Authorization Concept for WAD developers

Similar Messages

• Not clear with the Authorization concept for Marketing Plan

  Hi All,
  I am new to CRM and was going through some of the prescribed document for CRM marketing
  when i encounter with the authorization concept in marketing plan,for example how
  can i restrict a user with a campaign manager role from changing marketing plan.please
  provide the step by step procedure.
  Regards,
  Sanju

  Hi Sanju
  User with a campaign manager role can be restricted for changing marketing plan using authorization group.
  We define authorization groups for use in the Marketing Planner. Authorization groups can be maintained at both marketing plan level and campaign or trade promotion level. Authorization groups enable us to control which users are authorized to change which of these two types of marketing project. We could, for example, define one authorization group to be assigned to a marketing plan, then define further authorization groups to be assigned to the different campaigns within the marketing plan. In the Marketing Planne.
  Follow below steps
  1. Define authorization group using following IMG Path
  Customer Relationship Management / Marketing / General Settings / Define Authorization Group.
  2. In authorization object CRM_CPGAGR of the role Campaign manager maiantian activity 01, 02, 03 ,06 (this will allow user to create, change, display and delete)
  3. IMG defined authorization group ex: ABC can be seen under the tabstrip Basic Data of marketing plan.
  4. Now user have to choose the Authorization group ABC from the drop down in Basic tab to create a marketing plan. User will get the change access for all the marketing plan which have the authorization object ABC.
  Hope this will help...
  Rgds
  Mallikarjun

• New Authorization Concept for BI

  HI All
  I need to devlope a genral model for a company in which for some projects  info objects are not authorization relevent but same info objetcs are need to be authorization relevent in other projects if you make that infoobjects as authorization relevent in new projects then that creates issues in other project which are already running such as output of the query. what should be verious ways  to implement such model.
  With Regards,
  Deepak

  just try not having authorization variable for that info object at query level.so that it wont check for authorisations.

• Authorization concept for the operating SAP staff after Go-live

  Dear all,
  we are implementing SAP FI and CO. We will have three systems (development, Quality, Production).
  1)Customizing is supposed to be done in development only. However, we will need to be able to view the customizing in the production client as well. What is best practice to achieve this? Is there a role /authorization object which only can configure "IMG-allowed to read"?
  in the development client, we will need to distiguish the following roles: developer including transports, customizer, and authorization administrator.
  2) Are there any SAP standard roles with which you can distinguish these roles?
  thank you very much for your support.
  best regards Timo

  There is no standard IMG display only role.
  Even with all of the SOX  requirements out there so I guess you will need to build this from scratch.
  You also need to make sure you look at all of the information and not just at a t code level as you need to make sure the authorization levels are display rather than maintain.

• Authorization Concept - BI7

  Hi ,
  I'm working on authorization concept for BI7 which seems to be having a conflicting statement.
  User : Mary
  InfoObject : ZORDER
  Set 1 : Queries built on multiproviders within infoArea ZSALES should display ONLY order number 123.
  Set 2 : Queries built on multiproviders within infoArea ZPROJECT should display ALL order numbers.
  Its a conflicting scenario.
  Its giving an output for ALL orders for both set 1 and set 2 queries.
  Appreciate if anyone could provide some ideas if this is feasible to achieve within RSECADMIN.
  Thank you.
  Regards
  Maili
  Edited by: Maili06 on Jan 12, 2012 1:19 PM

  hi,
  plz try creating the analysis auth objects for the mentioned scenarios can be:
  1)1st auth object can have  infoarea=ZSALES and order number=123
  2)2nd auth object can have infoarea=ZPROJECT and order number=*
  Both these analysis authorization objects can be assigned to the user via RSECADMIN.
  In the auth profile, S_RS_AUTH = Inactive, read analysis auth from RSECADMIN and manual assignement.
  regards
  laksh

• How to create authorization for WAD in bw 3.5??

  Hi all,
  I would like to create a authorization for the WAD(web templates in bw 3.5) i cant find any authorization object for the WEb templates.
  I have included the Wad in the menus in the PFCG but still it is of no use.
  Can any one guide me how to carry out authorisation for WAD in bw 3.5 ?
  Thanks
  Pooja

  Please refer to below thread:
  BEx Web Application Designer Tool  with OLD Version 3.5
  I am sure for 7.0 and above S_RS_TOOLS object can provide the restriction.

• Roles and Authorization strategy for SAP BIBO

  Hello All,
  We are doing an implementation where Source is a Oracle, SAP BI warehouse and BO XI3.1 as reporting solution.
  Our customer has asked for the authorization strategy that will be implemented in SAP BI. Currently the users belong to different companies or plants or countries
  Current structure is like,
  User 1 belongs to Plant1 of Country1
  User 2 belongs to Plant2 of Country2
  user 3 belongs to Plant3 of Country1 etc..     
  We have more than 500 users who will use the reports. The user belonging to a particular plant should only see the plant data/Country data he belongs to.
  As I understand, we need to create the roles in BW and these roles to be imported into BO to use for the row and column level security.
  The options we considered are,
  1. Use Bex queries in BW to with ABAP code in CMOD to identify the user belongs to Plant  1, 2 or 3 and provide necessary authorizations.
  2. Create user groups based on the country or company they belong to and create as many roles as required. This will however impact the maintenance of so many roles in the BI system.
  We are also forced to avoid Bex queries in BW and hence,  trying to connect Multiproviders directly in BO universe.
  How should we go forward in designing the authorization concept? Any better ideas?
  Thanks and Regards,
  Srinivas

  There are two ways which we can implement this kind of authorization based on my knowledge.
  1. Data Security purely at BW
  If the data is secured based on roles and users, there is no  need of additional authorization from BO side except at report and folder level if you go for SAP Authentication.
  Once you use SAP authenication and enable single sign on option in universe connection, the SAP users can access data based on their profile set at BW.
  2. Data Security from BO
  Let's assume that, if nothing is set at BW and every thing to be take care from BO.
  Then you could create one multiple provider for each plant / country. Create one connection for each multiprovider
  Create restrictions (Tools--> Manage Access Restrictions) for each plant/country. There you can change connection names.
  So you would need to create many restrictions for different permutations and combinations.
  I never tries this option with Multiprovider. But It worked well with NON-SAP data.
  Hope this helps!
  Regards
  Gowtham

• Authorization check for Easy Document Management

  Hello,
  I'm using ECC6 without cProjects or any other implementations regarding the authorization concept in Easy DMS. I'm trying to use authorization control inside the Easy DMS GUI but these settings won't work. I need document based authorization and it seems like ACL's are used for this. The problem is, I do not know which route to follow. I have viewed note 798504, but I could not make sure it will do the work for ECC6 also. My DMS is integrated to a Windows 2000 Content Server 6.3 and I have done its settings accordingly.
  Could anyone please kindly show me which way this is done, using only a ECC6 SAP system and Easy DMS without any need of SAP internal roles and authorizations?
  What I need is a step-by-step instructions, as I'm quite new to SAP.
  Regards,
  S. Gökhan Topç

  Hi,
  check this below link
  <u>http://help.sap.com/printdocu/core/Print46c/en/data/pdf/TRTMSE/TRTMSE.pdf</u>
  And
  <u>http://help.sap.com/printdocu/core/Print46c/en/data/pdf/BCRRR/BCRRRSAA.pdf</u>
  <u>http://help.sap.com/printdocu/core/Print46c/en/data/pdf/BCDOCDTL/CADOCDT1.pdf</u>
  These can be helpful to you, you can download
  Regards
  Rehman
  Reward with Points if useful

• Create authorization check for a report

  Hi,
  I need to create an authorization check for a report. It means that I need to restrict the usage of the report to couple of users ( 'USER1' and 'USER2' ). How can I do that? I did read through a lot of threads regarding this piece got a bit confused and stuck while creating the authorization object.
  Say the report name is ZHR_TIMEABC.
  Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
  Thanks in advance,
  VG

  Hi,
  Thanks. Here is my understanding, S_C_FUNCT calls a system generated function module to make an authority check. So, if different users say USER1 and USER2 have different authroization levels, defined in their user profile, just adding this piece code will take care of authroization check for the program OR do I need to take care of something else?
  If so, when do we need to create the authorization objects using SU20 and assign the group and follo this process? When do we use this approach ( lot of threads on authority check have mentioned this procedure)?
  Your inputs will be helpful to understand this concept.
  Thanks,
  VG

• 'No authorization' error for selection values outside the authorized range

  Hi All,
  We are currently trying to use the authorization analysis concept for 'Cost center reporting'.
  We have made 0COSTCENTER info-object as authorization relevant and have created a analysis authorization object for it through RSECADMIN and we have maintained a single value as '1875' . We have assigned this object to 1 of the test users.
  So now if the user runs the report for cost center '1875' , he is able to view the data/report. Now if he enters any other cost center apart from '1875' than he gets an authorization error (Everything works as per requirement till this point).
  But now if the user enters multiple cost centers like 1875, 1876, 1877 as multiple single values and runs the report, he gets an 'No authorization error'.
  So all the experts, please let me know if it's possible in anyway for the user to see the result/report for the value he is authorized to (in this case - 1875) and should give an information/warning/error message saying that he is not authorized to other cost center (in this case - 1876, 1877).
  Same thing is occuring if user enters a range. Suppose a user is authorized for cost center - 1875 to 1880. Now if he puts multiple single values or range in between the authorized range than he can see the result but if he enters even 1 single value outside the range he gets an error - what I mean by this is - if the user enter a range from 1875 to 1801, he does not get any data display but instead he recieves an error message saying 'No authorization' even though he is authorized for all the cost centers in that range except 1801.
  I would really appreciate your help regarding this. Any comments/suggestions are very welcome.
  Thanks & regards,
  Sunny

  Hi Sunny
  That is the way analysis authorizations work!!
  If you ask for a number of values i.e. cost centers and you don't have authorization to *all* of them you will get a system error as you say.
  There is no way of partially evaluating the query as you suggest (only for the authorized values).
  Try to be less restrictive when defining characteristic values in RSECADMIN.
  In queries use variables with
  Processing by Authorization and Input Ready.
  So the system will tell the user which are the allowed values. In your example the system suggests the range 1875-1880.
  Hope this helps, regards
  Germá

• Authorization objects for  transaction, one to view, and one to maintain

  Hi all,
  My requrement is to create two authorization objects for  transaction, one to view, and one to maintain.
  I know how to create objetcs vai sm21, but i donot know how to crate objects with activity codes.
  Please suggest how to create object where i can asign activity codes.
  regards
  manish

  The Authorization Concept
  R/3 uses authorization objects to assign authorizations to users. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (eg. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (eg. Z_SCC20001).
  Authorizations may be classified as general authorizations, organizational authorizations or functional authorizations. General authorizations specify the functions a user may perform. Authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. The system checks for the useru2019s authorization to create general ledger accounts (Activity 1) in at least one company code. The system then checks whether the user is permitted to create accounts for the specified organizational unit (company code) and has the required functional authorizations. Authorizations in this case may restrict the user to certain Charts of Accounts. In addition, an authorization group may be defined in certain authorization objects to protect individual master records.
  Profiles relating to an organizational role (eg. General Ledger Supervisor) are defined consisting of a list of authorizations and other profiles. Such profiles are then assigned to users with that role and stored in their user master record along with other data (eg. password).
  Do check this link as well.
  http://articles.techrepublic.com.com/5100-10878_11-5110893.html

• Standard authorization concept versus analysis authorizations

  Hi
  I am bit confused about the necessity of maintaining both.
  Example:
  I have designed an analysis authorizations for CO (Controlling), named CO_001:
  InfoProvider: 0COOM_C02
  Thereafter I have put the authorization object S_RS_AUTH into a role (standard authorization object) with CO_001 as value in BIAUTH.
  Is there still a need to maintain authorization objects for Business Explorer or Business Planning, like:
  S_RS_COMP (limiting to the InfoProvider mentioned in the analysis authorization)
  S_RS_PLSE (limiting to a special aggregation level of the appropriate InfoProvider mentioned in the analysis authorization)
  What happens when there is no limitations maintained in the role for these auth objects, "*"?
  Which concepts dominates the other one?
  Thanks
  BEO

  Hi BEOplanet,
  S_RS_COMP will give you access to the Infoprovidor in BEx so this will be access level security.
  Then Analysis authorization will give you the data level security within the infoprovidor (like what data you can see within the infoprovidor)
  There fore you need to maintain both S_RS_COMP and Analysis Authorizations.
  To your question ,if you have maintained the cube 0COOM_C02 in Analysis Authorization and S_RS_COMP has only 0PA_01 then the Query will fail since you dont have access to the cube 0COOM_C02 in S_RS_COMP.
  Regards,
  Karthik.

• How to turn off the authorization checks for a object in infoproviders?

  Hi - how can I turn off the authorization check for an object (ex: 0orgunit) in infoproviders?
  I have 0orgunit as an authorization-relevant object and is used in one of the cubes. When reports are run for this cube, this is causing authorization issues. The object is present in other cubes also but I have to remove or turn off the authorization check of this cube alone. How to do this? Please help.
  Thanks,
  Raj.

  Hi Raj,
  Srinivas, is right , however in BI7 the correct transaction is RSECADMIN and not RSADMIN.
  In BW3.5, use RSSM transaction to do thins.
  OR
  Go to transaction RSECAUTH ---> Choose  the authorization object that has been created for org unit(and has been assigned to the user). Go to change mode. Remove the cube from the dimension 0TCAIPROV
  If you are using old authorization concept in 3.5 or in 7.0
  Go to RSSM. In the checks for infoprovider, enter your infoprovider name. Choose change.Here you will see a checkbox to switch off the authorization.
  Hope this helps you,
  Best regards,
  Sunmit.

• SRM 7.0 authorization objects for table maintenance

  Hi guys,
  I wanted to know how authorization objects work in SRM.
  I created a custom table which key filed is company code (BUKRS). And in the table maintenance view I have to add an authorization object based on the company code.
  Is it possible to do that in SRM?
  Thanks!!

  Hi,
  Authorization concept is same for all ABAP based application. Do you have any issue in SRM?
  Regards,
  Masa

• Authorization Objects for Multiple Fields on a Screen

  Hi,
  I have a requirement to create authorization object on a screen with 20 fields and there are 3 users, each user for eg: User-A has rights to Display and modify a few fields and User-B has rights to diplay and modify a few fields and same is the case for the 3rd user, and there are some fields which all can modify.
  what i can do is create 2 authorization objects for each user one with all fields that he can modify & Display and other with all fields which he can display only. In this way i will have to create 6 authorization objects for 3 users, is there a way to reduce to 3, one for each user or even bring it down to 1 for all.
  Thanks,
  Thirumal

  Hi again,
  1. Thanks for the transparent example.
  2. Taking the same,
      it would be like this, in the program.
  ( u must agree that
  if there are six different cases,
  then there will be six different IF ENDIF
  in your program, for edit/display combination of fields)
  (you may also use GROUP1, GROUP2..GROUP4
  concept along with authorisation concept
  to group related fields )
  2. suppose user2 or user 1 has logged in.
  3. in the program,
     before displaying the fields,
    a) use authority-check
     with 1, 2 and check sy-subrc to know
     which VALUE (1,2) is there for rights.
     b)then, logic would be like this
        (for display/edit of all fields)
      IF value =  1.
      field1-visible = true
      field1-editable = true
      field2-visible = true
      field2-editable = true
       field3-visible = true
      field3-editable = true
     endif.
     if value = 2.
      field1-visible = true
      field1-editable = <b>false</b>
      field2-visible = true
      field2-editable = <b>false</b>
     endif.
  regards,
  amit m.