Authorization controll for 2 ,T-codes at a same role
Hi all I need your professional support
When we execute the PV00 t-code and try to Create Attendance and it will allow the user to create it by going to PA40 which should not allowed and this has to be blocked.
But in the same user under a different role, PA40 is also attached and we have to keep it available to the user.
If I specify more about this issue, under HR role we have assigned PA40, for 5 personal areas and for another role we have assigned 20 personal areas for PV00, so if the same user try to click on the Create Attendance it will give 20 personal areas access through PA40 , which we have to block it some how. Through PV00, should not allow the user to access PA40 transaction. I tried through authorization which I couldnt control.
We are using role based authorization. Please advice me how to resolve this issue.
hai
i got the answer tnx for every one
regard
nawa
Similar Messages
-
Authorization control for actual price calculation
Dear all,
I found that there is no authorization control for actual price calculation(KSII), this means user can calculate actual price for all cost centers, even this cost center belongs to other company. Is there a way to control this?
Thanks,
BenHi Ben,
By SAP standard we do not have the control. we also have the same situation. We are venturing in to Realisation phase and we decided to have some kind of program (development) to control this.
Please let me know if you find some better solution
Best Regards
Surya -
Authorization control for "Revoke Status Closed"
Dear Experts,
We are trying to restrict the authorization of business transaction u201CClosedu201D & u201CRevoke status closedu201D through authorization control for transaction COR2.
For that I have included authorization objects- K_ORDER, K_VRGNG, I_VORG_ORD in the user profile.
I have also added these objects in SU24 with check indicator u201CChecku201D & proposal u201CYESu201D
Through authorization object- K_ORDER I succeeded to restrict business transaction u201CCloseu201D.
But I am unable to restrict u201CRevoke Status Closedu201D.
I have also tried for this with user status but through user status also I am unable to restrict u201CRevoke Status Closedu201D.
Can anybody help me for this.
Regards
VivekDear ,
You can do it through two option :
1.Apply Screen variant -SHD0 at user level in which you can switch off menu path of TECO/REVOKE etc.
Refer : http://wiki.sdn.sap.com/wiki/display/Snippets/TransactionVariant-AStepbyStepGuidefor+Creation
2.You can try User Status at Production Order level .Refer : authorization for TECO
You can also check by User Exit : PPCO0007 (Exit when saving Production Order)
Regards
JH -
Authorization check for caller assignment to J2EE security role
Dears experts, in the default.trc logs in, my Enterprise Portal NW2004s, appear this error:
#1.#0018714E4A14005E000027E1000057B8000441BB7EF2FC03#1198173451524#com.sap.engine.services.security.roles.SecurityRoleReference#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleReference#Guest#2126####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ : ] referencing J2EE security role [ : ].#5#ACCESS.ERROR#service.jms.default.authorization#administrators#SAP-J2EE-Engine#administrators#
#1.#0018714E4A14005E000027E5000057B8000441BB7F8BDC21#1198173461543#com.sap.engine.services.security.roles.SecurityRoleImpl#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#2127####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ :
Any idea about it?
Thanks friendsHi Holger,
Thanks for the tip, it could be the case, I just checked and we are on Patch 0 for JEECOR as you can see here below:
sap.com/SAP-JEECOR 7.00 SP13 (1000.7.00.13.0.20070907082334) 20071028144036
sap.com/SAP-JEE 7.00 SP13 (1000.7.00.13.2.20071026143730) 20071203150628
Will inform some people internally to patch to atleast 3 to check if it still occures.
Anyway, Thanks again..
Benjamin Houttuin -
Error :Authorization check for caller assignment to J2EE security role whil
Hi Experts,
i m working as a portal resource .
after the deployment of standered Sap e-rec package .
i m getting some error. i have assigned the recruiter role to one test user.
Now i m getting two issue:
1)All the services are appearing in Detailed Navigation Pannel but not in Portal content area..
2) I m able to see few iview for the test user but those are also in detailed navigation view.
And few ivews are giving following error :
i)Internal error
ii)error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
/System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
Full Message Text
ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
please suggest what can be done or what is pending from my side.Prajakta2602 wrote:
Hi Experts,
>
> the previous issue got solved..
> it was due to servies pack miss match and applying notes
> the Basis guy checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required paching as per
> notes 1445294 and 1175239 were applied.
> now the issue is:
>
>
> After implemetation and i assigning the standerd sap roles
> 1)Recruiter Administrator
> 2)Recruiter
> to the test user .
> but for few iview it is showing error as in
> 1) you are not a authorized user
> 2) internal error
>
> please help experts.
>
> i m working on portal side have i to assign any role to that test user..
>
>
> Thnaks & Regards,
> Prajakta
You can run a quick check using the below steps:
1. Check in backend whether there is any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
Regards,
Mahesh -
Authorization control for 2, T-codes at a same role
Hi all I need your professional support
When we execute the PV00 t-code and try to Create Attendance and it will allow the user to create it by going to PA40 which should not allowed and this has to be blocked.
But in the same user under a different role, PA40 is also attached and we have to keep it available to the user.
If I specify more about this issue, under HR role we have assigned PA40, for 5 personal areas and for another role we have assigned 20 personal areas for PV00, so if the same user try to click on the Create Attendance it will give 20 personal areas access through PA40 , which we have to block it some how. Through PV00, should not allow the user to access PA40 transaction. I tried through authorization which I couldnt control.
We are using role based authorization. Please advice me how to resolve this issue.Hi there.
what about restric access to one of the transactions at the role level. If you are using the role based approach for authorizations it should be based on the derived role concept.
Basically you'll have a master role with as many derivations as the organization requires. The menu structure and transaction assignment willl be maintained at the Master role level which does not have any authorization profile. The authorizations are maintained at the derived role level.
In other words your security concept will be based on transaction+Object access control following the derived approach.
Consider running Virsa reports to identify security overlaps, and SOD breaches.
Cheers,
Damien -
MD61 -Authorization control for Version , requirements type -reg
Hi,
We have an issue in providing MD61 -Create Planned Independent Requirements to the users
By standard authorization objects available , Plant level authorization control only is there
if we have to give authorization for many users in the same plant based on teh VERSION , REQUIREMENTS TYPE etc... is it not possible ?
can the authorizations objects be created manually for these and assign to teh concerned user's roles ?
please provide your thoughts
regards,
madhukiran.Dear Madhu,
Authorization objects can be added for an individual T Code also in SU24.
Check with your Basis consultant,Also i think its possible to give the authorization for versions as well
as requirement type also.
Regards
Mangalraj.S -
BDC- Inconsistancy in table control for t-code MR21
Hi all,
We are facing inconsistency in the table control (number of line items) for t-code MR21 in normal transaction screen and BDC screen.
In normal transaction run (MR21) we can see 12 line entries.
But for the same t-code while processing of a session created by BDC recording we can see only 9 entries.
Because of the mismatch in the lines, there will be a gap of 3 blank lines.
Kindly provide any input to solve the issue.
Thanks & Regards,
PrabhuHello,
You will have to use the OPTIONS addition of CALL TRANSACTION to set the default screen size
data: t_ctu type ctu_params.
t_ctu-defsize = 'X'.
t_ctu-dismode = 'N' . " Mode
t_ctu-upmode = 'S' " Update
call transaction 'MR21' using bdcdata options form t_ctu messages into t_messages.
Vikranth -
Authorization object for company code and profit center together
Hi all,
Please help me with the following requirement..
Company Code = ABCD
Profit Center = *
The user is authorized to run the report for company code ABCD only but any profit center within this company code.
2 Company Code = *
Profit Center = WXYZ
The user is authorized to run the report for Profit Center WXYZ only but any company code.
3 Company Code = *
Profit Center = *
The user is authorized to run the report for any company code and profit center.
The same user could have 1 and 2. So, in this case he should be able to run a report for the total inventory of company code ABCD, and a report for total inventory of profit center WXYZ only regardless company code.
He should not have visibility to other company codes inventory other then profit center WXYZ.
Regards,
RajHi ,
Anyone please help me..
Regards,
Raj -
Authorization control for batch master
Hello Experts,
I have a special requirement from client on authorization control on batch master. The requirement is user should not be allowed to change the batch header details but allow to change selected characteristic values. For e.g If I have a batch A, the header values such as prod date, country of orgin etc should not be allowed to change. In classification view few characteristics only should be editable, rest all should only be displayed.
Is there any option to do this. Either through authorization control or exits. We dont want to create a custom transaction to achieve this.
Thanks in advance
PrathibHello
The following document explains how to check which authorization objects are called on each transaction:
How to analyze authorization issues in debug
BR
Caetano -
Authorization control for document status
Dear All,
I want to control the status change of Documets created,
How can i achieve this, so that a perticular user /ID can change the perticular status,
I have ,
01
02,
03,
04, Rel.
05,
Do i need to put some trace anf find Objects to control...
or there is any standard method to do this..
Please guide me..
Regards
RaghuHi Raghu,
Here are DMS authorizatoins objects. For handle status it should be C_DRAW_STA
C_DRAD_OBJ Create/Change/Display/Delete Object Link
C_DRAW_BGR Authorization for authorization groups
C_DRAW_DOK Authorization for document access
C_DRAW_MUP Authorization for Markups
C_DRAW_STA Authorization for document status
C_DRAW_TCD Authorization for document activities
C_DRAW_TCS Status-Dependent Authorizations for Documents
C_DRZA_TCD Document Distribution: Authorization for Recipient Lists
C_DRZI_TCD Document Distribution: Authorization for Distribution Order
S_ECL_CAT ECL Viewer: Authorization Object for Stamp Categories
S_ECL_STP ECL Viewer: Authorization Object for Printing with Meta Data
S_ECL_STP2 ECL Viewer: Authorization Object for Printing with Meta Data
Hope that it will help you
//Håkan -
Authorization Object for Transaction Code
Hi,
Is there a report I can execute to give me the list of authorization object for this transaction code?
Thanks.Check Transaction SU24
Alternatively you can go to SE16-- enter the table name TSTCA, then enter the T CODE, you will get the object related to that T Code.
Reward points.. -
Is there any table for see Authorization object for Function code?
Hi,
I am facing problem in finding autho. object for function code.
My problem is, in tcode cor2 there is function Approval (in Menubar->process order->function->approval), I want to restrict this to some users.
So is there any way or table to see function code's authorization object..
Thanks...Hi ,
I such scenario the best way is to run trace (ST01) and analyse to find used/missing authorization objects.
Regards, -
Authorization check For T code
Hi everyone,
Can anybody guide to set a authorization check for a particular Tcode.
I have ztable where users are assigned particular numbers.
I want the users who are assigned some numbers should be able to use this particular t code
Thanks in advancehi
chk this out
AUTHORITY-CHECK
Basic form
AUTHORITY-CHECK OBJECT object
ID name1 FIELD f1
ID name2 FIELD f2
ID name10 FIELD f10.
Effect
Explanation of IDs:
object
Field which contains the name of the object for which the authorization is to be checked.
name1 ...
Fields which contain the names of the
name10
authorization fields defined in the object.
f1 ...
Fields which contain the values for which the
f10
authorization is to be checked.
AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
You must specify all authorizations for an object and a also a value for each ID (or DUMMY).
The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
The return code value changes according to the different error scenarios. The return code values have the following meaning:
4
User has no authorization in the SAP System for such an action. If necessary, change the user master record.
8
Too many parameters (fields, values). Maximum allowed is 10.
12
Specified object not maintained in the user master record.
16
No profile entered in the user master record.
24
The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28
Incorrect structure for user master record.
32
Incorrect structure for user master record.
36
Incorrect structure for user master record.
If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
Note
Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
Example
Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
Table OBJ: Definition of authorization object
M_EINF_WRK
ACTVT
WERKS
Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
M_EINF_WRK_BERECH1
ACTVT 01-03
WERKS 0001-0003 .
can display and change plants within the Purchasing and Materials Management areas.
Such a user would thus pass the checks
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0002'
ID 'ACTVT' FIELD '02'.
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' DUMMY
ID 'ACTVT' FIELD '01':
but would fail the check
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0005'
ID 'ACTVT' FIELD '04'.
To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK -
Plant level authorization control for Internal Order
Dear Sir,
We create Internal Order using tcode KO01 and being a multi plant scenario , we want to have an authorization control on Internal Order creation/change so that plant or profit-center level authorization rights can be given to the users .
We request you to Kindly guide us about the steps to be followed for addressing such requirement .
With thanks and Regards
Sonia AgarwalaSonia-
It can be done. You have two options.
1. SAP security - when your security person can limit a user by plant, profit center etc using authorization objects.
2. Validations - Here you can create a validation where you define you logic. In your logic you can restrict set of users who can access a set of fields (profit center, plant etc). If he deviates, the system can issue error messages which is maintained in validations. Use transaction GGB0 to create validations.
Hope this helps.
Shail
Maybe you are looking for
-
Bluetooth Driver In Windows 8.1 is Not Working [Model :- F0D96EA#ABV]
Bluetooth Driver In Windows 8.1 is Not Working [Model :- F0D96EA#ABV] When I connect the phone he load and then says no connect
-
Seeing jagged lines on external monitor in 720P project???
I just a purchased a Panasonic BTLH1700 to use as a braodcast monitor with Final Cut Pro 6 and even though the monitor and my FCP project are 720p mode, I'm still seeing jagged lines. I thought that was usually a 480i issue. When you're working in a
-
New Post - GR not shown in inter-company return PO history
Hi Gurus, Below is the process we performed for the return PO process 1. ME21N, create the STO with the return indicator ticked. 2. VL10B, create the delivery note for the STO created in step1. 3. MIGO, GR against the PO created in step 1. (Mov.Type
-
Thanks SophiaW! Just clearing the data solved the problem! I didn't think it would be so simple
-
Decrypt a PDF - Encryption Key Algorithm
Hi to All, I'm italian, so I want to apologize if my english isn't perfect. I'm a young developer and I've some problem with decrypting PDF. I try to explain my problem telling you what I'm trying to do. Using this parameter: << /Filter /Standard /V