Association of authorization group with authorization object

Dear Colleagues,
We are using ECC 6.0 system. There is a transaction EMMAC2 wherein the user would pick the case categories & view/make changes as required in the cases.
However, we would like to have a user to pick only those case categories for which he/she is authorized & view/change the data.
This EMMAC2 is controlled by authorization object B_EMMA_CAS & this authorization object has field BRGRU (Authorization Group) along with ACTVT (activity).
We would like to control this via authorization groups.
We would like to create authorization groups based on case categories & those authorization groups would be assigned in this BRGRU field.
Meaning, the end result should be such that, when that new authorization group is added in BRGRU field & that role is assigned to an end user, the user should be able to see data only for those case categories for which the new authorization group has been created.
If I use SE54 to create authorization group, it automatically associates itself with authorization object S_TABU_DIS & this does not solve my purpose.
But we would like to create a new authorization group & associate it with authorization object B_EMMA_CAS.
Can someone please let me know the steps on how to achieve it or any other method to achieve it (for above underlined text)?
Does a developer or functional consultant also need to be involved in this?
PS: I tried to search in Google & our forums but could not get any answers

Dear Aninda,
Thanks for the help.
I created an auth group via SE16 in table TBRG & associated it to B_EMMA_CAS.
A case category was then assigned to this auth group.
We tested it - below are the results:
1. The user is allowed to 'change' and 'display' the case for the case category for which the user is authorized: this works as per requirement.
2. The user is not allowed to 'change' case for the case category for which the user is not authorized: this works as per requirement.
3. However, he is able to 'display' cases for the case category for which the user is not authorized: this we do not want.
If I remove activity 03 (display), then the user is unable to display the case for the case category for which the user is authorized.
How to resolve this?

Similar Messages

  • Object-group with network-object containing an IP address range

    Hello,
    Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
    object-group network test
    network-object 192.168.0.0 192.168.63.255
    network-object-group mode commands/options:
      A.B.C.D  Enter an IPv4 network mask
    sh run ob id test
    object-group network test
    network-object 192.168.0.0 192.168.63.255
    I found that in the documentation it requires a netmask as opposed to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly. Thank you.
    -John

    Hello,
    Thank you for your replies. In code version 8.0(5)23, it appears I am able to define a "range" of IP addresses as in:
    192.168.0.0 192.168.63.255 as opposed to defining a range with a netmask like 192.168.0.0 255.255.192.0.
    With the "range" of IP address applied to the "object-group network test" with sub command "network-object 192.168.0.0 192.168.63.255" the ASA does not pick up on said "range" when this object group is applied to a DENY access list. It only reads it properly when the netmask is attached, which is the correct configuration, as in: "network-object 192.168.0.0 255.255.192.0".
    To clarify, I mean range as in 192.168.0.0 - 192.168.63.255.
    Hope this helps to understand. I am just curious as to why this is even able to be applied in such a way or if it is a bug in this particular code version? I can also confirm that this can be done in code version 8.4(2). See below snippets of my configuration in the 8.4(2) code version:
    access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8
      access-list 101 line 3 extended deny ip 192.168.0.0 192.168.63.255 any (hitcnt=0) 0x0623b0c4
    access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd
    Packet trace results in allowing the "range" of IP address:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: dmztest
    output-status: up
    output-line-status: up
    Action: allow
    Now with the "correct" configuration:
    access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8
      access-list 101 line 3 extended deny ip 192.168.0.0 255.255.192.0 any (hitcnt=1) 0xa31c6bbd
    access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: dmztest
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    Thank you.
    -John
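
An added example (not part of the original posts, and not Cisco tooling): a Python check that scans ASA-style configuration text for `network-object` lines whose second field is not a contiguous netmask, which is the mistake described in the thread above, and proposes the equivalent address/netmask lines. The sample configuration is constructed from the lines quoted in the post; the group `odd` and its range are made up for illustration.

```python
import ipaddress
import re

# Constructed sample, modelled on the configuration quoted in the post.
SAMPLE_CONFIG = """\
object-group network test
 network-object 192.168.0.0 192.168.63.255
object-group network testmask
 network-object 192.168.0.0 255.255.192.0
 network-object host 10.1.1.1
object-group network odd
 network-object 10.0.0.0 10.0.2.255
"""

# Matches only the "address mask" form; "host x.x.x.x" lines are ignored.
NETOBJ = re.compile(
    r"^\s*network-object\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)


def is_contiguous_mask(mask: str) -> bool:
    """True if the dotted quad is a run of 1-bits followed only by 0-bits."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    # A valid wildcard (inverted mask) has the form 2**n - 1.
    return (inverted & (inverted + 1)) == 0


def audit(config: str):
    """Return one finding per network-object whose second field is not a netmask."""
    findings = []
    group = None
    for lineno, line in enumerate(config.splitlines(), 1):
        if line.startswith("object-group network "):
            group = line.split()[2]
            continue
        match = NETOBJ.match(line)
        if not match:
            continue
        addr, second = match.groups()
        if is_contiguous_mask(second):
            continue
        # The second field looks like the end of a range: propose the
        # smallest set of address/netmask pairs covering start..end.
        first_ip = ipaddress.IPv4Address(addr)
        last_ip = ipaddress.IPv4Address(second)
        suggest = []
        if first_ip <= last_ip:
            suggest = [
                f"network-object {net.network_address} {net.netmask}"
                for net in ipaddress.summarize_address_range(first_ip, last_ip)
            ]
        findings.append(
            {"line": lineno, "group": group, "entry": line.strip(), "suggest": suggest}
        )
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f['line']} ({f['group']}): {f['entry']}")
        for s in f["suggest"]:
            print(f"    use: {s}")
```

A deny rule built on a flagged entry should be re-tested with packet-tracer after the correction, as the poster did.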

  • Can a shape be grouped with an object?

    Is there any way to group a shape such as a line with arrowhead to an object? The intent is that the line overlay the object and point to a particular part of the object and that both should move with the text without the relationship between them being altered. I can place the two appropriately in the first instance but seem unable to select both at once or to group them to prevent the relationship being lost when the text moves.

    I'm glad you got it figured out & shared the solution. It will help others who come along. That didn't dawn on me at the time. It doesn't work to have one move with text & the other fixed on page as they are in different layers in the document.

  • Links don't work when grouped with a object

    I am trying to create links on a element that will slide; however, when I group my link box to the image I created in Sketch I can no longer click the link. Is there a way to fix this?  Thank you.

    When objects are grouped, the group act as a single object, that's the reason for grouping. You can add a single link to a grouped object, but only one link. Any links added to individual objects will not action when they are grouped.
    If you want to link to multiple slides, you will need to keep any objects that include a link, ungrouped, I've never found a problem doing this.

  • Authorization Group in T-Code: OB52

    Hi,
    I need to maintain 2 Auth. Groups in T-Code: OB52; my requirement is below:
    some users (nearly 25) need to post the transaction in June Month and some users (nearly 10) should only post for selected GL in the month of June.
    So we decided to create two roles and assign the Auth Group in F_BKPF_BUP Auth. group. But I need to know whether the system will allow assigning two Auth. Groups for one Company code (i.e., 2 Auth. Groups and all common users).
    Please revert ASAP.
    Regards
    JS

    The help on AuGr field in OB52 is good.  Here it is
    Authorization Group
    The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. The authorization groups usually occur in authorization objects together with an activity.
    Use
    A posting period can be made available to only a limited set of users using the authorization group.
    Procedure
    If only a limited set of users is to be able to post in a particular posting period, proceed as follows:
    Add the posting period authorization (authorization object F_BKPF_BUP) to the authorizations of the selected users. Assign an authorization group (e.g. '0001').
    Enter the account type '+' for the posting period variant to which the restriction is to apply. Enter the period(s) whose use is to be restricted in the first period, those which are available to all users in the second period, and the authorization group (e.g. '0001') in the last column.
    Examples
    A posting period can be successively restricted. If, e.g. 10 users have the posting period authorization with authorization group '0001', and 3 of these 10 users also with authorization group '0002'.
    If the period is only to be accessible to the 10 selected users the authorization group '0001' is entered in the posting period variant. Access can later be restricted to the remaining 3 users by entering '0002'.
    I guess your requirement can very well be met, as explained in the example above.  Also implement the following SAP Note to be able to assign the authorization group at document header level (account type '+') and at line item level in Transaction OB52.
    https://service.sap.com/sap/support/notes/891505
    Srikanth
    PS: I have seen in a reply above that AuGr controls only special periods, which is not a correct statement.  AuGr controls postings in the period specified in From per.1/Year To period/Year in OB52.

  • Problem with authorization M_MATE_MAT

    Hi guys,
    I have created an authorization role with authorization object M_MATE_MAT
    and I put the value of begru = COMM, but when I display the PR, the search help still displays all material groups even when the authorization group is not COMM. Is there anything that I missed out? Please help.

    Hello
    No, you did not miss anything out.
    But authorizations usually do not restrict the values displayed in search helps.
    Regards
      Uwe

  • Reg:authorization group

    Hi Experts,
    I want to know what authorization groups are and what the link between authorization group and authorization object is, and in which table I can find authorization groups.

    Hi ,
    An authorization group contains tables and views with the same security requirements.
    For details on authority object read the link below :
    http://help.sap.com/saphelp_46c/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/frameset.htm
    Regards,
    Vartika

  • Multiple Authorization groups to be used in OB52 for a single company code

    Hello All,
    I need help in creating and assigning authorization groups in Transaction Code: OB52 to control the postings of a few users in one authorization group. That is, I want some users to post in 2 back periods and others in only 1 back period. I have tried from my side and it is still not working.
    I followed the following step:
    I have created 2 groups and assigned the users accordingly, but the thing is I am only able to find 1 field for entering the authorization group.
    If there is anything I am missing or if I have done something wrong in this process, please help me.
    Please provide me the logic of how to use two authorization groups with one field.
    Best Regards,
    Ravi
    Edited by: Ravi Eddhula Reddy Kumar on Apr 3, 2011 1:01 PM

    Hi,
    Try with this possibility:
    In OB52 create two rows.
    Assign the required periods for Group A in Row 1.
    Assign the required periods for Group B in Row 2.
    Regards
    Prasad

  • Assigning of authorization object to authorization group

    I have created an authorization object and I have assigned this to an already existing authorization group. I would like to assign the authorization object to a new authorization group. Please confirm how to create an authorization group and assign an authorization object to this new authorization group.

    Hi,
    I have got a PDF related to this.
    I shall send that to you if I can get your mail ID.
    I too haven't tried this. I don't have any authorizations to do with my server.
    Please follow the following steps:
    1. Create a user (for example for SAP DEV, TEST, or PRD systems).
    2. Open the SAP Profile Generator (transaction PFCG) available in SAP R/3 versions 4.6 and above.
    3. Create an Activity group (Role since SAP 4.6C), for example ZBODI_ROLE.
    4. Enter a description for the role.
    5. Go to the Authorizations tab and click Change authorization data.
    6. On the Change Role: Authorizations screen, click the Manually toolbar icon.
    7. The Manual Selection of Authorizations window opens.
    8. Type in the following authorization objects.
    S_ADMI_FCD*
    S_BTCH_JOB
    S_DEVELOP*
    S_DATASET
    S_PATH
    S_RFC
    S_TABU_DIS
    S_TCODE
    S_RS_ADMWB — for SAP BW
    9. Click OK
    10. Return to the Change Role: Authorizations screen.
    11. Manually configure components by entering the values  that support Data Integrator operations include:
    • Administration
    • Batch
    • BW loading
    • Development
    • File access
    • File system access
    • RFC calls
    • RFC calls in BW
    • Table source access
    • Transactions
    12. To complete the security profile, click the Back icon (or press F3), select
    the User tab, enter your SAP user ID for Data Integrator and click the Save icon.
    Regards,
    Sailaja.

  • ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

    Hello guys, I have found a problem which I can't solve regarding authorization with using Identity Groups in Access Policy rule.
    ACS version: 5.3.0.40.6 (internal build B.839)
    I have very simple RADIUS Authorization rule which authorize user on behalf of right Identity Group.
    Requested Identity Group exist
    Testing user is created in Internal Users and has assigned requested Identity Group
    Radius Access Policy: 
    Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
    Authorization is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then Default rule is set to Deny.
    When I try to log in with my testing user then authentication against RSA SecurID is OK, but authorization is denied by the Default rule – it looks like my Rule with Identity Group is totally omitted.
    I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
    What I have tested:
    Remove testing user and create his account again.
    Rename Identity Group
    Use another Identity Group
    Remove Access Policy rule and create it again
    Use Compound Condition: System:Identity Group
    Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
    Do you have any idea where problem can be?

    OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistency which was solved by ACS itself.

  • Can an email address be a member of an LDAP group even if it isn't associated with an object in the Directory Server?

    Can an email address be a member of an LDAP group even if it isn't associated with an object in the Directory Server?

    General members of a group are the members defined in the
    Directory Server. They are full-fledged members of the group who
    may have a set of permissions associated with their membership,
    a title, or other attributes. Mail-specific users are users who
    are not full-fledged members of the group, but who receive mail
    sent to the group. Mail-specific users need not be identified as
    a user in the Directory Server--an email address is sufficient.
    An example of this is a group of salespeople, all of whom are in
    the group "North American Sales Team." They have access to a
    sales-tracking database, on-line quota information, and
    competitive information. The mail-specific users of this group
    are the admins who support the members of the sales team, who need
    to get the mail that goes out to the group, but don't need access
    to the applications and information that the salespeople do.

    Hey EllyK,
    Welcome to the BlackBerry Support Community Forums.
    Thanks for the question.
    I would suggest performing this workaround and then try to login to BlackBerry Link:
    Open BlackBerry World on the BlackBerry smartphone and sign in using the BlackBerry ID. 
    Connect the BlackBerry 10 smartphone to the computer. 
    Open BlackBerry Link
    Sign in using the BlackBerry ID. 
    Let me know if the issue still persists.
    Cheers.
    -ViciousFerret

  • Issue with authorization objects

    Hi,
    We are running on ECC 6 . There is an issue while adding t-codes to a role.
    When we add a transaction code in the Menu tab, for eg, a Z transaction code, it throws up a whole lot of open authorization objects under the authorization tab (open authorizations under FI, MM, so on). The open values proposed are all the default values in SU24. This happens even if we use the 'Read old status and merge with the new'. Our check indicator maintenance for all t-codes seem to be fine. Pls advise.
    Cheers!!

    > The default values (SU24 values) are once again populated if they were not maintained during the earlier maintenance.
    They are populated again if they were deleted during the earlier maintenance or are in a changed status of the original authorization where new values in SU24 are proposing something different.
    That is why you should never delete standard or maintained authorizations and try to avoid the copy & change strategy by maintaining SU24 to meet your needs.
    It sounds like SU24 is not as "fine" as you have stated beforehand.
    Cheers,
    Julius

  • BAPI to create bp with name, search term, address and Authorization Group

    Hi
      Which BAPI could be used to create a Business Partner (type organization) with names, search term, address and the Authorization Group field?
      ths

    Hello ,
    You can use : BAPI_BUPA_CREATE_FROM_DATA
    In case you need to update additional fragments just search in transaction code SE37 for BAPI_BUPA_*CREATE.
    For example BAPI_BUPA_FRG0040_CREATE - Create classification data for BP, etc.
    Additionally you can use XIF: CRMXIF_PARTNER_SAVE to create business partners.
    Rika

  • Where we check the authorization group & authorization object?

    Hi all,
    I have a std program & tcode like FB03. Now I want to know the authorization group & authorization object, so where do we check?
    Help me.
    thanks.
    Vipin

    Hi,
    Use transaction SU21 & SU22 for Auth Objects & Class

  • Cant use more than one authorization group per report with SBO CR Basic

    Can't use more than one authorization group per report with SBO CR Basic.
    I have installed on SAP Business One SBO 2007 SP00 PL49 the Crystal Reports Basic 2.0.0.7.
    I have defined two users, manager and supervisor.
    I have defined two groups, M and S.
    Manager belongs in managers (M), and supervisor is assigned to the supervisors (S).
    I enter one report, disable the public option to enable group authorization, and then check M group.
    Manager can see the report, but Supervisor is not allowed. So far good.
    Then I uncheck M, then check S in the report properties, and Manager can't get in, supervisor opens the report. So far good.
    But when we check both groups or more, only the M group authorization appears to work, and S group users can't access, even though the report is allowed for that group; this also happens with all the groups apart from the first (2nd, 3rd, 4th, etc.).
    It seems that a report can manage a single group, but I have to be sure to tell this to the customer.
    So far we have included all Manager users in the S group in order that only S group is used and authorized users can use it, but this is duplicating user participation in groups, and it would be much easier to check the desired groups for a single report.
