Value Role Concept

I tried searching for documents on Value Role concept. Please reply if anybody has any documents or links about this.
Thanks.

There is not a lot of info in the public domain on the value role concepts. I know it has been covered on a couple of the other security forums.
Subbiah - generally the value role concept is where you split the functional and the data access. This is also referred to as the enabler concept.
You create 1 role with your transactions but don't populate org data for example
You then create another role with the auth objects that contain the org data
When you combine the two you get the access that is required. If you require lots of org data variants, you can have lots of org data value roles and assign as required.
There is no need to restrict it to org data either. Anything that needs differentiation can be catered for using the value concept. A example that is quite common is where a separate role is created for object F_BKPF_BUP which is then assigned as an extra value or enabler
Like any approach there are pro's and con's. Value roles take a while to set up. You need to manually import the relevant objects into the value role, and make sure the corresponding objects in the master role are deactivated or not populated etc.
It isn't a common approach so you need to ensure that your documentation is up to standard.

Similar Messages

Master role & Derived role concept

Hi Friends ,
We have master and drive role concept in our project . ABC_XXXX (Master role ) ABC_1000(Derived role) (1000= company code)
Now we need to maintain some values in master roles lets say display :03 . Should we regenrate deived role as well ?
If we regenrate derived role , Do inhertiance relatioship breaks? and we need to maintain company code =1000 value again ?
Please suggest.
regards

Forgot to answer some more questions you had asked. Adding them here:
Now we need to maintain some values in master roles lets say display :03 . Should we regenrate deived role as well ?
- use the steps I mentioned in my earlier reply to re-generate derived roles from the Master role.
If we regenrate derived role , Do inhertiance relatioship breaks?
- please use the steps I suggested, the inheritance will not break. And this is an advantage of Master-->derived role.thats the meaning of having this concept in SAP.
and we need to maintain company code =1000 value again ?
--- No you dont need to. (you can check and see this manually).
Hope it helps...
Soumya
Edited by: Soumya Thomas on May 20, 2010 12:34 PM
Edited by: Soumya Thomas on May 20, 2010 12:35 PM

Funktion Roles and Value Roles

Hello,
i read in a SAP Press book something about funktion roles and value roles.
Can someone explain me how this work.
kind regards,
Bernhard

I would suggest taking preventative legal action against anyone who even mentions "functional and value" roles - particularly if they give the impression that transaction codes, activities and org-levels can be built in seperate roles - because when the concept goes downhill (which it will!) then they will unlikely be around to clean up the mess nor take responsibility for it.
Rather steer well clear of this type of concept.
Cheers,
Julius

Need help regarding Value Object Concept in flex/java

I need to map the java objects to flex use value objects in flex.
The problem is I have a class in java which is referring to another class and again that class referring another class.
For instance
Class A
protected User user;
Class User
protected Address address;
Now I need to map class A to the flex using value object concept and I have to display the user info in the grid as well.
Need some help to get started.

You need to set the "scope" property in your remoting destination definition to "session" or "application".

Role concept - CRM - EP

Hi All,
I imported the business package for CRM in enterprise portal.rightnow i am dealing with security aspects. I have some conceptual doubts related to role concepts with this Business package.
I have a role for sales manager in business package, com.sap.pct.crm.SalesManager,which have some iviews and external services. from the documentation, i came to know that this role corresponds to "SAP_PCC_SALES_MANAGER" in BW system and "SAP_PCC_SALES_MANAGER" in CRM system.
I just want to know, which strategy, I should use for Role, user to role assignments in my scenario i.e. either "EP as leading system" or "ABAP system as leading system"
I was thinking of having ABAP system as lead. i.e. getting the role menu and user to role assignments from CRM system and BW system and adding this to the delta link of portal role that came with business package, so that i could get the user assignements from both the CRM and BW systems. but later i came to know that this role, SAP_PCC_SALES_MANAGER is portal specific role in BW and CRM, so i was worried of how to get the user assignments of the original sales manager role in crm system and bw system to the portal.
right now, i am totally confused and have no ideas. I thought that some one could help me in this regard with thier experience.
Thank you

HI
please ensure that user is present with same userid as that in portal with both BW and CRM system and then use com.sap.appintegrator.portal component for creating transactions of any type ussing template iview as well get user autorization for user for both the roles in BW.
hope this helps
With Regards
Subrato kundu

Shell Role Concept

Hello All,
Any one can explain me concept of shell role, what is use, advantages, disadvantages how to maintain shell roles.
thanks
Sushant

Hi Sushant,
It sounds like you are talking about cross-system composite roles.
What is use
If you are using CUA you can define roles in your CUA master that contain roles for the target systems too. That way if you have HR as your CUA master (possibly using org assignments too?), you can provision for all relevant systems based on the role definition.
Advantages
Can speed up provisioning into multiple system
Helps support accurate job definitions for all system access
Disadvantages
CUA needs to be setup and maintained properly (not sure if that is a disadvantage but is a factor for consideration)
If enough thought does not go into design then you end up with composites/shells that cover lots of eventualities
If you have a granular single-role concept then your shell role could get very cluttered by the number of assignments required.
Maintain
Use PFCG in the CUA master
Like any other composite role - use text comparisons etc to pull in the roles from the target systems

Office 365 API, error: The token has invalid value 'roles' for the claim type ''

Hi guys,
I am trying to develop a Daemon / Server application using the new Office 365 APIs. I have added a new application to Azure Active Directory. I am using cURL + the app ID and secret to get a JWT token, this is the exact request:
curl -X POST https://login.windows.net/TENANT_KEY/oauth2/token \
-F redirect_uri=http://spreadyDaemon \
-F grant_type=client_credentials \
-F resource=https://outlook.office365.com/ \
-F client_id=XXXX \
-F client_secret=XXXX=
I get back a JWT however it has no scopes for access set here is the decoded JWT claims:
"ver": "1.0",
"aud": "https://outlook.office365.com/",
"iss": "https://sts.windows.net/TENANT_KEY/",
"oid": "17fa33ae-a0e9-4292-96ea-24ce8f11df21",
"idp": "https://sts.windows.net/TENANT_KEY/",
"appidacr": "1",
"exp": 1415986833,
"appid": "XXXX",
"tid": "e625eb3f-ef77-4c02-8010-c591d78b6c5f",
"iat": 1415982933,
"nbf": 1415982933,
"sub": "17fa33ae-a0e9-4292-96ea-24ce8f11df21"
Therefore when I do a request to the exchange API endpoint I get the following response:
HTTP/1.1 401 Unauthorized
Cache-Control: private
Server: Microsoft-IIS/8.0
request-id: d08d01a8-7213-4a13-a598-08362b4dfa70
Set-Cookie: ClientId=WDALDNO0CAIOOZDZWTA; expires=Sat, 14-Nov-2015 16:40:59 GMT; path=/; HttpOnly
X-CalculatedBETarget: am3pr01mb0662.eurprd01.prod.exchangelabs.com
x-ms-diagnostics: 2000001;reason="The token has invalid value 'roles' for the claim type ''.";error_category="invalid_token"
X-DiagInfo: AM3PR01MB0662
X-BEServer: AM3PR01MB0662
X-AspNet-Version: 4.0.30319
Set-Cookie: exchangecookie=6bf68da033684824af21af3b0cdea6e3; expires=Sat, 14-Nov-2015 16:40:59 GMT; path=/; HttpOnly
Set-Cookie: [email protected]=[email protected]4Wbno2ajNGQkZKWnI2QjJCZi9GckJKBzc/Oy9LOzdLOy6vOycXLz8XKxoGaio2PjZvPztGPjZCb0ZqHnJeekZiak56djNGckJI=; expires=Sun, 14-Dec-2014 16:40:59 GMT; path=/EWS; secure; HttpOnly
Set-Cookie: [email protected]=[email protected]4Wbno2ajNGQkZKWnI2QjJCZi9GckJKBzc/Oy9LOzdLOy6vOycXLz8XKxg==; expires=Sun, 14-Dec-2014 16:40:59 GMT; path=/EWS; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: DB4PR02CA0026
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm="",Basic Realm=""
Date: Fri, 14 Nov 2014 16:40:59 GMT
Content-Length: 0
I have asked a stack overflow question here: http://stackoverflow.com/questions/26950838/office-365-api-error-the-token-has-invalid-value-roles-for-the-claim-type
Any help on the matter will be hugely appreciated, thanks!

Hi Manu,
To wrap this thread up; I have had an answer on stack overflow.
It appears that currently the grant type client_credentials is not supported, according to a comment on this blog post by Matthias' http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx
"There is no way in the code flow to avoid username/password. We're working on a client credential flow for later this fall that will give you the functionality required to run background services. For this you will not need a username/password,
but the application will directly assert its identity and authenticate as itself."
Unfortunately I require client_credentials for a daemon process, Q4 is the scheduled release for support for this grant time.
Thanks for the help,
Nick

Nested groups ,multi-valued groups,nested roles ,multi-valued roles

Does OID support
1)groups, nested groups and multi-valued groups
2)nested roles and multi-valued roles
Thanks in advance

You will typically see problems when multi-valued attributes are in the range of 10k-20k values. 10 values in a multi-valued attribute should not have much impact at all.

Master role and derived role concept

Guys,
1) How to assign the organizational levels for the derived role?
Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
Greatly appreciate for some body's help.

> 1) How to assign the organizational levels for the derived role?
> Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
Only if you assign the master roles to users. (and maybe for testing, see 3)
>
> 2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
Nope, but if one of it's derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
>
> 3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
Best order is to do all unit testing wit the master, with all org levels at * and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
>
> 4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
See 2, it goes there automatically. No choice.
Jurjen

Master role-derive role concept and FICO role in dev system!!!

Hi all,
I have created a master role with t-codes
AWUW
BAPI
BD10
BD100
BD101
BD102
BD103
BD104
BD105
BD11
BD12
BD13
BD14
BD15
also included object PLOG where maintained org data
and created a derived role from that master role and generated from the master role.
After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
How should I proceed???
I have another issue....I am now in Dev system....I need to create a role with FICO module with SPRO....
Should I go ahead and cread a role and assign FICO block and assign SPRO...will that be sufficient??
Thanks in Advance
Regards,
Souren

Yes, It seems that you have broken the org level by directly making changes in the org level field inside pfcg.
One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields.).
If you want only for PLOG, then delete this object and add again. Then go to organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to derived role. Now, goto derived role and make the org level change the same way you did for parent role..
For your second question, you will have to see what all auth objects are being checked by SPRO for a FICO module assosciate. You can create a test role with SPRO in it and then do authorization trace through ST01 to see what all objects are checked when they work.

Master role-derive role concept?

Hi all,
I have created a master role with t-codes
AWUW
BAPI
BD10
BD100
BD101
BD102
BD103
BD104
BD105
BD11
BD12
BD13
BD14
BD15
also included object PLOG where maintained org data
and created a derived role from that master role and generated from the master role.
After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
How should I proceed???
Thanks in advance
Regards,
Souren

you should refer to the SECURITY forum at Security

Enterprise Role Concept in ERM

Hello,
We want to implement Enterprise Role(Not Portal) concept in ERM. Anybody has implemented this concept of composite roles from different single roles belonging to different SAP components.
Ex : Marketing Management Enterprise Role is a collection of single roles from ECC and SCM. We want to have cross system risk analysis performed on the same.
Thanks in advance,
Ashutosh

Hi Sri,
Is the role status set to "production" ??
Cheers,
Diego.

Concept of Value, Task & Template Roles

Hello,
Can anyone explain the concept of value roles, task roles & Template roles in SAP? I have heard about single, composite, derived roles in sap.
Also, can there be a transaction in derived roles independent of the parent role? i mean that a transaction that i could add to derived role only in addition to the transaction that derived role with inherit from the master role. if yes, what will be its affect on auth. objects etc..
Kind Regards, Ben

Hi
Single, composite & derived roles are technical role types. Value, task & template are descriptions of how roles can be used and can often have different meanings. The most common ones are:
Task: A single role (or could be a derived role) that represents a small piece of functionality such as create PO, display SO, create journal, change material etc.
Template: Is sometimes used to describe a parent role or if derived functionality is not used, the transactional template for variants to be created that have different org level and / or field level restrictions. It is also used for composite roles where you have the "shape" of the composite role defined with dummy roles and these are replaced with equivalents that represent the access required for the relevant org levels. There are probably a few other uses for the term template - like task and value, it is not a standardised term.
Value: There is a design concept that has transactional content in one role and org level content in another role. The org level/key restriction part is designed to reduce the number of variants created but this introduces complexity in other areas, e.g. it breaks SU24.
It also describes a concept where you have small pieces of authorisation (e.g. cost centre, access to posting periods) where you can supplement the role build with discrete authorisations.
Different transaction in a derived role: As Soumya said, this is not recommended. You could do it by manually adding an instance of S_TCODE and adding the transaction in there however it breaks the derived role concept and as soon as you push changes down from the parent, the change will be overwritten.

Question on org level values in derived roles

I have a set of derived roles for a retail org.
They have set the org level for the WERKS object to the store number i.e. 0012. in the M_MSEG_LGO, M_MSEG_WMB, and M_MSEG_WWE but set it to "" in the M_MRES_WWA and M_MSEG_WWA. Needless to stay the "" is overiding the site restriction.
My question is, how can they allow store to store transfers and goods issues for other sites but only do POs and goods receipts for their default store?
If the transactions in the role are using the same object, it doesn't seem like it can be done but I am told it can! I can't figure it out. Can anyone assist?
Thanks

If you are talking about straight authorization object ( then your design cannot go with derived role concept )
If your controls are only through the organizational object only then derived role design will help
If its a mix of both standard object + organizational level object derived role will not help you.
Please note
the WERKS is the organization level in your case the plan value is 0012
do not set the values in parent role and also do not populate this value were its "$werks"
what is TCODE you are using ?
Edited by: Franklin Jayasim on Jul 21, 2010 11:45 PM

Concept of groups vs concept of roles

Hi!
I'm designing an LDAP structure mainly for authentication and authorization of users. I want to use the LDAP server for applications, intranet (different platforms like linux, NT, ...) and portals.
I read the Admin guide about groups and roles and found, that there aren't that many reasons for using roles instead of groups. The only real difference is (as I understood) that when using roles, I don't have to search for the the groups a user is member of, because every user contains the nsrole attribute with all the roles he is member of.
One big reason for not using roles is, that they are quite specific for iPlanet Directory Server. If one ever changes to another product (for example OpenLDAP) the roles concept may or may not be the same. When using groups I don't have that problem.
(If my information about that is incorrect please conradict!)
A mixture of groups and roles is a quite bad idea because if I put a group in a role, the "nsrole" attribute is added only to the group but not the the members of the group, so if I use roles, I should stick to them and should not use any groups.
As I told at the beginning, I am planning an LDAP structure. I don't have any "real life LDAP-experience" so if your experience is different, please tell me.
Thanks in advance for your opinion!
Florian

1. Why there could be a problem without scopes in
groups. If I have two companies and each of them has
a group "employees". Two companies would probably be
separated in two different subtrees, so I just use a
dynamic group, where I can specify a subtree where
groupmembers can be located or I use static groups,
where I define each entry.You see, you had to make a choice on which group type you could use - not because one was more convenient for defining members for the problem at hand, but because only one would work at all.
One thing I did not mention about roles advantages: they all work the same way - if a new role type were invented, applications written to work with roles prior to the new role, would still work with that role type. Groups types are so different that forward compatibility is not possible - mostly because to even use groups, applications have to do all the work to do common things like, enumerate the group, enumerate the groups an entry belongs to, test for group membership etc.
>
2. The coding logic for group evaluation with dynamic
and static groups and even mixtures of it is quite
complicated, it is much easier to ask an entry for a
roledn and thats it, but do most clients support
roles? Probably not. But then roles have not been around as long. I don't have any hard data on how many apps use roles - you would be surprised how hard it is to get that data for a developer.
As far as I know roles are not used in any
other LDAP Server. Well, the Sun DS, and the Netscape DS (which admittedly were once the same thing) both support the same roles.
So you can optimize an
applications implementing a role based queries, but
if you have a OpenLDAP environment you also need a
possibility to use groups. Talk to the OpenLDAP people about that. I believe they (at one time at least) decided to support the Netscape slapi interface - roles have interface components in that api.
I do understand what you are saying - there isn't an RFC, so other servers don't support roles. Well, I'm sorry, I never got around to it. To be perfectly frank, a lot of LDAP RFCs/Drafts merely describe some proprietary mechanism which other servers never adopt. Some even describe mechanisms that nobody has ever implemented.
When it comes down to it, it is only you who can decide whether being able to move to OpenLDAP or some other server without any reimplimentation is an important consideration. Every server will have features not supported by others, and if your choice is to use only those that are commonly supported, then that is your choice.
Roles will allow much less complex coding in order to use them and they are much faster than equivalent client side operations, but the price is non-comformance with other servers. But when that non-conformance simply boils down to entries which merely "describe" the groups without adding application level functionality - how much have you really lost? Well, until you need to change server vendor you have only gained, and then you'll need to put in the effort you saved ealier.
On the other side, what
application do support roles right now? (I really
don't know)Apart from applications by vendors that also supply DS I don't know either - but support for features such as this need to come from customers of those products. It is surprisingly simple to add support for roles in a product (for most it will almost be free) - much simpler than for groups.

Value Role Concept

Similar Messages

Maybe you are looking for