VIRSA tables for users, roles and profiles sync?
Hello,
I am in a customer, implementing CC 5.2. At the first time, we tried CC 5.2 in DEV environment, and when everything was OK, we redirect RFC connectors to QA environment.
After doing user, roles and profiles sync in DEV and in QA environment too, I have 4.500 user (1.100 from DEV + 3.400 from QA) when I recover all users "*" with "user level - risk analysis" from the "Informer" tab.
It seems that "users, roles, profiles, sync" works like and "APPEND", but I did a COMPLETE syncronization not an INCREMENTAL.
If I start an analysis for QA environment, CC works properly and only analyse QA users (3.400). But I would like to clean CC tables (users, roles and profiles) in order to have a clean copy of QA in CC.
Which VIRSA tables (users, roles and profiles) I need to clean?
It is necessary to do the same with authorization and text objects? Which would be these tables?
Thanks in advance,
Victor
Hi all,
SAP GRC Support provides a script which allows you to remove a connector since it does delete all data link to it. Anyway, I would recommend a deep analysis of it and find out if it does what you really want to do.
Víctor, if what you want to do it is just to remove all user, role and profile master data (stored in tables VIRSA_CC_SYSUSR and VIRSA_CC_GENOBJ) you could upload a text file using data extractor functionality with the delete field set to X. Doing so user, role and profile master data will be removed from CC database.
In order to use data extraction functionlaity you connector must be of type "File Local".
Be careful about removing data directly from DB since, as Prem states, you might loose the DB consistency.
Hope it helps. Best regards,
Imanol
Similar Messages
-
DB table for Derived Roles and Parent Roles
Hi Expart,
In which DB table the Derived Roles and Parent Roles are store .that is i need to find out the derived role and parent Role .i have completed the Complex and single role by table AGR_AGRS
But i have to find out the table for Derived Role
Plz help me to get those table
Thanks in advance
TarakIt's the same table as for the master role: AGR_DEFINE (field PARENT_AGR is filled for derived roles).
~As from Forum -
User Role and Profile Managment
Hi All,
I have task on role management , i have a profile assigned to like 20 users , but one of the user is asking me to have special authorization on particular Z Table he want to have modify rights.
in order to give the rights to this guy fro that table , i have to make this profile modified so that it will apply for all of them, so i wan to have this rights to this particular user with the same profile , does any body ahs idea how to achieve this??
Or can any one suggest me where can i put this question in the forums??
Thanks in advance
Regards,
SundarDear Sundar,
To create new Role, use T. Code: PFCG
Now, Provide Role's name, and Click tab: Create (in 4.6 X) or Tab: Single Role or Composite Role (In ECC 6.0). Give Description.
Now, click Tab: Menu --> Transaction (T. Codes etc.),
Tab: Authorization --> Change Authorization Data (Auhorization to Profile i.e. change/ Display/reate etc.)
Tab: User (user to which Role assignment is reqd) and then click: User comparison.
Thats it....
Rewards accordingly.
Best regards,
Amit -
Table for User Name and User ID?
Hi Experts,
I hv User ID, that Logs in. So, I waanna to pull the corresponding Name.
So,
Wher Can I find these data i.e. Which is the best Table/source?
ThanQ.Yo ucan alternatively use SUSR_USER_ADDRESS_READ.
The exporting parameter user_address would have the full name of the user in the field name_text.
DATA: user_address LIKE addr3_val.
CALL FUNCTION 'SUSR_USER_ADDRESS_READ'
EXPORTING
user_name = sy-uname
* READ_DB_DIRECTLY = ' '
IMPORTING
user_address = user_address
* USER_USR03 =
EXCEPTIONS
user_address_not_found = 1
OTHERS = 2.
IF sy-subrc = 0.
write:/ user_address-name_text.
ENDIF. -
RAR: Best strategy for users/roles/profiles synchronization
Hi all,
Assuming that:
1) we will be never interested about profiles risk analysis (just users and roles)
2) roles risk analysis will be run first and after sometime (threee weeks) we will run it for users.
and we will run batch risks analysis:
Question 1) Is it possible to synchronize just roles and do it for users just when we want to execute risk analysis for them? Or is a best practice to synchronize always for users/roles and profiles eventhough risk analysis will not be done for all three?
Question 2) If we execute just full sync and full risk analysis, users/roles or profiles deleted in backend between executions are also deleted from DB? or removal takes place only when executing incremental sync?
Many thanks in advance. Best regards,
ImanolHi Imanol,
Answer Q1: Yes, you can just select user and roles for the snych and risk analysis. Go to configuration-background jobs - shedule job. If you don't run risk analysis for profiles, you shouldn't sync and select them.
Answer Q2: Both, the Full risk analysis will alwaly update your DB. I will recommend you, to do this job in some periodic times. The incremental sync job will as well update your DB, if anything changed in the backend system. Normally your are going to run your daily or weekly jobs with this selection.
Thanks,
Martin -
Restrict GL / Cost Centre combinations for users/roles?
Hi,
Please could someone advise if it is possible to restrict Cost Centre and GL Account combinations during PO creation for specific users/roles?
For example:
Valid Combinations:
CC A1 GL 99
CC B2 GL 88
Scenarios:
Create PO with A1, 99 -> Allowed
Create PO with B2, 77 -> Not Allowed
I've found a related post, but not exactly my requirement - any other thoughts? Or has anyone done this themselves?
Authorisations - User Profile for purchasing - restrict by cost centreUse the user exit MM06E005 to control the CC and G/L for user dependent.
to do that - ask ABAPer to create the custom table for user, CC and GL combination and let teh user exit read the combination from the table and give a error or warning based on your requirements. -
I would like to download a list of all users and what roles and profiles each has. I did it once before but now I can't remember the table names. Can anyone help?
Hi,
Roles:
SAP_BW_DEVELOPER
Profile:
SAP_ALL
S_BW_D____
S_BW_D____1
Authorizations are
S_Rs_Admwb_a
S_rs_adw_a
S_rs_exp_a
S_rs_wb_all
Links for user roles:
http://help.sap.com/saphelp_nw2004s/helpdata/en/52/6714b6439b11d1896f0000e8322d00/content.htm
http://help.sap.com/saphelp_nw2004s/helpdata/en/42/271d24d86211d2961a0000e82de14a/content.htm
http://help.sap.com/saphelp_nw2004s/helpdata/en/e4/15e48efd6c11d296430000e82de14a/frameset.htm
http://help.sap.com/saphelp_erp2005vp/helpdata/en/d3/559a4271c80a31e10000000a1550b0/frameset.htm
http://help.sap.com/saphelp_erp2005vp/helpdata/en/4e/52b74065448431e10000000a1550b0/frameset.htm
For profiles and authorisations:
http://help.sap.com/saphelp_nw2004s/helpdata/en/52/67151e439b11d1896f0000e8322d00/frameset.htm
http://help.sap.com/saphelp_erp2005vp/helpdata/en/20/efcbfed8a511d397110000e82de14a/frameset.htm
Also chk this link..
http://www.bwexpertonline.com/archive/Volume_04_(2006)/Issue_10_(Nov_and_Dec)/V4I10A2.cfm?session=
screenshots..
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
Hope this helps,
regards
CSM reddy -
Su01 recreate old user - lost roles and profiles
Situation: a person's sap account was deleted, but now that person needs it again with the same sap access as before
when you recreate an old sap user account in su01,
sap gives a message "found old user information, do you want to reacreate this".
Press yess, then all is copied except roles and profiles (empty)....
You can find them back via the menu : information<change dcuments for users.
Is there a way to make sure that roles (and/or profiles) are instantly copied from the old records of the sap account (like
the name, email user group, user parameters, etcetera)?
Regards,
ABCNo. There is no such feature.
The solution is not to delete the user but rather lock the ID and move it to a "retired" user group where it is protected. From there you can restore it again easily.
Cheers,
Julius -
hi
Please tell anybody what is the table for User Status Profile in Sales Orders? where it will stores?
Regards
RajendraHi,
Use table JEST
Here you will have to enter the object number as an input field
Get object number from table VBAK or VBAP based on whether the status profile is attached at sales order header or at sales order item.
Status which is active will start with letter E and the status inactive flag will be blank.
Regards
Ravi -
Hi Guru.
I need this: I wish to export the new and the modified roles and profiles to an external non-SAP system. This non-SAP system is able to receive iDoc message.
Is it possible? Can I find n the SAP system the change point and the iDoc to do this?
Regards
Manuel Chiarellinot for roles. no. you can:
transport them
up-/download them
RFC-copy them
but not idoc them. -
ABAP User Roles and Query for accessing particular T- codes and Reports
dear Gurus
I have one problem, i want to know about ABAP User Query ,i have one requirement my user wants to Lock all the HR Std versus Customized reports in T- code SQ01,other department peoples also see the Payslips and Hr personal reports which is harmfull to the dept so i want to Lock all the reports in Std T- code in SQ01 and i have created one Customized User Roles or Query in which the T-codes and Reports are assigned only those particular user can access the T-codes and Std reports .how can it be possible i dont have any idea about user roles and Queries .
kindly help me out or send me some documents related to user roles and queries
regards ritesh sharmaHi Ritesh,
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/103cafc2-7a64-2b10-14b3-eddb7d324561
Regards,
Flavya -
User role and Authority-check ?
Hello,
Could you please let me know how are the differences between User role and Authority-check. In a program I do not use Authority-check , And The user is not assigned to user role which contain this transaction ( for this program), Can the user execute this transaction OR he must be assigned to user role which contain this transaction to execute it . Supposing that we do not use any Authority-check in then program.
Thanks in advanceHello Martin,
I think this answers the OP's question about user not being assigned the role which contains the trxn code. As you have explained in this case the default auth. check for S_TCODE will fail & user cannot execute the trxv. (If i remember correctly the tables for this are AGR_USERS & AGR_TCODES)
Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
@OP:
The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
BR,
Suhas -
Developing security Roles and profiles
Hi Team,
Can you guys let me know how to develop security roles and profiles. We are rolling out for a company in Japan, and the congif is completed. We are in the process of developing test cases ans also security roles and profiles for users? Can somebody guide and help me on this?
Regards,Hi,
Use Tcode = PFCG -->then create any customized roles and profiles for any users on module based.
user masters: USR01 to 09, UST04,
profiles: USR10, USR11, UST10S, UST10C,
authorisations: USR12, USR13, UST12.
password exceptions USR40.
History tables(may not be applicable but FYI): users: USH02, USH04,
profiles: USH10, auths USH12.
R/3 Security Tcodes
End User Transaction Code Menu Path Purpose
SU3 System > User Profile> Own Data Set address/defaults/parameters
SU53 System > Utilities > Display Authorization Check Display last authority check that failed
SU56 Tools --> Administration --> Monitor --> User Buffer Display user buffer
Role Administration Transaction Code Menu Path Purpose
PFCG
Tools --> Administration --> User Maintenance --> Roles Maintain roles using the Profile Generator
PFUD Work on SAP check indicators and field values
Select: Copy SAP check IDu2019s and field values
Installation
1. Initial Customer Tables Fill
Upgrade
2a. Preparation: Compare with SAP values
2b. Reconcile affected transactions
2c. Roles to be checked
2d. Display changed transaction codes
SU24
Same as for SU25:
Select: Change Check Indicators > Maintain Check Indicators>Maintain
Regards,
Srini Nookala -
Hello,
Could you please provide information on "security roles and profiles "
I would appreciate.
Regards,
AlexRoles give you authorization to specific area of the system. Use TC pfcg and you will see different setting for a role.
In specific Role -> Authorization -> click on Display Authorization Data.
Here all specific InfoArea, Cube, ODS, Reporting componets: display, execute and other security rules are defined.
User Section: defines who has access to this role.
Multiple authorization are combined to create an Authorization Profile. You defined a profile at TC su01 and under profile section.
Hope that helps.
thanks.
Wond -
Table contain user name and tcode
Dear Experts,
Can you tell me which Table contained user name and tcode field?
Thanks and Best regards,
wilsonYou need to be even more carefull with parameter transactions.
If SU24 is not maintained for them, PFCG will pull the proposals from the core transaction (via which the parameters are used in the skip screen feature...). If the core transaction has authority proposals for S_TCODE, then you will get those tcodes and their proposals as well.
A carefull choice of menu objects (not only limited to Tcodes), taking heed of SU24 defaults and tuning it to meet your needs is the key. But it requires organizational discipline and good training, otherwise rather dont use it for anything other than important objects which you want to control manually only, even if your business roles are a mess.
You can also restrict the authorizations of the security admins for example (as unpopular as that may sound... to segregate authorization concept development (SU24 etc), role building development (PFCG etc) and user administration (SU01 etc). Object S_USER_TCD also has a field called TCD...
There are also other objects (as Dipanjan has pointed out) which have TCD as a field of an object which is not S_TCODE. In addition to I_TCODE, Q_TCODE, P_TCODE, see also S_IDOCMONI for example.
To be honest I have given up on trying to find them all
The easiest solution is to use the menu and maintain SU24 when the transaction is configured or the application is developed and tested. That is what SAP does as well in SU22. It is more work upfront, but more sustainable in the long run.
If your users (and auditors) only see the menu (and use the SUIM --> Executable transactions) options, then you can get away with it in the short or even medium term. Latest when someone else need to maintain the roles they will hate it...
My 2 cents,
Julius
Maybe you are looking for
-
I have a simple Flash animation which I'd like to be made into a transparent GIF. When I do the GIF export, only the first frame of my movieclips (which are placed in the main timeline) get rendered. It seems like Flash only records the main timeline
-
Can i have two devices sharing one itunes account
i currently have my iphone synced with my itunes account, i have just bought a ipod and want it to share the same itunes account, library etc, how do i do this without wiping it off my phone when ading the new ipod ??
-
Choppy video playback with FCP 6 and 5D footage already converted to Apple ProRes 422
I am trying to edit a film I shot on the Canon 5D using FCP 6. I converted my raw files from the Canon 5D to Apple ProRes (HQ) . But as I try to work on the timeline everything is super choppy and drops frames constantly. I am trying to sync audio as
-
?I've searched through everything I could find here and tried them all, to no avail. Here's what's happened. My Zen Vision M (30 Gb) wouldn't start when connected to 3 different PCs I use it with. I figured it needed firmware update or something, so
-
How to populate form data in jsf
Hi I have 2 questions about how to do things in jsf, i have been working with struts and so will give example of what i would do in struts I have a jsf page for login, when i authenticate the next screen is a table with bunch of data, Where do i popu