Authorization check on users workstation basis
Hi experts,
I want to explore any log on event on SAP. I want to authorize the user according to users workstation. For example, If a user login into SAP from PC ABC he will get one type authorization. And if that user login to system using same id from another machine , he will get another type authorization. Is it possible ? Please help me on it.
Asad
Hi Asad,
Users are individually authorised, so you will need to set their authorisations per user.
Regards,
Graham
Similar Messages
-
How add Authorization check for user with assigened role for t.code-MIR4
Hi All,
Regarding authorization how to check authorizations check for user whith assigned roles for the t.code MIR4 using ABAP.
In Detail:2) All users are allowed to go to MIR4(invoice number), But ONLY for users with role: MM_RELEASE_INVOICE can proceed to do the posting.
suggest me...
Thanks,
srii..Hi Sri ,
first u need to find out in which user rules u are using this object , after that if u want to restrict users then remove create/change values from that object values .
make use of Tcode SUIM to find out all roles which are using this Object.
or
ask ur basis guy to remove authorizations to create/change....
regards
Prabhu -
Failed to activate authorization check for user SAPSYS
Hi Experts
I am trying to run the sdcc, it was throwing time_out error. i have increased the work process runtime. now
i am getting a error Failed to activate authorization check for user SAPSYS.
Please help me to solve this issue.
Regards
VenkatHi, Mr. Joe Bo.
Thanx for your reply. We are using ECC6 (HP Unix with Oracle)
Basis Patch - 15, Kernel 159
I have seen the the note but it's showing ccms method defination settings, but for my case we are yet to go live we have not made any settings from sap they are planning to run a session for the go live. When i am running sdcc i am getting a error in the system log "Failed to activate authorization check for user SAPSYS"
Thanks & Regards
Venkatesan J -
I need to do determine if a user is authorized to execute a certain transaction. What is the easiest way to implement this. I have been looking at ABAP statement AUTHORITY-CHECK but am not sure if it will work for me.
You can use Authority object S_TCODE to check if user has authority to execute particular transaction. Pass transaction code in id 'TCD'
AUTHORITY-CHECK OBJECT 'S_TCODE' FOR USER user_name ID 'TCD' FIELD 'ME23N'. -
Authorization check to users in Report
Hi frds,
FI- Posting document created smart form
My customer is asking Document values greater than RS : 250000/- restrict to view some users ..........
How to acheive this requirement...........Hi Kabil,
a third option to the suggestions Nabheet Madan mentioned is to look for a property to recognize the special users.
This might be a common role or authority, that no other users will own.
For checking roles you can access table AGR_USERS, for check checking special authorities you need a matching AUTHORITY-CHECK in your report.
Regards,
Klaus -
HCM Transfer process - Authorization Check Failed
Hi All
We are trying to run the Standard Transfer process of HCM . We are trying to run the tcode u201C HRASR_TEST_PROCESSu201D Can anybody Tell us what authorization objects does a user require to run this process if the user does not have SAP_All Authorization.
We have already added u201CP_ASRCONTu201DAuthorization object as suggested by sap .
We are failing in some HR authorization check but we have already added the same in useru2019s profile and it has already been genereated .
Note : We have already ran this process with SAP_All Authorization and it ran succesfully . Employee was Succesfully transferred to the new position .
Please check the shreen shots (click the links) below to get an idea of the problem .
Authorization Check Failed :
Link : [http://www.mediafire.com/?edtznzkmdm0]
Process flow :
Link : [http://www.mediafire.com/?ytxz3wlmjiz]
Please click on " Click here to start download.. " to check the screenshots.Hi, Mr. Joe Bo.
Thanx for your reply. We are using ECC6 (HP Unix with Oracle)
Basis Patch - 15, Kernel 159
I have seen the the note but it's showing ccms method defination settings, but for my case we are yet to go live we have not made any settings from sap they are planning to run a session for the go live. When i am running sdcc i am getting a error in the system log "Failed to activate authorization check for user SAPSYS"
Thanks & Regards
Venkatesan J -
Authorization Check of Multiproviders
Dear all,
we have a scenario like this:
Two Basiscube (A & B) with two authorization objects created in RSSM (AUT_A and AUT_B).
The assignment in RSSM is like this:
Cube A checked by AUT_A
Cube B checked by AUT_B
No we created a Multiprovider where A and B are assigned to.
We thought that the authorization check of the underlying Basis Cubes is also carried out in the Multiprovider. Therfore we thougth it is necessary to assign the user both authorization objects AUT_A and AUT_B to run a query on the MC. Now I found a OSS note (921820) that says:
"(XIII) For queries on MultiProviders, you must activate the relevant authorization objects for this MultiProvider (in transaction RSSM). The setting for individual basis providers is not relevant."
For me that would have the following implications:
We can assign either
only AUT_A or
only AUT_B or
both AUT_A and AUT_B or
a new authorization object to MC.
As long is the authorzation object that is assigned to the MC is also used in the roles the users can run the queries.
Can anyone confirm this?
Thanks in advance!
ThomasYou will be fine with setting the authorization at the multi provider level as far as the cubes are concerned.
But you seem to have authorization objects based on info objects. Is that correct?
If so, then you need to maintain authorization for the objects regardless of how you maintain authorization at the cube level.
Ravi Thothadri -
Authorization Check when logon into SAP via ITS
Hello
We have implemented Authorization Check after user have logged on to SAP via ITS in this User Exit SUSR0001. It was working fine in 46C version, but after upgrade to ERP 2005, when user logs on into SAP via ITS, this user exits is ignored, while logging normally via SAP GUI; authorization check is performed as before?
Did anyone else have experienced the same problem?From what I understand something on that line changed. We are still hanging on to our external ITS 6.20 so I am afraid I can not go into details.
-
Document search error in webshop(Error in authorization check: user unknow)
Hi All
actually we have implemented the document search functionality in webshop to access all the documents in webshop who have created order in the webshop.
actually when i am logging into the portal with userid "skumar" after that there was role called "Document Search" when i click that document search role then the document search will be opened, based on the selections in the selection criteria then the documents will be displayed generally.
actually come to my error when i select in the selection criteria "order acknowledgement" and i select the one more column called "period" after that i click the search button then i am getting the error as follows.
<b>Error in authorization check: user unknown.</b>
Can you please help me where to check the authorizations in the system for accessing the documents.
Regards
SunilHi Sunil generally this kind of error will occur when you choose acknoledgement
for Future Periods,eventhough input is past date if the same problem occurs you should check for Su05 Internet USer authoriasations
Reward if helpful
Venkat -
Logical Data Base- Authorization Check
Hi,
Please tellme when is the authorization checked if the LDB is used in the program. If I am not using 'GET PERNR' statement in the START-OF-SELECTION then will this authorization check will be performed for the data being extracted from the Data base using select statement.
Waiting for reply,
Shwetambari.HI,
No it won't perform if you write the select statment, when you write the code GET PERNR, then internally it will get the data based on the Auth check and a SET PERNR will be triggers. so better to use the GET statment
Regards
Sudheer -
Error for customer specific Authorization check (User Exit)
Dear Experts,
I am facing a problem in PM.
I have created a maintenace plan for calibration via t code IP42 and mentioned the order type PM05. Scheduling is done for the order. I got the order number.
I have released the order and got the inspection lot number.
While entering the results recording through t code QE17, the reluts are out of the specified range, i have given the valuation Rejected, immediately system is giving an error message as below:
"Error for customer specific Authorization check (User Exit)"
Though there is no user exit activated in the system, this message is coming and not allowing the result recoring for rejection.
If I'm entering the result recording within the specified range, then valuation is Accepted and its allowing to save.
I have checked the following user exits:
QQMA0002: QM: Authorization Check for Entry into Notif. Transaction
QQMA0026: PM/SM: Auth. check when accessing notification transaction.
The above 2 User Exits are not active.
I have also checked a note 429066. But it says incase of any dump for that user exit only its applicable and more over the current version of the system is ECC 6.0 packae 15, where as that note is applicable upto 4.6C.
Please some one help me on this issue.
Thanks and Regards,
Praveen.Dear Pete,
I have cheked with my technical team, There is no hotpacks updated recently. This is the implementaion project I'm in, so performing the cycle for the first time.
Any how I got it solved, in T code QE17, after entering the Inspection lot in next screen goto menu path Settings - User settings - Defects recording mention the reprt type and tick on Reprt type Changable.
At the time of result recording if the valuation is Rejected then it ask for defects recording close that window if not rwequired then save, the error message no longer apperaing now.
Regards,
Praveen -
Any BADI or USER EXIT for Authorization check in ME51N
Dear MM Gurus,
My requirement is to assign Authorization to the User to create Purchase requisition based on the combination of Plant and Storage location. Is there any BADI or User Exit available to achieve this?
Regards
Yogahi,
> Its not possible to have the authorization for PR at storage location level...
> you can have authorisations for Puchase organisation EKORG, plantWERKS, puchase group EKGRP, puchase document type BSART ...
> and authorisations objects are:
>M_BANF_BSA : Document Type in Purchase Requisition
> M_BANF_EKG : Purchasing Group in Purchase Requisition
> M_BANF_EKO : Purchasing Organization in Purchase Requisition
> M_BANF_FRG : Release Code in Purchase Requisition
> M_BANF_WRK : Plant in Purchase Requisition
Regards
Priyanka.P
Edited by: Priyanka Paltanwale on Apr 27, 2009 3:01 PM -
Authentication and authorization for AD users in UCM11g
Hi all
we are using webcenter content server 11g. I read some where that for 11g users authentication is done in weblogic server environment, mean content server for 11g in now managed by weblogic server only, am i right?. we have successfully integrated Active Directory with weblogic sever and user of AD are able to log-in UCM but they don't have any role like contributor or Admin. How to do this role mapping for AD user in UCM i.e. authorization for these users. Please provide any guidence on this issue any doc or blog, we are new to webcenter suite.
Thanks
SomeshAs you already have weblogic integrated with AD, remains only role mapping and Single Sign-On integration. For authorization, AD must contain groups with exact names as roles in the Content Server. Those groups should be where Group Base parameter in the weblogic ActiveDirectoryAuthenticator point (like OU=Roles,OU=Oracle,DC=example,DC=com). Assigning AD user to the AD group named contributor, will add contributor role to logged Content Server user.
As for SSO, refer to the:
http://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm
and
http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#autoId21
Procedure steps are:
Create a user account for the hostname of the web server machine in Active Directory
Create krb5.ini file, and locate it in the C:\Windows directory at both machines (Domain Controller and WLS host)
Generate the keytab file
Create a JAAS Login File named krb5Login.conf
Put both keytab and krb5Login.conf files to …/user_domains/domains/my_domain/
Configure the Identity Assertion Provider
Adjust Weblogic Server startup arguments for Kerberos authentication
Redeploy CS (and optionally other servers) server with the documentation given deployment plan
Check web browser configuration (IE and Firefox only)
Take a deep breath and test
If successful have a cake and cup of coffee else goto step one
Regards,
Boris -
Hi ,
i new to authorization so i need help ,
i go to transaction SU21 and i choose some object for example:
Object R_CPM_BSC
Text Authorization Object SEM: BSC Elements
Class SEM Strategic Enterprise Management*
Author STASTNY
Field name Heading
SEMSCARD Scorecard
SEMOBJTYPE Scorecard Elements: Object Type
SEMOBJKEY Scorecard Elements: Object Key
ACTVT Activity
And when i push on permitted activities i get:
R_CPM_BSC Authorization Object SE
ACTVT Activity
activists
01 Create or generate
02 Change
03 Display
04 Print, edit messages
1. i have always just permitted activities for ACTVT ?
if i wont that user just have display Authorization how i have to write it like below?
AUTHORITY-CHECK OBJECT R_CPM_BSC
ID ACTVT FIELD '03'
thats it i don't use the other fields?
RegardsHi,
In general different users will be given different authorizations based on their role in the orgn.
We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
USe SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
ID 'ACTVT' FIELD '02'
ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC 0.
MESSAGE E...
ENDIF.
'S_TRVL_BKS' is a auth. object
ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
Take the help of the basis Guy and create and use.
Thanks
Vikranth -
LDB PNP authorization check authorization object
Hi,
I have used LDB PNP for HR reports.
We are using the authority check also, but the problem is all the records/data for all the people is being read by the report where some of the people data should not have been read as they belong to some other personal area that the role of the executer (user).
Hence it appears that authorization check is not working properly.
Following is how I am using it, Please suggest corrections or alternate way to correct this issue.
rp-provide-from-last p0002 space gwa_outlist-begda
gwa_outlist-begda.
IF pnp-sw-found NE '1' OR
pnp-sw-auth-skipped-record EQ '1'.
EXIT.
ELSE.
ls_tab-vorna = p0002-vorna.
ls_tab-nachn = p0002-nachn.
ENDIF.
Please reply with the corrections ore alterations,
Thanks in advance.
Akash.Hi,
(1)
Actually, if you're wirting report with PNP LDB, you do NOT need to do this hard-coded auth checking at all. Because the LDB abap code behind PNP has already do this job for you.
So all you need to do is to ask you HR consultant or Basis consultant to modify the authority config of certain ROLE with t-code PFCG, and then assign that ROLE to certain user with t-code SU01.
ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
(2)
In some case you do not work with LDB report, then you need to do the authority check by yourself. General function AUTHORITY_CHECK is what you need. AUTHORITY_CHECK do the authority check by means of Authority Object.Belows are authority objects used in HR module(you can also see in PFCG if technial name switched on):
P_ORGIN HR: Master Data
PLOG Personnel Planning
P_PCLX HR: Clusters
P_TCODE HR: Transaction codes
Sample of checking personal area:
CALL FUNCTION 'AUTHORITY_CHECK'
EXPORTING
FIELD1 = ' PERSA'
OBJECT = 'P_ORGIN'
USER = 'SAPSUPPORT1'
VALUE1 = 'Z001'
EXCEPTIONS
USER_DONT_EXIST = 1
USER_IS_AUTHORIZED = 2
USER_NOT_AUTHORIZED = 3
USER_IS_LOCKED = 4
OTHERS = 5.
IF SY-SUBRC NE 2.
MESSAGE E001(01) RAISING AUTH_FAILED.
ENDIF.
Reward if helpful pls!
Maybe you are looking for
-
Help setting up port forwarding for Ekiga
Hi I am trying to set up Ekiga on my Arch X86_64 box but I can't get port forwarding to work on the Thomson TG585v7 wireless router, which I am sharing with a neighbor. I have tried some how-to's I found via Google and set up Application/Game Sharin
-
Can I cut/paste pages in iPhoto?
I have created 2 iphoto photo books. I would like to drag or cut/paste some of the pages from the one book to the other. Is this possible or do I have to recreate the pages again?
-
Hi, I was wondering if I could get some information and opinions about using a type defined array of clusters to hold configuration data. I am creating a program to test multiple DUTs and wanted to have a type defined control for each DUT containing
-
Help,about session array in JSP
Maybe It is a simple question for you.But it really trouble me.How to store an array into session variable and how to retrive it out from sesson,
-
This is a bit of an odd one and I'd appreciate any help that others can give me. I've had my blackberry 8900 for about a year and a half now. Whenever I charge my handset from an empty battery (e.g. this problem isn't a problem when I charge it if t