Custom Authorization Object for HR

Similar Messages

• HR Authorization : Custom Authorization Object  for P_ORGIN

  Hi,
  I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
  I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
  Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
  We've ran the report RPUACG00 also which is mentioned in this thread.
  We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
  but still it is taking the P_ORGIN object

  Online Help
  <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm">P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context)</a>

• Custom authorization object and check logic

  Hi gurus,
  we need to apply additional authorization check in our custom reports.
  so i created a custom fields & object, and put the statement
        AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
                 ID 'ZROLEID' FIELD '03'
                 ID 'ZSOBID'  FIELD zzdwbm.
  in a abap class method centrally, so it could be called by many reports.
  but the test show that the sy-subrc always set to 0, even for users without any authorization.
  what i missed for adding custom auth check?
  for this case, do i need to maintain authorization check indicator in SU24?
  what i am confused is that , su24, you have to maintain a transaction , but our authorization check is not for transaction , but for reports and bsp application, how should i maintain su24 for that?
  thanks and best regards.
  Jun

  Hi,
  I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
  I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
  Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
  We've ran the report RPUACG00 also which is mentioned in this thread.
  We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
  I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
  but still it is taking the P_ORGIN object.

• How to add custom authorization object to a SAP standard transaction

  Hi All,
  I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
  Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
  - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
  - tcode SU21 - creation of  a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
  - tcode SU24 - insert of new authorization field e check indicator (green)
  - tcode SU22 - check indicator - check (green)
  After this we have created a new role with PFCG and add transaction IW22; the new auth.ZPM was added manually.
  We have try to analyze log (ST01 trace) but it seems no check was made in the trace file.
  It seems new authorization object was not checked.
  My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
  Thanks
  Maurizio

  > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
  >
  No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
  So you need to provide a Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
  Regards,
  Dipanjan

• Authorization Object For Activate Reservation/Purchase Req - IW31

  Hi,
  I want to authorize only certain users to use button  "Activate Reservation/Purchase Req" IW31 transaction. What is the Authorization Object for the above mentioned button, if any. Is there any other way that i can do this activity in customizing? I am using ECC 6.0
  We find that activating the objects below (suggests- SU24)
  M_BANF_BSA
  M_BANF_EKG
  M_BANF_EKO
  M_BANF_WRK
  allowed in IW31, that 'not-authorized-users' would not be able to create purchase requistions. therefore: no material procurement.
  But for reservations, we didn´t find  the object in  IW31.
  Thanks and regards
  Gabriel.
  Edited by: Gabriel_Fornazier on Dec 31, 2010 12:16 PM

  Olá Michely
  Segundo a SAP não existe objeto de autorização em BASIS para restringir por usuário o botão da transação IW31 que eu precisava(Ativar Reserv./Req. de Compra). Portanto segundo a SAP, poderia usar a ampliação IWO10006 para resolver isso.
  E foi o que fiz. Primeiramente criei manualmente um objeto de autorização 'Z'  dummy, para atribuir a um usuário que não quero que enxergue o botão.   'DISP' o nome do botão(dar F1 no mesmo) que desejo esconder.
  Posteriormete na EXIT desenvolvi o seguinte código para esconder o botão:
  AUTHORITY-CHECK OBJECT 'Z_VORG_ORD'
             ID 'ZBETRVORG' DUMMY.
  IF SY-SUBRC EQ 0.
    FCODE_EXC_CUST-FCODE = 'DISP'.
    APPEND FCODE_EXC_CUST.
  ENDIF.
  Portanto, todo usuario que tiver aquele objeto de autorização ''Z'' no seu perfil não vai exergar o botão Reserv./Req. de Compra.
  Essa é a melhor solução do que usar objetos de autorização de outras transações.
  Espero ter ajudado
  abraços,
  Gabriel M. Fornazier
  SAP FI Certified Professional
  Minas Gerais - Brasil

• Authorization object for Command Button

  Hi all,
  How can I create the Authorization object for command button which is on application server.
  if you do not have auth when you click on that command button, it should be say 'you dont have auth'.
  please help me in this.
  regards,
  Ajay reddy

  Hi,
  Tcode for Authorization Objects are,
  su20----> for defineing authorization field ,
  su21-----> for authorization class,
  su22------> for assignement authorization object
  To create an authorization object:
  1) Execute transaction SU21
  2) Double-click an Object Class to select a class that should contain
  your new auth object
  3) Click on CREATE (F5)
  4) (If creating custom field) - Click the 'Field Maintenance' button -->
  Click on CREATE (Shift+F1)
  5) Enter the Name for the New Authorization field and the corresponding
  Data Element and SAVE
  6) Confirm the Change Request data for the new Authorization Field
  7) Go back two screens (F3-->F3)
  8) Enter the Authorization field name and document the object:
  9) SAVE and ACTIVATE the documentation
  10) Save the new Authorization Object
  11) Confirm the change request data for the Authorization Object and
  EXIT SU21
  12) Finally, the SAP_ALL profile must be re-generated
  Regards,
  hema.

• Authorization object for manual condition type in sale order

  Hi experts
  I want ask them, If exist an authorization object for manual Condition type (KOMV-KSCHL) in the sales order (VA01/VA02), that the user don' t can create neither modify the sale orden with a specific manual condition type (payment term) by stardard way.
  Best regards
  John Angulo

  HI John,
  I would be surprised to know that someone uses the Payment terms as a condition in the Pricing procedure for sales orders. The payment terms define when the customer agrees to pay, (15, 20, 45 ,....days or 5 years or 10 years....whatever it be)
  this detail for what i know is in the sales order header,and ideally has nothing to do with the Item level material price conditions.
  its ok, If you mean something else by payment terms.....in principle you can have a conditon type restrcited such that manual entries on the condition are not possible. this cane be done in SPRO customizing, i am sure your functional consultants would know what to do (SPRO->Sales and Distribution->Basic Function->Condition Types), in the tab "Changes that can be made" have a value that says manual Processing is not allwowed
  The ABAP route mentioned above is for a different scenarion and i dont think it is necessary for your requirement

• Authorization Object for Account Assignment field

  HI all,
  We wanted to restrict the users from creation of PO (in ME21N) against the specific Internal Orders (Account assignment KNTTP='F'). So that user can use Internal orders assigned to his Business Area only.
  Which authorization object i can use to restrict the user to use specific Internal order during PO creation and change. ??? I tried to check authorization object listed under t code ME21n but none of them restrict Internal order.
  Is there any std. object available, if not then what I need to do while creation of customized authorization object (in SU21), how system will call this authorization object in ME21N while using Acc. Assignment u201CFu201D. more detailed answers will be more useful.
  Thanks...

  Hi frnd...
  i think you want to allow all users to use acct. ***. "F",
  but you want to stop the user from using ir-relevant internal orders.
  For this, i think you can create a "Z" table having fields:
  1)User ID - (key field)
  2)Internal Orders - (key field)
  3)Access.
  Make the entries of the users against the internal orders. (if you  want any user to access all the internal orders, then make entry (*) in the field access. 
  While creating GRN check these entries, if the entry exist, let user use that internal order, if not give the error as you are not authorized.
  To do all these, you have to use user - exit. which one i dont  know...
  kindly let me know, if you use any.
  njoy SAP...
  njoy Lyf...
  Regards,
  Amit P Hiran

• Authorization Object for Purchase Group while GRN

  HI all,
  We wanted to restrict the specific users from doing GRN with ML81N & MIGO_GR against specific Purchase Group. Which authorization object can be used to restrict the user from processing others Pur. groups for which he is not authorised.
  Is there any std. object available, if not then what I need to do while creation of customized authorization object (in SU21), how system will call this authorization object in MIGO & ML81N. more detailed answers will be more useful.
  Thanks...

  closed...

• Authorization object for the "global settings" of a workbook of BW 7.0

  Hi colleagues,
  I search for a authorization object for the "global settings" of a workbook in the analyzer of BW 7.0.
  The normal user should not have the authorization to change the "default workbook" .

  Hello Hans-Dieter,
  have you solved the issue? I think it is not clearly defined and needs to be enhanced even Note 332738 has been applied. S_RS_TOOLS is not working, that's my opinion.
  I opened a customer message in Marketplace to become a solution.
  May be you have a solution already done?
  I would appreciate this very much.
  Best regards
  André
  Edited by: Andre Brachert on Apr 14, 2009 1:42 PM

• Custom authorization provider for WL7 problem (not getting all parameters from ContextHandler)

  I'm implementing a custom authorization provider for WebLogic 7.
  In my Access Decision isAccessAllowed method I need to check values of
  the parameters passed to an EJB method. Now, if an EJB method I have
  two parameters of the same type, for example int, when I get
  ContextElement array from ContextHandler and iterate through it to get
  names and values of the parameters I get the same value (value of the
  first int parameter) from both ContextElement's.
  Here is the code:
  String [] names = ch.getNames();
  for (int i = 0; i < names.length; i++)
  String name = names;
  System.out.println("name = " + name);//here it gets array of
  Strings, which contains two parameter names: "int","int",
  which are the types of EJB method parameters
  ContextElement[] ces= ch.getValues(names);
  for (int j = 0; j < ces.length; j++)
       ContextElement ce = ces[j];
       System.out.println(ce.getName()+ " = " + ce.getValue());
  //here if the value of the first int was 2 and the second 0,
  it would get 2 from both ContextElements (each of ContextElements will
  have name "int"
  If I try this with method parameters of different types, for example
  int with value 2 and long with value 0, then this code work fine -
  first ContextEleement has name int and value 2 and the second has name
  long and value 0.
  Thanks,
  -Oleg Kozlov.

  I'm implementing a custom authorization provider for WebLogic 7.
  In my Access Decision isAccessAllowed method I need to check values of
  the parameters passed to an EJB method. Now, if an EJB method I have
  two parameters of the same type, for example int, when I get
  ContextElement array from ContextHandler and iterate through it to get
  names and values of the parameters I get the same value (value of the
  first int parameter) from both ContextElement's.
  Here is the code:
  String [] names = ch.getNames();
  for (int i = 0; i < names.length; i++)
  String name = names;
  System.out.println("name = " + name);//here it gets array of
  Strings, which contains two parameter names: "int","int",
  which are the types of EJB method parameters
  ContextElement[] ces= ch.getValues(names);
  for (int j = 0; j < ces.length; j++)
       ContextElement ce = ces[j];
       System.out.println(ce.getName()+ " = " + ce.getValue());
  //here if the value of the first int was 2 and the second 0,
  it would get 2 from both ContextElements (each of ContextElements will
  have name "int"
  If I try this with method parameters of different types, for example
  int with value 2 and long with value 0, then this code work fine -
  first ContextEleement has name int and value 2 and the second has name
  long and value 0.
  Thanks,
  -Oleg Kozlov.

• Authorization object for Object services

  Hello together,
  I want to know if there is an authorization object for Generic object services functionilty especially the WF options like WF overview, start WF, Archieve WF..............................
  My understanding is any user who has access to a particular Business object, can user GOS to view WF stuff..................Is my understanding correct or should we have extra functions.....................
  Regards

  Check authorization objects S_OC_ROLE and, for recent releases, S_GOS_ATT.
  Regards,
  Raymond

• Authorization object for plant on selection-screen

  Hi All,
  I need to cehck the authorization object for plant on sleection screen..the palnt is select-options.
  I have written the code
  Declaration of local constants.
    CONSTANTS : lc_i(1)  TYPE c VALUE 'I',
                lc_eq(2) TYPE c VALUE 'EQ'.
    REFRESH : r_werks.
    LOOP AT s_werks.
      IF s_werks-low IS NOT INITIAL.
        AUTHORITY-CHECK OBJECT 'M_MATE_WRK'                "Check if the user has autorization for the plant.
                             ID 'ACTVT' FIELD '03'
                             ID 'WERKS' FIELD s_werks-low.
        IF sy-subrc NE 0.
          r_werks-sign   = lc_i.
          r_werks-option = lc_eq.
          r_werks-low    = s_werks-low.
          APPEND r_werks.
        ENDIF.
      ENDIF.
    ENDLOOP.
    LOOP AT s_werks.
      IF s_werks-high IS NOT INITIAL.
        AUTHORITY-CHECK OBJECT 'M_MATE_WRK'                "Check if the user has autorization for the plant.
                             ID 'ACTVT' FIELD '03'
                             ID 'WERKS' FIELD s_werks-high.
        IF sy-subrc NE 0.
          r_werks-sign   = lc_i.
          r_werks-option = lc_eq.
          r_werks-low    = s_werks-high.
          APPEND r_werks.
        ENDIF.
      ENDIF.
    ENDLOOP.
  My doubt is will the authorization will check the plants in between 1001 and 2001..suppose i have pplants 1001,1002,1003,1004,2001..Now will the above code will check for all the plants or only 1001 and 2001 if i specify in the select-options.
  Regards,
  raj

  Hi Raj
  First no need to LOOP AT s_werks and check s_werks-high as it will always be present only once in the table s_werks.
  Do this
  SELECT werks FROM t001w INTO li_werks
  WHERE werks IN s_werks.
  LOOP AT li_werks.
  *check your authority thing here and fill the range
  ENDLOOP.
  Pushpraj

• Authorization Object for Marketing Attributes

  Hi Experts,
  We are working with CRM 2007 and use in BP Marketing Attributes. Does someone know if there are any authorization objects for Marketing Attributes? We would like to restrict some of users to see some Attribute sets!
  Thank you in advance,
  Roula

  Hi Roula,
  Thank you so much for awarding points.
  Please note that in Transaction PFCG you have to assign the appropriate three digit attribute set key under the authorization group BGKRL to the authorization object C_KLAH_BKL for assigning attribute sets and to the authorization object C_KLAH_BKP for editing attribute sets.
  Please have a look at the Note in the bottom of the page at the following link for further information.
  http://help.sap.com/saphelp_crm60/helpdata/en/46/3517cc86e01421e10000000a1553f6/frameset.htm
  Regards,
  Deepak

• Authorization object  for PLANNING PLANT

  Hi all,
  My client has different Planning plant & Production plant.
  If I need to give access to GR for order (MB31), how do I know the authorization object for the Planning plant.
  User should be given access to MB31 to the Planning plant & NOT to the Production plannt.
  Any idea where we could find the authoriz. objects for a particular field?
  Pls advise.

  Goods Receipt for Production Order: Movement Type            M_MSEG_BWF
  Goods Receipt for Production Order: Plant                    M_MSEG_WWF
  these are the authorisation objects with activities as  ACTVT and WERKS
  Maintaine the values for ACTVT  as
  01 Create or generate,
  02  Change
  03 Display
  04 Print, edit messages
  and maintaine the values WERKS   (ur plants 4 which u want to give authorisations)
  and BWAR ( movement types 4 which u want to give authorisations)