User Roles and Authorizations

Similar Messages

• Defining BI Power User Role and Authorizations

  We are looking for information/best practices/guidelines pertaining to defining BI Power Users and the appropriate authorizations to attach to this role.  Our Power Users are asking for approval to access several transactions within BI, specifically within RSA1. I am curious to know how you define your power user role(s) and to what extent they have access to BW itself (i.e. BEx, Web Designer, direct access to BW transactions such as listcube, RSA1, RRI, ability to update custom tables, ability to access the data model structure, etc )? Do your power users have access to develop production queries in DEV and test in your QA environment or are they restricted to ad hoc queries in Production? Have you seen any best practices or guidelines from SAP surrounding appropriate authorizations for Power Users? Any information you would be willing to share with us would be most appreciated.

  Hatem,
  You have an option to use the old method however it's recommend to use analysis authorizations going forward.
  Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
  Cheers,
  Ben

• RFC Sender - Logon User - What Roles and Authorizations?

  Hi,
  Scenario: RFC Sender --> XI --> JDBC
  What necessary Roles and Authorizations has to be given for Logon User (in Sender RFC Communication Channel).
  It has to be moved to production soon. My Client wants to give only Roles and Authorization that are necessary for the Logon User.
  With Regards,
  Manikandan R

  Hi ,
  U need to give ECC Authorisation
  Application server : ECC Server
  Sytsem no : ECC system number
  Logoon User : ECC any username
  password : password for above user
  clientr : ECC client ( From which client u are sending to RFC adapter)
  Regards,
  Jayasimha jangam

• Business Explorer Roles and Authorizations

  Hi,
  I am using Business Explorer Query Designer and Analyzer ( Excel Work book add on) with BI 7.0.
  I need to create roles and authorizations for the end users to create queries and view queries in excel by using Business Explorer Query Analyzer.
  Kindly suggest me what are the standard transactions, roles and authorizations to be given to the end users.
  Thanks and regards
  Murugesan

  I dont have idea about Bi 7.0 ..
  If its bw 3.X i jusz used rrmx --->>excel ->addins-->>queries --->pop up window --->here we need rfs object S_RFC
  Finally rrmx tcode and general roles which has S_RFC  autorisation object and the query .
  Regards,
  Naveen

• What Roles and Authorization Req

  Hi All,
  I am getting the Error in SOAP to RFC Sync secnario.
  User using one URL through that URL he is trying the send the data to before sending the req user have the USER ID and Password. what are the Roles and Authorization req for that user id and password. Are they service user id ?
  Regards

  This user ID have roles similar to Service user PIAPPLUSER or XIAPPLUSER. However, it is recommended not to provide this user detail directly to sender system. Instead create a new user and provide that to your partner.
  Regards,
  Prateek

• Roles and authorizations in BI content

  Hi experts,
  I'm trying to define a very simple scheme of roles and authorizations for my queries.
  So, i'm trying to limit the acess by infocube and DSO, but I'm missing the authorizations objects for Cube and DSO.
  I know that authorization object for queries it's S_RS_COMP.
  So my roles would be something like
  BI_ROLE_FI
  Authorization Object                                  Autorization Object Value
  Acess query (S_RS_COMP)                         NA                              
  Infoobject (whats the object???)                   0FIGL_C01
  DSO (whats the object???)                            0FIGL_O14
  BI_ROLE_PUR
  Authorization Object                                  Autorization Object Value
  Acess query (S_RS_COMP)                         NA                              
  Infoobject (whats the object???)                   0PUR_C01
  Can you help me find out whats the missing information
  Thanks and regards
  Joana

  Hi,
  Iu2019ve gave authorization to the object youu2019ve mentioned, but itu2019s still not working.
  Basically what I have is the following:
  One role that allows me to execute queries, workbooks, etc.
  A second role, dependent on the area of work, that should allow me only to have access to queries  from cubes/MP/DSO that are specific to users area.
  I will then give each user role 1 + the adequate role 2, depending on their work area.
  For role 1 I have got:
  S_RFC     
  Activity: 16
  Name of RFC to be protected: *
  Name of RFC object to be protected: *
  S_TCODE     
  Transaction code: RRMX
  S_GUI     
  Activity: 16
  S_USER_AGR     
  Activity: 01, 02, 03
  Role Name: ANLG_BI_01
  S_USER_TCD     
  Transaction code: RRMX
  S_RS_AUTH     
  BI Analysis Authorization: BI_ALL
  S_RS_COMP     
  Activity: 03, 16
  InfoArea:*
  InfoCube: *
  Name (ID) of a reporting component: *
  Type of a reporting component: *
  S_RS_COMP1
  Activity: 03, 16, 22
  Name (ID) of a reporting component: *
  Type of a reporting component: *
  Owner (Person Responsible) for a reporting Component: *
  S_RS_TOOLS
  Logical Command Name: THEMES
  Iu2019ve tested this role, and it works u2013 they can access queries, create workbooks, create permanent model workbooks
  For role 2 u2013 Finance I have     
  S_USER_AGR     
  Activity: 01, 02, 03
  Role Name: ROLE2
  S_RS_ADMWB
  Activity: 03,66
  Data warehousing workbench Object: INFOAREA
  S_RS_ODSO
  Activity: 03
  Infoarea: 0FIGL_ERP
  DataStore Object: 0FIGL_014
  SubObject for ODS Object: *
  S_RS_ICUBE
  Activity: 03, 66
  Infocube SubObject: *
  Infoarea: 0FIAP
  InfoCube: 0FIAP_C02
  S_RS_MPRO     
  Activity: 03
  Infoarea: 0FIN_REP_SIMPL_1_ERP
  MultiProvider: 0FIAP_M20, 0FIAP_M30
  MultiProvider SubObject: *
  I then gave to my test user this 2 roles, and with that user I can still see every infoarea, and access all reports.
  I will have more specific roles u2013 to other areas (SCM, TV, etc), but I chose this one has an example.
  First question I have: can I manage my requirement in 2 different roles: one for action that can be performed (role 1) and other for areas that they can access data from (role 2)?
  What objects/restrictions am I missing in role 2?
  Many thanks
  Joana

• Deleting FICO Roles and Authorizations

  Hi Guys,
  i want to Delete some roles and authorizations from a user profile.I have the user id and I want to know what roles are assigned to the user.
  Which tcode can be used for the same and how to delete the fico roles assigned to that sap user id.
  thanks,
  Srikanth.

  Hi,
  I got the solution. It is SUIM.
  Anyways thanks for the help
  srikanth

• VIRSA tables for users, roles and profiles sync?

  Hello,
  I am in a customer, implementing CC 5.2. At the first time, we tried CC 5.2 in DEV environment, and when everything was OK, we redirect RFC connectors to QA environment.
  After doing user, roles and profiles sync in DEV and in QA environment too, I have 4.500 user (1.100 from DEV + 3.400 from QA) when I recover all users "*" with "user level - risk analysis" from the "Informer" tab.
  It seems that "users, roles, profiles, sync" works like and "APPEND", but I did a COMPLETE syncronization not an INCREMENTAL.
  If I start an analysis for QA environment, CC works properly and only analyse QA users (3.400). But I would like to clean CC tables (users, roles and profiles) in order to have a clean copy of QA in CC.
  Which VIRSA tables (users, roles and profiles) I need to clean?
  It is necessary to do the same with authorization and text objects? Which would be these tables?
  Thanks in advance,
  Victor

  Hi all,
  SAP GRC Support provides a script which allows you to remove a connector since it does delete all data link to it. Anyway, I would recommend a deep analysis of it and find out if it does what you really want to do.
  Víctor, if what you want to do it is just to remove all user, role and profile master data (stored in tables VIRSA_CC_SYSUSR and VIRSA_CC_GENOBJ) you could upload a text file using data extractor functionality with the delete field set to X. Doing so user, role and profile master data will be removed from CC database.
  In order to use data extraction functionlaity you connector must be of type "File Local".
  Be careful about removing data directly from DB since, as Prem states, you might loose the DB consistency.
  Hope it helps. Best regards,
     Imanol

• ABAP User Roles and Query for accessing particular T- codes and Reports

  dear Gurus
  I have one problem, i want to know about ABAP User Query ,i have one requirement my user wants to Lock all the HR Std versus Customized reports in T- code SQ01,other department peoples also see the Payslips and Hr personal reports which is harmfull to the dept so i want to Lock all the reports in Std T- code in SQ01 and i have created one Customized User Roles or Query in which the T-codes and Reports are assigned only those particular user can access the T-codes and Std reports .how can it be possible i dont have any idea about user roles and Queries .
  kindly help me out or send me some documents related to user roles and queries
  regards ritesh sharma

  Hi Ritesh,
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/103cafc2-7a64-2b10-14b3-eddb7d324561
  Regards,
  Flavya

• Please guide me for user authentication and authorization in WebDynPro App

  Hi,
      I just study the WebDynPro to develop the SAP Portal. I've ever developed the Web-based App using J2EE. So when i developed the Web-based App i have to develop the control of the user authentication and authorization on each page for example ,checking the session of the user whether they can access this page or whether session is expired or not,. So i have no idea with the WebDynPro and the SAP Portal because i never had experience for both WebDynPro and Portal.
  I need to ask you some question to clarify my doubt :
  1. SAP Portal  is web page that include every enterprise application with in one page and user log-in to them just on time, isn't it?
  2. If i integrate WebDynPro with SAP Portal, which one will do the authentication and authorization?. I mean that, Do i have to develop the code to check authentication and authorization in the WebDynPro App or Let the SAP Portal manage them?
  3.Could you please suggest the best practice for authentication and authorization in webDynPro.
  Many Thanks
  Noppong J

  in most case you don't have to write code to deal with session, authentication and authorization.
  1. yes,
  2. no, no code needed. you just set an attribute to your application, which make the the authentication required. when user access this page, portal will display the logon page
  3 you can put some authorization related code in web dynpro for specific requirement, search this doc "Protecting Access to the Web Dynpro Car Rental Application Using UME Permissions"

• User role and Authority-check ?

  Hello,
  Could you please let me know how are the differences between User role and Authority-check. In a program I do not use Authority-check , And The user is not assigned to user role which contain this transaction ( for this program), Can the user execute this transaction OR he must be assigned to user role which contain this transaction to execute it . Supposing that we do not use any Authority-check in then program.
  Thanks in advance

  Hello Martin,
  I think this answers the OP's question about user not being assigned the role which contains the trxn code. As you have explained in this case the default auth. check for S_TCODE will fail & user cannot execute the trxv. (If i remember correctly the tables for this are AGR_USERS & AGR_TCODES)
  Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
  @OP:
  The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
  BR,
  Suhas

• About roles and authorizations

  hai friends,
  who will create roles and authorizations plz
  thanks in advance
  suitable answer will be given suitabel points
  kumari

  Roles and authorizations have to be done with Basis team and HR team together, because they are not the usual roles that other modules use. For instance, HR authorizations have different objects for PA, PY, Clusters, BM and CM. For OM and PD, you use transaction OOSP for authorization profiles.
  For my personal experience, when the consulting team ask the basis team to deal with authorizations for HR, they become paralized when they find Structural Authorizations Profiles, Period of responsibility, etc., because they don't know (and it is not their responsibility) about HR objects and concepts handled in txn OOSP.
  In order to avoid this problems, take an extra time for this in your implementation project. Roles and authorizations in HR, when done correctly, takes more time than other modules.

• Query user roles and access

  hi,
  How can query user roles and access in whole database? I want to list username, status, rights, and role
  thanks
  P

  Hi,
  The data dictionary view dba_users has one row per user.
  The data dictionary view dab_role_privs has one row for every distinct combination of user and role that actually occurs ion your database,
  Are you interested in system privileges? See dba_sys_privs.
  Are you interested in individual grants, like the privilege to UPDATE a given table, or the privilege to execute a given stored procedure? See dba_tab_privs. (Don't be fooled by the name; it's not just for tables.)
  I hope this answers your question.
  If not, post some CREATE statements, that create tables, roles, and whatever else you want, and some GRANT statmeents that grant privileges on those objects. Pos the results that you would want to get from those objects and grants.

• User, user roles and previllages

  I have made all the tables under one user for my oracle forms, is it a good approach or should i use multiple users for this and how can i use user roles and villages for oracle forms?
  Thanks
  Hina

  In our organization, we usually has an application owner and another schema with limited privilege to connect to from application (in this case forms). For example we have application owner say DBO which owns all the objects in the application and another user IA_APP is there to connect to database from application. Privileges such as SELECT, INSERT, UPDATE, DELETE is given to IA_APP user. Object access is provided through public synonym. You can do analogy to this in your application and database.
  Regards,
  Virendra

• As XI developer what are the roles and authorization i shoul have in realti

  Hi Experts,
                  As XI developer what are the roles and authorization i shoul have in realtime, as a dveloper is it possible for me to crate namespace and business system, can any one please exaplain me abt business system  in real time scenario.
  thanks
  dhanush

  Hi Dhanush,
  your authorizations will be decided depends on your role in your team.
  yes you will have authorization for creating name space ,but your bussiness system will be created by Basis pesron and assign it to your scenario.
  Business System is a logical entity which represents logical view of your technical system. (eg a client in R3 system can be respresented as business system in SLD) For one technical system you can have multiple business systems.
  Look in to these links for detalis of bussiness systems.
  http://help.sap.com/saphelp_nw04/helpdata/de/31/f0ff69551e4f259fdad799a229363e/frameset.htm
  http://help.sap.com/saphelp_nw04/helpdata/de/87/7277e8fba34421a45d97a41ec27381/frameset.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/7b/d4653fd1d3b81ae10000000a114084/content.htm
  Reward points if found usefull......