Authorization Object for 0TCTBISBOBJ - restriction field too short in PFCG

Similar Messages

• Authorization Object for Account Assignment field

  HI all,
  We wanted to restrict the users from creation of PO (in ME21N) against the specific Internal Orders (Account assignment KNTTP='F'). So that user can use Internal orders assigned to his Business Area only.
  Which authorization object i can use to restrict the user to use specific Internal order during PO creation and change. ??? I tried to check authorization object listed under t code ME21n but none of them restrict Internal order.
  Is there any std. object available, if not then what I need to do while creation of customized authorization object (in SU21), how system will call this authorization object in ME21N while using Acc. Assignment u201CFu201D. more detailed answers will be more useful.
  Thanks...

  Hi frnd...
  i think you want to allow all users to use acct. ***. "F",
  but you want to stop the user from using ir-relevant internal orders.
  For this, i think you can create a "Z" table having fields:
  1)User ID - (key field)
  2)Internal Orders - (key field)
  3)Access.
  Make the entries of the users against the internal orders. (if you  want any user to access all the internal orders, then make entry (*) in the field access. 
  While creating GRN check these entries, if the entry exist, let user use that internal order, if not give the error as you are not authorized.
  To do all these, you have to use user - exit. which one i dont  know...
  kindly let me know, if you use any.
  njoy SAP...
  njoy Lyf...
  Regards,
  Amit P Hiran

• Authorization object  for PLANNING PLANT

  Hi all,
  My client has different Planning plant & Production plant.
  If I need to give access to GR for order (MB31), how do I know the authorization object for the Planning plant.
  User should be given access to MB31 to the Planning plant & NOT to the Production plannt.
  Any idea where we could find the authoriz. objects for a particular field?
  Pls advise.

  Goods Receipt for Production Order: Movement Type            M_MSEG_BWF
  Goods Receipt for Production Order: Plant                    M_MSEG_WWF
  these are the authorisation objects with activities as  ACTVT and WERKS
  Maintaine the values for ACTVT  as
  01 Create or generate,
  02  Change
  03 Display
  04 Print, edit messages
  and maintaine the values WERKS   (ur plants 4 which u want to give authorisations)
  and BWAR ( movement types 4 which u want to give authorisations)

• Authorization object for field, EBAN-ESTKZ (creation indicator)

  Dear All,
  Does anyone know if there is an authorization object for field, EBAN-ESTKZ?
  I need to control the PR's authorization at creation indicator level. i.e. we need to remove the ability for all users to change Purchase Requisitions created by MRP.
  Thanks,
  Arun.

  Hi Jay,
  Thanks for your response.
  I didnt find it there. You have any Z options?
  Thanks,
  Arun.

• Authorization Objects for Multiple Fields on a Screen

  Hi,
  I have a requirement to create authorization object on a screen with 20 fields and there are 3 users, each user for eg: User-A has rights to Display and modify a few fields and User-B has rights to diplay and modify a few fields and same is the case for the 3rd user, and there are some fields which all can modify.
  what i can do is create 2 authorization objects for each user one with all fields that he can modify & Display and other with all fields which he can display only. In this way i will have to create 6 authorization objects for 3 users, is there a way to reduce to 3, one for each user or even bring it down to 1 for all.
  Thanks,
  Thirumal

  Hi again,
  1. Thanks for the transparent example.
  2. Taking the same,
      it would be like this, in the program.
  ( u must agree that
  if there are six different cases,
  then there will be six different IF ENDIF
  in your program, for edit/display combination of fields)
  (you may also use GROUP1, GROUP2..GROUP4
  concept along with authorisation concept
  to group related fields )
  2. suppose user2 or user 1 has logged in.
  3. in the program,
     before displaying the fields,
    a) use authority-check
     with 1, 2 and check sy-subrc to know
     which VALUE (1,2) is there for rights.
     b)then, logic would be like this
        (for display/edit of all fields)
      IF value =  1.
      field1-visible = true
      field1-editable = true
      field2-visible = true
      field2-editable = true
       field3-visible = true
      field3-editable = true
     endif.
     if value = 2.
      field1-visible = true
      field1-editable = <b>false</b>
      field2-visible = true
      field2-editable = <b>false</b>
     endif.
  regards,
  amit m.

• Authorization objects for  transaction, one to view, and one to maintain

  Hi all,
  My requrement is to create two authorization objects for  transaction, one to view, and one to maintain.
  I know how to create objetcs vai sm21, but i donot know how to crate objects with activity codes.
  Please suggest how to create object where i can asign activity codes.
  regards
  manish

  The Authorization Concept
  R/3 uses authorization objects to assign authorizations to users. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (eg. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (eg. Z_SCC20001).
  Authorizations may be classified as general authorizations, organizational authorizations or functional authorizations. General authorizations specify the functions a user may perform. Authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. The system checks for the useru2019s authorization to create general ledger accounts (Activity 1) in at least one company code. The system then checks whether the user is permitted to create accounts for the specified organizational unit (company code) and has the required functional authorizations. Authorizations in this case may restrict the user to certain Charts of Accounts. In addition, an authorization group may be defined in certain authorization objects to protect individual master records.
  Profiles relating to an organizational role (eg. General Ledger Supervisor) are defined consisting of a list of authorizations and other profiles. Such profiles are then assigned to users with that role and stored in their user master record along with other data (eg. password).
  Do check this link as well.
  http://articles.techrepublic.com.com/5100-10878_11-5110893.html

• Authorization Object for using Object Services

  Can you tell me how to limit a users authorization to create or delete attachements using the object services functionality?  We'd like to control the addition and deletion of the attachments.  Is there a specific authorization object for this functionality?
  Thank you, Julie

  Hi julie;
  I hope that following are the solution for you problem. Check wheather this is helpful to you or not.
  Authorization Object C_DRAW_BGR (Authorization Group)
  The following table shows authorization object C_DRAW_BGR. This authorization object allows you to limit access to individual documents.
  Fields      Possible Values      Description
  BEGRU (Authorization group)      0000 - ZZZZ      Used to restrict the authorizations for document maintenance further.
  Authorization object C_DRAW_BGR can be used to restrict access to individual documents. It works like a simple on/off switch. If the check of object C_DRAW_BGR is fine, the user's authorization can be further restricted by checking C_DRAW_TCD (check only based on the document type) or C_DRAW_TCS (check of the
  combination of document type and status). At the fifth level there is a BADI called DOCUMENT_AUTH01, which you can use to design your own authority check.
  Authorization Object C_DRAW_DOK (Document Access)
  The following table shows authorization object C_DRAW_DOK. This authorization object controls which original data of a specific document type there are access authorizations for.
  Fields      Possible Values      Description
  ACTVT (Activity)      52 53 54 55 56 57      Change application start Display application start Display archive application Change archive application Display archive Store archive
  DOKAR (Document type)            Here you enter the document type that access to original data is allowed for.
  Authorization Object C_DRAD_OBJ (Object Link)
  The following table shows authorization object C_DRAD_OBJ. This object controls which users can process which document info records, based on a combination of activity, object, and status.
  Fields      Possible Values      Description
  ACTVT (Activity)      01 02 03 06      Create Change Display Delete
  DOKOB (Object)            You must enter the data base table for the objects here (for example, MARA for material record).
  STATUS (Document status)
  if useful rewards points.           
  Regards,
  nitin
  Edited by: nitin bhagat on Feb 18, 2008 6:23 AM

• Authorization object for plant on selection-screen

  Hi All,
  I need to cehck the authorization object for plant on sleection screen..the palnt is select-options.
  I have written the code
  Declaration of local constants.
    CONSTANTS : lc_i(1)  TYPE c VALUE 'I',
                lc_eq(2) TYPE c VALUE 'EQ'.
    REFRESH : r_werks.
    LOOP AT s_werks.
      IF s_werks-low IS NOT INITIAL.
        AUTHORITY-CHECK OBJECT 'M_MATE_WRK'                "Check if the user has autorization for the plant.
                             ID 'ACTVT' FIELD '03'
                             ID 'WERKS' FIELD s_werks-low.
        IF sy-subrc NE 0.
          r_werks-sign   = lc_i.
          r_werks-option = lc_eq.
          r_werks-low    = s_werks-low.
          APPEND r_werks.
        ENDIF.
      ENDIF.
    ENDLOOP.
    LOOP AT s_werks.
      IF s_werks-high IS NOT INITIAL.
        AUTHORITY-CHECK OBJECT 'M_MATE_WRK'                "Check if the user has autorization for the plant.
                             ID 'ACTVT' FIELD '03'
                             ID 'WERKS' FIELD s_werks-high.
        IF sy-subrc NE 0.
          r_werks-sign   = lc_i.
          r_werks-option = lc_eq.
          r_werks-low    = s_werks-high.
          APPEND r_werks.
        ENDIF.
      ENDIF.
    ENDLOOP.
  My doubt is will the authorization will check the plants in between 1001 and 2001..suppose i have pplants 1001,1002,1003,1004,2001..Now will the above code will check for all the plants or only 1001 and 2001 if i specify in the select-options.
  Regards,
  raj

  Hi Raj
  First no need to LOOP AT s_werks and check s_werks-high as it will always be present only once in the table s_werks.
  Do this
  SELECT werks FROM t001w INTO li_werks
  WHERE werks IN s_werks.
  LOOP AT li_werks.
  *check your authority thing here and fill the range
  ENDLOOP.
  Pushpraj

• Authorization Object for Marketing Attributes

  Hi Experts,
  We are working with CRM 2007 and use in BP Marketing Attributes. Does someone know if there are any authorization objects for Marketing Attributes? We would like to restrict some of users to see some Attribute sets!
  Thank you in advance,
  Roula

  Hi Roula,
  Thank you so much for awarding points.
  Please note that in Transaction PFCG you have to assign the appropriate three digit attribute set key under the authorization group BGKRL to the authorization object C_KLAH_BKL for assigning attribute sets and to the authorization object C_KLAH_BKP for editing attribute sets.
  Please have a look at the Note in the bottom of the page at the following link for further information.
  http://help.sap.com/saphelp_crm60/helpdata/en/46/3517cc86e01421e10000000a1553f6/frameset.htm
  Regards,
  Deepak

• Authorization object for delivery block

  Hi ,
  How do I check the authorization object for any field? I specifically need one for delivery block.
  Please help.
  Thanks,
  Shailaja

  Hi,
  If your looking to put a delivery level block or its removal then i guess you explore it through userexit mv45afzz
  Regards,
  Saurabh

• Custom Authorization Object for HR

  Hi,
  As per our Company's internal needs I have created a Custom Authorization Object for HR named ZP_ORGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORGIN) and made it Check/Maintain for transaction PA30 in SU24.
  I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
  Everything looks fine, but when I execute the transaction & do a trace on it, the object ZP_ORGIN is never checked (for a user having this object in his/her User Master). Only P_ORGIN object is checked instead.
  I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell  which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked.
  Your help will be appreciated.
  Thanks,
  Mandeep Virk

  Hi,
  I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
  I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
  Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
  We've ran the report RPUACG00 also which is mentioned in this thread.
  We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
  I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
  but still it is taking the P_ORGIN object.

• HR Authorization : Custom Authorization Object  for P_ORGIN

  Hi,
  I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
  I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
  Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
  We've ran the report RPUACG00 also which is mentioned in this thread.
  We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
  but still it is taking the P_ORGIN object

  Online Help
  <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm">P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context)</a>

• Authorization Object for data downloading from application server

  Hi friends ,
     My program downloads and uploads data from the application server .
  My requirement is  ,
  Authorization checks should be performed on the Server directories to ensure that the user has access to read and write to the directory. It should check the s_dataset authorisation object for this.. If a user does not have the s_dataset authorisation object no upload or download should be allowed.
  Can you please tell me how to deal with this ? how do we check the above condition ??
  Many thanks ,
  Hemant

  hi,
  This is not a single step process.
  First of all you have to create a field for authorization for server directories from su20 and then create authorization object from su21.then define a role from pfcg with this authorization object and assign this role to user profile from su01 with values defined.
  Then you have to call this authorization object in your program at selection screen.

• Adding authorization object for "Function Group"s ?

  Is it possible to add any authorization object for any function group ?
  We have an issue i.e. whenever user "XYZ" is getting some Windows Excel related error whenever trying call an excel report from BW server. System log related to "XYZ" user shows that -> User "XYZ" has no RFC authorization for the function group "ABCD". The RFC authorization object is S_RFC.
  Function Group you can check through SE37->GoTO->Display Function Group
  Now is it possible to add authorization for any "Function Group" ?

  You give authorisation for all function groups by giving auth object S_RFC a * value in field RFC_NAME
  However I do not recommend this as giving wide access to RFC's can bypass a lot of the security you have implemented for the users.
  In this case, add only the function group that the user requires in this instance into S_RFC

• Authorization Object for Material Type

  Hi All,
  Is it possible to restrict the user from creating the material master based on Material Type. If yes then what is the authorization object for the same.
  Regards
  Mahendra

  Dear Mahendra,
  You can definitely restrict a end-user to only particular Material Type thru Authorizations.
  Authorization Object: M_MATE_MAR
  This can be done thru authorization management. Consult your Basis person or follow this:
  SU01 - Enter the user Id & select display button. Now click on the Roles Tab & note down the role assigned to this user Id.
  Go to T-Code - PFCG - enter the Role name & select the change icon.
  Click on the Authorizations tab page. & then Click on Change Authorization Data.
  Now expand the menu tree of Materials Management: Master Data & further expand the menu tree of Material Master: Material Types. Now click on the change icon next to Authorization Group & select the required Material Type that you want to authorize the end-user.
  This is how you can give authorizations only for a particular Material Type. 
  Hope this helps.. .
  Give point if useful...
  Thanks,
  Jignesh Mehta
  Mumbai