Authorization at module level

Dear experts,
We are in the blueprint phase and customization has not started yet.
Our project manager wants to have module-level authorization for all consultants.
I mean to say, an SD consultant should be able to do SPRO configuration only in SD; he/she must not be allowed to enter MM, FI or other modules.
I hope you understand my query; please help with this issue.
I am wondering whether it is possible or not, and even then, is this a best practice?
Thanks
SM

Dear Irfan,
You can follow the below process.
First, create a project in the IMG for the area that you want to restrict (tcode SPRO_ADMIN: create a project with a desired name and then select the components you want to use), like the SD, PP etc. you mentioned.
Then create a role using the following steps. On the Menu tab, select menu option Utilities->customizing auth... Click on Add and select IMG project. Select the project that you want to build a role for, and it will pull in all the respective transactions within that project node.
This is posted in reply to one of the past queries in this forum. Please search the forum for more details.
Regards,

Similar Messages

  • PM Organization Units Authorization on User Level

    Hello experts,
    Is there a way to add authorization for an organization unit (i.e. Planning Plant) on a user (SU01) level and not on an authorization object (PFCG) level?
    For example,
    I would like to create the following Role (profile):
    ZPM_AUT_EQM_EQUIPMENT_DISPLAY
    This role should be able to display equipment from the Plant Maintenance module.
    However our problem is, we would like to create authorization levels with organizational units for each user:
    For example:
    User jsmith has ZPM_AUT_EQM_EQUIPMENT_DISPLAY assigned but can only display equipment from Planning Plant SL01.
    We know we can create this authorization creating several roles, like:
    ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SL01
    ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SJ01
    ZPM_AUT_EQM_EQUIPMENT_DISPLAY_AG01
    but our idea is not to create several roles, but to assign the Planning Plant authorization on a user level and leave just one role so we would only need ZPM_AUT_EQM_EQUIPMENT_DISPLAY.
    Is there a way to do this?
    Thank you in advance for your replies.
    Best regards,
    Fernando Montenegro

    Hi ,
    Could you share your solution? I think I have faced the same problem as yours.

  • Organization Units Authorization on user level

    Hello experts,
    Is there a way to add authorization for an organization unit (i.e. Company Code) on a user (SU01) level and not on an authorization object (PFCG) level?
    For example,
    I would like to create the following Role (profile):
    ZFI_AP_REPORT_DISPLAY
    This role should be able to display AP report from the Financial module.
    However our problem is, we would like to create authorization levels with organizational units for each user:
    For example:
    User Anson has ZFI_AP_REPORT_DISPLAY assigned but can only display Report from Company Code 3202.
    We know we can create this authorization creating several roles, like:
    ZFI_AP_REPORT_DISPLAY_3201
    ZFI_AP_REPORT_DISPLAY_3202
    ZFI_AP_REPORT_DISPLAY_3203
    but our idea is not to create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.
    Is there a way to do this?
    Thank you in advance for your replies.
    Christine Tseng

    I agree with Jurjen.  There is no point creating a "new" authorisation concept for a few transactions.  If you use standard authorisation objects for the check in your custom tcodes then you will likely have very little work to do if you assign those tcodes to existing roles.
    Even using a custom auth object & creating the variants will take up no more time than doing something like repeating the variable functionality in BI or messing about with PIDs in the UMR (which I definitely do not recommend).  By sticking with the standard concept you ensure consistency, making it much easier to support and/or handover if you move on from the role.

  • How can I disable POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level.

    How can I disable the POST GOODS RECEIPT button in transactions VL31N/VL32N via authorization or role level? There is a requirement from my client and I propose two methods:
    1- Creation of a Z tcode ZVL32N and changes at ABAP program level
    2- Disablement via authorization/role level - but how can I find the auth object/authorization that corresponds to the POST GOODS RECEIPT button in VL32N?

    I think you can make use of SHD0 - Transaction variant to achieve this. You can make it as grayed out while recording steps in SHD0.

  • Restrict Authorization at Material level during production confirmation

    Hi SAP Gurus,
    I would like to ask if it's possible to restrict authorization at material level during production confirmation.
    Our scenario is that we have SFG and FG, which are handled by different groups of people but have the same Order Type. Now we want to restrict authorization such that one department can only confirm SFG and the other department can confirm FG only.
    Is it possible to set authorization at material type or production scheduler level? If not possible, is there another way except creation of a new Order Type?
    Thanks,
    Raymond

    Hi Raymond,
    Do you mean I should create a customized table for this?
    Yes
    Is there no standard way?
    As per my knowledge, you can control this through the production order type, so you need to create a separate order type for this.
    Thanks,
    Sankaran

  • Edit Authorization at Entity Level

    Problem: I am trying to Edit Authorization at entity level but my changes are not getting saved.
    Description:
    I have a use case where I want to make an entity read-only for a role defined in my jazn.
    To do so, I open my entity, and in the structure window, on right-clicking the entity name, I get the option to Edit Authorization.
    In the Edit Authorization window, I get the names of all the roles listed and options to select Read, Update and Delete in front of each role.
    When I select "Read" for the role for which I want only read access and close the Edit Authorization window, my changes are not saved.
    Does anyone know why this is happening? Or is there any other way I can restrict users of a specific role from changing the data for an entity?
    Thanks
    Vikas Kumar

    Hi,
    not sure what you mean by "changes are not saved". Are you saying they are physically not saved in that they don't show in the jazn-data.xml file? If so, then this sounds odd and you should file a bug. If it is only that authorization is not enforced, have a look at this video, as authorization on entities is a two-step task
    http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/AdfSecurity/AdfSecurity.html
    Frank

  • Why Module level trigger contains "WHEN-CHECKBOX-CHANGED" trigger in Forms 6i?

    Hi,
    Why does the Module level contain triggers like "WHEN-CHECKBOX-CHANGED", "WHEN-BUTTON-PRESSED" etc.? The "WHEN-CHECKBOX-CHANGED" trigger is present in CheckBox and the "WHEN-BUTTON-PRESSED" trigger in Button. Then why are these triggers also present in Module?
    Can anyone please clarify my doubt?

    There's a lot of triggers that are present at different "scopes". Like they exist at the item level, the block level,
    the module level...
    The idea is if you have an action that should only occur at that one single item it can do in the item trigger. If
    it's for all of them on the block, in the block level trigger. If for all of them ever, at the module level.
    For example suppose you wanted it to do a next_item after the trigger executed you can put that logic in the module
    level trigger. A key thing to notice here is the trigger hierarchy. That is essential to know about.
    Right click on one of these triggers in the object navigator. The execution hierarchy is override, before and after.
    Since each of these levels of the same trigger has this execution hierarchy, this is, well, potentially not easy to
    understand what is going to happen. I would typically have a per-item trigger be before and a higher level trigger
    be after.
    And this execution hierarchy thing is something I'd love to see enhanced in the gui. I wish it was a lot easier to see
    what the execution hierarchy is when editing a trigger text. I wish one could see and modify the execution hierarchy on the
    same screen as the trigger text and what would be really great is some way to tell how the trigger hierarchy will sort out
    at run time. For example if one is looking at an item level trigger it would be fabulous to know that as is, that trigger will be
    overridden by a higher level trigger and so on. Or vice versa if one is looking at a block level or form level trigger that it is
    overridden by a lower level trigger, or it will execute before or after some other trigger. I don't know what is defined to happen
    with various levels of triggers that have the same execution hierarchy. Like suppose they are all override,before,after.. then
    what happens? It'd be good to know.

  • Authorization at domain level

    Hi all ,
    I have a requirement wherein I have to put an authorization at domain level.
    The authorization group and object have been created.
    How do I find the exit where I can use these objects for the domain?
    Domain is BANKN.
    Please help.
    Thanks
    Supriya

    Hi all ,
    I have a requirement wherein I have to put an authorization at domain level.
    The authorization group and object have been created.
    Now I need to put an auth check on all the transactions that use this domain ...
    For example, in FK03, enter any vendor and company code, go to 'DISPLAY VENDOR : PAYMENT TRANSACTION'. If that user is authorized then he should be able to see the bank account number, else 'XXXXXXXXXX' ...
    This is the scenario.
    How do I find the exit where I can use these objects for the domain?
    Domain is BANKN.
    Please help.
    Thanks
    Supriya

  • DIR Authorization by Organizational Level

    Hi fellows!
    I would like to know if it is possible to restrict access to DIRs by organizational levels.
    Example: I need that if User A from plant 1234 creates a DIR type AAA number 0001, User B from plant 4567 should not have access to this DIR type AAA number 0001. I want users to be able to access only the DIRs created by the plant to which they have access.
    In the master roles of DMS I didn't find any object to help me in this scenario. I don't want to use the ACL to restrict access to the documents. I want this restriction to be done by authorization rules as in other areas.
    Can someone help me with some idea or case about this?
    Best Regards!
    Daniel
    Edited by: D Quintal on Nov 25, 2010 5:43 PM

    Hi Daniel,
    It's quite possible to achieve your requirement.
    There is a field called 'Authorization group' in a DIR, if you have observed. This enables you to restrict authorization at document level in addition to authorizations at Document Type and Status level. I suggest you create Authorization Groups like Plant1234, Plant4567 and so on with the help of your ABAPer. Now assign the required users to these Authorization groups.
    Once implemented, whenever a DIR is created and a specific Authorization group is assigned, only those users who are part of this Authorization group will be able to process/access this DIR. Hope this addresses your requirement.
    For details on implementing Authorization group in DMS, refer to the link,
    http://wiki.sdn.sap.com/wiki/display/PLM/UsingAuthorizationGroupfieldin+DMS
    Regards,
    Pradeepkumar Haragoldavar

  • AUTHORIZATION ISSUE: cube level data restriction in BI

    Hi all,
    I have few cubes and ODS which are containing data. The requirement is to restrict the cube level data.
    Eg : we have option to see the cube data in RSA1( ADMIN WORKBENCH).Right click on cube manage data.
    the requirement is to restrict to see the data company code = 111(only)
    Likewise for few users only company code = 222.
    If they try to see other than 111, they should get "no authorization message".
    Cube data
    company code   distribution channel   account   amount
    111            10                     10002     100
    222            20                     10002     200
    333            30                     10002     300
    444            10                     10002     400
    1111           20                     10002     500
    1111           30                     10002     600
    2222           30                     10002     700
    Thanks in advance.
    Jo

    Hi MaikI,
    Thank for the inputs.
    Actually I want to restrict the data based on the ANALYSIS AUTHORIZATION - 0TCAIPROV.
    I want to give s_rs_comp-provider value *, and I want to control the query (data) access through analysis authorization. I want to create zanalysisauth which contains 0TCAIPROV = $variable.
    The variable is populated with one/two provider values at runtime.
    Based on the runtime variable population the user should get access.
    But with this implementation the user is able to open all queries. Where am I going wrong? How can I do this?
    Regards,
    Joseph

  • Project authorization at task level for a user

    Dear friends,
        I have created one project called TEST in Solution Manager. I have assigned the standard ASAP methodology as a road map for that project. I want to restrict my user to do business blueprinting only for a particular business process. I want to restrict him from accessing other processes related to the same project.
    How do I restrict authorization at individual task level (lower level) in Solution Manager for a user or team member?
    How is it possible?
    Thanks
    Senthil

    Hi Arkadiy,
       I want to maintain dependency for my project execution. Let me explain in detail.
    My project name is TEST, it follows ASAP methodology, and contains five phases, namely:
    1. Project preparation
    2. Business Blueprint
    3. Realization
    4. Final Preparation
    5. Golive & support
    In each phase, some specific tasks to be completed.
    Let us consider that in the Project preparation phase, I have the following tasks:
    A. Define Project scope
    B. Define Project Plan
    C. Define project team members
    D. Project charter sign off
    My question is:
    Without completing (meaning status should be "Complete") Project scope (Task "A"), the system should NOT allow the team member to jump to the next task (Define Project Plan). In this way I want to maintain dependency for each individual task.
    Is it possible?
    Your answer will be very much appreciated.
    Thanks
    Senthil

  • Information Broadcasting Authorization at Query Level

    Hi,
    I would like to know, is there any way to authorize a user at query level in information broadcasting?
    For example, there are three plants P1, P2 and P3 showing in a query; now I want to broadcast this query by e-mail to two users U1 and U2 in the following manner.
    1.) User U1 get only Plant P1 Data.
    2.) User U2 get only Plant P2 Data.

    Yes, you can do that. For that:
    (i) Plant should be an authorization-relevant info object
    (ii) you must have roles to give access to users at Plant level
    (iii) Users U1 and U2 must be SAP user IDs and should have the required role for Plant access
    (iv) The query to be broadcast must have an authorization variable for Plant
    Once the basic setup is ready, you can test it by executing the report for individual users U1 and U2, and they should see data only for their respective Plants.
    Now in the broadcasting setting, specify the users U1 and U2 in the User box separated by a semicolon and tick the checkbox "User Specific" - this will make sure that data is executed as per the data authorization, and also the format will be selected as per the user profile (date format etc).
    If U1 and U2 are not SAP users, you will have to give their email addresses and will have to create two different broadcast settings to send data for the selected plants.
    I hope it helps.
    Regards,
    Gaurav

  • BW authorizations at report level

    hi,
    I have a requirement to restrict users' access to certain cost centers on a report.
    I have created a new authorization object and switched on the reporting authorization on the cube for this object. I have created an authorization variable and this report is working like it should. But the issue is that when I switch on reporting authorization at the cube level, every query on the cube is affected. Is there a way I can turn on this reporting authorization at the report level rather than the cube level and not affect the other queries?
    thanks,
    Parthava.

    Mark the Cost center InfoObject as authorization relevant (RSD1 -> infoobject -> Business Explorer tab -> Authorization relevant) and restrict the user to the corresponding cost centers using the corresponding authorization objects.
    http://help.sap.com/saphelp_nw70/helpdata/en/a0/48f438f3422f2ce10000000a114084/frameset.htm
    Assign points if helpful!
    Regards, Uday

  • Authorizations for object level

    Hi
    Normally in a BI query I can get object-level authorizations.
    I have customer.
    I can restrict customer (1-10) for 1 user; this query is with me now.
    If I build a universe and Web Intelligence
    in BO, will I get these authorizations automatically?
    Or do I need to restrict customer also in Web Intelligence?
    Are there any radio buttons or drop boxes for my reports in BO?
    How do I publish BO reports in my portal for end users?

    Hi,
    when you use a BI query with authorization variables the authorization variable will take care of the BI security and yes the OLAP universe will leverage it as well.
    there is nothing "special" to do in the Universe
    Ingo

  • UME authorization on object level

    Hi,
    I understand the concept of roles / actions / permissions in the UME, but this only means you have a permission or you don't have a permission.
    What if (and that's the common case in my mind) I need object level permissions, like I have a hierarchy of application objects and the user only should have access to a branch of the object tree?
    Is the application developer supposed to implement this solely himself or does UME support such scenarios when it comes to "how do I setup those permissions?" and "where are those permissions stored?" or in other words: Do I have to create a configuration UI in the application and store the permission data in our own database tables with saving the user id?
    Regards
    Bruno

    Hi Bruno
    To give object level permissions,
    0. Include the security API in your Java build path.
    com.sap.security.api.jar
    1. You need to create a permission class which extends NamePermission for each object. Ex: Button B1. Have a permission class for Button B1 in any of the packages.
    2. Create the UI elements and set the visibility property to a context attribute so that you can set the property at run time.
    3. Get the user information in your view as follows
    IWDClientUser user = null;
        try {
             user = WDClientUser.getCurrentUser();
        } catch (WDUMException e) {
             e.getLocalizedMessage();
        }
    4. Now check whether the user has a permission as follows
    if (user.hasPermission(new ButtonB1("But1View")))
              but1.setVisible(WDVisibility.VISIBLE);
    5. Now create a XML file with permission as follows.
    <!-- $Id: //shared_tc/com.sapall.security/630_VAL_REL/src/_deploy/dist/configuration/shared/UMErole.xml#3 $  -->
    <BUSINESSSERVICE NAME="TEMP" >
        <DESCRIPTION LOCALE="en" VALUE="Access Management Engine"/>
         <!-- Business Service Actions -->
          <ACTION NAME="But1_Admin" >
              <DESCRIPTION LOCALE="en" VALUE="Button 1 Permission" />
              <PERMISSION CLASS="temp.authorization.perm.ButtonB1"
               NAME="But1View" VALUE="*" />
         </ACTION>        
    </BUSINESSSERVICE>
    6. Deploy the XML File in the Visual administrator in services/Configuration Adapter/cluser-data/server/persistent/com.sap.security.core.ume.service
    7. Restart the J2EE engine
    8. Log on to UME Engine and try creating a role. There you can see the action you created in the XML file.
    Assign the action to the role and assign the role to the user
    9. Now only those users to whom the role you created is assigned will be able to see the button.
    Regards
    NagaKishore
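
The permission class that step 1 describes, plus a check for the button's action handler, as an added example that is not part of the original post: setting visibility only changes what the UI shows, so the handler repeats the permission check and denies when no user can be resolved. `ButtonB1Guard` and its method names are hypothetical; the block shows two source files and assumes the SAP UME and Web Dynpro user-management libraries are on the build path.

```java
// ---- File: temp/authorization/perm/ButtonB1.java ----
package temp.authorization.perm;

import com.sap.security.api.permissions.NamePermission;

/**
 * Permission class named by CLASS="temp.authorization.perm.ButtonB1"
 * in the actions XML of step 5.
 */
public class ButtonB1 extends NamePermission {

    // Form used by application code: new ButtonB1("But1View")
    public ButtonB1(String name) {
        super(name);
    }

    // (name, action) form inherited from NamePermission
    public ButtonB1(String name, String action) {
        super(name, action);
    }
}

// ---- File: temp/authorization/perm/ButtonB1Guard.java (hypothetical helper) ----
package temp.authorization.perm;

import com.sap.security.api.IUser;
import com.sap.tc.webdynpro.services.sal.um.api.IWDClientUser;
import com.sap.tc.webdynpro.services.sal.um.api.WDClientUser;
import com.sap.tc.webdynpro.services.sal.um.api.WDUMException;

public final class ButtonB1Guard {

    private ButtonB1Guard() {
    }

    /** True only if a resolved UME user holds the But1View permission. */
    public static boolean mayUseButton1() {
        try {
            IWDClientUser clientUser = WDClientUser.getCurrentUser();
            IUser sapUser = (clientUser == null) ? null : clientUser.getSAPUser();
            return sapUser != null
                    && sapUser.hasPermission(new ButtonB1("But1View"));
        } catch (WDUMException e) {
            // No user could be determined: fail closed.
            return false;
        }
    }

    /**
     * Call as the first statement of the button's action handler, so the
     * action is refused even if the button was made visible by mistake.
     */
    public static void requireButton1() {
        if (!mayUseButton1()) {
            throw new SecurityException("But1View permission required");
        }
    }
}
```

The same `mayUseButton1()` result can drive the visibility context attribute from step 2, so the UI and the handler never disagree.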
