Addition of New Authorization Objects in DMS

Similar Messages

• New Authorization objects When Adding New tcodes

  Hi Guys
  I have two Identical R3 Productiosn Systems One is Called Prd and the Othe RPP.
  When Going into Pfcg on PRD and adding A tocde I.e Mi02. It  already has mi01 and mi03.the authorization tab chnages from green to Yellow,.When Going into The Authorization Tab,( option change authoirazation tab), there aer new authoiration object that has a yellwo status and needs to be filled in.
  When doing the same i.e go into Pfcg on RPP and adding A tocde I.e Mi02. It  already has mi01 and mi03.the authorization tab chnages from green to Yellow,.But when  Going into The Authorization Tab,( option change authoirazation tab), there are no new authorization object that has a yellwo status They are all greeen, but there are some with status updated.This looks right.
  Am I doing anything wrong,.I have not tried to go into the authorizatin tab with the expert option.
  Pls advise

  Hi Moods,
  Did you check the objects before adding MI02?
  Check with SU24 for objects in PRD and RPP if you have same objects then check as below.
  Check what new objects are comming up in PRD.
  Check for the Additional T-codes which are having the new objects which are populating in PRD.  if you have additional T-codes in PRD, then their may be chances of new objects populating
  If you check in authorization tab options with expert mode and choose merge with new data this might reslove the issue.
  Cheers
  Soma

• Adding new authorization objects to transactions

  Hi experts,
  i would like to add new authorization objects to specific transactions, for example the object K_CCA for checking the cost element in the transaction KB15N.
  What do we have to maintain, except the transaction code with (SU22). What do we have to do with the program behind the transaction?
  Is it "just" adding two line of code into the auth object check in the program, similar or like described for client specific ABAP-programs???
  Any experiences on that?
  Regards
  Florian

  Hi,
  First add the objects in DSO then in Info Cube.
  Map the same with transformation.
  Move the objects to production then DSO.
  Load the DSO first. then delete the data from cube in production.
  Now move the modified cube and transformation to production.
  Now load the Cube from DSO.
  No need to change any thing in existing query.
  I hope this will help.
  Thanks,
  S

• Query on new Authorization Objects after Upgrade&SAP_NEW profile

  Dear Experts,
  We have upgraded our system from 4.5 to 7.0 version,  i  was checking what are the new authorization Objects  introduced after upgrade comparing older system ojects.  I got few objects which are new in upgraded system,
  But when i check SAP_NEW profile,   and in the latest profile SAP_NEW_7000 profile i can not see all those new Ojects which are new.
  generally SAP_NEW should contain all new objects which come after upgrade?  i can see those in SAP_ALL  but not in SAP_NEW
  is there any issue  in system?  how should I know and where should i check what are the new Objects come in upgrade,
  Please advise.
  Thanks#Regards,
  Vijay

  Hi Jurjen Heeck ,
  see my previous post
  I did 'nt get this.
  SAP_NEW is your friend here
  does the SAP_NEW profile contains all the new authorization Objects.
  Regards,
  Anthony

• When to create new authorization objects

  Hi Experts,
  I am learning SAP Security.
  I have one question , what is the necessity of creating new authroization field and object , when SAP gives a huge list of objects /fields.
  Is there any reason behind like, whenever a customised transaction is created, a new authorization object or filed has to be created?
  Regards,
  Rekharaj

  Trick is to find not only a standard authorization object with the same field you are looking for, but an object already assigned to the users with those roles with the same semantic for all it's fields - so that you can simply reuse the existing concept which is also assigned to the sets of users.
  Often you will find "base" function modules and classes you can use to do all that work for you. Just call them at the correct location in the code and dont forget to check the return code and react to it.
  If you use BAPI APIs to access or process data, then many of them make these same semantically correct checks "out of the box".
  Cheers,
  Julius

• New Authorization Objects for latest releases

  Dear Colleagues,
  Do you happen to know how to find out the objects that should be added when using a role from a previous SAP version in a new one. That is, we have imported a role from a previous SAP version into our system and would like to update it with the latest objects. How should I find out which are the new objects?.
  Thanks in advance for your help.
  Best regards,
  CMPT

  Charles,
  If you role has transactions in the menu the new authorization objects will be pulled in when you go to change the authorizations (select read old and merge with new under expert mode).
  If the transactions are not in the menu you will need to do a compare of the usobt_c and usobx_c between the old and the new system.
  During new auth objects analysis is performed via transaction SU25.
  Cheers,
  Ben

• New Authorization Objects after system upgrade

  Hi All ,
  I require the list of all new Authorization Objects that have been added to the system after System Update.
  Regards
  Anthony D'souza

  Hi Jurjen Heeck ,
  see my previous post
  I did 'nt get this.
  SAP_NEW is your friend here
  does the SAP_NEW profile contains all the new authorization Objects.
  Regards,
  Anthony

• New Authorization Object within Role

  hi everybody,
  does anyone know how can i get New Authorization Objects for any Role for the new release that did not exist in the same Role from former release?
  tables AGR_1250 and AGR_1251 do not show if object is new for this role. they only show if object is new itself.
  thanks a lot,
  javier rubio

  pandu,
  se54 is not related with this topic.
  thank you very much for your answer, very hepful

• Add new authorization object for production order creation/change/display

  As mentioned. I definded new authorization object using "Production scheduler" (Field Name : FEVOR) by SU20. then use SU21/SU24 to add authorization object for some transaction code such as COOIS. use PFCG maintain new role and assign a  fixed production scheduler value and assgin transaction code COOIS to this role. create new user ID and assign to that role.
  logon system with new ID, run COOIS. but system don't check new authorization object(production scheduler). who can tell me why it is and how i can add new new authorization object for standard transaction code?
  Thanks.
  Kevin.WU

  Hi,
  there is an icon of generation.  just click there in PFCG and also in su21.
  then add this object in new role.
  Assign this role to user id
  while assigning the role also there is a generation.
  Please take a help of BASIS consultant also as this is entire a BASIS process.
  Regards
  Amit parkhi

• Creation of a new Authorization object

  Hi ,
  I need to create a new Authorization group and add three existing tables to it.
  Kindly suggest a way.
  Regards.

  Authorization Field
  Smallest unit in an authorization object. An authorization field either represents data, such as a key field in a database table, or activities, such as Read or Create. Activities are specified as identifiers, which are stored in the database table TACT and the customer-specific table TACTZ.
  Maintenance using transaction SU20.
  Authorization Object
  Repository object that forms the basis for authorizations. An authorization object comprises up to 10 authorization fields. The combination of authorization fields, which represent data and activities, is used for authorization assignment and to check authorizations. Authorization objects are grouped together in authorization classes.
  Maintenance using transaction SU21.
  Authorization
  Enter in the user master record or part of an authorization profile. An authorization comprises complete or generic values for the authorization fields in an authorization object. The combination determines the activities with which a user can access certain data.
  Maintenance in transaction SU03 or generation from transaction PFCG (profile generator for role maintenance).
  Authorization Profile
  Grouping of several individual authorizations or further authorization profiles. Can be entered in the user master record instead of individual authorizations. An authorization can be assigned to authorization profiles as often as you wish.
  Maintenance in transaction SU02 or generation from transaction PFCG (profile generator for role maintenance).

• Implement new authorization object in MRBR (SU24)

  Hi,
  I'd like to add a new authorization check in transaction MRBR.
  I tried with SU24 -> MRBR -> adding object M_RECH_BUK with "CM" check ID.
  When testing : nothing appened (no check made).
  After reading all SDN posts about SU24, i think i'd to implement an "authority-check" on M_RECH_BUK in MRBR coding. And i don't like this....
  Do you think i can do this check in MRBR using user-exit ?
  Thanks a lot for your response.
  Etienne

  Hi,
  Below are the User-Exits for the T.CODE MRBR
  Exit Name           Description                                                                               
  <b>LMR1M001</b>            User exits in Logistics Invoice Verification                 
  <b>LMR1M002</b>            Account grouping for GR/IR account maintenance               
  <b>LMR1M003</b>            Number assignment in Logistics Invoice Verification          
  <b>LMR1M004</b>            Logistics Invoice Verification: item text for follow-on docs 
  <b>LMR1M005</b>            Logistics Inv. Verification: Release Parked Doc. for Posting 
  <b>LMR1M006</b>            Logistics Invoice Verification: Process XML Invoice          
  <b>MRMH0001</b>            Logistics Invoice Verification: ERS procedure                
  <b>MRMH0002</b>            Logistics Invoice Verification: EDI inbound                  
  <b>MRMH0003</b>            Logistics Invoice Verification: Revaluation/RAP              
  <b>MRMN0001</b>            Message output and creation: Logistics Invoice Verification  
  it is better if you write a Field exit on the Field <b>M_RECH_BUK</b>
  For the Field exits,
  http://www.sapgenie.com/abap/fieldexits.htm
  http://www.sap-img.com/abap/field-exits-smod-cmod-questions-and-answers.htm
  Thanks
  Sudheer

• Authorization object of DMS Document Number

  i need to limit access of users on range of document .
  for example  :
  i have created document type ZFI with number range 100 to 500
  i need grant the access of a specific user to range from 100 to 300 only .
  How can i do that ?
  i need to know the authorization object of Document number .

  Hi Reda,
  You can use ACL authorization, There is the only option available to control authorization at document level.
  The task for doing the same will take time if the documents are more, I hope there is some standard FM for ACL , try using the same and let me know the results.
  Rgds,
  Nayeem.

• How to Use new Authorization Objects

  Hi guys i need to implement the new schema of authorizations and i have created an authrization and add the 0comp_code characteristic (previously i set i it up as authorization relevant) and i need to add the restrictions for infoprovider but i need to add the new infoobjects 0TCAIPROV, 0TCAACTVT, 0TCAVALID, but this infoobjects i ve activated are not authorization relevant and i am not using them in any infocube, thats the reason why i cant use them in an authorization.....
  Do i need to add them in my infocube or theres another configuration in order to use them?
  Regards

  Hello Oscar,
  You do not have to add the 0TCA* characteristics to your InfoCube. Instead you have to set these characteristics to authorization relevant. Then everything should work as intended.
  General information on how to use the new analysis authorizations can be found here: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144
  Kind regards,
  Stefan

• Creation of Authorization Object

  Dear All,
  Can anyone of you guide me on how to create Authorization Object?
  My Knowledge on this concept:-
  1) Mark required object as Authorization Relevant
  2) Use of T-code RSSM
  3) Select marked Authorization Object
  4) Assign fields to it, for authorization.
  thats all i know.
  There are few more additional settings we need to do for it.
  Request you to provide with step by step procedure for the same.
  Thanks & Rgds,
  Anup

  hi
  To create an authorization object:
  1) Execute transaction SU21
  2) Double-click an Object Class to select a class that should contain
  your new auth object
  3) Click on CREATE (F5)
  4) (If creating custom field) - Click the 'Field Maintenance' button -->
  Click on CREATE (Shift+F1)
  5) Enter the Name for the New Authorization field and the corresponding
  Data Element and SAVE
  6) Confirm the Change Request data for the new Authorization Field
  7) Go back two screens (F3-->F3)
  8) Enter the Authorization field name and document the object:
  9) SAVE and ACTIVATE the documentation
  10) Save the new Authorization Object
  11) Confirm the change request data for the Authorization Object and
  EXIT SU21
  12) Finally, the SAP_ALL profile must be re-generated
  the following link will be helpful
  http://209.85.175.104/search?q=cache:BigTSV4_olEJ:www.gingle.com/glenaccess%255CsdnAuthorizationObjectsimple.docHowtocreatauthorisation+object&hl=en&ct=clnk&cd=10&gl=in
  http://aroundsap.blogspot.com/2008/02/sap-bw-70bi-70-new-authorization.html
  Use of T-code RSSM
  Through BIW Authorizations (TCode RSSM)
  Authorization check log. This gives information on
  missing authorizations for reading data.

• TCT* Info objects and Authorization objects

  When defining an authorisation object do I need to include TCT* info objects as fields in the authorisation object and if so why and which ones are required - if this is different for different scenario could someone elaborate? Thanks

  Hi,
  yes... you need to include the TCT fields as you would like to restrict the users based on the infoproviders and the time duration.
  Since in any organozation you have many type of users like the super users who can access anything...end users who have access to areas related to them only and may be some other kind as well.
  Suppose if a user is beloging to FICO department and he is only suppose to use the reports based on GL cubes then you will create an authorization object where you will give the values for authorization relavent objects like company codes,sales org and additionally you will maintain the value for the cube in 0TCAIPROV field.
  when you assign the user to this object he will only see the data in the queries based on the FICO cube and that too for the company codes specified in the authorization object.
  Now if there is another user who can see the data for all the company codes and all the areas but only for certain duration then you will create a new authorization object where you will not give any values for any object but will keep it as * but will maintain 0TCAVALID objects and give the validity period here.
  Thanks
  Ajeet