Authorization Creation

Hi All
I have an ABAP program which is used for loading the file from the workstation to the application server and triggering the process chain. In the ABAP coding, I need to select the application area and eventid; this is maintained in a separate InfoObject. The application area is basically based on different workstreams like Finance, Manufacturing etc.
When the user runs the ABAP program, say for example that particular user is assigned to Finance, then when selecting the file he needs to see only Finance-related eventids. Is it possible to set authorization objects on InfoObjects and restrict them to the users in ABAP coding?
If yes, please send me the details of how to do it.
I'll assign points for it.
Regards
Dinesh,

Hi Dinesh,
In BW we don't have Tcode-based authorization, hence we cannot do as we do in R3 (restriction of Tcodes other than his module).
Here we provide authorization with the help of roles. In these roles we can restrict the user to specific info object/data target/info source/query/workbook and so on, as per need.
Hence what you can do is restrict users by the info sources/info cubes which are relevant for them for reporting.
Say a finance person shall be authorised to change/display only FI info sources or info cubes and not SD or MM, as per the scenario.
Procedure:
1. Make the info object auth-relevant by putting a cross in the check box provided in info object maintenance.
2. Go to RSSM.
3. Choose the auth object name.
4. Select the required info object for the list.
5. If you want to restrict this object for a particular data target, then choose that also from below.
6. Check that you have used the info object and data target (you can also provide auth for hierarchy and hierarchy nodes).
7. Now go to PFCG and create a new role or use an existing one which your user has in his ID.
8. Manually add that object to his auth object list and restrict accordingly; you can check here for other objects (e.g. cube and info source) if you want to edit them.
9. Generate this and go back, put the user ID in the column on the user tab and press user comparison.
10. Finally save and exit.
This way you can do this; it also depends on your requirements how you want to authorize a person for activities.
Hope it helps.
Write for more help if needed.

Similar Messages

  • Structural authorization - creation of employee number in webdynpro or abap

    Hello Experts,
    We are facing some problems with the combination of structural authorizations and the creation of a new employee.
    When we use PA40 to create a new employee this does not give any problem.
    In the webdynpro we first execute a call transaction PA40 to apply infotype 0000 and 0001. This works well.
    Except that the call transaction does not set the connection between PA and OM. (so we did program this ourselves)
    In PO13 and the table HRP1001 the same relations are made as when we use PA40 in the sap gui.
    After this we do call transactions PA30 for the next infotypes.
    When we check the SU53 it gives a message: problems with structural authorizations object P (with the employeenumber) starting at 01.01.1800, enddate is empty.
    The employee is manager and connected with his userid in infotype 0105.
    We use in the structural profile the function module  RH_GET_MANAGER_ASSIGNMENT
    We checked with transaction HRHAUTH.
    User has been adjusted to the tables T77UA etc.
    We do not use workflow in this webdynpro
    We used the trace function when this was executed, but it did not give more information about missing structural authorizations.
    This issue was on SDN before (Structural authorization - creation of employee number) but unfortunately there was no solution there for the issue!
    Hope one of you can help me to find the solution!
    With kind regards,
    Rita Mensink

    Hi.
    After 2½ days of frustration I finally nailed this.
    Function group RHAC, that handles the authority checks, initially buffers a table called VIEW containing all objects available for the user. As stated earlier in this conversation, SAP handles creation of relations in HRP1001 (links PA and OM). At this point the new employee number is appended to buffered table VIEW in function group RHAC.
    When executing the PA40 activity through CALL TRANSACTION, the creation of the relations is not handled - and the same goes for updating the buffered table VIEW. The table can be updated using the function module RH_VIEW_ENTRY_INSERT from the same function group:
    This example might be useful
      " lv_pernr: the new employee number; lv_ny_objid: ID of the related object.
      data: ls_view_entry type hrview,
            ls_related_object type hrobject.
      " View entry for the new person (object type P) in plan version 01.
      ls_view_entry-plvar = '01'.
      ls_view_entry-otype = 'P'.
      ls_view_entry-objid = lv_pernr.
      ls_view_entry-begda = '18000101'.
      ls_view_entry-endda = '99991231'.
      ls_view_entry-maint = 'X'.
      " Related object of type S (position) in the same plan version.
      ls_related_object-plvar = '01'.
      ls_related_object-otype = 'S'.
      ls_related_object-objid = lv_ny_objid.
      " Append the person to the buffered table VIEW of function group RHAC.
      call function 'RH_VIEW_ENTRY_INSERT'
        exporting
          view_entry     = ls_view_entry
          related_object = ls_related_object.
    Best regards
    Poul Steen Hansen
    Senior Technical Consultant
    EDB Consulting Group A/S, Denmark

  • Structural authorization - creation of employee number

    Hello Experts,
    We are facing an issue with structural authorization in creation of employee number.
    I have tested without assigning structural authorization and it processes the hiring action and generates the employee number
    (the hiring action is carried out through the Adobe form, which in turn calls the ABAP function module).
    For the same user, if I assign a structural profile with function module RH_GET_MANAGER_ASSIGNMENT (the user is assigned to an employee who is Chief), the hiring action which has to happen through the Adobe form is not happening, and when we check in the program it is throwing an error as "Failed structural authorizations".
    I checked whether the employee which has to be generated lies within the organization unit of the manager (who is Chief) and it does lie within the same org unit.
    Can you please help me in analysing why the employee is not getting generated though the user has proper HR authorizations and structural authorization assigned?


  • Mass role & authorization creation

    Hi all,
    I have been assigned a task to create some 400+ authorizations. Using PFCG and creating one by one would take much time, so I wonder if there is a different approach.
    Every role has a different number of transactions, but most of them have the same values for authorization objects (company code, purchasing group etc).
    Anyone have an idea on how to do this?
    Thank you,
    Igor

    What about ECATT or even BAPI usage? There are ECATT procedures for mass users creation. Can that be used for roles as well?
    Not as far as I know.
    In any case, I will never rely on mass creation of roles as this will represent a security issue, and in my personal opinion this is why SAP does not offer mass creation of roles as a standard.
    Regards
    Juan

  • BI 7.0 Analysis authorization creation issue

    Hi,
    We are prototyping the new analysis authorization concept and have a question regarding the build.
    We've had the BI execute the pre-implementation tasks (activate the business related content and OTCT* and OTCTA* InfoCubes and OCTA* InfoCubes).
    There aren't any custom reporting objects to carry over since the queries were previously just secured by the S_RS_ICUBE Administrator Workbench - InfoCube with specific values for the InfoCube. Since this object is no longer checked in query processing, is it a correct statement that the characteristic 0TCAIPROV (InfoProvider) should be populated with whatever values were listed in the S_RS_ICUBE object for the InfoCube field?
    We built an analysis authorization via RSECADMIN per the requirements below and executed it with a test user ID assigned the regular reporting roles (with access to the queries).
    0TCAIPROV     InfoProvider      EQ     "Value 1"
    0TCAACTVT     Activity          EQ     03
    0TCAVALID     Validity Date
    0TCAIFAREA    InfoArea                 *
    However, when executing the query as this test user, we received a "you are not authorized message". The trace didn't show detailed information, so we executed the same query with another user ID that was assigned 0b1_all and obviously could execute successfully.
    Is it correct to assume that all the characteristics that were checked in the trace are authorization relevant for the query? We added the characteristics with full authorization and still couldn't execute. In addition, when checking these characteristics via RSD1, they weren't marked as authorization relevant, yet they still appeared in the trace.
    Is there something else that is missing in the analysis authorization? I checked the characteristics for variables and none were defined.
    Any troubleshooting tips would be appreciated.
    Thanks in advance

    Hi Julie,
    0TCAIPROV should have the values of the InfoProviders (InfoCubes) that you want the user to have access to. If you don't want to restrict it by InfoProviders then you can give a ' * ' for 0TCAIPROV CP value ' * '.
    Also make sure when you run the query it is not looking for any other infoobjects which have been made Auth relevant.
    You can actually see the error log for queries
    Go to RSECADMIN --> Analysis tab  --> click error logs --> click configure log recording --> enter the test id and save. Now you do the test using the test id for query. Then come back and see the log for the test user and it will tell you what went wrong. Please let me know if you have any questions.
    Thanks,
    Karthik Kiran

  • HCM Authorization - Creation of separate Roles & Objects

    Hi All,
    We are developing authorisation matrix and have following doubt:
    The scenario is:
    - There are around 130 HR users who can be classified into 10 unique groups.
    - Each user handles from 4 - 8 locations, where locations are not part of PSA but are captured through the VDSK1 feature, with the details stored in Organisation Keys
    - OM, PA, PE, PD modules along with ESS, with a few custom transactions and workflows developed.
    My proposed solution is :
    1. Create 10 Roles only with tcodes (Trn_Roles_Grp_01 to Trn_Roles_Grp_10)
    2. Create 130 Roles without tcodes, but with objects authorisations (Obj_Roles_001 to Obj_Roles_130)
    3. For each user, assign relevant Trn_Role & Obj_Role
    Will this solution work ?  Or any better suggestions are welcome...
    Thanks & Regards,
    Vijay

    Hi,
    Your solution will work, but you will have 140 roles. That is too many for 130 users.
    I can suggest you to use structural authorizations to drive scope of access by organization structure rather than enterprise structure. This will reduce number of PA role, but increase number of structural roles. However it will be more consistent approach as you will drive access to functionality by PA roles and organizational scope by OM roles.
    Cheers

  • Authorization creation by ODS((0TCA_DS01) not possible on PRD system

    Hi friends,
    I am setting the authorization values by using the ODS (0TCA_DS01) (uploading file data to the ODS and then creating it via RSSM). But it is not possible on the PRD system, on which the system is set as "No change to repository cross-client customizing objects".
    Is there a good solution to set the authorization values by the ODS method on the PRD system?
    Kind regards,
    Masaaki

    Go to /nsu53 and see if u have no authorization in PRO then go to DEV assign authorization & then transport the same to Production.

  • BW 3.5 works with multiple nodes for authorizations

    Hi,
    Does BW 3.5 allow authorizations on multiple nodes? It seems from the "How to work with hierarchy authorizations" paper that the variable can only allow filtering 1 node, for 2.0B. We have requirements to allow viewing multiple nodes in a hierarchy.
    Thanks
    Will

    Hi Will,
    Create a hierarchy-node variable filled by authorizations in the frontend. The type has to be multiple entries (not single value). In RSSM, at the hierarchy authorization creation, you have to use the F4 for selecting nodes. The F4 allows you to drag more nodes into the right frame.
    Cheers
    Peter

  • How can I determine which keyring is checked by Thunderbird on startup?

    Since the last update, when I open Thunderbird a black box comes up that asks me to authorize creation of a new keyring named "unknown." That occurred after previous black boxes which said a program was requesting access to a keyring named "unknown." The request for a new keyring named "unknown," after I change the name to "Mail."
    The initial problem was that the alleged program was unidentified and I did not know what was in the "unknown" keyring. For all I knew the source of the black box was a hacker or malware, etc., trying to access my mail, mail server or system in general.
    My response was to deny permission until the previously standard request for the password requested to access the mail server. I enter the password, and my mail downloads.
    Assuming the black box is a result of installing Thunderbird 31.0 and that black box is Thunderbird's new way of asking for my password for the mail server, how can I force Thunderbird to request access to "Mail" rather than "unknown?"
    Frankly, failing to identify the application requesting access to a keyring named "unknown" seems a breach of good security practice. A user should know what he is doing before taking any of the actions requested by the black box.

    I followed your advice and it apparently worked. We'll see for sure when I log in tomorrow.
    The black box actually asked for a password for a new keyring that I created yesterday named. When the box requested that specific keyring, I believed I know who was asking and why.
    That solved my problem.
    Thanks Matt!

  • Novell login not available with remote desktop on windows 7

    Installed Novell Client 2 SP3 for Windows Server 2012 on my terminal server. When I log in from Windows XP to that terminal server I am getting an option to login with Novell Client. On Windows 7 however I only can logon to the server. What am I missing here?

    djaquays <[email protected]> wrote:
    > Mostly, that MS RDP for Mac ignores the authentication level:i:0 option
    > in an RDP file and there's no GUI equivalent to force legacy
    > authentication.
    Microsoft's Network Level Authentication (NLA) feature is supported in
    Windows Server 2008 and later terminal servers, and supported by
    Remote Desktop Connection (MSTSC) 6.x and later terminal clients.
    Windows XP did not ship with a MSTSC 6.x terminal client, but it is
    available optionally through Windows Update.
    The NLA authentication is essentially requiring that valid Windows
    user account credentials for the Windows Server machine must be
    provided /before/ the RDP-level terminal session connection is even
    attempted or permitted. If the Windows user credentials you're logged
    in with on the client workstation do not already satisfy this
    requirement, the NLA-aware MSTSC clients will prompt you for valid NLA
    credentials before even attempting to open the terminal session.
    In other words, NLA doesn't directly have anything to do with whom you
    will become authenticated as within the terminal session, or whether
    you'll reconnect to some other already-running terminal session; it's
    a new default mechanism which requires Windows credentials for
    authorizing you to create an RDP connection to the Windows Server
    machine "at all."
    Unfortunately Windows Server 2008 and later don't permit you to turn
    NLA completely off. You can configure the Windows Server to always
    require NLA, which means pre-MSTSC 6.x terminal clients will be unable
    to connect. Or you can configure the Windows Server to "not require
    NLA" ("Allow connections from computers running any version of Remote
    Desktop"), but this still means Windows Server will use NLA if the
    workstation's MSTSC client supports NLA.
    The only option which has been available to "disable NLA" even when a
    Windows Server 2008 or later terminal server and a MSTSC 6.x or later
    terminal client are involved is to configure the
    "enablecredsspsupport:i:0" setting in the MSTSC client's .RDP file
    (e.g. default.rdp in the My Documents folder), in addition to
    configuring the terminal server to "not require NLA."
    Once you have "Allow connections from computers running any version or
    Remote Desktop" set on the Windows Server, and
    "enablecredsspsupport:i:0" set in the MSTSC client, now you're back to
    the Windows XP & Windows Server 2003 behavior where an RDP terminal
    connection can be established without first having to supply NLA
    credentials, and the first thing the MSTSC client user will experience
    is the full normal credential provider-based login experience just
    like you see at the physical console of the terminal server.
    Note that if you do leave NLA enabled and supply NLA credentials
    during the MSTSC connection attempt, after successfully using those
    credentials to authorize creation of the RDP connection, the MSTSC
    client will /also/ default to using the NLA credentials as default
    credentials to attempt logging on with within the terminal session
    itself. In other words, if you successfully supply NLA credentials,
    by default you also become logged in on the terminal session and go
    straight to the desktop of the Windows user account specified in the
    NLA credentials. So even though "NLA credentials" and "whom I will
    logon as within the terminal session" are two separate things, by
    default the MSTSC client tries to use the same credentials for both.
    But it's not that the NLA credentials "must" be used for logging in on
    the terminal session; that's simply the default behavior. If you
    leave NLA enabled on the Server 2008 or later terminal server, after
    NLA credentials are successfully used to authorize creation of an RDP
    connection, if you wanted to instead be prompted within the terminal
    session with the normal credential provider login experience, enable
    the "Always prompt for password" on the Windows Server 2008 or later
    terminal server.
    (On the Server 2008 or later machine, under "Administrative Tools"
    find the "Remote Desktop Services" group and launch the "Remote
    Desktop Session Host Configuration" console. Highlight/select the
    "RDP-Tcp" connection, right-click and select "Properties". On the "Log
    On Settings" tab elect "Always prompt for password".)
    That sounds like probably the scenario which fits best for the "I have
    a Macintosh-based client which doesn't allow enablecredsspsupport:i:0
    / authentication level:i:0." You would leave NLA enabled on the
    Server 2012 machine, but enable "Always prompt for password" in the
    RDP-Tcp connection properties on the Server 2012 machine. Such that
    after NLA authentication was performed and Windows allowed creation of
    the terminal session, instead of immediately also attempting to login
    within the terminal session as the Windows account specified in the
    NLA credentials, Windows will instead present the normal interactive
    credential provider login experience to allow the user to specify whom
    they want to login as.
    Finally, note that everything described above applies even to a
    Windows Server and Windows client workstation that do /not/ have the
    Novell Client for Windows installed. The same mechanisms remain in
    effect even once the Novell Client is installed; the presence of the
    Novell Client just changes what credential providers would be used or
    presented within the terminal session once the terminal session was
    allowed to be created. The fact that NLA is required by default and
    requires valid Windows credentials in order to authorize an RDP
    connection is still the same, regardless of whether the Novell Client
    is present or not.
    Alan Adams
    Novell Client CPR Group
    [email protected]
    Novell
    Making IT Work As One
    www.novell.com
    Upgrade to OES Community
    http://www.novell.com/communities/co.../upgradetooes/
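The two client-side .RDP settings named in the post above (`enablecredsspsupport:i:0` and `authentication level:i:0`) can be found by scanning saved connection files. The following is an added example, not part of the original post or of any Novell or Microsoft tooling; the sample file contents and host names are constructed, and setting names are compared case-insensitively as a conservative assumption.

```python
import codecs
from pathlib import Path

# The two client-side settings named in the thread. Value 0 means:
#   enablecredsspsupport:i:0 -> client does not use CredSSP, so no NLA pre-authentication
#   authentication level:i:0 -> connect without warning when server authentication fails
WATCHED = {
    "enablecredsspsupport": "CredSSP/NLA turned off in the client",
    "authentication level": "no warning if server authentication fails",
}


def decode_rdp(raw: bytes) -> str:
    """Decode .rdp bytes: UTF-16 with a BOM, or 8-bit text from hand-edited files."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def parse_rdp(raw: bytes):
    """Yield (line_no, name, type, value) for every 'name:type:value' line."""
    for line_no, line in enumerate(decode_rdp(raw).splitlines(), 1):
        parts = line.strip().split(":", 2)  # the value may itself contain ':' (host:port)
        if len(parts) == 3:
            name, typ, value = (p.strip() for p in parts)
            yield line_no, name.lower(), typ.lower(), value


def audit_rdp(raw: bytes) -> dict:
    """Return the target host and every watched setting that is set to 0."""
    report = {"target": None, "findings": []}
    for line_no, name, typ, value in parse_rdp(raw):
        if name == "full address":
            report["target"] = value
        elif name in WATCHED and typ == "i" and value == "0":
            report["findings"].append((line_no, name, WATCHED[name]))
    return report


def audit_tree(root: str) -> dict:
    """Audit every *.rdp file below root; only files with findings are returned."""
    flagged = {}
    for path in Path(root).rglob("*.rdp"):
        report = audit_rdp(path.read_bytes())
        if report["findings"]:
            flagged[str(path)] = report
    return flagged


# Constructed sample: both settings at 0, stored as UTF-16LE with a BOM.
SAMPLE_LEGACY = codecs.BOM_UTF16_LE + (
    "full address:s:ts01.example.test:3389\r\n"
    "enablecredsspsupport:i:0\r\n"
    "authentication level:i:0\r\n"
    "prompt for credentials:i:0\r\n"
).encode("utf-16-le")

# Constructed sample: hand-edited 8-bit file that leaves CredSSP switched on.
SAMPLE_DEFAULT = (
    b"full address:s:ts02.example.test\r\n"
    b"enablecredsspsupport:i:1\r\n"
    b"authentication level:i:2\r\n"
)

if __name__ == "__main__":
    for label, sample in (("legacy", SAMPLE_LEGACY), ("default", SAMPLE_DEFAULT)):
        print(label, audit_rdp(sample))
```
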

  • Configure AAA on 5508 WLC's

    Dear All,
    I am new to wireless, very keen on learning this technology. I have got a few questions from the situation which I have come across. How do we proceed with the same? Thanks in advance.
    1> Customer wanted to configure two 5508 HA WLCs; he wanted to configure AAA
    2> Configuration of AP as Network access device
    3> Implementation of Cisco ISE (for wired and wireless users)
    Remote Installation  of Cisco Identity Service Engine
    Setting up Virtual ISE Appliance on VMware platform Licence update
    Installation of  ISE policy server
    Configure Policy module
    Configure Administration module
    Configure Monitoring module
    Authentication (Integration with Active Directories)
    Integrate with Active directory
    Import Active directory groups
    Authorization - Creation of policies pertaining to users and groups
    Define and configure authorization policy
    Define and configure authorization conditions
    Define and configure authorization results

    Hello Saurav,
    Thank you so much for getting back, in error i rated this post only 1, 
    I have few more questions.Thanks for your help
    ISE Integration with Wireless LAN Controllers
    Integration of ISE with WLC – Pre-shared Key exchange
    Integration of ISE with Access Point  - Network Access Device
    Installation/Configuration of ISE supplicant on end-points
    Guest on-boarding portal – Design  
    Define Guest portal – Cisco template/Customised
    Define policy and access for Guest Vlan
    Integration of ISE and wireless networking into Cisco Prime

  • EasyDMS

    Hello,
    What is the difference between public folder and private folder in EasyDMS?
    What is the relation between folder and document type?
    Atul

    Hi,
    pls find comments
    a) When a user does a search, documents from both public as well as private folders are shown. For the user who is searching, public/private folder is irrelevant. So what is the actual / real use of the private folder? As I understand, documents stored in a private folder are not directly visible to other users, whereas documents stored in a public folder are directly visible.
    Both public and private folders help in creating/maintaining documents in a structured manner, i.e. document structures.
    Let's take an example:
    Some equipment has to be assembled for which drawings are already available in DMS.
    Consider 3 users - user1, user2, and user3.
    All these 3 users develop their own document structures/design equipment based on their own ideas, which must be kept confidential so that other users should not see the structure.
    If this structure is created in a public folder then all other users will have access, but if it is created in a private folder then only the respective user can see his own structure.
    b) When creating a folder, document type is asked. But in that folder one can store documents of any document type. Would it be right to understand that folders are just representations of boxes and the documents stored in these boxes relate to the box?
    How do I control/authorize creation/non-creation of folders in the public folder? How do I control/authorize that a user should be able to store documents in a particular folder only? E.g. I have created 5 folders under the public folder for project1, project2, project3, project4, project5 using document type PRJ. Now I want user2 to store documents in the folder project2 only?
    While creating a folder the doc type is asked; this is just for representing a header folder under which you will be structuring all the required folders and documents.
    All authorizations given in SAP will be taken into EDMS. After creating a doc in standard SAP, the document browser tab refers to creation of document structures, which is nothing but functionality of EDMS.
    If the user has authorisation to the doc type through which the folder is created, any documents can be stored in that particular doc type/folder.
    Hope this example helps you.
    Thank You,
    Manoj

  • Creating an OracleClob object

    Is there any way possible to create an oracle.sql.OracleClob object from within Java?
    I would like to create a CLOB object and pass it into an Oracle SP.

    Hi
    check following links :
    Authorization object creation
    Creation of a new Authorization object
    Authorization Creation
    Authorization object creation
    Authorization Object for Varient creation and Selection
    hope this helps you

  • Creation of Authorization group

    Hello All,
    I have a requirement from FI consultant for creation of new authorization group. This auth. group we want to use in FI objects like F_BKPF_BEK. so that for few end users they should not change any vendor data in FK02.
    I have gone through several posts, but not able to get / understand clear steps for creation of auth group and assignment.
    One of the post i found is below:
    [How to create Authorization group;
    I tried to do a few steps but not in the right direction. Request that someone please suggest the steps for creation.
    Rgds,
    Durga.

    Julius,
    Thanks for the update. As suggested by you i have inserted one entry of auth group in TBRG table against FI object with SE16.
    Now how do we maintain the view of V_TBRG. Is it from SE11?, if yes then i should do this step from ABAP login.
    But what i heard is, this activity is purely involved by Basis people.
    Please suggest.
    Rgds,
    Durga.

  • BAPI for creation of Authorization Objects in BI 7.0

    Hi BW Gurus,
    Greetings!!!
    Is there any BAPI Available for creation of Authorization Objects in BI 7.0.
    The data will be transferred through flatfiles.
    Kindly provide me the info as earliest as possible.
    Best Regards,
    Priya

    Got the Workaround...
    Priya
