0PLANT Level Authorizations

Similar Messages

• Direct database data access without data level authorization check

  Hello,
  My customer raised issue about direct database data access. Due to the customeru2019s strong security policy, it shouldnu2019t be allowed.
  To prevent this kind of illegal data access, customer ask me to list up all the possibilities to display data without data level authorization check.
  The things in my mind are
  SQL Command Editor (for Oracle based system) : ORASPACE, DB02, ST04
  Query Based : SQVI (Quick Viewer), SQ01/SQ02/SQ03 (SAP Query)
  Data Browser : SE11, SE12, SE16, SE16N, SE17
  Table Maintenance : SM30
  Function Module : RFC_READ_TABLE
  Function Module : DB_EXECUTE_SQL (DML)
  Anyone knows anything which is not listed above?
  Thanks

  HI,
      Generally in production user's should not be given all these authorizations.
  Ram.

• Organization level authorization restrictions

  Hello All,
  Please can you let me know
  1) f it is possible to org level authorization restrictions for CLM documents and master data without any development?
  - E.g. while creating suppliers the user should only be able to create for the Company assigned to the user id?
  2) What is the significance of the company and organization unit fields in the user account information page?
  Regards,
  Subramaniam Iyer

  Hi ,
  Could you share about your solution ? I think I have face the same problem as yours.

• Tab Level Authorization

  One of My application I plan to give the tab level authorization. I used two level tabs.
  for example, the sub tabs are like aa,bb,cc. I need to write the authorization schemes and I need to get the tab name dynamically here to show this tab for only few users. This scheme will be seleted for all the tabs.
  When I try with :app_tab_id, :parent_tab_cells bind variables, it's not working properly. Any one can suggest me how can I refer the tabname or tab label (like for page we are using app_page_id)
  Advance thanks for your help
  Balaji

  Balaji:
  I don't understand why you need to know the current-tab etc.
  Authorizations can be applied at the tab level declaratively (in the tab's defintion).
  So, your authorization should simply be something like 'return true for user1, user2, user3...' and this authorization should be specified as the 'Authorization' for the tab's authorization.
  Varad

• Object level authorization for SLT Configuration schema in HANA DB

  Hi All,
  We have connected SLT with HANA DB (& ECC as source system).
  Now for certain users we wanted to restrict the access for certain tables ( tables owned by SLT Schema, i.e schema created in HANA DB with the configuration name provided in the SLT configuration).
  With the SYSTEM user object level authorization's of another schema is not possible hence , an error is thrown when we are trying to provide/control the access of single table for a user.
  Is it ok that we generate a password for SLT schema and try login with schema owner. Is it the best practice or Is there any other way around.
  Regards,
  Kumar

  Hi Santosh,
  You can find more info about SLT Roles and Authorization from below security guide.
  http://help.sap.com/hana/SAP_HANA_Security_Guide_Trigger_Based_Replication_SLT_en.pdf
  Regards,
  V Srinivasan

• "Low-level" authorizations for accessing BW reports - add users to role

  Using the advice in Topic "Low-level" authorizations for accessing BW reports, I have been able to publish a query to a role that has 3 test users and each user gets the same query but with different data, as determined in the tables.
  Is there a way to look up the users and e-mail addresses from a table and associate them to the role? We have several hundred e-mail recipients that will not need BW access, but only need an e-mail with a static report that contains data on their own territories.

  Hi!
  i think programatically it might be complex. You got to maintain a seperate variant of report per user and use this variant to send mail. that means you need to maintain a variant and a Broadcast setting per user. once maintained you can use it any number of times the values will be recalculated everytime.
  with regards
  ashwin
  <i>PS n: Assigning point to the helpful answers is the way of saying thanks in SDN.  you can assign points by clicking on the appropriate radio button displayed next to the answers for your question. yellow for 2, green for 6 points(2)and blue for 10 points and to close the question and marked as problem solved. closing the threads which has a solution will help the members to deal with open issues with out wasting time on problems which has a solution and also to the people who encounter the same porblem in future. This is just to give you information as you are a new user.</i>

• Field Level Authorization

  Hi Gurus,
  Can you explain me how to proceed forward inrelation to Field Level Authorizations in SAP HR. For instance I want to restrict roles of individuals based on Field for example restrict users based on Field Workschedule in IT 0007 ( Planned Working Time).
  Regards,
  Happy

      AUTHORITY-CHECK OBJECT 'S_TABU_LIN'
        ID 'ORG_CRIT' FIELD 'MOLGA'
        ID 'ACTVT' FIELD '03'
        ID 'ORG_FIELD1' FIELD '10'
        ID 'ORG_FIELD2' FIELD '*'
        ID 'ORG_FIELD3' FIELD '*'
        ID 'ORG_FIELD4' FIELD '*'
        ID 'ORG_FIELD5' FIELD '*'
        ID 'ORG_FIELD6' FIELD '*'
        ID 'ORG_FIELD7' FIELD '*'
        ID 'ORG_FIELD8' FIELD '*'.
      IF sy-subrc NE 0 .
        MESSAGE e000 WITH 'No Authorization for area' v_text.
      ENDIF.
  Use S_TABU_LIN authority object for field level authorizations.

• SM30 Field level authorization check

  Hi,
  I have a requirement to add the authorization check in SM30 for the company field in the custom table. Please suggest.
  Thanks,
  Gagan Chodhry

  Hi,
  I have this requirement for both type of tables i.e. custom as well as standard. Tables has got field profit center.. I need to show the table based on the loggedin user authorization to the profit center.
  If it is a custom table then as mentioned by Siva, there is a way I heared that we can check the authorization in PAI event, but when I tried to do a small test, I could get the field symbol with the values, but I was not able to skip that record for disply.
  If anyone can send the sample or the way to skip the record based on the check.
  Also is there any other way to add the field level authorization to custom and standard tables...
  Thanks,
  Gagan Chodhry

• Multiple Level authorization

  Hi I am using OBIEE 11.1.1.5.
  I want to set the row level security and also with multiple level. for example i have one sales dashboard, i have entered using sales person id then the dashboard shows for the particular salesman sales details and i have entered as zonal sales manager then the dashboard shows the details of sales men under my zonal or i have entered to dashboard using the regional sales id i can able to view the all the regional information. How can achieve this.
  For single level authorization i can used the row level security. but multiple level how is it possible?
  Regards
  Gauthaman

  You can set up a initialization block to set up values for three variables.
  1) GROUP
  2) LEVEL or COLUMN_NAME
  3) COLUMN_VALUE
  In your single level authorization you will intialize only 1 and 3 variables, here intialize second one also and use it in the filter clause.
  like COLUMN_NAME = COLUMN_VALUE

• Plant level authorization control for Internal Order

  Dear Sir,
  We create Internal Order using tcode KO01 and  being a multi plant scenario , we want to have an authorization control on Internal Order creation/change so that plant or profit-center level authorization rights can be given to the users .
  We request you to Kindly guide us about the steps to be followed for addressing such requirement .
  With thanks and Regards
  Sonia Agarwala

  Sonia-
  It can be done. You have two options.
  1. SAP security - when your security person can limit a user by plant, profit center etc using authorization objects.
  2. Validations - Here you can create a validation where you define you logic. In your logic you can restrict set of users who can access a set of fields (profit center, plant etc). If he deviates, the system can issue error messages which is maintained in validations. Use transaction GGB0 to create validations.
  Hope this helps.
  Shail

• Discount level authorization in sales order

  Hi,
  I have one scenario where customer want to give discount level authorization for some customer, please find below example and suggest possible solution
  Ex. There would be like 3 level discount authorization in sales order like sale manager 2%, manager 3-4% n sales head 5%.
  If sales manager make the order n enter  3 %  and more discount then error show like " you are not authorized for this discount" and order can not be saved ,same will be applicable to manager and sales head.
  Note: There may not be different level user id used here means Sales manager and manager will be using same ID.
  Please suggest the configuration step by step
  Edited by: KHAPREVIPIN on Jan 4, 2012 7:51 AM

  Hello
  there is a process of Basis roles that can help u in doing this. Using these roles u can give permission the condition types
  u create 3 diffrent condition type ZCP1,ZCP2ZCP3 and give authorization only to the required level.
  Example : manger can only add ZCP1 not others.
  Through this no need to create any program... for each specifice condition type u can give authorizatoin this is standard in SAP.
  Mager      ZCP1 discount 30%
  user :      ZCP3 Dicount 5%
  If the system must determine automaically : make a requirement for each condition and check the role(USER ID) and pass the condition
  If it is the manual discount then the user can only add the discount they can not give others.

• Second Level Authorization for ESS

  Hi,
  I have an issue regarding ESS . The requirement is to provide a second level authorization when anybody clicks on the content in ESS. i,e a logon screen. On successful authentification the user has to see the required info. We should also be able to provide a 5 min idle time out. Can anybody help me with this.
  Thanks,
  Abhishek

  Abhishek, Did you find any solution for second level authentication for ESS?

• Field level Authorization configuration in SAP BO issue !!!

  Hi gurus,
  I want to create field level authorization at query level and use the same at BO web Intelligence. (Ex if i h ave company code as A,B,and C. and if i have created a rolehe users  where only A and C is assigned so when i crreate a webi where users should only able to select comapny code as A and C only.)
  Now i want to know the steps to configure the same in BO for roles import and SAP authentication setting.Please do tell the pre-requisites .I got lot of links but am still confused.
  So please provide exact steps and setting to configure the same.
  Thanks &Regards,
  Montz
  Edited by: montz2006 on Jun 27, 2011 9:05 PM

      AUTHORITY-CHECK OBJECT 'S_TABU_LIN'
        ID 'ORG_CRIT' FIELD 'MOLGA'
        ID 'ACTVT' FIELD '03'
        ID 'ORG_FIELD1' FIELD '10'
        ID 'ORG_FIELD2' FIELD '*'
        ID 'ORG_FIELD3' FIELD '*'
        ID 'ORG_FIELD4' FIELD '*'
        ID 'ORG_FIELD5' FIELD '*'
        ID 'ORG_FIELD6' FIELD '*'
        ID 'ORG_FIELD7' FIELD '*'
        ID 'ORG_FIELD8' FIELD '*'.
      IF sy-subrc NE 0 .
        MESSAGE e000 WITH 'No Authorization for area' v_text.
      ENDIF.
  Use S_TABU_LIN authority object for field level authorizations.

• Object level authorizations for deffirent user restrictions

  Hi
  i have 1 object, this object have only 3 values?
  i need authorizations for this object at report level?
  rsa1- i keep authorization relevant?
  rsecadmin i can include this object , here i need give from value and to value? i have 3 values only? suppose user 1 want only 1 value? user 2 need 2 and 3 value? how can i restrict like this ? ple let em know

  Hi Suneel,
  Go to RSECADMIN.
  Here, in maintain authorizations, create authorization for your characteristics along with the special characteristics.
  i.e. in your case, create authorization(assume 0plant is marked as authorization relevant)
  0PLANT
  0TCAACTVT
  0TCAIPROV
  0TCAVALID
  Double click on each characteristic to assign them the authorized value set.
  Thus, you will create two authorizations
  Z_PLANT_1
  0PLANT...................I..EQ..............1
  0TCAACTVT.............I...EQ..............3
  0TCAIPROV.............I...EQ..........ZPROVIDER
  0TCAVALID..............I...EQ...........*
  Z_PLANT_2&3
  0PLANT...................I..EQ..............2
  ..............................I..EQ..............3
  0TCAACTVT.............I...EQ..............3
  0TCAIPROV.............I...EQ..........ZPROVIDER
  0TCAVALID..............I...EQ...........*
  Go to RSECADMIN again in user tab in assignment, assign these authorizations created to the respective users.
  Like assign User1 -
  >Z_PLANT_1
  ................User2  -
  >Z_PLANT_2&3
  Refer  the link below for more information
  [Analysis Authorization|http://help.sap.com/saphelp_nw70/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm]
  Hope this helps,
  Best regards,
  Sunmit.

• ME21N Material group level authorization is not working in ECC 6.0

  Dear Security Experts,
  We have created a role Z_ME21N with one Tcode ME21N. The role has to restrict users in the material group level.
  For that, we added Authorization object M_MATE_WGR.
  1.     When we are trying to add field values for {M_MATE_WGR, BEGRU}, generally it should show me the list possible values to be used based on the MM configuration related to Material Authorization Group. We have correctly configured the authorization groups from V_TBRG for M_MATE_WGR. But itu2019s not showing any possible values.
  2.     However we are able to add values manually, but I guess these are not being considered during authorization check and our restriction on Authorization group level in ME21N is not working.
  Test Scenario: We have manually added values 005,007,009,010,013 (which is pointing to specific material group) to BEGRU of M_MATE_WGR. We already assigned this Authorization Object to role Z_ME21N and this role has been assigned to u2018testuseru2019, but the authorization check with the M_MATE_WGR authorization group is not happening. It allows operations on all the material groups.
  Anybody came accross same scenario?
  SAP Prodcut version : ECC 6.0
  Database : SQL Server 2005
  Support pack level : 15
  Please share your views, thanks in advance.
  Regards,
  Abu Sandeep

  Dear All,
  I got a reply just now from SAP regarding the same issue.
  I coudnt understand what SAP and you are saying.
  Dear Abu
  *Apologies for the delay. This message has been turned on to application*
  *area of MM from the Basis side just now.*
  *Unfortunately, authorization object "M_MATE_WGR " is not checked*
  *in the purchasing transactions (PR & PO), the system works as standard*
  *functional designed.*
  *Only the following objects are checked in PR/PO:*
  *M_BEST_BSA Document Type in PO M_BANF_BSA Document Type in PR*
  *M_BEST_EKG Purchasing Group in PO M_BANF_EKG Purchasing Group in PR*
  *M_BEST_EKO Purchasing Org. in PO M_BANF_EKO Purchasing Org. in PR*
  *M_BEST_WRK Plant in PO M_BANF_WRK Plant in PR*
  *Setting in check/maintain on in SU24 only means that the profile*
  *generator will propose the object when creating a user, however is*
  *does not mean that M-MATE_WGR will be checked.*
  *Please close this message by pressing the confirm button at your*
  *earliest convenience.*
  *Many thanks in advance for your understanding.*
  So, how can I resolve this problem? John, are you sure that, you implemented this successfully?
  SAP says, this cant be done.
  Regards,
  Abu Sandeep.