Ways of role assignment

Hello,
What are the different ways of role assignment in R/3?
1) Direct role assignment (role-based authorization concept)
2) Indirect role assignment (structural authorization based, i.e. HR security, based on position)
Is there any other method?
Thanks,
Prasant

Only the first one has an "architecture" --> see table USREFUS.
The others are just coding techniques to confuse security admins...
Why are you asking the question?
Cheers,
Julius

Similar Messages

  • Role Assignment in EP

    Hi all,
    We are in the process of implementing EP.
    Please clear my doubts.
    1. Role Assignment
        I have some standard roles which come along with the BP,
        and if I assign one of them to any user it works fine.
        I have created one role and copied the standard workset (ESS - Personal Info) into it, and I have assigned that role to myself. It's not appearing in the top-level navigation.
        But when I copy the standard role into the newly created role and follow the same procedure mentioned above, it works fine.
       Can anyone help me?
    Thanks in advance,
    Regards,
    J

    Thank you Uma & Raj,
    see my other question in the same forum.

  • Any ideas on restricting userID Role Assignment within the SAP Security Team

    Hello,
    I have gotten a request to look into restricting the assignment of roles to oneself within the company SAP Security Team. Thoughts I have come up with so far involve the use of userID user groups, role assignment ranges, and forcing all role assignments for all userIDs through GRC-AC CUP for QA and Prod. Has anyone come up with a workable solution outside of these suggestions that they have put into practice?
    Thanks in advance for your help!
    John

    Hi John,
    There can be a manual control in place: an individual should not assign roles to himself or herself.
    Otherwise, security team members can be assigned to a specific user group (let's say Security), and they shouldn't have access to authorization S_USER_GRP with ACTVT 22 and CLASS = Security. There should be a dedicated power user to assign roles to the security team members, and this can be audited (SM20 log for a manual super user, FireFighter log for a FireFighter user).
    Thanks
    Prasanna
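The user-group arrangement Prasanna describes, as an added example that is not part of the thread and not SAP code: a small Python model of the S_USER_GRP authority check, run against constructed user groups and authorization values. The user IDs ALICE, BOB, CAROL and SECADMIN, the group names and the authorization values are assumptions. It shows why the security team's own authorization has to list the business groups explicitly, and that a wildcard CLASS value is exactly the gap such a review should flag.

```python
"""Model of the S_USER_GRP check that gates role assignment in SU01.

Added example, not code from the thread or from SAP: the user groups,
authorizations and user IDs below are constructed to show why a security
administrator whose own user master record sits in group SECURITY must
not hold S_USER_GRP with ACTVT 22 for CLASS = SECURITY.
"""
from dataclasses import dataclass

ACTVT_ASSIGN = "22"   # the ACTVT the thread names for assigning roles to a user


@dataclass(frozen=True)
class UserMaster:
    name: str
    group: str            # user group; checked as CLASS of S_USER_GRP


@dataclass(frozen=True)
class SUserGrp:
    """One S_USER_GRP authorization: permitted CLASS values and ACTVT values."""
    classes: tuple
    actvts: tuple


def value_matches(pattern: str, value: str) -> bool:
    """Authorization value matching as modelled here: '*' = any value,
    trailing '*' = prefix, otherwise exact. Ranges are left out."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(auths, user_class: str, actvt: str) -> bool:
    """AUTHORITY-CHECK OBJECT 'S_USER_GRP' ID 'CLASS' FIELD user_class
    ID 'ACTVT' FIELD actvt, evaluated against the actor's authorizations:
    a single authorization must match both fields at once."""
    return any(
        any(value_matches(c, user_class) for c in a.classes)
        and any(value_matches(v, actvt) for v in a.actvts)
        for a in auths
    )


def can_assign_role(actor_auths, target: UserMaster) -> bool:
    """Can an actor holding actor_auths assign roles to target in SU01?"""
    return authority_check(actor_auths, target.group, ACTVT_ASSIGN)


def self_assignment_risks(admins, auths_of):
    """Pairs (actor, target) where an administrator can assign roles to a
    member of his own group, i.e. to himself or to a teammate."""
    return sorted(
        (actor.name, target.name)
        for actor in admins
        for target in admins
        if actor.group == target.group and can_assign_role(auths_of[actor.name], target)
    )


# Constructed landscape: two administrators in group SECURITY, one end user,
# and a dedicated power user that is the only ID allowed to touch SECURITY.
ALICE = UserMaster("ALICE", "SECURITY")
BOB = UserMaster("BOB", "SECURITY")
CAROL = UserMaster("CAROL", "FINANCE")
SECADMIN = UserMaster("SECADMIN", "POWER")

# Business groups are listed explicitly; SECURITY is deliberately absent.
TEAM_AUTH = (SUserGrp(("FINANCE", "HR", "SALES", "Z*"), ("02", "03", ACTVT_ASSIGN)),)
# A wildcard CLASS is the misconfiguration the control is meant to prevent.
WILDCARD_AUTH = (SUserGrp(("*",), (ACTVT_ASSIGN,)),)
# The power user only needs the one group the team may not touch.
POWER_AUTH = (SUserGrp(("SECURITY",), (ACTVT_ASSIGN,)),)

if __name__ == "__main__":
    print("team -> CAROL:", can_assign_role(TEAM_AUTH, CAROL))
    print("team -> ALICE:", can_assign_role(TEAM_AUTH, ALICE))
    print("risks:", self_assignment_risks([ALICE, BOB], {"ALICE": TEAM_AUTH, "BOB": WILDCARD_AUTH}))
```

The model leaves out ranges and the reference-user indirection, but the shape of the control is the same as in the system: the actor's CLASS values decide whose master record he may change, so the security team's own group must never appear in them, and a periodic run of something like self_assignment_risks over the team's actual authorization values is a cheap check that nobody has slipped a wildcard in.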

  • How to inherit roles between root organization unit and sub units

    Hi all,
    I have root organization unit and sub units:
    ->Company
    >Department 1
    >Department 2
    >Department 3
    >Department 4
    >Department 5
    I would like it to work so that all people from all departments have access to transaction ZTEST. The most obvious way for me would be to assign the appropriate role to the unit Company. Unfortunately it looks like roles are not inherited between units like this. So the question is how it should be done? Do I have to assign this role to all departments to make it work?
    Best regards
    Marcin Cholewczuk

    Hi,
    To activate inheritance of roles between the root org and sub org units, you need to set the switch HR_ORG_ACTIVE to Yes in table PRGN_CUST. Also the proper evaluation path has to be used so that user comparison (via PFUD) creates the indirect role assignment in the user master records.
    You can modify evaluation path US_ACTGR in table T77AW / tcode OOAW to include the root org and its subunits (add an entry for relationship O B002 O) and connect the role assigned to the root org to the users belonging to the sub org units. Then run PFUD, which will use this evaluation path to create the indirect role assignment.
    Thanks
    Sandipan

  • ABAP prog with Call Transaction  to SU01 will not add roles in a CUA client

    I am modifying a current ABAP program that works in a non-CUA client so that it hopefully executes in a CUA client. This program performs a Call Transaction to tcode SU01 and adds roles to an existing user. I used tcode SHDB to identify the new BDC commands needed for CUA when using tcode SU01. When executing the program in the CUA client it does not save the roles to the user. There is no error message or abnormal termination.
    When I assign the role to the same user that's referenced in my program directly with tcode SU01 it works fine. It's just when I run the ABAP program that the role assignment is not retained. I opened a Customer Message with SAP and they referenced OSS Note 93802 and said this was a consulting question. My program is not abending as referenced in Note 93802, it just does not add the role.
    Has anyone been able to get this to work in a CUA client?

    Hi,
    it should be fairly simple to create a new ABAP program using the BAPIs related to the business object USER. Call BAPI_USER_CREATE1 to create the users, and BAPI_USER_LOCACTGROUPS_ASSIGN to assign roles in a CUA environment. It should go something like this:
    " Input: one record per user, and one record per USERNAME / SYSTEM / ROLENAME
    TYPES: BEGIN OF ty_user,
             username TYPE xubname,
           END OF ty_user,
           BEGIN OF ty_role,
             username TYPE xubname,
             system   TYPE logsys,
             rolename TYPE agr_name,
           END OF ty_role.
    DATA: wt_users          TYPE STANDARD TABLE OF ty_user,
          wt_roles          TYPE STANDARD TABLE OF ty_role,
          wa_user           TYPE ty_user,
          wa_roles          TYPE ty_role,
          ls_logondata      TYPE bapilogond,
          ls_password       TYPE bapipwd,
          ls_address        TYPE bapiaddr3,
          wa_activitygroup  TYPE bapiagr,
          wt_activitygroups TYPE STANDARD TABLE OF bapiagr,
          wt_return         TYPE STANDARD TABLE OF bapiret2.

    " [read the user file into wt_users and the role file into wt_roles]
    LOOP AT wt_users INTO wa_user.
      " [fill ls_logondata, ls_address and ls_password from wa_user]
      CLEAR wt_return.
      CALL FUNCTION 'BAPI_USER_CREATE1'
        EXPORTING
          username  = wa_user-username
          logondata = ls_logondata
          password  = ls_password
          address   = ls_address
        TABLES
          return    = wt_return.
      " A BAPI reports failure in its RETURN table, not in sy-subrc
      READ TABLE wt_return TRANSPORTING NO FIELDS WITH KEY type = 'E'.
      IF sy-subrc = 0.
        CONTINUE.
      ENDIF.
      " Assign roles for the user; SUBSYSTEM is the CUA child's logical system
      CLEAR wt_activitygroups.
      LOOP AT wt_roles INTO wa_roles WHERE username = wa_user-username.
        CLEAR wa_activitygroup.
        wa_activitygroup-subsystem = wa_roles-system.
        wa_activitygroup-agr_name  = wa_roles-rolename.
        APPEND wa_activitygroup TO wt_activitygroups.
      ENDLOOP.
      " Only call the second BAPI if there is something to assign
      IF wt_activitygroups IS NOT INITIAL.
        CLEAR wt_return.
        CALL FUNCTION 'BAPI_USER_LOCACTGROUPS_ASSIGN'
          EXPORTING
            username       = wa_user-username
          TABLES
            activitygroups = wt_activitygroups
            return         = wt_return.
      ENDIF.
    ENDLOOP.
    Ideally, you would have two input files: one with the user data (one record per user), and another one containing the data for BAPI_USER_LOCACTGROUPS_ASSIGN (in the format USERNAME, SYSTEM, ROLENAME), one entry per line. You'd loop at the first table, containing the user data, then create the user, then loop at all entries in the system/role assignment file for the same username, building an internal table of role assignments; then call the second BAPI (provided there were any role assignments to assign for that user!).
    Hope this makes sense. It's not rocket science really; you can omit most of the parameters of BAPI_USER_CREATE1, and the second BAPI is even simpler. You could consider validating the input data by checking entries in table USRSYSACT, which contains all valid system/role assignments as seen from the CUA system (this table gets updated every time you do a "text compare" from within SU01).
    Regards,
    Trond

  • Automatic upload of roles from ECC to portal (UME with LDAP)

    Hi experts,
    This thread reopens the question asked in the following message: automatic upload of roles from BI to portal
    However, this time it concerns "UME with LDAP".
    Problem:
    The SAP Library for 04s tells us that it is not yet possible to automate role replication (or role assignment replication) from an ABAP-based back end to the NetWeaver Portal. Only a manual process for the initial upload is possible.
    Source = http://help.sap.com/saphelp_nw04s/helpdata/en/41/5e4d40ecf00272e10000000a155106/frameset.htm
    Questions:
    1 - Did anyone ever try to implement such an automatic tool?
    2 - What if I'm not able to write to the Active Directory? Am I still able, at least, to automate role assignment replication from the ABAP-based back end to the NetWeaver Portal (i.e. UME with LDAP)? Directly from SAP R/3 to EP through UME, without passing through Active Directory, since the group field is not maintained in AD.
    Many thanks for your inputs
    Alexis MARTIN

    Hello,
    As I did not read the previous thread I don't know exactly what you are trying to achieve, but I can tell you what we have done, as far as it is not too late yet.
    We use the portal with integration to a BI system. In the ABAP stack we have lots of roles with menu items for hundreds of reports. We want the users to see these roles in the portal.
    First we used the role migration tool of the portal to upload these roles. There is a Java API for executing role uploads from code. You need to create a web service in the Java stack to call this API, and you can call the web service from ABAP.
    However it is just a question of time and role size until this will not work at all. Standard role migration is more or less crap; stability is a problem. It also creates a lot of logs in the PCD and thus fills the database with trash. (After a few OSS messages there is now a program for deleting logs, and you can turn off logging.) Also the upload of larger roles takes up to an hour, and you always have the problem that your portal roles are not up to date during the day.
    When I got completely fed up, I implemented my own navigation connector. When you log on to the portal it connects to the ABAP stack via RFC, loads the role, and generates the portal menu from it. It uses caching, but on every logon it checks whether the role has been updated in ABAP since the last time it was loaded. It is up to date, faster than PCD navigation, and you need absolutely no periodic syncing at all. I can't even understand why this is not offered by SAP as standard!
    The drawback is that it will of course only work for the menu items, and only menu items of "URL type" are supported. I'm pretty sure however that it would be possible to implement a few other types as well.
    Let me know if you are interested in the solution, I can give you a few additional details: oliverDOTsvisztATwienerbergerDOTcom
    Oliver

  • Federated Portal Language change not visible on remote role

    Hi,
    Remote role assignment is done on the consumer portal. This remote portal role comes from a BI producer portal.
    This role has worksets and iViews attached to it, like the KM navigation iView etc.
    A user on the consumer portal has the option to change his language to French from the default English.
    The issue is that this language change does not reflect or apply to the remote role and its iViews or contents (it continues to show in English). But it works without problem on local roles or iViews, as expected.
    Any idea on how this language change can be applied to the remote role and its contents will be much appreciated.
    Regards,
    Ashok D

    Hello Ashok,
    You must remember that because this is RRA the content will actually run on the producer (unless this is an AI iView).
    This means that the language will be determined according to the user's language defined on the producer itself; therefore you have to change the language of that specific user on the producer portal.
    If this does not help it might be that the iView is forcing the language; then we'll have to try something else.
    Update me with the results of the first triage.
    Also have a look at SAP Note # 1295703 under the Language category; it explains the algorithm for determining the language.
    Best Regards,
    Nadav.

  • Advice needed: what does your company log for SAP security role changes?

    My client has a situation where for many years they never logged changes to SAP security roles. By that I mean they never logged even basic details, like who requested a change, who tested it, who approved it, and what changed! Sadly their ticketing system is terrible: completely free-form text and not even searchable.
    Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about projects that involve dozens of changes and testing over several months?
    I plan to recommend, at least, that they use a unique number (a ticket number, or whatever) for every change and record it in the PFCG role description tab, plus in the CTS description of transports... but what about the other details, since they have a bad ticketing system? I spoke with internal audit and the change management "manager" about it, and they are clueless and will not make recommendations. It's really weird, but they will get into big trouble eventually without any logs for security changes!

    > Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
    I have questions:
    a) Do you want to make things straight?
    b) Do you want to implement a versioning mechanism?
    c) You cannot implement anything technical, but you're asking about best "paper" practice?
    The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management):
    task based, approvals, risk analysis, SoD, and role generation and maintenance in a structured way (Business Role Management). Workflow based, staged process with approvals.
    PFCG transaction usage will be curtailed to a minimum if implemented fully.
    Do we really want to do things "outside" PFCG?
    @all:
    a) Do you guys use custom approval workflows for roles?
    b) How tight are your processes? How much paperwork, workflow, tickets, requests and incidents do you have to go through to change a role?
    c) Who is a friend of GRC here? Raise your hand.
    Cheers, Otto
    p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild

  • CUA with HR-Org - How to assign systems for role

    Dear all,
    We are planning to use CUA with HR-Org assignment. Can anyone please explain to me how or where the system for the role comes from?
    I mean, normally in SU01 -> Role Assignment I have the system in the first column and the role in the second column. If the role assignment comes from HR-Org there is always the local logical system in the system column. This is not what we want.
    CUA is on Solution Manager, HR-Org is replicated from the R/3 HR system, and the user needs the roles in the ECC production system.
    So how can we manage the system/role combination assignment?
    Thanks for any hints.
    Best regards
    Roman

    Hi,
    If I understand your problem you want to do role assignment from the HR-Org structure on a system that is using CUA.
    I have only managed this successfully when the CUA master is also the system with the HR-Org structure on it. Otherwise you have lots of issues with replicating data between systems. I did this for a UK council's SAP solution where we allocated all the roles from the HR system, including roles on ECC, SRM(EBP), CRM and BI - so it does work.
    PO13 on the system with the org. structure will only allow you to allocate a role that exists on that system, but if the roles that you are allocating are composite roles that include single roles on other systems, you can achieve this sort of business role allocation without having to go the IdM route.
    Darren Hague (no relation) gave a presentation at SAP Tech Ed 07 on such a scenario, that explains how the composites would be set up far better than I can, but in essence you use the CUA connectivity and the rights of the CUA master system (which includes the org. structure) to allocate roles on other systems / clients in your CUA landscape.
    Have a search through SAP Tech Ed 07 presentations and you should find what you are looking for.

  • Indirect Role Assignment: Composite roles

    Can anyone shed some light regarding the following scenario:
    We have a user previously assigned to a managerial position, and this position is attached to an MSS composite role in PO13 (through the AG relationship). Now this user has been delimited from that managerial position and is assigned to a new position as normal staff, so he shouldn't have the MSS composite role anymore. We ran the update in PFUD with HR Org-assignment reconciliation, but we still find the composite role for managers in his user master record in SU01.
    What might be wrong?

    > Items to check for before running RHPROFL0:
    > PA Records info for the User
    > ==================
    > 1.  Was the HR check pointer on when the position was delimited?
    > 2.  Is the position truly delimited
    > 3.  Does the IT105/ST0001 match the person's user ID
    > 4.  How many position does this person hold in the PA record
    > 5.  Check if the new position have the correct roles for this person, it might actually have the MSS composite role you are trying to remove access from the user.
    Hi John, thanks for your response to this thread.
    We have not scheduled RHPROFL0 to run. Correct me if I'm wrong, but isn't this only needed when PD profiles are used? We are not assigning structural profiles through PD profiles in PO13; we do it manually in OOSB instead. Besides, I am not able to run that program anyway, because we have CUA set to Global, and no indirect role assignment is possible. We can only do the comparison via the HR-Org assignment reconciliation in PFUD. Can this somehow be the main reason?
    I also found out that our PRGN_CUST has no entries in it: HR_ORG_ACTIVE is not on. <<--- Does this only need to be switched on if our CUA is set to Local? Do I need this?
    Then, my answers below to your questions:
    1. Do you mean the "pink-arrow-up" icon from the old position? Then the answer is yes.
    2. Then position itself it not delimited, only the user assignment is. In PPOSE, it shows that the person is assigned to this old position from 01.04.2007 until 31.01.2008. So I guess in that sense, it tells that the position is truly delimited.
    3. Yes
    4. In PA records I can see many records under different validity dates, but they are all records of the new position. The earliest record (the one at the end of the list) was a record attached to a default position and without any organization assignment. Then, in PA > List Organizational Assignment screen, there is a system message that says "Employee has more than one position". --> Does this refer to the non-listed old position? or default position + new position in PA record?
    5. No. The new position is just an ordinary employee without any indirect role assignment.
    We also tried to remove the MSS-composite role from the old position in PO13, but it doesn't make any difference to the user master record in SU01.
    For your reference as well, this is what our US_ACTGR looks like:
    No.  Obj.type  A/B  Relat.  Obj.type
     40  AG        A    007     S
     50  AG        A    007     US
     60  AG        A    007     P
     70  P         B    208     US
    110  S         A    008     *
    Hope this information tells something.
    I appreciate your time and many thanks in advance for your help!
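As an added example that is not code from either thread and not SAP code, covering both Sandipan's answer in the "How to inherit roles between root organization unit and sub units" thread above and the US_ACTGR listing just quoted: a Python interpreter for an evaluation path, run over constructed HRP1001-style relationship records. The object IDs, the role name Z_ZTEST, the user IDs and the path lines are assumptions modelled on the standard object types O, S, P, US and AG. It shows that a role attached to the root org unit reaches users in the sub units only once the O B002 O line is in the path, and that a holder relationship delimited before the key date drops out of the result, which is what the reconciliation should do for the delimited manager.

```python
"""Evaluation-path walk for indirect role assignment.

Added example, not code from the threads or from SAP: a small interpreter
for an OOAW-style evaluation path run over constructed HRP1001-like
relationship records. Object types, IDs, relationships and the path lines
below are assumptions modelled on the standard objects (O, S, P, US, AG)
and the US_ACTGR lines quoted in the thread.
"""
from collections import namedtuple
from datetime import date

# One relationship record: (otype, objid) --relat--> (sclas, sobid), valid begda..endda.
# Only the direction the path follows is constructed (HRP1001 also stores the inverse).
Rel = namedtuple("Rel", "otype objid relat sclas sobid begda endda")

# One evaluation-path line as in T77AW: applies to objects of type otype ('*' = any)
# and follows relationship relat to objects of type sclas ('*' = any).
PathLine = namedtuple("PathLine", "seqnr otype relat sclas")

ROOT_ONLY = [
    PathLine(10, "AG", "A007", "*"),   # role "describes" O, S, P or US
    PathLine(20, "O", "B003", "S"),    # org unit "incorporates" position
    PathLine(30, "S", "A008", "P"),    # position "holder" person
    PathLine(40, "P", "B208", "US"),   # person -> user ID (stands in for IT0105 subtype 0001)
]
# The extra line from Sandipan's answer: descend from an org unit to its sub units.
INHERIT = sorted(ROOT_ONLY + [PathLine(15, "O", "B002", "O")])


def resolve_users(path, rels, start, key_date):
    """Return the set of user IDs reached from start=(otype, objid) on key_date."""
    found, seen, stack = set(), set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        otype, objid = node
        if otype == "US":
            found.add(objid)
            continue
        for line in path:
            if line.otype not in ("*", otype):
                continue
            for r in rels:
                if (r.otype, r.objid, r.relat) != (otype, objid, line.relat):
                    continue
                if line.sclas not in ("*", r.sclas):
                    continue
                if not (r.begda <= key_date <= r.endda):
                    continue          # delimited, or not yet valid, on the key date
                stack.append((r.sclas, r.sobid))
    return found


LOW, HIGH = date(1900, 1, 1), date(9999, 12, 31)

# Constructed org structure: Company (O 1000) with two departments, one position each.
ORG = [
    Rel("AG", "Z_ZTEST", "A007", "O", "1000", LOW, HIGH),   # role on the root org unit
    Rel("O", "1000", "B002", "O", "1100", LOW, HIGH),       # Company is line supervisor of Dept 1
    Rel("O", "1000", "B002", "O", "1200", LOW, HIGH),       # Company is line supervisor of Dept 2
    Rel("O", "1000", "B003", "S", "5000", LOW, HIGH),       # Company incorporates position 5000
    Rel("O", "1100", "B003", "S", "5100", LOW, HIGH),
    Rel("O", "1200", "B003", "S", "5200", LOW, HIGH),
    Rel("S", "5000", "A008", "P", "9000", LOW, HIGH),       # position holders
    Rel("S", "5100", "A008", "P", "9100", LOW, HIGH),
    Rel("S", "5200", "A008", "P", "9200", date(2007, 4, 1), date(2008, 1, 31)),  # delimited
    Rel("P", "9000", "B208", "US", "CEO", LOW, HIGH),
    Rel("P", "9100", "B208", "US", "DEPT1USER", LOW, HIGH),
    Rel("P", "9200", "B208", "US", "DEPT2USER", LOW, HIGH),
]


def demo():
    """Users holding Z_ZTEST: without O B002 O, with it, and after the delimiting date."""
    role = ("AG", "Z_ZTEST")
    before = resolve_users(ROOT_ONLY, ORG, role, date(2008, 1, 15))
    after = resolve_users(INHERIT, ORG, role, date(2008, 1, 15))
    later = resolve_users(INHERIT, ORG, role, date(2008, 2, 15))
    return before, after, later


if __name__ == "__main__":
    before, after, later = demo()
    print("without O B002 O:", sorted(before))
    print("with O B002 O:   ", sorted(after))
    print("after delimiting:", sorted(later))
```

The walk is the shape of what the reconciliation does when it derives indirect assignments: start at the role, follow only the relationships the path lists, in the order of the path, and keep only records valid on the key date. If a delimited position still yields the role after the run, the record that is still valid is somewhere else (a second position in PA, a direct assignment in SU01, or the role attached to the new position) rather than in the path itself.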

  • GRAC AC 10 CUP E-Mail Notification for Role Owner to approve

    Hello Experts ,
    I have my CUP working in such a way that role owners are able to go to their Inbox in UI>My Home . However I would like to send E-mail into their Inbox . Right now we are getting the e-mail only at the end of the request when the request is completed.
    What should be configured in MSMP ?  Following notification events defined for Process ID Access Request Approval Workflow
    Notification Event : END_OF_REQUEST Template ID : GRAC_AR_SUBMIT Recipient ID: Requestor
    For the stage Config ID GRAC_ROLEOWNER notification settings are :
    Notification Event: NEW_WORK_ITEM Template ID: GRAC_AR_NEW_WORK_ITEM Recipient ID: Current Approvers.
    What else do I have to do .
    Reg,
    Anthony

    Hi,
    You will need to make sure that the submission and new work item notifications are activated in MSMP at the various stages, and also make sure that the approvers are marked for both approval and notification in the agent assignments.
    I would also check to make sure that their email addresses are maintained correctly in the GRC system (the data sources will not pick up the approver email addresses automatically).
    Cheers, Simon

  • How to list principals in the security role?

    Does anybody know how to list principals assigned to a security role programmatically?
    The role assignment is specified in weblogic.xml files for web applications and
    weblogic-ejb-jar.xml files for EJBs.
    Any help would be much appreciated,
    Margaret

    I think it's not possible. However, what you can do is to assign a role to a
    group (this relationship being statically defined in weblogic.xml) and then
    manipulate the group membership in order to assign users to the role on the
    fly.

  • Additional system roles in SOLAR01/SOLAR02

    Hello,
    Is it possible, by customizing or something else, to have more than the Dev/QAS/Prod system roles selectable in SOLAR01 and SOLAR02?
    I have logical components where there are other types of systems, and I would like to use them in my Blueprint/Configuration.
    Thanks.
    Thomas

    Goto SMSY
    Goto Project Landscape
    select your project
    Now you see your logical components for your project. Here you can add other system roles via System Role Assignment, like evaluation, demo, SAP reference etc. If you want more than are available here, click on "System Roles" in the System Role Assignment and you can add your customer roles.
    once you did that, this will be visible in solar02 / system-role

  • How to remove transaction that was added under Menu - Role Menu

    We have roles from which we need to remove some transactions.
    These transactions were added under Menu - Role Menu, expanded (for example Logistics) and the MIRO transaction picked.
    When I go to PFCG and check under S_TCODE I cannot remove the MIRO transaction since it's grayed out.
    The only way to remove it is to go back to the Menu, do a find on MIRO, work through the menu until I get to the MIRO transaction, and then delete it.
    Is there another way to accomplish this?
    Thanks
    Joe

    This is the intended way a role built from a menu works. What would be the use of an authorization without any corresponding transaction to start it? It is only a risk...
    Unless of course you know better or design differently and don't make the effort to adjust SU24; then you can insert manually or cause "changed" authorizations, but PFCG will look at it from a "your own fault" view and will not adjust it or protect it against illogical changes.
    Using the discipline of the one approach but keeping the flexibility of manual authorizations is not possible for the S_TCODE, S_RFC and S_SERVICE objects (the entry points).
    Cheers,
    Julius

  • Assign remote roles with Federated portals

    Hello all,
    We're trying to implement a federated portal network using the "Implementing a Federated Portal Network in Detail" document.
    The steps that we have followed successfully are:
    1. Connect to the user repository (producer and consumer).
    2. Configure system settings (producer and consumer).
    3. Define and configure producers (consumer).
    4. Set permissions (producer).
    Now we want to assign remote roles to local users in User Administration -> Proxy-to-remote Roles. But the "Proxy-to-remote Roles" tab doesn't appear in the second-level navigation...
    We are working with EP7 SP10.
    Any idea?
    Thanks in advance

    Maybe a clue: in addition to the remote role assignment question, we have a similar problem using the remote content copy option.
    In the consumer EP, Content Administration -> Portal Content, the Netweaver Content Producers contains the producer connection icon but it's empty. So, the content share can't be done...
    Now... Any idea?
    Thanks!
