07-30-2009 2:16 PM
Hello Experts,
I have the following BW roles available in my SAP ECC6.0 IDES.
I have clubbed them into a single composite role and have
assigned it to one user.
IDESBW_ADMIN_R3
SAP_BW_ALL
SAP_BW_ANZEIGER
SAP_BW_AWTEST
SAP_BW_DEVELOPER
SAP_BW_PATTERN_OBJECTS
SAP_BW_SEM_BPS_APPLICATIONS
SAP_BW_SEM_LP
SAP_BWC_0ROLE_0054
SAP_BWC_BBP_PURCHASING
SAP_BWC_BUSINESS_UNIT_ANALYST
SAP_BWC_CO_INVENTORY_ACCOUNTIN
SAP_BWC_CO_PA_REPORT_DEMO
SAP_BWC_CO_PROD_COST_PLANNING
SAP_BWC_MRP_CONTROLLING
SAP_BWC_PATTERN_OBJECTS
SAP_BWC_PUR_ORDER_ANALYSIS
Z_HR_BW
ZSAP_BW_0ROLE_0162
But the user is not able to run any transaction (like rsa3, rsa5 etc.). He is getting
the error "You are not authorized to this transaction".
As a DDIC user I am able to run all those transactions but I am
not able to change the authorization of the roles and getting error
"The role is not in customer namespace".
Can anyone help in this regard? I.e., without DDIC privilege, how
to run these BW related transactions in ECC6.0 IDES with the help
of the above roles only?
Please Help..
Anupam..
07-30-2009 3:08 PM
Hi Anupam,
It's not a good practice to give an SAP standard role to a new composite role. It is advisable to first create the Z* role from the required role (copy) and then put it into a composite role.
Run transaction SU53 after you get the error "You are not authorized to this transaction". It gives you the exact missing authorization.
For more details
http://help.sap.com/saphelp_nw70/helpdata/EN/52/6714a9439b11d1896f0000e8322d00/frameset.htm
SAP Note 910010
Regards
Rafikul
07-30-2009 4:40 PM
Hi,
Check whether the transaction is already included in the role..
If it is already there, then check whether the role is properly generated...
Also, as suggested, SAP roles should not be used.. You should create a new Z* role with the help of the SAP standard role, then you can change the roles accordingly.
SAP standard roles should not be changed..
Regards,
Sandip.
07-30-2009 4:56 PM
> But the user is not able to run any transaction (like rsa3, rsa5 etc.). He is getting
> error that "You are not authorized to this transaction".
>
SAP standard roles don't come with generated profiles. For your information: roles don't provide any authorization; rather, it is done by the profile, and a generated profile means all the authorization instances are active and current. So, the standard SAP roles you are assigning will not give access to any TCodes.
> As a DDIC user I am able to run all those transactions
DDIC is a super user and contains the SAP_ALL & SAP_NEW profiles, which provide unrestricted access.
> but I am not able to change the authorization of the roles and getting error
> "The role is not in customer namespace".
SAP doesn't allow changes to any SAP standard objects, not only roles... So, if you want to use the roles you mentioned, first copy them into new roles which do not start with "SAP_", generate their profiles and then assign those roles to the user IDs.
Besides all this, I see the need for SAP Security training to get an overview of all of this. Please try to attend an SAP Security course.
Regards,
Dipanjan
07-31-2009 4:29 PM
This is because, I guess, none of the standard roles listed by you have RSA3 or RSA5 in them.
You can create your own role for these missing transactions and assign it to the users.
And when it comes to generating SAP standard (delivered) roles, who really wants to spend
time on following the standards for an IDES system? If it were me, I would generate and use SAP
standard roles.
08-01-2009 12:23 PM
Dear Anupam,
You should create Z* roles for end-user access. You can copy the SAP standard roles, make them Z* and club them as composite roles.
Once you log in with the user ID DDIC, please create a BASIS user ID with SAP_ALL and SAP_NEW access.
You should not use DDIC, since it is a standard SAP user. One more thing, if they are authorized to access any of the transactions, please request them to execute SU53 and send it to the BASIS team.
If you want to run BW transactions in ECC 6.0, BI related support packages should be installed. Please ensure that.
Note: please ensure that whatever roles you are copying from standard SAP roles have access to all BW t-codes. If not, please add them in menu -> transactions. Developers need access to these kinds of basic t-codes of BI.
Hope this helps you.
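
The checks suggested in the replies above (is the transaction in a role menu, does that role have a generated profile, is it a delivered "SAP_" role that has to be copied first) can be written as a small triage routine. This is an added example, not code from the thread or from SAP: the role names, user ID and role contents are constructed, and it assumes a generated profile grants the start authorization for every transaction in the role's menu.

```python
from typing import NamedTuple

class Role(NamedTuple):
    tcodes: frozenset          # transactions in the role menu
    profile_generated: bool    # has a profile been generated for this role?

# Constructed data: role names, user ID and role contents are hypothetical.
SINGLE_ROLES = {
    "SAP_DEMO_BW_STANDARD": Role(frozenset({"RSA3"}), False),  # delivered, never generated
    "Z_DEMO_BW_COPY": Role(frozenset({"RSA5"}), True),         # customer copy, generated
    "Z_DEMO_BW_DRAFT": Role(frozenset({"RSA7"}), False),       # customer copy, not generated
}
COMPOSITE_ROLES = {
    "Z_DEMO_BW_COMPOSITE": ["SAP_DEMO_BW_STANDARD", "Z_DEMO_BW_COPY", "Z_DEMO_BW_DRAFT"],
}
USER_ROLES = {"BWUSER1": ["Z_DEMO_BW_COMPOSITE"]}

def single_roles_of(user):
    """Expand the user's assignments: composite roles resolve to their single roles."""
    out = []
    for name in USER_ROLES.get(user, []):
        out.extend(COMPOSITE_ROLES.get(name, [name]))
    # Deduplicate while keeping order; ignore names with no role definition.
    return [r for r in dict.fromkeys(out) if r in SINGLE_ROLES]

def diagnose(user, tcode):
    """Return (verdict, roles) explaining whether `user` can start `tcode`."""
    carrying = [r for r in single_roles_of(user) if tcode in SINGLE_ROLES[r].tcodes]
    if not carrying:
        return "NOT_IN_ANY_ROLE", []       # add the transaction to a Z* role menu
    active = [r for r in carrying if SINGLE_ROLES[r].profile_generated]
    if active:
        return "OK", active
    # The transaction is in a menu, but no generated profile stands behind it.
    # Delivered SAP_* roles are copied to the customer namespace before changes.
    if all(r.startswith("SAP_") for r in carrying):
        return "COPY_TO_Z_AND_GENERATE", carrying
    return "GENERATE_PROFILE", carrying

if __name__ == "__main__":
    for t in ("RSA3", "RSA5", "RSA7", "RSA1"):
        print(t, *diagnose("BWUSER1", t))
```

On a real system, the SU53 output for the failing user remains the authoritative record of which authorization check failed.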