About authorization object

Hi basis guys........
i am not able to give print request.its showing authorization error
"no authorization for LOCAL PRINTER" and "output could not be issued"
i checked su53 screen. and i assigned that activity in authorization object.
even then its showing authorization problem.
Is there any object to add to get printing ?
and what is "s_gui" object ? is that works?
Please tell me your suggestions
Regards........nagendra.

Hi
Check whether for the user a printer is assigned or not. Only the printer which is assigned to the user in SU01 can be used by the user.
What u can try is assign the Local Printer in default printer for that particular user.
Also if you have assigned the authorization object that was missing then there should not be a problem.
Regards
Sumit Jain
[reward with points if the answer is useful]

Similar Messages

Details about authorization Object

Please help ,i had two fields ex sales org & distribution chanel and i have to write a code for authorization , is the authorization object which i wrote is right or not.
I know that we can use at max of 10 fields , but say vkorg / vtweg is used 5 times with different variable name in same prog how to make sure that this code will work for authorization check on VKORG/ VTWEG can anybody please explain me in step's
AUTHORITY-CHECK
          OBJECT 'Z_zzlau'
          ID 'VKORG' FIELD 'S_VKORG'
          ID 'VTWEG' FIELD 'S_VTWEG'
          ID 'ACTVT' FIELD '02'
          ID 'ACTVT' FIELD '03'
          ID 'ACTVT' FIELD '70'.
Thanks

Hi,
ACTVT field is used for checking the create /display / change authorizations.
after creation of the activity group , add it to the user profiles which need authorizations.
01-create 02-change 03-display
AUTHORITY-CHECK
OBJECT 'Z_zzlau'
ID 'VKORG' FIELD 'S_VKORG'
ID 'VTWEG' FIELD 'S_VTWEG'
ID 'ACTVT' FIELD '02'
ID 'ACTVT' FIELD '03'
ID 'ACTVT' FIELD '70'.
if you are checking authorizations with the selection screen parameters then change your code like below:(if change is required)
AUTHORITY-CHECK
OBJECT 'Z_ZZLAU'
ID 'VKORG' FIELD S_VKORG
ID 'VTWEG' FIELD S_VTWEG
ID 'ACTVT' FIELD '02'.
and also check SAP help on this :
AUTHORITY-CHECK
Basic form
AUTHORITY-CHECK OBJECT object
    ID name1 FIELD f1
    ID name2 FIELD f2
    ID name10 FIELD f10.
Effect
Explanation of IDs:
object
Field which contains the name of the object for which the authorization is to be checked.
name1 ...
Fields which contain the names of the
name10
authorization fields defined in the object.
f1 ...
Fields which contain the values for which the
f10
authorization is to be checked.
AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
You must specify all authorizations for an object and a also a value for each ID (or DUMMY).
The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
The return code value changes according to the different error scenarios. The return code values have the following meaning:
4
User has no authorization in the SAP System for such an action. If necessary, change the user master record.
8
Too many parameters (fields, values). Maximum allowed is 10.
12
Specified object not maintained in the user master record.
16
No profile entered in the user master record.
24
The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28
Incorrect structure for user master record.
32
Incorrect structure for user master record.
36
Incorrect structure for user master record.
If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
Note
Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
Example
Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
Table OBJ: Definition of authorization object
M_EINF_WRK
   ACTVT
   WERKS
Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
M_EINF_WRK_BERECH1
   ACTVT 01-03
   WERKS 0001-0003 .
can display and change plants within the Purchasing and Materials Management areas.
Such a user would thus pass the checks
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' FIELD '0002'
    ID 'ACTVT' FIELD '02'.
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' DUMMY
    ID 'ACTVT' FIELD '01':
but would fail the check
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' FIELD '0005'
    ID 'ACTVT' FIELD '04'.
To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.
Regards
Appana

Mass update to FILENAME field in S_DATASET authorization object

We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value. I'd like to do this programmatically if possible.
What I've learned so far is that I need to update the value in table USR12, but the value is encoded. When I look at the table in SE16, I do not see the encoded value field. The value does show in UST12, but I'm told this is an unreliable table.
So I'd like to know..
1. How can I look at the value if not in SE16?
2. Is there an API I can use to encode/decode the value? If not, where is the specification on how to build it?
If this is better addressed in a different forum, which one should I try next?
Thanks,
Dan

Hi there,
Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
But the behaviour as you have described:
>
> Path                   Saveflag Fs_noread Fs_nowrite Fs_Brgru
> =============================================================
> *                                 X         X            DUMY
> /temp/FI/..                       X         X            DUMY
> /temp/FI               X                                 FIFI
>
... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
> Caution:
> - If you enter paths generically in the table SPTH, the most precise specification counts.
> - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
So, the only check which is effective to protect the path, is:
Path                   Saveflag Fs_noread Fs_nowrite Fs_Brgru
=============================================================
/temp/FI               X                                           FIFI
... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
form CHECK_PERMISSION using ISPTH_HEAD type SPTH
                            MODE       type CLIKE
                            SUBRC      type SY-SUBRC.
data: ACTIVITY like AUTHB-ACTVT.
   SUBRC = 0.
   case MODE.
     when 'R'.
          ACTIVITY = '03'.
     when 'W'.
          ACTIVITY = '02'.
     when 'D'.
          ACTIVITY = '02'.
   endcase.
   if ISPTH_HEAD-FS_BRGRU <> SPACE. "Here it is... for BEGRU checks there must be a value...
      authority-check object 'S_PATH'
          id 'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
          id 'ACTVT'    field ACTIVITY.
       if SY-SUBRC <> 0.
          SUBRC = 3.
       endif.
   endif.
endform.
Cheers,
Julius

BP Authorization Object

Hi,
I have the necessary CRM authorizations to create Business Partners of type person in roles such as employee, contact person, general using the BP transaction.
I have now activated the role 'Internet User'. While I can see this role in the 'Create in Role' dropdown on the BP creation screen, I cannot create a BP of type person in this role.
I get the error message: "You are not authorized to maintain user data".
Are there any additional authorizations that I require to be able to assign this role to a business partner?
Thank you,

But you could assign different values of B_BUPA_FDG authorization object for different authorization profiles. For example:
Profile 1: B_BUPA_FDG
Values:    FLDGR= FLDGR1 (Defined in IMG)
           ACTVT= Display
Profile 2: B_BUPA_FDG
Values:    FLDGR= FLDGR1 (Defined in IMG)
           ACTVT= Change
User Group 1 -> Profile1
User Group 2 -> Profile2
However probably the best solution for your requirements will be the GuiXT Tool.
You can find more information about this tool in <a href="http://www.synactive.com">http://www.synactive.com</a>. You will be able to assign different scripts to different user groups.
Message was edited by: Javier Merino Vivar

A question about authorization of "me29n".

I have a question about authorization of "me29n".
In the screen of me29n, after I choose "cancel release" option, there are several button I can use, such as "delete","lock","unlock" and so on. now I want the "delete" button become unavailable after I choose "cancel release". how can I archive ? Is there any authorization object to use? thanks a lot.

Hello Victor,
It is possible through Transaction code "SHDS".
try to create new variant for it.Also you need to take
ABAP'rs help in this .Try it.All the Best.
Regards,
Manjula.

Authorization Object Related To Movement Type

Hi,
I meet one problem, one user want to check which user can use MB1A t-code with movement type 201 and 202, but I know there are some authorization object related to movement type and I want to use suim with mb1a t-code and authorization object to check the user, but I don't know the authorization object about movement type in MB1A t-code, does anyone can help?

Go to SU24, enter the transaction code and press execute.
Here you can see the all authorization object whose are used for the transaction code MB1C.
Regards
Dev

Authorization object

Dear all,
I need to know any tcode or report which can tell about the authorization object for one user, i mean List of all authorization objects executable for users. i checked in tcode suim, that can tell me that user authorization for roles, tcodes and other criteria but i am unable to find such.
thanks

Hi,
SU56 Can tell you the objects for your own profiles.
Maybe you can use that report to build your own report to find out objects for your different user profiles.
Regards,
Siddhesh

Maintain assignments of authorization objects for Z Webdynpros in SU24

Hello experts,
When we display the assignments of authorization objects for External Services - Webdynpros in transaction SU24, Z_webdynpros are not shown in the screen.
We need to add more webdynpros in that table.
I suposse that there must exist a way for updating that table with the Z webdynpros developed or some configuration is needed.
Thanks in advance...
Hector Longarte

The Zwebdynpros I am talking about are Java Webdynpros in the SAP Portals, and the SAP ERP is onlyan ABAP stack.
Is this configuration posible??

BI 7 - Authorization objects

Hi,
I am trying to save the authorization object which I have created, But I am getting error message "Characteristic 0TCAACTVT not authorization relevant". Please help me on this error

>
Ramesh Babu M wrote:
> Hi,
>
> I am trying to save the authorization object which I have created, But I am getting error message "Characteristic 0TCAACTVT not authorization relevant". Please help me on this error
This is not about MaxDB or any other database but about SAP BI - just post this question there and the chances to get a useful reply will raise immediately!
regards,
Lars

Custom authorization object

Hi all,
I have created a custom authorization object to define a data security based on the Company code field.
These are the steps I did:
- I create a new authorization object containing the Company code field (BUKRS).
- I create a new role with this authorization object, and I have assigned a specific value to the Company code field.
- The role contains also the standard authorization object HR Master data which contains the field: infotype, personnel area...
- I have assigned the new role to a user and I have executed a report, but I had not the expected result.
- I had assigned the custom authorization object to the report transaction through SU24 and SU22, but I had not the expected result.
As expected result I was expecting that the data are filtered based on the Company code I put in the authorization field.
Any idea about the problem?
thx!

Please check that you have followed all of the steps listed here when creating your object:
<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm">http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm</a>
- April

BW 3.5 which authorization objects available rssm (checks for infoprovider)

Hi all,
How does SAP generates the list of authorization objects in RSSM when you enter a specific infoprovider (checks for infoprovider)? Are only the authorization object related to this infoprovider listed?
Is there any documentation about the purpose in RSSM for the button 'update check status (Authorization objects, infoprovider).
thanks for your help.

Based on which criteria?
Is there somwhere detailed documentation available about the RSSM part in BW authorizations? It seems hard to find any...
Thanks,

Authorization objects for FM (EA-PS) after upgrade

Hi,
We are upgrading from ERP 4.6c to ECC 6.0 (IS-PS 462 to EA-PS 6.00).
On preliminary tests we have found that we need to add a few authorization objects to the users, but we want to minimize that.
We opted to deactivate BAdi implementation "FMBS_ADDON_AUTH_FI" and to mark the two checks inside IMG "Activate Old Authorization Check"
Although we have found authorization issues with objects:
F_FICA_FTR and
F_FICA_FCD
Is there a list of Objects that we need to add to the roles that I can review? or maybe an OSS Note or SDN article about this?
Best regards,
Nelson

Hi, I have been studying this, and I have found that the error message I saw yesterday definitely speaks to the problem I have been having.
I created a test role with one transaction, then went into SU24 for that transaction and made a new auth check with display 03. After I updated that role in PFCG (maintaining the new authorization), I went back to SU24, changed that new auth check by removing 03.
When I went back into the role in expert mode, the maintained authorization was gone and replaced with a new standard authorization with no values.
My concern is that wherever the authorization checks are coming from, their construction is corrupt! I'm not even sure that the original auth checks are OK -- if they had values that were later taken out, I am concerned that they will cause this error I am seeing.
I'm getting ready to upload the auth check tables from QA back to the Sandbox, but I'm not sure that will solve the problem if there is another cause for this. Is there some other setting/selection that someone must have clicked on that is now causing this problem? I still don't have a clear answer on that, and I would love to know.
Thanks,
Ed

Authorization objects for EA-PS after upgrade

Hi,
We are upgrading from ERP 4.6c to ECC 6.0 (IS-PS 462 to EA-PS 6.00).
On preliminary tests we have found that we need to add a few authorization objects to the users, but we want to minimize that.
We opted to deactivate BAdi implementation "FMBS_ADDON_AUTH_FI" and to mark the two checks inside IMG "Activate Old Authorization Check"
Although we have found authorization issues with objects:
F_FICA_FTR and
F_FICA_FCD
Is there a list of Objects that we need to add to the roles that I can review? or maybe an OSS Note or SDN article about this?
Best regards,
Nelson

Hi, I have been studying this, and I have found that the error message I saw yesterday definitely speaks to the problem I have been having.
I created a test role with one transaction, then went into SU24 for that transaction and made a new auth check with display 03. After I updated that role in PFCG (maintaining the new authorization), I went back to SU24, changed that new auth check by removing 03.
When I went back into the role in expert mode, the maintained authorization was gone and replaced with a new standard authorization with no values.
My concern is that wherever the authorization checks are coming from, their construction is corrupt! I'm not even sure that the original auth checks are OK -- if they had values that were later taken out, I am concerned that they will cause this error I am seeing.
I'm getting ready to upload the auth check tables from QA back to the Sandbox, but I'm not sure that will solve the problem if there is another cause for this. Is there some other setting/selection that someone must have clicked on that is now causing this problem? I still don't have a clear answer on that, and I would love to know.
Thanks,
Ed

Change authorization object in a derived role

Hi Gurus,
What's happen if someone has added a new authorization object in a derived role?
He has only changed some derived role, not the parent role, he added manually a new value in the authorization field. The parent role didn't changed.
<u>Note:</u>The field was not an organizationnal field, it was S_DATASET.
What do you think about this ?
Thanks
Hery-zo

Do i understand this right??? do functional teams have access to PFCG to create roles???
If so that is your real problem, as that shoudl never been doen that way. You are completely right functional consultants have no clue about how roles should be build. advise:
1 take away the access to PFCG in ALL systems for anybody other than security consultants administrators.
2 ask all functional teams to describe the roles points to be adressed:
   A TRX in every role
   B all wanted restrictions on every TRX (described functionally)
   C orglevels on which restrictions should be build.
   D Test process for every TRX in every role (both positive and negative)
   E check all roles against table USOBT and look for manually added objects,
       if they can not give a good reason for adding these REMOVE them.
3 retest all roles based on point 2D, ask the funcxtional consultants to assist where needed. Adjust roels during testing where needed, but create a good auditable record for every change.
4 Update USOBT_C (use TRX SU24) for all changes you apply during testing
5 check your roles for the corrected TRX after this change and update the other roels involved as well.
6 ONLY allow roles that have followed the above process to go to Production.
The above steps are the only way to create a secure SAP Production system for you!

Wanted: Dictionary-/ Metadatatable for the Mapping of the (old,3.5.) Authorization Object to the (Auth.relevant) InfoObject

Hi,
I am looking for the concrete BW's dictionary-/ metadatatable(s)
which contain/describe the
Mapping of the (old,3.5.) Authorization Object to the (Auth.relevant) InfoObject
of the transaction "RSSM-Authorization for Reporting"
For example:
I got 3.5 Auth.Object ZCOMP_CODE and want to know to which (Auth.relevant) InfoObject
this is mapped, basically what's in the usage of this Authorization Object.
ThanXs
Martin

Hi,
As of now, your authorizations still in 3.x. so please check the below tables.
RSSBAUTHGEN - it holds info provider and authorization object
RSSBAUTHGENERATD - it have user name and info provider
RSSBAUTHTRACE
RSSBAUTHTRUSER
RSSBAUTVAL
RSSAUTHHIER
RSSAUTHHIERNODE
Coming to 7.x , Above mentioned T code kumar is enough to handle authorization concepts.
There is best document about 3.x and 7.x comparison on Google.
please search for it by using search term "An Expert Guide to new SAP BW Security Features"
Written by Marc Bernard
Thanks

About authorization object

Similar Messages

Maybe you are looking for