Authorization Checks of Project in Incident

Similar Messages

• Authorization Check in Project System-CJ30

  Hi!
  I have a requirement wherein in the transaction CJ30 where we enter the Project budget amount , when entered it should check against the user s authorized amount and allow to go further and save or give a message saying that the following person is not authorized to enter that amount for project budget. For example if I am authorised to enter project budget amounts <= 15000 dollars and if I enter 23000 dollars it should give me a message saying I am not authorised to enter that amount and the higher in line should be contacted . If I enter amounts below 15000 I shld be able to save it and proceed. I want this authorization at this level so that not any amount is enterd by anyone and missused so that it creates problem in budget forecasting and reviewing in future. I tried looking for BADIS and Exits for it but couldnt find any.
  Is there a solution to this and if so can anyone help me with it as we shall be going live next month with thisproject.
  Kindly help.
  Aarav

  Hi Sheel!
  Thanks for your answer but where exactly do I use this statement "Authority check...."
  I mean where and how do I use this statement so that I can validate the entry .
  Thanks

• PS Authorization Check (CJ20N)

  Hi guys,
  I am implementing 'authorization check' to projects and WBS elements. I found the enhancement CNEX0002 and everything worked fine for all PS transactions, except for CJ20N.
  The implementation is to not allow changes for projects (and all it's WBS element) which I have no authorization. So we can see them (in gray color), but cannot  change.
  The problem is when we open a Project or WBS element at CJ20N. If I have no authorization to change them, the objects comes with no possibility for inputting data, but when we try to create an activity, it works and should not work.
  I would appreciate some tips from people whom have done that.
  Bests,

  Hi Karla,
  I have successfully implemented that. Here you need to do the similar authorization checks in includes EXIT_SAPLCNAU_003 and EXIT_SAPLCNAU_004 for Network Header and Network activity authorization.
  Then it will work fine.
  Regards
  Priyank

• Authorization challenge in Project system

  Hi,
  We seek to solve an authorization challenge in Project system with use of the authorization object K_PCA together with the PS authorization objects C_PROJ_PRC and C_PRPS_PRC. Hence, the client seek an authorization solution for Report Painter/ writer reports using the standard Profit Centre hierarchy. Assistance in this matter is highly appreciated.
  Thanks!
  Kjell Aarhus

  You can create checks on projects and WBS elements by company code/profit centre.  We looked at all PS auth objects and nothing really fit the bill for us so In the end we activated some user exits associated with project systems and created a couple of new auth objects which were called in specific code placed in the user exits.  When the exists are activated, they are checked whenever the specific project information is displayed.  So long as your report writer reports use the PS logical database for reporting, you will call these exits.
  In our example, we had logic that checked at a project definition level that checked the company code of the project definition, and at WBS element line item check - to extract profit centre and display/not display as appropriate.  Of course you can make your logic work however you like when the exits are opened up.
  You can find more information on them by going into the IMG; SPRO >  Project System > Authorization Management > Enhancement Create Auth Check.  The documenation is also quite good too.
  Good luck hope it works out for you.
  D

• Kanban authorization checks (SU24, PK13N, PK*)

  Hi,
  Does anyone know why the Kanban transactions (PK*) have mostly disabled authorization check indicators in SU24?
  In PK13N, for example, there is functionality to do a goods receipt (MIGO GR) and also functionality to create POs (and maybe more that I have not looked into yet).
  However, the related auth objects in SU24 are not enabled (check indicator = do not check).  This seems strange for these authorization objects.
  Especially in light of SoD.  Users could create POs or do Goods Receipt via PK13 without proper auth check and these 2 functions conflict already (using default GRC ruleset).
  But that's beside the point.  The question is: Is there a good reason why these are disabled and how is this NOT a secuty risk?
  Now, there is one object that is enabled: C_KANBAN
  But, I feel that this is insufficient to really secure the goods receipt action and the PO creation action.
  For reference, a list of disabled auth objects:
  C_STUE_WRK CS BOM Plant (Plant Assignments)
  C_TCLS_MNT Authorization for Characteristics of Org. Area
  F_BKPF_KOA Accounting Document: Authorization for Account Types
  F_FICA_CTR Funds Management Funds Center
  F_FICA_FTR Funds Management FM Account Assignment
  F_FICB_FKR Cash Budget Management/Funds Management FM Area
  F_FICB_FPS Cash Budget Management/Funds Management Commitment Item
  F_LFA1_APP Vendor: Application Authorization
  F_SKA1_BUK G/L Account: Authorization for Company Codes
  L_BWLVS Movement Type in the Warehouse Management System
  L_LGNUM Warehouse Number / Storage Type
  M_BANF_BSA Document Type in Purchase Requisition
  M_BANF_EKG Purchasing Group in Purchase Requisition
  M_BANF_EKO Purchasing Organization in Purchase Requisition
  M_BANF_WRK Plant in Purchase Requisition
  M_BEST_BSA Document Type in Purchase Order
  M_BEST_EKG Purchasing Group in Purchase Order
  M_BEST_EKO Purchasing Organization in Purchase Order
  M_BEST_WRK Plant in Purchase Order
  M_LPET_EKO Purchasing Org. in Scheduling Agreement Delivery Schedule
  M_MRES_BWA Reservations: Movement Type
  M_MRES_WWA Reservations: Plant
  M_MSEG_BWA Goods Movements: Movement Type
  M_MSEG_BWE Goods Receipt for Purchase Order: Movement Type
  M_MSEG_BWF Goods Receipt for Production Order: Movement Type
  M_MSEG_LGO Goods Movements: Storage Location
  M_MSEG_WMB Material Documents: Plant
  M_MSEG_WWA Goods Movements: Plant
  M_MSEG_WWE Goods Receipt for Purchase Order: Plant
  M_MSEG_WWF Goods Receipt for Production Order: Plant
  M_RAHM_BSA Document Type in Outline Agreement
  M_RAHM_EKG Purchasing Group in Outline Agreement
  M_RAHM_EKO Purchasing Organization in Outline Agreement

  Hi Steven
  Normally, when I submit OSS messages about security gaps the response is "working as designed", so I thought I'd try SCN first... perhaps it REALLY IS working as designed and there is a good reason why no auth checks should happen in this case.
  Unfortunately this is all too common. However, I have found a lot of the times it is a Level 1 Support person in SMP advising you of this. With perseverance and escalation to a the next level the chance of a fix is greater (still not a guarantee)
  It's a pity if working as per design they could explain why.
  MIGO can be used in display mode only. If PK13 and PK13N are meant to be display transaction and the SU24 allows you to perform change (i.e. none of the underlying auths are checked for change) then I would refuse to close the customer incident until SAP responds further. At the end of the day, if a display transaction allows modification then it isn't a display transaction
  I get the impression SU24 and some other security (e.g. authority check on '' instead of dummy) has been allowed to exist as customers give up and change the values themselves instead of getting SAP to fix their solution.
  You could also look at SE97 if call transaction can be switched to yes so users cannot jump from PK13N to MIGO (assuming the code was a CALL TRANSACTION)
  Regards
  Colleen
  P.s. - understand the comment with stale thread but take note of timezone and if you raise it on a Friday people may not see it until the following week. Although you did consider this, a lot of people on SCN put urgent in their question and then within the same day respond to their thread to "bump it" on the list

• ADFC-0619: Authorization check failed implementing popup through taskflow

  Hi All,
  I receive the error ADFC-0619: Authorization check failed: '/WEB-INF/main-task-flow-template.xml#main-task-flow-template' 'VIEW'. when accessing the taskflow that will show as a popup as described in this blog: http://andrejusb.blogspot.com/2013/03/reusable-adf-region-with-dialog.html. I created a sample application and I have it working as expected.  The sample app has no security configured.  When I put the functionality into our main app the error occurs.  I have checked the jazn-data.xml and have granted a role to both the task flow and the web page.
  Our app is setup where I have a task flow template that most taskflows inherit from.  The calling page is inherited from the template which uses page fragments.  The taskflow for the popup is not inherited from the template and does not use page fragments.
  I am using 11.1.1.6.  The error happens when deploying to the Integrated server as well as a local WLS.  I read a few forum posts on this subject and some folks removed the anonymous role.  I have this role defined but is is only used for my login page so I don't want to remove it from there.
  Appreciate the help as this is blocking me from working on the functionality within the popup.
  Thank you - Rudy

  Resolved.  Our Application is setup as described by Jobinesh in the book "Oracle ADF Real World Developer's Guide".  In this case we have a separate application called "Common", within that we have projects for the ADFFrameWorkExtension, CommonModel, CommonUtilities and CommonUI.  The CommonUI project contains the main-task-flow-template and errorPage.jsff as well as the MainTemplate.jspx.  Each of these projects are deployed as a jar and imported into the main project.
  In the jazn-data.xml under Resource Grants, Resource Type = Task Flow, check the option to "Show task flows imported from ADF libraries".  This showed the main-task-flow-template which I granted the anonymous-role view action.
  When I run it now shows the popup.

• EHSM: Use Auth Check BAdI to hide Incident

  Hi all,
  I have enhanced the standard Auth Check BAdI BADI_EHHSS_INC_EXT_AUTH_CHECK for EHSM. Works like a charm.  But I just got another requirement and thought maybe someone else has done this before.
  Right now, I have it set up so people with out the correct access can only view incidents.  Is there a way to use the BAdI to completely hide an incident when a user clicks on it?
  Hope this makes sense.
  Cheers,
  Kevin

  Hey all,
  Our requirements ended up changing a bit but ended up putting authorization checks into class methods that control visibility for the sections of EHSM that we wanted to hide.  So, we got the result we were looking for.
  Cheers,
  Kevin

• PS Authorization check

  Hello.
  We are trying to use the enhancement CNEX0002 to check the authorizations in PS.
  It works very well in transaction CJ20N, but we are having problems in transactions CN21 and CN22. The main problem is that in both transactions, the exit is not executed when you save, so you can't check if the person has the authorization for what he wants to save.
  For example, I need to verify something in the project when I create a network and I didn't have the project in the beginning the creation, but I have it when I want to save it.
  Is there another way I can check this authorizations when I'm saving in CN21 and CN22??.
  Thanks in advance.

  Hi Karla,
  I have successfully implemented that. Here you need to do the similar authorization checks in includes EXIT_SAPLCNAU_003 and EXIT_SAPLCNAU_004 for Network Header and Network activity authorization.
  Then it will work fine.
  Regards
  Priyank

• Error for customer specific Authorization check (User Exit)

  Dear Experts,
  I am facing a problem in PM.
  I have created a maintenace plan for calibration via t code IP42 and mentioned the order type PM05. Scheduling is done for the order. I got the order number.
  I have released the order and got the inspection lot number.
  While entering the results recording through t code QE17, the reluts are out of the specified range, i have given the valuation Rejected, immediately system is giving an error message as below:
  "Error for customer specific Authorization check (User Exit)"
  Though there is no user exit activated in the system, this message is coming and not allowing the result recoring for rejection.
  If I'm entering the result recording within the specified range, then valuation is Accepted and its allowing to save.
  I have checked the following user exits:
  QQMA0002: QM: Authorization Check for Entry into Notif. Transaction
  QQMA0026: PM/SM: Auth. check when accessing notification transaction.
  The above 2 User Exits are not active.
  I have also checked a note 429066. But it says incase of any dump for that user exit only its applicable and more over the current version of the system is ECC 6.0 packae 15, where as that note is applicable upto 4.6C.
  Please some one help me on this issue.
  Thanks and Regards,
  Praveen.

  Dear Pete,
  I have cheked with my technical team, There is no hotpacks updated recently. This is the implementaion project I'm in, so performing the cycle for the first time.
  Any how I got it solved, in T code QE17, after entering the Inspection lot in next screen goto menu path Settings - User settings - Defects recording mention the reprt type and tick on Reprt type Changable.
  At the time of result recording if the valuation is Rejected then it ask for defects recording close that window if not rwequired then save, the error message no longer apperaing now.
  Regards,
  Praveen

• Authorization check For Test plan in SAP Solution Manager test management

  Hi experts,
  I need to allow only selected user to view their test package and the list of transaction so i need to have a authorization check by using enhancement i got struck since i am not able to find any badi for this ..kindly looking back your suggestion

  Hi Namrata,
  Yes, you can create project structure before using solar01 tcode. later once your test cases (either manual or automatic) are ready then you can upload them using solar02 on test cases tab,
  refer Link Test Case to Transactions/Reports - Configuration - SAP Library
  Assignments - SAP Solution Manager - SAP Library
  Thanks
  Jansi

• Issues with Analysis Authorization checks in APO

  Hi Friends,
  I am facing an issue with Analysis authorization checks in APO.
  We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
  Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
  This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
  In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
  However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
  Resultant trace results are as below: This should not happen..
  I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
  Will it be possible for you to advise on what could I be missing.

  Hi All,
  If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
  while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
  Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
  Please advise.. Thanks..
  Regards,
  Prakash

• Where we check the Project closing status?T.code for List of Closing Projec

  Dear Guru's,
  Where can we check the Project closing status? Can we change the closing status if want to do some modification, and what is the transaction code that we to view the list of closing project.
  Regards,
  Kalyan

  1.You can find the project status ( all the  status )  in any project maintenance transaction for ex. Run Cj20n > Open you project> on the basic data tab you will find the project status.
  ( If you want to see the status of other  PS oject than click on that object, similarly you will get the status of that object on Basic data tab. )
  2.Yes you can change the closing status of proejct for midification. path is clickon the object for which you want to change the closed object > Edit> Status--> Close --> Undo.
  3.For the list of Project status go to CN41
  on the projectno. input line click on multiple selection--> give the proejct no. list for which you wanted to see the  status. -->enter --> Excute.
  Report will open in screen. in that report go to toolbar and click on 'choose filed' button.(F5) -->one pop up window will open -->right handside scroll down in that window >select 'status' field and move it to left side>enter
  project status will be shown against you project list. you can verify the same in maintenance txn.
  If you have activated user status the same will also get populated.
  You can downlaod the same in Excle file path is  : Evaluation menu>export>save to file. ( via filtering in Excle you call do all the analysis realted to project status how amny are in clised status etc. )
  Regards
  Nitin

• HR ABAP Custom Authorization Check

  Hi all,
  We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
  GET PERNR.
      I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
  Thanks in Advance.

  There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
  Some special differences are:
  - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
  - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
  - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
  This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
  Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

• Authorization check in LDB PNP

  Hi All,
  I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
  I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
  Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
  Any information provided will be really helpful.
  Thanks,
  Pavan

  Hi,
  A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
  Thanks,
  Pavan

• Authorization checks for PNP LDB

  question    : how to validate authorization checks for pnp logical database?
  2 nd question: hr report
  this report is basically for salary survey. in this i had so many fields can any body let me know how
  can i form the internal tables. and i have to display overall 150 fields in csv file for that
  how can i take in to the final internal table.
  what is the logic behind this:
  T71JPR09-JOBCODE
  PA0000-PERNR
  HRP1000-STEXT
  P0006-PSTLZ
  PA0008-ANSAL * 100 / PA0008-BSGRD
  PA0015-BETRG
  PA0761-LTEXT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-GRADT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
  like that i had.
  please give me the steps how can i proceed.

  Hi,
  The PNP database will take care of authorization check. It will not execute if used does not have authorizations.
  Hope this helps.