Authorization Check in Business Transactions

Hi All,
I need to create an authorization check for business transactions (create/display/change).
The standard SAP authorization object CRM_ORD_OP or CRM_ORD_LP is no good for me.
Does anyone know a BADI or something else I can use?
Thanks
Lilach.

I would suggest giving the authorization with CRM_ORD_OE; if he isn't in the document, maybe he is the organization which is selected on the activity.
For details, please have a look at this link :
http://help.sap.com/saphelp_crm70/helpdata/EN/48/a44236ceb873e8e10000000a42189b/content.htm
BR,
Cenk Sezgin

Similar Messages

  • CRM - Process Flow of Authorization Check in Business Transactions

    Hello Folks:
    I have implemented CRM security using Process Flow of Authorization Check in Business Transactions.
    What I have in place:
    CRM_ORD_OP (inactive, don't want access to own documents)
    CRM_ORD_LP (inactive, not using standard org level values Distribution Channel, Sales Group, Sales Office, Sales Organization, and Service Organization.)
    CRM_ACT (active)
    CRM_CMP (active)
    CRM_ORD_OE (active, restricted to display with dummy value ' ' for Distribution Channel,
    Sales Group, Sales Office, Sales Organization and Service Organization, as we are not restricting on them)
    CRM_ORD_PR (active and restricted to display)
    Issue:
    Restrictions to display for documents work fine when using the CRM backend system, and the system throws out a message that you are not authorized to change. But when I come in through Portals (PCUI), I don't get the display at all and it throws out a message: insufficient access authorizations.
    Traces on backend CRM reveal failing on change access for CRM_ORD_LP and CRM_ORD_PR, which we don't want to give out because we don't want to provide change for documents.
    OSS notes to SAP have resulted in no results... please advise what is wrong here.
    Thanks
    KT

    Thanks, Priyanka, for the reply, but what you mention is not correct.
    BSP errors are different from what I am referring to.
    The issue is still open... and looks like a SAP bug, which even they haven't been able to fix so far.
    Regards,
    KT

  • Authorization Check in Business Transactions in CRM 2007

    Hi everybody, I have a problem with the authorization check in CRM 2007.
    This link helped me to follow the steps:
    http://help.sap.com/saphelp_crm60/helpdata/en/e9/b29a39e7aee372e10000000a11
    I followed these steps:
    1.- Created a new single role in PFCG
    2.- On the Menu tab, added the transaction BSP_CRMD_BUS2000108 (Trax for LEADS)
    3.- On the authorization tab, created a new profile and in the authorization data set the values for CRM_ORD_OP: PARTN_FCT '00000012', PARTN_FCTT '*', ACTVT '02,03'
    4.- Generated the authorization.
    5.- Set my user "TESTUSER" on the user tab
    6.- Saved the profile
    Then I log in to CRM with TESTUSER and I see all the leads. I am missing something; what could be the problem?
    Thanks for your help

    Hi Shaji, Pankaj and Jushan, thanks for your answers.
    I still have the same problem. I want to see only the leads for which I am the responsible. After I generated the authorization and assigned the role to my user from tcodes PFCG and SU01, I logged out and logged in again and nothing changed; I still see all the leads.
    As another test, I changed the authorization data and set the values for CRM_ORD_OP: PARTN_FCT '', PARTN_FCTT '0008', ACTVT '' (person responsible), and the result was the same: I see all the leads.
    How does the User Comparison work, and how can I check for errors in my PFCG role?
    Thanks for your help.

  • Authorization Check for Business Partner screen

    Hi!
    Is it possible to exclude certain business partner information from being
    processed or displayed in the business partner screen of Sales Order
    (VA01/ VA21...) by restricting the authorizations? Thanks!
    Just something similar to what is suggested for condition types in OSS notes 105621.
    Best Regards,
    Chris Poon

    Thanks Mani for answering,
    However, I am looking for ways to do it for the same TCode (VA01...) instead of creating a new TCode.
    I tried using the user exit USEREXIT_FIELD_MODIFICATION in MV45AFZZ.
      " Display/hide customer-related fields according to user authorization
      IF SCREEN-NAME = 'GVS_TC_DATA-REC-NAME1' OR
         SCREEN-NAME = 'GVS_TC_DATA-REC-STREET' OR
         SCREEN-NAME = 'GVS_TC_DATA-REC-POST_CODE1' OR
         SCREEN-NAME = 'GVS_TC_DATA-REC-CITY1'.
        AUTHORITY-CHECK OBJECT 'ZV_DOC_CUS'
        ID 'ACTVT' FIELD 'L1'.
        IF SY-SUBRC NE 0.
          SCREEN-ACTIVE = 0.
        ENDIF.
      ENDIF.
    But it does not work at all.
    So I wonder if there is any other user exit to control the fields in Business Partner Page? thanks!
    BR,
    Chris Poon

  • Authorization flow Business Transactions

    Hello partners,
    I have an issue with the authorization flow concept.
    My need is:
    A.- the transaction type z01 is only for the users that belong to unit org A, object CRM_ORD_OE
    B.- the transaction type z02 is only for the employee's own transactions, object CRM_ORD_OP
    C.- the transaction type z03 is accessible to all users and does not depend on unit org or own transactions.
    So I have a doubt about the combination of all of them: how can I indicate to the system that for scenario A I need the restriction only if the transaction type is Z01, for scenario B only for Z02, and for scenario C no restrictions?
    this is the help sap documentation:
    Process Flow of the Authorization Check in Business Transactions - Authorization Check in Business Transactions - SAP Li…
    Regards
    Roberto.

    Thanks Christophe,
    I analyzed the FM CRM_ORDER_CHECK_AUTHORITY_ACE,
    but when I try to search activities in SALESPRO, component view BT126S_APPT/ApptSQ, the break does not work.
    In other views, like search service request, the FM works OK,
    but for search activities it does not work.
    I'm not sure if I need a specific switch for that.
    Do you know?
    Regards

  • Authorization check problem

    Hello,
    I would like to know if it is somehow possible to add an extra authorization check into a transaction. When the transaction PA20 is executed, the following authorization objects are checked:
    PLOG
    P_ORGIN
    P_PCLX
    P_PERNR
    None of these objects allows filtering by company code. Could I modify PA20 so it could check an extra object to filter by company code without writing any code?

    Hi Jesus,
    As Jose mentioned, using the org key (VDSK1) is the easiest way and the one recommended by SAP.
    But if you are already using it for some other purposes, some options are available to you:
    1- Use the standard string split option to use a part of the VDSK1 (IMG) to capture the company code.
    2- You can modify PA20 in the user exit section, through transaction code PM01. But again, I would recommend using the VDSK1; it is much simpler, and well supported by SAP.
    Hope 2- answered the second part of your question. Cheers
    Jean-Michel

  • Authorization for "Accept Quotation" Business Transaction in Service Order

    Hello All,
    I need authorization control for doing the "Accept Quotation" business transaction in Service Order.
    Process goes as follows.
    Service Order created with Planned cost components with DIP Profile
    Service Quotation got created through DP80
    Then, Accept Quotation will be done in Service Order
    Release of Service Order
    Execution, Billing, etc.,
    Here, I want to control of doing "Accept Quotation" by only authorized people.
    I couldn't find any suitable Authorization Object under I_VORG_ORD under field BETRVORG.
    We can control that business transaction through User status. Is there any other standard object available to achieve this??
    Hope I am clear in my query & looking forward your suggestions.
    Thanks in advance.

    Maheswaran KD

    Sorry, but I can't check at this client as we are not using CS processes.
    Try popping into debug mode using "/H" and put a break-point on "authority-check" before continuing.
    The program should now stop at all authorisation checks. See if any of these are suitable.
    If not, then you may need to use a user-exit or BADI.
    PeteA

  • Transaction VASK authorization check on warehouse

    Hello all,
    Does anyone know why there is no authorization check on the warehouse in transaction code VASK? I have an issue where users from different warehouses are deleting groups created in other warehouses. I wanted to know if anyone else has run into this issue as well. My solution is to create a custom transaction for VASK and add the warehouse check as well as a selection value. Does anyone else have a better solution?
    Thank you,
    Steve

    I am going to create a new t-code and add the authorization check.

  • Disabling authorizations checks for transactions SU53 and/or SU56.

    Greetings.
    I seem to remember reading that there was either a system profile parameter or a table entry that can be used to disable all authorizations checks for transactions SU53 and/or SU56.
    Any truth in this or is my mind playing tricks on me?

    Hi,
    I guess there is a profile param auth/tcodes_not_checked (I guess that's right); this will exclude SU53/SU56 from checks on transaction code.
    This can be done using RZ10 and need to restart the system.
    Rakesh

  • Forcing Authorization for a transaction code without authorization check in

    Transaction code 'PP02' has an authorization object P_TCODE. So when a user who does not have authorization to transaction 'PP02' tries to execute it from command prompt, the SAP system appropriately restricts user saying "You have no authorization".
    However, if a program has a "CALL TRANSACTION" verb calling this transaction and the restricted user runs this report or module program, it does not restrict the user from accessing the transaction.
    Is there any way to restrict user to access the transaction from program without explicitly doing authorization check from within the program?
    Jitendra Mehta

    Hi Florin:
    S_TCODE restricts the user only at command prompt level, not if you run the transaction from a program using the "CALL TRANSACTION" verb.
    If we assign auth.object P_TCODE with some other transaction values (not one for which we want to restrict), then the authority check works for the above.
    But say, if I have no other transaction code values to be assigned to auth. object P_TCODE for the restricted user ( therefore, obviously I don't assign auth. object P_TCODE to any auth. profile for the restricted user) then again, I am out of luck.
    The only way, I have seen this working is to assign value space ( ' '  ) to auth. object P_TCODE and then assign this auth.object to one of the auth. profiles of the restricted user, BINGO!, then it works.
    But our Authorization team has an objection saying "We assign the transactions ( to auth. object ) which the user should have access. It is not  proper to assign a no value to auth. object ( assigning space value ) "
    I do not know how much merit their argument has; however, I was wondering if there is another way I could achieve it without relying on tens of hundreds of programs doing auth. checks whenever they call the restricted transaction.
    Please let me know your thoughts.
    Thanks.
    Jitendra Mehta
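
    An added example, not part of the original posts and not SAP's own code: one way to avoid repeating checks across many programs is to route every call through a single helper that runs the transaction start check before CALL TRANSACTION. The report, class and method names are hypothetical; AUTHORITY_CHECK_TCODE is the standard function module, and message 001 of class 00 is assumed to be the generic pass-through text.

```abap
REPORT z_call_tx_checked.            " hypothetical report name

" Hypothetical helper: the single place from which custom programs
" start a transaction, so the start check cannot be forgotten.
CLASS lcl_tx_launcher DEFINITION FINAL.
  PUBLIC SECTION.
    CLASS-METHODS start
      IMPORTING iv_tcode          TYPE sy-tcode
      RETURNING VALUE(rv_started) TYPE abap_bool.
ENDCLASS.

CLASS lcl_tx_launcher IMPLEMENTATION.
  METHOD start.
    rv_started = abap_false.

    " Start authorization (S_TCODE) of the current user for iv_tcode.
    " The posts above report that CALL TRANSACTION alone does not
    " enforce this, so it is checked explicitly first.
    CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
      EXPORTING
        tcode  = iv_tcode
      EXCEPTIONS
        ok     = 0
        not_ok = 2
        OTHERS = 3.

    IF sy-subrc <> 0.
      " Deny: inform the user and start nothing.
      MESSAGE s001(00) WITH 'No authorization for transaction' iv_tcode
              DISPLAY LIKE 'E'.
      RETURN.
    ENDIF.

    CALL TRANSACTION iv_tcode.
    rv_started = abap_true.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA gv_started TYPE abap_bool.
  " PP02 is the transaction named in the post above.
  gv_started = lcl_tx_launcher=>start( 'PP02' ).
```

    The helper covers the start authorization only; checks made inside the called transaction still run there as usual.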

  • Invoking HR Master Data (P_ORGIN) authorization check for transaction PCP0

    Hello,
    We have to limit access to executives (managers) sensitive posting data in transaction PCP0 (display posting runs).
    Since executives belong to a personnel area other than all other employees, I thought we can achieve this by personnel area distinction.
    In order to have this done, P_ORGIN authorization check should be performed.
    It looks that by standard, such check is not performed.
    Does anyone have any experience of dealing with this issue?
    Thanks,
    Isaac

    Hi,
    I have a vague idea.
    I remember that while creating an ESS user, we did something in P_ORGIN so as to restrict access to personnel master data.
    Check the composite role : SAP_EMPLOYEE_ERP.
    A Z role was created for SAP_EMPLOYEE_ERP=>the corresponding roles in it had to be copied to a z role.
    Check the z-role created ; zSAP_ESSUSER_ERP.
    In Authorizations tab=>Display authorization data option => ;
    Expand Human Resources;
    In HR: Master data, you can find the various authorization assignments to P_ORGIN, where
    Authorization level (AUTHC)
    Infotype (INFTY)          
    Personnel Area (PERSA)
    Employee Group   (PERSG)
    Employee Subgroup  (PERSK)
    Subtype (SUBTY)
    Organizational Key (VDSK1)
    Authorization level (AUTHC) takes the values :
    • R (Read) for read access
    • M (Matchcode) for read access to input helps (F4)
    • W (Write) for write access
    • E and D (Enqueue and Dequeue) for write access using the Asymmetrical Double Verification Principle. E allows the user to create and change locked data records and D allows the user to change lock indicators.
    • S (Symmetric) for write access using the Symmetric Double Verification Principle
    • * always includes all other authorization levels simultaneously
    In your case, if someone has to make changes through PPCO, it's equivalent to making changes to infotype 0001 (Organizational Assignment).
    So, probably, you need the Authorization level set to R for Infotype 0001.
    I have no personal hands-on experience with this, since we are not allowed to do anything Basis.
    I have seen this being done and have noted what was done... !! May or may not be correct....!!
    I hope this is what you want.
    Cheers and Good Luck!!
    Remi

  • Authorization FBCJ for Specific Business Transaction

    Dear Guru,
    How to create user authorization via PFCG for FBCJ with specific Business Transaction?
    I have tried, but I just find authorization FBCJ for Activity (Change, Delete, Post, Read) and Account Type (GL, Vendor, Customer, Material).
    Thank you.

    Hello,
    Normally, for the cash journal the suggestion is to introduce segregation of duty. For e.g. the user who creates and saves (for review, no document is posted at this point) the cash journal should not be allowed to post (SAP document will be posted) the cash journal. Then another user should be assigned cash journal deletion authorisation should a related document require reversal. Basically, you should have authorisation for update, post and deletion in separate user roles.
    Kind regards,
    John Chin

  • Authorization check when searching for transactions

    Hi all,
    We have a requirement to show only those activities for which a user is authorized. A custom authorization object has been maintained and the check in CRMD_ORDER has been extended accordingly. When opening an activity, the check is executed correctly, but when searching for activities, ALL activities are still shown, so the check is not performed at that particular moment. I have tested with standard authorization objects as well, but none of them are taken into account. Does any of you know how we can have the authorization check executed before or during the search, so that only those activities are shown that the user may maintain as well?
    Thanks in advance!
    Regards,
    Joost

    Hello Joost,
    Check if BADI CRM_ORDER_INDEX_BADI could not map your requirement.
    Regards,
    Frédéric

  • Authorization Check exist in BAPI for Transaction

    Hi,
    I am using the standard BAPIs for Costcenter create, change and profitcenter change. Will these std BAPIs perform authority check for specific transaction with respect to the actions performed(KS01-CC create, KS02-CC Change, KE52-PC change)?
    Thanks and Regards,
    Vimala P

    Hello Vimala,
    You can check whether an authorisation check is performed during the BAPI call by using System Trace (ST01).
    Further read available on: [http://help.sap.com/saphelp_nw04s/helpdata/en/1f/83114c4bc511d189750000e8322d00/content.htm]
    BR,
    Suhas

  • Authorization check on navigation attribute

    Is there anything special I need to do to make a navigational attribute authorization relevant for a cube?
    On 0sales_off I have checked it as authorization relevant, and this is assigned to 0cust_sales as a nav attribute. I created an authorization object on 0sales_off. I have turned on the nav attribute in the cube. But when I go to turn on the check for the InfoProvider (RSSM), the authorization object is not displayed.

    Michael, Troy:
    Hi, I've already verified that the characteristic and the infocube have the navi attr marked, but now when I try to include it in an Authorization Object in the RSSM transaction, the list of "Authorization relevant IObjects" doesn't show the nav attr that I'm trying to restrict (in this case the 0COSTCENTER__0BUS_AREA); it seems that I can only authorize the 0COSTCENTER or 0BUS_AREA separately.
    What actions should I take in order to make this nav attr relevant for authorization so I could create different roles using the 0COSTCENTER__0BUS_AREA restricted by business areas..?
    Thanks in advance for your help.
    Miguel Campos
