Authority check error + su53 + autho object

Hello,
My userid is having misising authorization for one authorization object. We have the authorization object, but it is not included in any profile / role.
Please advice me how the authority check works?
Where do we need to inlcude the authority object , In a role or profile?
Thanks and regards,
Anand

please send a screen shot of your SU53 to your SAP security team - they will know what to do with it.

Similar Messages

  • Troubleshooting through Authority check

    Hello All,
    Please let me know the procedure for troubleshooting at programming level. I understand, we have to go thru SE38 then authority check but, I want to know the correct program name for authority check at the auth.object level , the tcode level and steps after executing the program.
    Regard's
    Salman

    >
    > Can We do troubleshooting at the programming level ? If yes, then please let me know the steps to proceed.
    >
    Seems your requirement is to find out the meaning and requirement of Authority Check.
    You know each Transaction Codes consist of several screens through which we used to navigate by clicking some buttons. These screens are basically represented by separate programs called Dynpro (Dynamic Program). You know the Authorization Objects are the control point of measuring access to a user. These Objects are not checked for their values just because you see them in SU24 or in USOBT_C. They are basically checked by a typical ABAP program statement called "AUTHORITY-CHECK".
    Now if you want to see the AUTHORITY-CHECK statements involved for a specific TCode: You can do this by using the report RSABAPSC.
    Regards,
    Dipanjan

  • Incorrect authorization object is checked in SU53. SU53 checks the wrong BP

    Hi all,
    I am setting up a new user and a new role in CRM 4.0.
    When coming to BP maintenance I get some frustrating errors.
    I have created a role with BP and SU53 transaction codes assigned.
    I have given the authorization to two BP roles:
    - 000000 (BP General) Activity: Display
    - ZCRM41 (Potential customer) Activity: Display and Edit.
    I can display the BP role '000000' but when trying to change to BP role 'ZCRM41' I get No authorization.
    SU53 indicates that I am trying to enter another BP role than ZCRM41.
    As a result no authorization is given. If I add the BP role the SU53 indicates and retry SU53 another BP role is checked and so on...
    Anyone who knows what is wrong?
    Points will be rewared!
    Thanks,
    //anders

    Hello Anders,
    Thanks for providing me the details. Now I am clear abt the problem.
    This is a sort of puzzling tome. Such a behavior should not happen. It can happen only:
    a) In SU53, are you seeing the role 'ZCRM41' and customer role as an additional check? If this is the case, there might be some dependency assigned like role groupings (check in SPRO under business partner if these two roles form a role) or if there is any functional dependency.
    b) Also make sure that you have assigned and generated the right profile for the role. Some time in a hurry we might miss to cross check this.
    c) For business partners, the role authority check is done inside function module BUP_BUPA_EVENT_AUTH1. We need to debug here to find cause for this problem.
    Hope this helps.
    Regards, Sudheer.

  • System error - User not authorized to access requested Info Object!

    Hi, Experts,
    I have a user ID begin with S***, but when I click some links, the following message shows:
    "System error - User not authorized to access requested Info Object!"
    How could I have authorization to see these links?
    Thanks!
    Lorrie

    Hi Lorrie,
    If you are a superuser, you should not get this error.
    If not, you can not change any autohorizations.
    Check it out.  For your job, you have to be a super user.
    Thanks,
    Gordon

  • Error Individual check for creating the object WBS Element required

    Hi Expert,
    I've a requirement to create WBS elements using BAPI. And I am using BAPIs in the following manner.
    CALL FUNCTION 'BAPI_PS_INITIALIZATION'
    CALL FUNCTION 'BAPI_BUS2054_CREATE_MULTI'
    EXPORTING
    i_project_definition = g_pdwbs
    TABLES
    it_wbs_element = it_wbs_element
    et_return = it_return
    EXTENSIONIN =
    EXTENSIONOUT =
    CALL FUNCTION 'BAPI_PS_PRECOMMIT'
    CALL FUNCTION 'BAPI_TRANSACTION_COMMIT'.
    When I do so I am getting the below errors. Please suggest.
    "Individual check for creating the object WBS Element C-497082 required ".
    "Individual check for creating the object WBS Element C-497082-0001 required".
    Please suggest how to correct this error.

    Hi Karthikeya,
    I think the project profile which you are using has a different mask and the WBS element you are passing is different to the BAPI.
    Are you able to create manually from CJ01 using the same WBS element?
    Create a project manually and it will give the list of the mandatory fields set in the config. Using that list populate the BAPI struture accordingly.
    Hope this helps.
    Thanks
    Lakshman.

  • Authority-Check Object for PLANT(WERKS)?

    Hi Experts,
    By using "V_VBAK_VKO" Authority Object am checking the user Authentication against the sales area(Sales OrgDistr. ChannelDivision) in my custom report. Below is the code,
    AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
        ID 'VKORG' FIELD s_vkorg
        ID 'VTWEG' FIELD s_vtweg
        ID 'SPART' FIELD s_spart
        ID 'ACTVT' FIELD '01'
        ID 'ACTVT' FIELD '02'.
    (Note: My report is for SD/OTC module)
    I also need to check the authenmtication of user against entered PLANT (WERKS) in selection screen, so, pls. let me know that  What is the Authority-Check Object for PLANT(WERKS)
    Thank you

    Hi,
    Transaction SU20, search for WERKS.
    When you find it, double click on the row, in the bottom half of the resulting screen there is a list of authorisation objects that contain the field.
    Unfortunately, you can't navigate from this list into the definition of the objects, so you'll need to cross-reference against transaction SU21.
    Regards,
    Nick

  • How to create authority check object and assign to  ztcode which is of modu

    Dear ,
             how to create authority check object and assign to  ztcode which is of custom module pool program.its urgent kindly help points rewarded.

    Manoj,
    You can check with your Basis team to create authorisation object and assigining tcodes to the user profiles.
    K.Kiran.

  • With regard to lock object and authority check

    hi all
    i would like to know about lock object and authority check specifically in reports. there is a coding in sap library with regard to authority check, but there is no coding to restrict user (i mean there is no user names that the object is restricting for a particular user or any user has got permission to change or display object). 
    further, the code mentions that you need an authorization in your user master record for the object, could any of u explain where is user master record.
    below is the code for authority check.
    *&      Module  USER_COMMAND_0100  INPUT
    MODULE USER_COMMAND_0100 INPUT.
      CASE OK_CODE.
        WHEN 'SHOW'.
       AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD '*'
    ID 'ACTVT'  FIELD '03'.
       IF SY-SUBRC NE 0. MESSAGE E009. ENDIF.
       MODE = CON_SHOW.
       SELECT SINGLE * FROM  SPFLI
        WHERE  CARRID      = SPFLI-CARRID
        AND    CONNID      = SPFLI-CONNID.
       IF SY-SUBRC NE 0.
    MESSAGE E005 WITH SPFLI-CARRID SPFLI-CONNID.
       ENDIF.
       CLEAR OK_CODE.
       SET SCREEN 200.
        WHEN 'CHNG'.
       AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD '*'
    ID 'ACTVT'  FIELD '02'.
       IF SY-SUBRC NE 0. MESSAGE E010. ENDIF.
       MODE = CON_CHANGE.
       SELECT SINGLE * FROM  SPFLI
        WHERE  CARRID      = SPFLI-CARRID
        AND    CONNID      = SPFLI-CONNID.
       IF SY-SUBRC NE 0.
         MESSAGE E005 WITH SPFLI-CARRID SPFLI-CONNID.
       ENDIF.
       OLD_SPFLI = SPFLI.
       CLEAR OK_CODE.
       SET SCREEN 200.
      ENDCASE.
    ENDMODULE.                 " USER_COMMAND_0100  INPUT
    i thank u all for the help in advance.

    hi
    this might help
    REPORT YUSRLOCK NO STANDARD PAGE HEADING.
    TABLES: TRDIR, USR02.
    DATA: MARK,CNTR TYPE I,
          ACCNT LIKE USR02-ACCNT, ERDAT LIKE USR02-ERDAT,
          ANAME LIKE USR02-ANAME, CLI(3) VALUE 'AAA', SZIN TYPE I,
          SYDATUM LIKE SY-DATUM, FLAG(3).
    TABLES: UINFO.
    DATA: OPCODE TYPE X VALUE 2.
    DATA: BEGIN OF USR_TABL OCCURS 10.
            INCLUDE STRUCTURE UINFO.
    DATA: END OF USR_TABL.
    START-OF-SELECTION.
      CALL 'ThUsrInfo' ID 'OPCODE' FIELD OPCODE
        ID 'TAB' FIELD USR_TABL-SYS.
      SELECT * FROM USR02 CLIENT SPECIFIED ORDER BY MANDT BNAME.
        IF USR02-MANDT <> CLI.
          SZIN = SZIN + 1. SZIN = SZIN MOD 2.
          CLI = USR02-MANDT.
        ENDIF.
        IF USR02-UFLAG = 0.
          MARK = ' '.
        ELSE.
          MARK = 'X'.
        ENDIF.
        CLEAR FLAG.
        LOOP AT USR_TABL.
          IF USR_TABL-BNAME = USR02-BNAME AND USR_TABL-MANDT = USR02-MANDT.
            FLAG = '!!!'.
          ENDIF.
        ENDLOOP.
        SYDATUM = SY-DATUM - 30.
        IF SYDATUM < USR02-TRDAT.
          IF SZIN = 0.
            WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 2,
                  ' ',USR02-MANDT COLOR 2,
                  '   ',USR02-USTYP COLOR 2,
                  ' ',USR02-TRDAT COLOR 2, USR02-LTIME COLOR 2,
                  ' ',FLAG COLOR 6.
          ELSE.
            WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 3,
                  ' ',USR02-MANDT COLOR 2,
                  '   ',USR02-USTYP COLOR 2,
                  ' ',USR02-TRDAT COLOR 2, USR02-LTIME COLOR 2,
                  ' ',FLAG COLOR 6.
          ENDIF.
        ELSE.
          IF SZIN = 0.
            WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 2,
                  ' ',USR02-MANDT COLOR 2,
                  '   ',USR02-USTYP COLOR 2,
                  ' ',USR02-TRDAT COLOR 4, USR02-LTIME COLOR 4,
                  ' ',FLAG COLOR 6.
          ELSE.
            WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 3,
                  ' ',USR02-MANDT COLOR 2,
                  '   ',USR02-USTYP COLOR 2,
                  ' ',USR02-TRDAT COLOR 4, USR02-LTIME COLOR 4,
                  ' ',FLAG COLOR 6.
          ENDIF.
        ENDIF.
        HIDE: USR02-BNAME, USR02-MANDT.
      ENDSELECT.
      CLEAR USR02.
    TOP-OF-PAGE.
    WRITE:/ 'LOCK   USER         CLIENT  TYPE     LAST lOGIN     ' COLOR 6.
      SKIP.
    AT USER-COMMAND.
      IF SY-UCOMM = 'SEL'.
        DO.
          CLEAR MARK.
          READ LINE SY-INDEX FIELD VALUE MARK.
          IF SY-SUBRC NE 0.  EXIT. ENDIF.
          IF USR02-BNAME IS INITIAL.CONTINUE.ENDIF.
          SELECT SINGLE * FROM USR02 CLIENT SPECIFIED WHERE
          MANDT = USR02-MANDT AND BNAME = USR02-BNAME.
          IF MARK = 'X' AND USR02-UFLAG = 0.
            USR02-UFLAG = 64.
            UPDATE USR02 CLIENT SPECIFIED SET: UFLAG = 64 WHERE
            MANDT = USR02-MANDT AND
            BNAME = USR02-BNAME.
            COMMIT WORK.
          ENDIF.
          IF MARK = ' ' AND USR02-UFLAG = 64.
            USR02-UFLAG = 0.
            UPDATE USR02 CLIENT SPECIFIED SET: UFLAG = 0 WHERE
            MANDT = USR02-MANDT AND
            BNAME = USR02-BNAME.
            COMMIT WORK.
          ENDIF.
        ENDDO.
        CLEAR USR02.
      ENDIF.
    regards
    Arun

  • Plz tell me how to create authority check objects and how to usein prg

    dear sir,
    plz tell me how to create authority check objects and how to usein prg

    http://help.sap.com/saphelp_46c/helpdata/en/5c/deaa74d3d411d3970a0000e82de14a/content.htm
    http://help.sap.com/saphelp_nw70/helpdata/en/52/6716a6439b11d1896f0000e8322d00/content.ht
    Create custom authorization – Customer specific object
    If you have requirements that cannot be met using the P_ORGIN and P_ORGXX authorization objects (for example, because you want to build your authorization checks on additional fields of the Organizational Assignment infotype (0001) that are customer-specific), you can include an authorization object in the authorization checks yourself.
    Create the authorization object using transaction SU21. Make sure you keep to the customer name range (Z/Y). To be able to use the new authorization object you have created in the master data authorization check, the object must contain the INFTY, SUBTY, and AUTHC fields. You can use any of the fields of the Organizational Assignment infotype (0001) for the other fields. You can also use customer-specific additional fields provided they are CHAR or NUMC type fields.
    After you have created the object, you must start the RPUACG00 report. This report overwrites the MPPAUTZZ standard include with the code that is needed to evaluate the authorization object you created. Note: Technically speaking, this involves a modification. However, SAP fully supports this procedure. And you should not have more maintenance work as a result of this modification.
              Note: that if you use customer-specific authorization objects, you must maintain these objects in transaction SU24 (Maintain Assignment of Authorization Objects to Transactions) in the same way as you maintain the authorization objects P_ORGIN, P_ORGXX, and P_PERNR
    AUTHORITY CHECK OBJECT Object_name
                ID fieldname1 FIELD fieldvalue1
                ID fieldname2 FIELD fieldvalue2
                ID fieldname3 FIELD fieldvalue3.
                 If sy-subrc eq 0.   "Authorization exists
                 Endif.
    http://articles.techrepublic.com.com/5100-6329_11-5110893.html
    Edited by: JackandJay on Jan 16, 2008 10:21 AM

  • How to create Authority check object

    Hello Gurus,
    How to create Authority-check object 'ZABC'
                                                             ID 'TABLE' FIELD 'ZTABLE'.
    Please tell me detailed procedure.
    Thanks in advance.
    Best Regards,
    zubera

    Dear Zubera,
    Creating Authorization Fields
    In authorization objects, authorization fields represent the values to be tested during authorization checks.
    To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects ® Fields.
    To create a authorization field:
    1. Choose Create authorization field.
    2. On the next screen, enter the name of the field. Field names    must be unique and must begin with the letter Y or Z.
    3. Assign a data element from the ABAP Dictionary to the field.
    4. If desired, enter a check table for the possible entries. For    more information about check tables.
    For more information about AUTHORITY-CHECK, see the keyword documentation of the ABAP Editor.
    You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.
    Assigning an Authorization Object to an Object Class
    Each authorization object must be assigned to an object class when it is created.
    Choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Objects.
    You can also create authorization objects in the Object Navigator (SE80).
    Creating / Choosing Object Classes
    The system displays a list of existing object classes.
    Object classes are organized according to the components of the system.
    Before you can create a new object, you must define the object class for the component in which you are working. The objects are not overwritten when you install new releases.
    You can also define your own object classes. If you do so, select class names that begin with Y or Z to avoid conflicts with SAP names.
    Creating an Object
    Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects.
    You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and create documentation for it.
    Ensure that the object definition matches the AUTHORITY-CHECK calls that refer to the object.
    Do not change or delete authorization objects defined by SAP. This disables SAP programs that use the objects.
    You can regenerate the profile SAP_ALL after creating an authorization object.
    Best Regards,
    Rajesh
    Please reward points if found helpful.

  • About authority-check object 'M_MATE_WGR'

    hi all
          I have a problem about authority-check object 'M_MATE_WGR'. the detail is bleow:
    Read table T023 where the material group is in select option s_matkl. Then loop at the results and check for every found material group. If the user is authorized to use it with the ABAP statement AUTHORITY-CHECK with object M_MATE_WGR with parameters ACTVT = ‘03’ (display) and BEGRU = ‘the material group’. When the user is allowed to use it, store it in an internal table and continue with the remaining materials groups from T023. When the user is not allowed to use it, set the status flag to X and don’t save the current material group in the internal table.
    After all checks have been done, empty the select option s_matkl. Loop over the internal table with the allowed material groups and fill up the select option s_matkl again with these records.
    Thank you in advance .
    Nick

    You are on the right track. Authorization object M_MATE_WGR checks the Authorization Group (BEGRU) not the Material Group. You read table T023 with the Material Group to get the Authorization Group.
    Step 1: Read table T023 where MATKL = the Material Group you want to check authorization.
    Step 2: Retreive the value in field BEGRU from the record in table T023. Use the value in T023-BEGRU to pass to the AUTHORITY-CHECK object M_MATE_WGR.
    Hope that helps.

  • How to debug a authority check in program and a authorisation object in tco

    Can anyone tell me how to debug a authority check in program and a authorisation object in tcode
    i just want to know the flow of authorisation object in debugging how user is assocaited with authorisation object and roles.
    i know if sy-subrc ne 0 is authorisation failed ,so please help me anyone on this.
    every time when i put breakpoint ,if its program level only, i am able to decide only through sy-subrc but iam unable o view the flow .

    flow cannot be seen, we have to be based on sy-subrc only...
    you cannot see the flow in read table... describe table... transfer...
    the authorization object will be assigned to the data element, that data element has some realtion to the roles given to the users. So if the role of the user and data element value doesnt match the sy-subrc NE 0.

  • Securing action box items with authority-check object

    In a 4.6c environment I have setup action box items for various sm and QM notifications.
    I would like to secure some of the action box items that their execution is only allowed by authorized personnel using authority-check objects.
    Is there a way to secure the action box item by the item number? If not the action box items are using a function module. Maybe I could use the fm name in the authority-check.
    Any ideas would be greatly appreciated.

    Hi,
    just see these examples
    SAPTLIST_TREE_CONTROL_DEMO_HDR
    SAPTLIST_TREE_CONTROL_DEMO
    SAPTLIST_TREE_MODEL_DEMO
    and for getting a checkbox we have to repalce the icon what is there in the example program and handle the checked and unchecked event for the checkbox.
    this can be achieved by using object oriented methods...
    reward if helpful
    rgds,
    Prajith
    Prajith

  • Reg:Authority Check object

    Dear All,
    I am calling two authority check object M_MATE_MAR  and M_MSEG_BMB in my report.
    Now for a user if i see the Role the second object  M_MSEG_BMB is maintained and the object M_MATE_MAR is not maintained.
    Now in my program for the object M_MATE_MAR(as it is not maintained),my sy-subrc is returning 12,hence check faing and for
    M_MSEG_BMB sy-subrc = 4 as check is failng.
    My requirement is the user should not see some movement types irrespective of the material ,
    If i pass a material in the selection screen report , movement type records are deleting fine along with that others are alos deleting becs of sy-subrc <> 0(sy-subrc = 12).so i get a blank report as output.
    so wht should be done in my case.
    Regards

    Hi Rajendra,
    When you hit F1 on the Authority-check,
    If Sy-subrc = 4, Authorization check not successful. One or several authorizations were indeed found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect or too many authorization fields were specified.
    If Sy-subrc = 12, No authorization was found for the authorization object in the user master record.
    When Sy-subrc = 24, Incorrect authorization fields or an incorrect number of authorization fields was found. This return value is no longer set since Release 6.20. Up to Release 4.6 it is set only if the profile parameter "auth/new_buffering" has a value less than 3.
    When sy-subrc = 40, An invalid user ID has been entered in user.
    Hope it helps.
    Sujay

  • Authority Check Object

    Hello Freinds,
    If there is a field from custamize table for exa.(Zmara-werks )then can we use standard authority check object? or should we create custamize authority object.
    Please guide me...........
    Thanks,
    Amar

    Hi ,
           To Find Authorization Object for a particular field, use TCode SU21. Click on Find button and enter the filed name to know the Authorization Object.
    If suitable combination of required fields is not found in Authorization objects, new objects need to be created. Use TCode SU21 to create new authorization objects. Click on Create Button and enter new object class name and press save button.

Maybe you are looking for

  • The host is not authorized to connect to this Backup Server

    Hi experts, I'm trying to connect to a remote backup server S2_BS running on VM2 from a data server S1 running on VM1. When I issued following command in isql 1> SYB_BACKUP...sp_who 2> go Msg 7221, Level 14, State 2: Server 'S1', Line 1: Login to sit

  • CURRENT_DATE  in EclipseLink/JPA

    When I use CURRENT_DATE in JPA queries for date comparisions, it seems to be taking time into consideration as well. So when I comapre a date with CURRENT_DATE, even though the date I am comparing is today's date, the results state that CURRENT_DATE

  • Unlocking a iphone bought in UK to use with local service provider

    I bought an iphone 4 when I was a student in London in 2011.  When my semester was finished, I moved back to my home in Colombia and would like to use it with my provider here.  How would I be able to release the lock so I can continue to use my phon

  • Problem in Services PO: Urgent

    Hi Experts, I have a big problem with the services PO. Issue is described as under. 1. One PO was created with Quantity of Services 28. (Price: 1000 INR) 2. The first SES was created for quantity of 4. 3. 2nd SES was created for the quantity 11. 4. I

  • Welcome page with out  any password pop up

    Hi All,   I have one req. that we have to make one BSP page in page with flow logic. And that page should not ask for any user id and password. Can you please  help me out? Thanks and regards, Kuldeep Verma