02-18-2011 11:38 AM
Hi,
I am in a security project, and after the role design was done there are a lot of roles designed by our functional consultants. There are 33 company codes present in the company, and a few end users are responsible for 20 company codes, so I saw more than 450 derived roles created per user. Now my question is: can I assign 450 roles to a user?
As far as I know, a maximum of 312 roles can be assigned to a user. But is there any profile parameter available in SAP so that I can assign more than the default maximum number of roles?
Thanks,
Sudip
02-18-2011 11:57 AM
02-18-2011 12:23 PM
Hi Bernhard,
I could not understand the solution you provided. Please tell me the answer in a descriptive way.
Thanks,
Sudip
02-18-2011 2:05 PM
Bernhard is suggesting that you use the forum search for your query. You may also want to include search term USR04.
Alternatively you can get the info from the following link before this thread is moved to the test forum:
http://lmgtfy.com/?q=Maximumrolesassignmentperuser+SAP
02-18-2011 4:57 PM
Furthermore, when searching you should pay close attention to the difference between a role with a generated profile and a role without a generated profile.
Cheers,
Julius
02-28-2011 9:57 PM
Sudip:
A tricky way could be merging 2-3 roles together, based on feasibility. You can use the option 'insert authorization from profile' in PFCG. It helps to reduce the profile count per user.
And I don't have an answer for your question regarding the profile parameter. Please post your solution if you have any. This is very interesting!
cheers ....
Sujit
03-01-2011 2:13 AM
Hi,
Try to use a composite role instead of a single role!
Hope it helps you.
rgds,
Alfonsus Guritno
03-01-2011 9:09 AM
Nevertheless he will need to redesign his concept, because including the single roles into composites won't reduce the number of assigned profiles which in fact builds the assignment limit. I read such suggestions quite often in the past, but I can't see the advantage regarding max. number of assigned profiles... Do you?
thx, Bernhard
03-01-2011 7:07 PM
> Nevertheless he will need to redesign his concept, because including the single roles into composites won't reduce the number of assigned profiles which in fact builds the assignment limit. I read such suggestions quite often in the past, but I can't see the advantage regarding max. number of assigned profiles... Do you?
> thx, Bernhard
If someone can convince me that it's a good idea to increase the max number then I will eat Julius' hat - the one that he hasn't eaten yet!
03-01-2011 7:17 PM
> If someone can convince me that it's a good idea to increase the max number then I will eat Julius' hat - the one that he hasn't eaten yet!
I'm fairly certain Julius still owes me a hat too.
But it was a basic thread which seems to have been an interview question which vaguely related to our 19th Century 4.6C steam driven system and back porting...but I don't think the OP ever replied in the end so maybe that doesn't count!
Cheers
David
03-01-2011 7:37 PM
An auditor once had the task to audit a system of "mine" and ended up going for speculation about improvement possibilities in his presentation to the CIO (who was originally an ABAP developer when he started in the company!)
<blabla>The overall security of the roles could be improved by using composite roles to reduce the number of roles (okay... you can use "personalization" attached to composites...) and therefore profiles assigned to the users. This will (apparently) make maintenance easier (I think he wanted to derive the composites?) and produce less SoD conflicts requiring mitigating controls, thereby avoiding long debates with the auditors each time.</blabla>
I let him walk into that one on his own steam... the resultant discussion was like a Monty Python scene, or possibly even Blackadder...
Cheers,
Julius
ps: Regarding my hat (http://www.chocolates-ala-carte.com/look/news/candy_mag_feb07/c_i_hat.jpg): Easter is around the corner.
pps:
> If someone can convince me that it's a good idea to increase the max number then I will eat Julius' hat
Actually I can smell blood in the water here via object K_REPO_CCA...
Edited by: Julius Bussche on Mar 1, 2011 8:40 PM
03-01-2011 8:31 PM
> Monty Python scene, or possibly even Blackadder...
We are the Knights of Ni!
Amazing how we can always use a Monty Python sketch.
You were lucky, in my day we had to create profiles without PFCG, our security manager would come home at night and kill our transports and make us lick our profiles clean and then kill us...and we were grateful...
Edited by: David Berry on Mar 1, 2011 8:32 PM
03-02-2011 12:03 PM
> > If someone can convince me that it's a good idea to increase the max number then I will eat Julius' hat
> Actually I can smell blood in the water here via object K_REPO_CCA...
>
> Edited by: Julius Bussche on Mar 1, 2011 8:40 PM
It's still generally the same root cause issue.....
03-01-2011 7:28 PM
Sudip
Maybe consider working out the combinations of company code (or plant for MM) and build a few extra versions of the originals?
Nice way to occupy a Wednesday afternoon...
Cheers
David
PS That bat and ball is packed away - Fishing next
03-01-2011 10:12 PM
> I am in a security project and after role designing is done there are lot of roles designed by our functional consultants.
Great!!
> And there are 33 company codes present in the company. And few end users are responsible for 20 company codes, So when I saw per user more than 450 derived roles created. Now my question is can I assign 450 roles to a user?
Yes. Assign SAP_ALL directly.
>
> As far as I know 312 roles can be assigned to user max.
Please have a look into the SAP Note#410993.
> But is there any profile parameter available in SAP so that I can assign more than default maximum roles.
We all are looking for it.
regards,
Dipanjan
03-02-2011 12:03 AM
Sometimes the concept of company plant combination roles sounds strange but may be necessary - the naming convention can cause confusion but derived roles can help (I hate them) but I think are better than sets of singles
Edit - related org levels need to be considered but that should be a given
Edited by: David Berry on Mar 2, 2011 12:06 AM
03-02-2011 8:04 PM
Hi Sudip,
Sorry for the jokes about hats - it is an ancient reservation for security horse races on SDN... just a bit of fun
Anyway, there is a way to double the number of profiles available to the user for successful authority-checks from 312 to 624 (no jokes, not well known, and not much easily understood documentation) --> reference users.
Via coding techniques and escalation of privileges you can take it much further than that: See the documentation in transaction ABAPDOCU on the "AUTHORITY-CHECK" statement extension "FOR USER" (as of release 7.00). Very powerful and to be used carefully but for isolated cases it can be useful to artificially extend authorizations or simulate checks before performing user-switches in program controls etc.
Here it is the responsibility of the developer to make the decision and how to react to it (and where the USER variable comes from... e.g. remote calling programs is a bad idea....).
Cheers,
Julius
03-04-2011 6:33 AM
Hi Sudip,
Create a reference user, assign the remaining roles to the reference user, include the reference user ID in the main user's references field, and save. It will approximately double the total number of roles that can be assigned to a user.
regards
rasheed
03-04-2011 8:26 AM
Thanks guys. I have resolved my issue on my own.
The solution is:
A few users work for one particular company code, like 1000. So, here I have no issue. I created one derived role and maintained 1000 in the CC org value, and the naming convention of the role I maintained is like Z:ROLENAME_1000.
But a few users work for 22 CC, so I created one more derived role and maintained all the 22 CC in the org value.
And the naming convention I maintained here is Z:ROLENAME_9999. Here 9999 refers to the users who work for 22 CC.
So, instead of assigning different derived roles for all 22 CC, I assigned him only one role.
Thanks once again for replying to my thread.
Sudip
03-04-2011 2:33 PM
I must appreciate the solution... especially after a redesign...
Regards,
Arpan Paik