Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP_J2EE* roles - shouldn't they have authorziations?

Go to solution
Former Member

‎08-09-2006 7:57 PM

0 Kudos

Hello,

We just upgraded to BI (using the portal) and are running into some issues with users.

As I understand it, any user created in the SAP backend system is automatically going to be created in the portal. The roles assigned to the user should contain whatever authorziations they require to execute the various and queries (referring to end users only). Are any SAP_J2EE* roles required to be assigned to the user in order for them to access the portal? The user is assigned the applicable portal role, such as for Business explorer or Business Intelligence. (pcd.. . . )

For example, I created a test user in the backend, Ztestjn, with a BI role assignment and assign a portal role to the ID in the portal. I verified with my own ID that the test ID exists with the selected roles assigned.

When I try to log into the portal with this test ID, it won't allow me to log in. However, when I assign the SAP_J2EE_ADMIN role in the backend to this test ID, I can log into the portal. (I can log in via the backend with this test ID w/o the SAP_J2EE* role assigned)

However, in PFCG, there are no authorizations in the SAP_J2EE_admin role, so it shouldn't make a difference as to whether or not any of the SAP_J2EE* roles are assigned to the user.

Since there may be several culprits as to the issues we are having, I have several questions.

1. Does an SAP_J2EE* role (such as the guest role) need to be assigned to the user in the backend (SU01) in order for it to access the portal?

2. Should there be authorziations (objects, etc), in the SAP_J2EE* role? Ours may have not been imported properly since the role is empty.

Thanks in advance

1 ACCEPTED SOLUTION

Go to solution
Frank_Buchholz
Product and Topic Expert
Product and Topic Expert

‎08-10-2006 11:45 AM

0 Kudos

Hello Julie,

it seems that you have configured the Portal to use ABAP as the user store. All users in the ABAP system are visible in the Portal, too. The ABAP role assignments are visible as UME group assignments in the Portal.

>For example, I created a test user in the backend,

>Ztestjn, with a BI role assignment and assign a portal

>role to the ID in the portal.

>When I try to log into the portal with this test ID, it

>won't allow me to log in. However, when I assign the

>SAP_J2EE_ADMIN role in the backend to this test ID, I

>can log into the portal. (I can log in via the backend

>with this test ID w/o the SAP_J2EE* role assigned)

Sounds strange...

>1. Does an SAP_J2EE* role (such as the guest role) need

>to be assigned to the user in the backend (SU01) in

>order for it to access the portal?

No, it should not be neccessary to assign an SAP_J2EE* role like SAP_J2EE_GUEST if the user is already assigned to other Portal roles or UME roles.

>2. Should there be authorziations (objects, etc), in the

>SAP_J2EE* role? Ours may have not been imported properly

>since the role is empty.

No, the ABAP roles which are used only to get UME group assignments do not contain ABAP authorizations.

Kind Regards

Frank

Online Help

Integrated User and Access Management

http://help.sap.com/saphelp_nw2004s/helpdata/en/42/e4f0dfe4cc3ee1e10000000a1553f6/frameset.htm

5 REPLIES 5

Go to solution
Frank_Buchholz
Product and Topic Expert
Product and Topic Expert

‎08-10-2006 11:45 AM

0 Kudos

Hello Julie,

it seems that you have configured the Portal to use ABAP as the user store. All users in the ABAP system are visible in the Portal, too. The ABAP role assignments are visible as UME group assignments in the Portal.

>For example, I created a test user in the backend,

>Ztestjn, with a BI role assignment and assign a portal

>role to the ID in the portal.

>When I try to log into the portal with this test ID, it

>won't allow me to log in. However, when I assign the

>SAP_J2EE_ADMIN role in the backend to this test ID, I

>can log into the portal. (I can log in via the backend

>with this test ID w/o the SAP_J2EE* role assigned)

Sounds strange...

>1. Does an SAP_J2EE* role (such as the guest role) need

>to be assigned to the user in the backend (SU01) in

>order for it to access the portal?

No, it should not be neccessary to assign an SAP_J2EE* role like SAP_J2EE_GUEST if the user is already assigned to other Portal roles or UME roles.

>2. Should there be authorziations (objects, etc), in the

>SAP_J2EE* role? Ours may have not been imported properly

>since the role is empty.

No, the ABAP roles which are used only to get UME group assignments do not contain ABAP authorizations.

Kind Regards

Frank

Online Help

Integrated User and Access Management

http://help.sap.com/saphelp_nw2004s/helpdata/en/42/e4f0dfe4cc3ee1e10000000a1553f6/frameset.htm

Go to solution
Former Member
In response to Frank_Buchholz

‎01-08-2008 5:29 PM

0 Kudos

Hi Did you fix you issue

I am facing the samer one

I would be gratefull if you could help me

Thanks in advance

K

Go to solution
Matt_Fraser
Active Contributor

‎01-08-2008 7:18 PM

0 Kudos

Hi Julie,

No, you do not need to assign any ABAP roles specifically in order to enable Portal logons, but you do need to assign Portal roles! Portal roles can be mapped to ABAP roles, and this is the case with SAP_J2EE_ADMIN, so that's why your experiment worked when you assigned your test user this role, even though the role contains no ABAP authorizations. If you look in the User Administration area in your Portal, you'll find that you can search on the various ABAP roles (they are called Groups in the Portal), and if you search on SAP_J2EE_ADMIN, you'll be able to look at the mappings to Portal/J2EE roles. For this role in particular, there will be several, but one you are interested in will have a name like 'everyone' or something similar. You probably need your Portal users to have this Portal group to enable basic Portal functionality.

Rather than assign this group to each and every user, however, the easier way is to map it to your basic enduser ABAP role, so every user who has that ABAP role will automatically get the Portal 'everyone' group.

In our case, we use the Portal for ESS/MSS (not BI... yet), so I mapped the ABAP role Z.EMPLOYEE_ERP (which every user gets) to the Portal roles 'employee_self_service' and 'erp_common.'

--Matt

Go to solution
Former Member
In response to Matt_Fraser

‎01-08-2008 8:34 PM

0 Kudos

Hi Matt,

How to map the portal roles to the abap roles. Is it done on the portal side or on the abap engine. Can you please give the steps to map portal roles to abap roles.

Thanks.

Go to solution
Matt_Fraser
Active Contributor
In response to Matt_Fraser

‎01-08-2008 10:12 PM

0 Kudos

Narsing,

It is done from the Portal side. Switch to the User Administration tab, Identity Management. In the Search Criteria, select 'Group,' make sure that either 'All Data Sources' or 'R3_ROLE_DS' is selected, and type in the name of the ABAP role you are interested in, then press 'Go.' The role should show up in the hit list; select it and details will appear below. In the details, select the 'Assigned Roles' tab. Note that if any are already assigned, they don't show up until you hit 'Go' to search. Also pay attention to the 'Search Recursively' selection box -- if you check that, then you will also see subroles. Anyway, now you can click 'Modify' and start picking the Portal roles you want to assign to your ABAP role.

--Matt