XI as EAI.
    Can anyone suggest me the best solution to do it.
    Thanks in Advance,
    Volker.

    Hi! Have you not checked the BW-XI Integration document? It is available on the main page of the SDN section for XI. Almost all the steps for the integration are there...

  • Upload documents to filenet p8 for sap objects from SAP

    Hi..
    Appreciate if anyone can let me know the process of uploading documents to Filenet P8 from SAP for relevant SAP objects.
    This will also create the link to object and document in the SAP LINK tables..
    Any documents are urls related to this topic are appreciated.
    Thanks.

    Hi,
    The EMC Solutions design center offers a free SAP storage sizing regardless of your current storage vendor.   It can be as easy as providing SAP Earlywatch reports.  See https://community.emc.com/docs/DOC-11310  If you are just looking for the incremental needs from the upgrade to the new release, that is more specific to SAP and your config.  Good Luck

  • SAP GRC Access Control 5.3 .TXT - where to upload it

    Hi Experts,
    can anyone please tell me, I have to deploy/upload the patch:
    SAP GRC Access Control 5.3 .TXT SP04
    As I am new to GRC, can somebody please tell me where I upload/deploy this file.
    Is it on the server at operating system level, or through the application in the Web Browser ?
    Thanks and regards,
    Petr.

    HI ,
    As sahad said that is the right way to extract the *.SAR files the syntax is given below .
    for unix : SAPCAR -xvf /<path>/<filename>
    windows : SAPCAR -xvf <volume>:\<path>\<filename>
    If you donot specify the path then it would get extracted in the path where you are right now means the same location where you the *.SAR file is present and then you can upload .
    Then you can login into RAR portal and then go to configuration tab then click on utilities which would be the last option and then click on import and give the file location.

  • Same Auth Objects CM in su24

    Hi All –
    In SU24 for a Tcode SU01 in “S_TCODE” the following auth objects are CM.
    S_USER_AGR
    S_USER_AUT
    S_USER_GRP
    S_USER_PRO
    S_USER_SAS
    & for Tcode PFCG
    S_USER_AGR
    S_USER_AUT
    S_USER_GRP
    S_USER_PRO
    S_USER_SAS
    I am developing a role initially with SU01 Tcode. For the auth object S_USER_AGR, I am giving 01,02,03,06 field values.
    Later I add PFCG Tcode for same role “P_TCODE”. For the auth object S_USER_AGR , I am giving 22,21 field values.
    My question is if the role is assigned to a user
    1.     will he be able to create, change, display, & delete roles using PFCG ????
    2.     What is the best way to restrict the user’s in create, change, display, & delete???
    3.     For PFCG Tcode none of the Auth. Obj’s (the objects that are added by adding SU01 or PFCG Tcode VIA MENU)are maintained in the role what would be the implication??
    Thanks,
    VJ

    Hi,
    1.What is the purpose behind the calling of multiple Tcodes thru a single T.code .I mean to say, suppose, i require a C.Code object to be associated with a T.code for doing that, why i am connecting it to C.Code object of some other T.codes.
    Many tcodes are customized to limit the access / risk. The best example is with SM30. If an user want to maintain a table, you can create a custom transaction which skips the intial screen (user don't need to enter the table name) and allows the user to edit the right or only one table rather than many.
    You can connect your custom authorization object to F-67, it will not affect FBV1. the settings from FBV1 can be overwritten with the entries in F-67. use transaction SE93 to see more details and customization in transaction F-67.
    2.If i assign a C.Code (let say 1000)thru object F_BKPF_BUKRS to a user,does it mean that,i don't need to assign that C.code to user again for access related to C.code 1000 in the accounting document area.Or is there anything like that, the C.Code access will be coded globally for that user for all C.code related access for FI, MM and SD.
    Once you assign the authorization to a company code 1000 it means user has access to this company code across modules. This is subject to the transactions and thier authorization objects attached to them in other modules. Note that all the transactions doesn't perform authorization check for Company code.
    3.Is there any T.code,from where i can associate a authorization object with a T.code.
    You can use SU24 itself.
    Hope it clarifies your queries.
    Regards,
    Gowrinadh

  • Not able to upload SAP GRC 5.2 rules

    Hi All,
    We are in the process of performing the Post Installation steps of SAP GRC CC 5.2
    While we are trying to import rule set the system is creating/scheduling a background job. In the log there is a warning regarding the URL  
    WARNING: Cannot get Application URL: null. PLEASE SET 'Background Daemon URL' IN CONFIGURATION TAB
    Pls guide us as to how to import standard SAP rulesets witout getting above warning message.
    Also I dont understand why the background job is triggered when i am still trying to import the rules.
    Regards,
    Kiran Kandepalli.

    Hi Kiran,
       This is a common issue in GRC AC 5.2. Please follow the pre-implementation guide thoroughly which will take care of this issue. Look at the last section in the guide. Here is the link:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/0079de64-f5f1-2910-3688-b16619da82fb
    If this does not help, please follow OSS note # 999785 and 1176262.
    Regards,
    Alpesh

  • Sap grc note require

    Hello all.,
    Can someone tell me how to view java table (on GRC server) to see all tcode and object are there. None our full sod roles not showing any conflictions. we have su24 action and permision level file uploaded but still no confliction.
    can please anyone know the sap note number where they define the procedure how to view java table on grc server.
    Thanks

    Hi Junaid,
    If you're looking for a list of tables and definitions for generating custom reports, check note 1369045.
    But i guess you just look for tables to see if are filled, check some threads like this:
    Most commonly used tables in SAP GRC & SAP HR
    I guess check the database tables could be OK as a first view, but it should not be the way to do the error analysis. The naming convention for the tables is clear.
    Cheers,
    Diego.
    Edited by: Diego I. Yaryura on Dec 15, 2011 4:37 AM

  • Migarting from Approva to SAP GRC AC 5.3

    Hello All,
    One of our client using Approva applications now they are planning to move to SAP GRC Access Controls 5.3, so kindly help me or guide he how I proceed.
    Key doubts u2013
    1-How we upload rules in RAR, because we downloaded the rules from Approva.
    2-Creation of mitigation controls etc.
    It would be great if some share some documents related to above.
    Thanks,
    Jagat

    Hi Jagat,
    Once your GRC system is configured. You have to follow the following steps:
    1. Create system connector
    2. Define Master User Source
    3. Upload text & authorization objects. (Follow the AC53 Configuration guide to download these files from backend)
    4. Now as Frank has suggested you have to convert the downloaded Apporava files to .txt files. There are 9 .txt files you have to create:
    1. Business Process
    BusinessProcessId (CHAR 4)     LANGUAGE  (CHAR 2)     DESCRIPTION LANGUAGE  (CHAR 120)
    *fileds are TAB seperated
    2. Function
    FUNCTION ID (CHAR 8)     LANGUAGE  (CHAR 2)     DESCRIPTION LANGUAGE  (CHAR 120)     FUNCTION SCOPE (CHAR 1 (S:Single System, C: Cross System))
    3. Function-Business Process
    FUNCTION ID (CHAR 8)     BusinessProcessId (CHAR 4)
    4. Function-Action
    FUNCTION ID (CHAR 8)    TRANSACTION(CHAR 20)     STATUS (NUMC 1 (0 or 1))
    5. Function-Permission
    FUNCTION ID (CHAR 8)     T-CODE (CHAR 20)     OBJECT(CHAR 10)     FIELD(CHAR 10)     FROM VALUE(CHAR 40)     TO VALUE(CHAR 40)     SEARCH TYPE(CHAR3 (AND,OR,NOT))       STATUS (NUMC 1 (0 or 1))       
    6. Rule Set
    RuleSetId (CHAR 8)     LANGUAGE  (CHAR 2)     DESCRIPTION (CHAR 132)
    7. Risk ID
    RISKID (CHAR 4)     FUNCTION_1_ID  (CHAR 8)     FUNCTION_2_ID  (CHAR 8)     FUNCTION_3_ID  (CHAR 8)     FUNCTION_4_ID  (CHAR 8)     FUNCTION_5_ID  (CHAR 8)     BusinessProcessId (CHAR 4)       PRIORITYDESCRIPTION (NUMC 1 (0=Medium
    1=High 2=Low 3=Critical))      STATUS (NUMC 1 (0 or 1))        RISKTYPE (CHAR 1 (1=SoD 2=Critical Action 3=Critical Permission))
    8. Risk Description
    RISKID (CHAR 4)       LANGUAGE  (CHAR 2)     RISKDESCRIPTION (CHAR 132)     DETAILDESCRIPTION (CHAR 1000)     CONTROLOBJECTIVE (CHAR 1000)
    9. RISK_RULESET
    RISKID (CHAR 4)       RuleSetId (CHAR 8)
    For more information on templates follow the configuration guide.
    Upload these files and generate the rules.
    Hope with this you will be able to continue.
    Thanks & Regards,
    Jitan

  • Custom TCODE-Auth Object Assignment

    Hello All- I see a very weird thing with custom TCODE assignment, here is what I see:
    1)We have Display role which has all functions tcodes in it, which goes to every one on PRD.
    2)Usually we assign custom tcodes which are not critical to this role, and this custom tcode would have no auth objects assigned or checked during access.
    3)When I assign custom tcode to test role, I see its not pulling auth objects in PFCG which is what I expected.
    ***4)However when I assign this custom tcode to 'Display role' which have many standard tcodes in it, I see many of the auth objects "lights turning in to Yellow" (as you know its asking me to maintain value)
    5)I checked in SU24/SU22, to see if its pulling any auth objects...no objects are tied to this tcode.
    I dont know why this is happening?
    Again if I assign to test role, no objects is showing up in PFCG which is what I want!
    Any suggestions of to handle this issue, I will really appreciate your thoughts.
    Thanks,
    AJ

    AJ wrote:>
    > Hello All- I see a very weird thing with custom TCODE assignment, here is what I see:
    > ***4)However when I assign this custom tcode to 'Display role' which have many standard tcodes in it, I see many of the auth objects "lights turning in to Yellow" (as you know its asking me to maintain value)
    > 5)I checked in SU24/SU22, to see if its pulling any auth objects...no objects are tied to this tcode.
    >
    > I dont know why this is happening?
    >
    > Again if I assign to test role, no objects is showing up in PFCG which is what I want!
    >
    This is happening not because of the Custom TCodes you have added. The reason are either of the following:
    1. In previous cases when some other TCodes (SAP Standard) were added, the the profile regeneration was not carried out by entering Authorization data through "Expert Mode for Profile Generation" (or used with option "Edit Old Status" only). Instead, "Change Authorization Data" was used. And thus the Object proposals for New entries in Menu were not pulled into Profile Generator at that time. Now it's coming. Surely you entered with Expert Mode for Profile Generation --> Read Old status and Merge with New data.
    2. Other option can be: Earlier some Objects were changed which were present there only with "Standard" status. It should have been done by copying the Object and change the copied one. Then make the standard one "Inactive".
    3. The Inactive Object described in the 2nd point has been Deleted and the object with status "Changed" is left only. Now when you are entering with "Expert Mode for Profile Generation" it's pulling those standard proposals again.
    Let me know if the probable reason of Yellow traffic lights are clear to you or need more details.
    Regards,
    Dipanjan

Maybe you are looking for

  • Need help sizing pictures for a catalogue please

    I'm making a catalogue of greetings cards, so I need to place pictures of the cards (about 30 to an A3 size page) so far they are coming out really bad quality and detail- what would be the best way to save the originals (currently in photoshop)- and

  • Iphone 3GS stuck in restore mode...PLEASE HELP!!

    Yesterday my microphone stopped working on my phone. I called tech support. They told me to run a restore on my phone (which I had thought I had done but didn't). They told me I would have to pay $200 to replace the phone since I am 30 days outside o

  • Need Help for AIR Email Application

    Hi, I'm a beginner to Adobe AIR. My new assignment is to create an AIR Application which works like MS Outlook with minimal features like compose mail, inbox, send items and contact details. With the help of some server side script (like PHP, CF) I c

  • Best Way to Handle Buttons

    I have a complex button graphic that I use for all the buttons in my Flash project. Currently, for every different button function I need, I've duplicated the button and linked it to a separate class. So if I need buttons that link to rules, credits,

  • How to make multisim 11 files (.ms11) work in labview

    I have designed a step down DC-DC converter circuit in Multisim 11. Is there any way that I can use this circuit as a VI in LabVIEW? I have an algorithm VI that hopefully can control the duty cycle in the DC-DC converter circuit I have designed. Than