User creations and authorizations in ECC 6

Similar Messages

• How to maitain user creation and authorization in Portal from CUA

  Hi ,
  I want to create portal users in CUA i.e. instead of creating users in portal I want to maintain user administration from CUA and also want to assign the required portal roles from CUA
  what configuration I need to perform.
  Please help.
  Sandip

  Hi Sandip,
  Please refer to User Information System  for CUA
  http://help.sap.com/saphelp_nw04/helpdata/en/52/671261439b11d1896f0000e8322d00/frameset.htm
  Hope it helps
  Regards
  Arun

• Please guide me for user authentication and authorization in WebDynPro App

  Hi,
      I just study the WebDynPro to develop the SAP Portal. I've ever developed the Web-based App using J2EE. So when i developed the Web-based App i have to develop the control of the user authentication and authorization on each page for example ,checking the session of the user whether they can access this page or whether session is expired or not,. So i have no idea with the WebDynPro and the SAP Portal because i never had experience for both WebDynPro and Portal.
  I need to ask you some question to clarify my doubt :
  1. SAP Portal  is web page that include every enterprise application with in one page and user log-in to them just on time, isn't it?
  2. If i integrate WebDynPro with SAP Portal, which one will do the authentication and authorization?. I mean that, Do i have to develop the code to check authentication and authorization in the WebDynPro App or Let the SAP Portal manage them?
  3.Could you please suggest the best practice for authentication and authorization in webDynPro.
  Many Thanks
  Noppong J

  in most case you don't have to write code to deal with session, authentication and authorization.
  1. yes,
  2. no, no code needed. you just set an attribute to your application, which make the the authentication required. when user access this page, portal will display the logon page
  3 you can put some authorization related code in web dynpro for specific requirement, search this doc "Protecting Access to the Web Dynpro Car Rental Application Using UME Permissions"

• Netweaver Gateway user creation and self registration Procedure

  Dear All,
  Can you please provide the complete step by stpe by process for creating netweaver gateway user creation and self registration process
  by useing templates.
  Thanks & Regards.
        aYYaPPa.

  Hi Sriram
  Thanks for immediate response.
  I went throgh that link whcih is posted by you.
  But i need some more explosure to undesrtand user creation by using that templates
  Thanks,
  Ayyappa.

• User Roles and Authorizations

  As we know in MM different user have different roles to play and they need different SAP transaction and related activies.
  In SAP we define the particular user who are actually allow to access only certain transactions only?
  What are the steps to do this in SAP?
  Secondly in which stage of implementation we define those user roles and assign duties to them in SAP ?
  bEST Regards,
  Kapil

  u can create the user role using tcode su01 and pfcg for authorization management

• Role creation and authorization objects in sap

  Hi
  i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
  Please explain the process in detail the use of PFCG and all its options and how to create Z roles

  Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
  - Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.
  - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
  For e.g. If a user wants to create a PO we can restrict him on:
  u2022     Activity : Create/Change/Display
  u2022     Org elements like Company Code, Plant, Purchase Organization etc
  u2022     Document type etc.
  - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
  - Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
  - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
  - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
  - Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.
  Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

• Client creation and  authorization

  How to create our own client in sap like client 800 & 810 ....
  and how get authorization for created client
  regards,
  surya.

  hi,
  goto sale -> declare a client and assign client no
  u can login in that client.
  or while loggin in use user id - DDIC
                                 password - 19920706
  and click on change password to create  a new client
  if helpful reward some points.
  with regards,
  Suresh Aluri.

• Defining BI Power User Role and Authorizations

  We are looking for information/best practices/guidelines pertaining to defining BI Power Users and the appropriate authorizations to attach to this role.  Our Power Users are asking for approval to access several transactions within BI, specifically within RSA1. I am curious to know how you define your power user role(s) and to what extent they have access to BW itself (i.e. BEx, Web Designer, direct access to BW transactions such as listcube, RSA1, RRI, ability to update custom tables, ability to access the data model structure, etc )? Do your power users have access to develop production queries in DEV and test in your QA environment or are they restricted to ad hoc queries in Production? Have you seen any best practices or guidelines from SAP surrounding appropriate authorizations for Power Users? Any information you would be willing to share with us would be most appreciated.

  Hatem,
  You have an option to use the old method however it's recommend to use analysis authorizations going forward.
  Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
  Cheers,
  Ben

• New sap user creation

  Hi All SAP experts,
  My company has implemented 2 Systems SAP Landscape with one development and one production server which are running on R/3 Enterprise 4.7 (Kernel Release 6.20) with Microsoft SQL 2000 as database server.
  I have the following questions regarding new sap user creation by using user copy function.
  1.When I request to create new SAP User by using user copy function ,should I just create the user acct in DEV and transport it to PROD System? If yes, how could I do that?
  2.When I request to create new SAP User by using user copy function, can I just create it on PROD System only? If yes, what is the impact?
  3.When using User copy function to create new user acct, should I select all parts (like adress ,defaults,reference user, user groups.....) of the existing user to be cloned to new user acct?
  Thanks.
  Leon

  Hi Leon,
  Answer to your questions in their respective order:
  1. You can create user in DEV and then make remote client copy to PRD system using scc9 t-code. Here you can choose user accounts and authorizations for the copy. ( Rem: Data will be overwritten in target system when copied).
  You can also use client export/import(scc8/scc7)
  But, When you do the client import from the exported files using STMS,you will have to select only one of the transport requests and then STMS automatically selects the other requests for you.
  Then it will show you the different transport requests that you have created during your export, the client copy profile and the target system and client. The customizing and application data is deleted in the target client before copying for all profiles except SAP_USER. This is technically unavoidable (and hence the data will be overwritten).
  So if you can afford overwritting of user data in target client , you can go with the above procedure.
  2. Using  user copy in su01, you can copy one user to another user only in that client and is confined to that system only. So yes, If you want 2 or more users to have same authorizations, profiles ,etc etc.. you can choose this in PROD system.
  3. It depends.. If you want user to be in same group, then you can choose user groups. If you want them to have same authorizations , you can choose roles and profiles... If you want them to have same company address and others,... you can select address.. and so on.
  Also below link provides required steps in case you choose local/ remote client copy:
  http://www.sap-basis-abap.com/bc/client-copy-by-using-scc8-and-scc7.htm
  Hope this helps...
  Thanks,
  Ajith
  Edited by: Ajith Kamath on Oct 20, 2009 8:28 AM

• Windows 8 Sysprep - Can't skip local account creation and autologon fails, wrong admin password.

  Using Windows 8 x64 Enterprise, Sysprep pauses to ask me to create a local user, which I don't want.
  If I enable SkipSystemOOBE and SkipUserOOBE in OOBE under Microsoft-Windows-Shell-Setup sysprep (in oobe mode) will skip user creation and autologon works.  But it only works correctly once.  If I run sysprep again, when it tries to autologon
  it will say that I have the wrong password for the local account.  After I type in the password manually it works.  If I use the same password for the local administrator account as for the autologon account, it looks to have the encrypted password
  twice with an equal sign after it.
  What I need to know:
  How to skip local user account creation (we run on a domain but I have it connect through scripts later)
  How to fix the autologon issue
  Do I need the local administrator account enabled for this to work?
  I have my unattend.xml file attached.
  <?xml version="1.0" encoding="utf-8"?>
  <unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AutoLogon>
  <Password>
  <Value>[removed]</Value>
  <PlainText>false</PlainText>
  </Password>
  <Username>[removed]</Username>
  <LogonCount>2</LogonCount>
  <Enabled>true</Enabled>
  </AutoLogon>
  <FirstLogonCommands>
  <SynchronousCommand wcm:action="add">
  <Order>1</Order>
  <CommandLine>c:\folder\abatchfile.bat</CommandLine>
  <RequiresUserInput>false</RequiresUserInput>
  </SynchronousCommand>
  </FirstLogonCommands>
  <OOBE>
  <HideEULAPage>true</HideEULAPage>
  <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
  <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
  <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
  <NetworkLocation>Work</NetworkLocation>
  <HideLocalAccountScreen>true</HideLocalAccountScreen>
  <ProtectYourPC>3</ProtectYourPC>
  </OOBE>
  <TimeZone>Eastern Standard Time</TimeZone>
  <DisableAutoDaylightTimeSet>false</DisableAutoDaylightTimeSet>
  <RegisteredOrganization>Company Name</RegisteredOrganization>
  <RegisteredOwner>CompanyName</RegisteredOwner>
  </component>
  <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <UserLocale>en-US</UserLocale>
  <UILanguage>en-US</UILanguage>
  <SystemLocale>en-US</SystemLocale>
  <InputLocale>en-US</InputLocale>
  </component>
  </settings>
  <settings pass="specialize">
  <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ComputerName>*</ComputerName>
  </component>
  </settings>
  <cpi:offlineImage cpi:source="wim:[removed]/sources/install.wim#Windows 8 Enterprise" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
  </unattend>

  The user accounts-creation page in Windows Welcome is suppressed if a user or a group is added to a local security group. Add a user or a group to a local security group by doing one of the following:
  Create a local user.
  Add a domain user to a local security group with the Microsoft-Windows-Shell-Setup | UserAccounts unattended installation setting.
  To suppress the user accounts-creation page in Windows Welcome, without creating a local user, use one of the following workarounds:
  Workaround 1
  If the computer is already joined to a domain, use the following XML example to add the Domain Users security group to the Local Users security group.
  <DomainAccounts>
   <DomainAccountList wcm:action="add">
    <DomainAccount wcm:action="add">
    <Group>Users</Group>
    <Name>Domain Users</Name>
    </DomainAccount>
    <Domain>FabrikamDomain</Domain>
    </DomainAccountList>
  </DomainAccounts>
  Because joining a domain automatically adds the Domain Users security group to the Local Users security group, the DomainAccounts command does not affect the membership of the Local Users group. However, using this XML example to join a domain will also suppress
  the user accounts-creation page in Windows Welcome.
  Workaround 2
  Use the Sysprep/Quit command to set the following registry value to 1:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OOBE\UnattendCreatedUser
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

• New user creation in AE- user group not getting assigned

  Hi All,
  Here is a typical case, wherein when we create a new user with AE for the production system, the user gets created and the roles are also assigned but the user group is not getting assigned. The user group is being fetched from a table from the backend and all that is working fine. Infact in order to test the configurations we even created a new user in the production instance of AE giving the development system as the target system for user creation and in this case the user was successfully created and the user group is also assigned. The problem is arising only when the target system is production system.
  Connectors are all working fine, but we are unable to think of a reason. Can somebody help us on this?

  Hi Vani,
  If you are provisioning the user group using user defaults, check  that production system is selected in the user defaults configured. Configuration -> user defaults. You can define any user default system, but for perticuticular user defaults that is applicable define all the systems, in which you want user defaults to be provisioned.
  Kind Regards,
  Srinivasan

• User creation in portal

  HI,
  Can we change the registration flow in the portal, so that a mail is sent to the email address and only when the user clicks on the link in the mail, the user account becomes active. Until the user clicks on the link and activates his account the user account should not be active.
  Can we implement this in SAP EP?

  Hi,
  You could do it via the UME API, but you would have to code it yourself.
  You could create the user via the admin functionality (but with the standard email generation disabled for user creation) , and manually lock it, or create the user via a custom WebDynpro or JSP front end that users the UME API to create and lock the user.
  Then use a mail API to generate the email with a URL to a servlet running on the Portal server, which extracts an id of the user from the URL (either the username in unencoded form which is a bit dodgy, or using some unique number that you store against the user to be activated to associate the two) and again use the UME API to unlock the user.
  Should be fairly straightforward providing you are confident with:
  1 - Deploying a web application to J2EE engine containing a servlet.
  2 - Can figure out how to use the UME API
  3 - Can use a mail API like Javamail, which is straightforward
  Cheers,
  Steve

• RFC Sender - Logon User - What Roles and Authorizations?

  Hi,
  Scenario: RFC Sender --> XI --> JDBC
  What necessary Roles and Authorizations has to be given for Logon User (in Sender RFC Communication Channel).
  It has to be moved to production soon. My Client wants to give only Roles and Authorization that are necessary for the Logon User.
  With Regards,
  Manikandan R

  Hi ,
  U need to give ECC Authorisation
  Application server : ECC Server
  Sytsem no : ECC system number
  Logoon User : ECC any username
  password : password for above user
  clientr : ECC client ( From which client u are sending to RFC adapter)
  Regards,
  Jayasimha jangam

• Authorization control on material reservation creation and change (MB21 & M

  Hi Friends
  Please help me to find a solution on Authorization control on material reservation creation and change (MB21 & MB23).
  Client looking for a control over end user on those T.Code s but not at T.Code level;
  Client looking for control either based on "Storage location" and/or u201CProduct hierarchyu201D.
  More specifically, user A and B both can Create/Change MR but user A only can do it for the MR which related to storage location say YY while B authorized for storage location ZZ
  Thanks in advance.

  Hello Partha,
  Only available Standard SAP Authorization Objects, related to Reservations, are M_MRES_BWA (Reservations: Movement Type) & M_MRES_WWA (Reservations: Plant) where you can maintain authorizations based on Movement Type & Plant respectively and hence seggested enhancement.
  You can use Tcode-SUIM to search for Basis authorization details i.e. Roles defined for specific transaction/authorization object / profiles.
  Revert if any further info required.
  Regards,
  Anup

• How do we reset password for SAP* and DDIC user in SAP R/3 ECC 6.0?

  Hi,
  How do we reset password for SAP* and DDIC user in SAP R/3 ECC 6.0?
  I tried with acual method as below from client '000':
  DELETE FROM USR02 CLIENT SPECIIED WHERE BNAME = 'SAP*' AND MANDT = '001'.
  After this when I tried to logon '001' using SAP* with password PASS it is giving  the message that Incorrect logon and password.
  (Also when I checked for 'SAP*' in 001 it looks like it is not got created as I queried as below:
  SELECT SINGLE * FROM USR02 CLIENT SPECIFIED WHERE BNAME = 'SAP*' AND MANDT = '001'.)
  Can anybody throw some light on this? RewardS is guranteed for solutions!
  -B S B

  Hi again:
  I forget to tell.
  You must restart the system. So, that a new user with the name "sap*" gets generated with password "pass"
  Hope this wil help,
  Eric