Authorization Creation
Hi All
I have an ABAP program which is used for loading a file from the workstation to the application server and which triggers the process chain. In the ABAP coding, I need to select the application area and eventid; this is maintained in a separate InfoObject. The application area is basically based on different workstreams like Finance, Manufacturing etc.
When the user runs the ABAP program, say for example that particular user is assigned to Finance, then when selecting the file he needs to see only Finance-related eventids. Is it possible to set authorization objects on InfoObjects and restrict them to the users in ABAP coding?
If yes, please send me the details of how to do it.
I'll assign points for it.
Regards
Dinesh,
Hi Dinesh,
In BW we don't have Tcode-based authorization, hence we cannot do as we do in R3 (restriction of Tcodes other than his module).
Here we provide authorization with the help of roles. In these roles we can restrict a user to a specific info object/data target/info source/query/workbook and so on, as per need.
Hence what you can do is restrict users by the info sources/info cubes which are relevant for them for reporting.
Say a finance person shall be authorised to change/display only FI info sources or info cubes and not SD or MM, as per the scenario.
Procedure:
1. Make the info object auth relevant by putting a cross in the check box provided in info object maintenance.
2. Go to RSSM.
3. Choose the auth object name.
4. Select the required info object from the list.
5. If you want to restrict this object for a particular data target then choose that also from below.
6. Check that you have used the info object and data target (you can also provide auth for hierarchy and hierarchy nodes).
7. Now go to PFCG and create a new role or use an existing one which your user has in his ID.
8. Manually add that object in his auth object list and restrict accordingly; you can check here for other objects (e.g. cube and info source) if you want to edit them.
9. Generate this and go back, put the user ID in the column on the User tab and press User Comparison.
10. Finally save and exit.
This way you can do this; it also depends on your requirements how you want to authorize a person for activities.
Hope it helps.
Write for more help if needed.
Similar Messages
-
Structural authorization - creation of employee number in webdynpro or abap
Hello Experts,
We are facing some problems with the combination of structural authorizations and the creation of a new employee.
When we use PA40 to create a new employee this does not give any problem.
In the webdynpro we first execute a call transaction PA40 to apply infotype 0000 and 0001. This works well.
Except that the call transaction does not set the connection between PA and OM. (so we did program this ourselves)
In PO13 and the table HRP1001 the same relations are made as when we use PA40 in the sap gui.
After this we do call transactions PA30 for the next infotypes.
When we check the SU53 it gives a message: problems with structural authorizations object P (with the employeenumber) starting at 01.01.1800, enddate is empty.
The employee is manager and connected with his userid in infotype 0105.
We use in the structural profile the function module RH_GET_MANAGER_ASSIGNMENT
We checked with transaction HRHAUTH.
User has been adjusted to the tables T77UA etc.
We do not use workflow in this webdynpro
We used the trace function when this was executed, but it did not give more information about missing structural authorizations.
This issue was before on SDN (Structural authorization - creation of employee number) but unfortunately there was no solution there for the issue!
Hope one of you can help me to find the solution!
With kind regards,
Rita Mensink
Hi.
After 2½ days of frustration I finally nailed this.
Function group RHAC, that handles the authority checks, initially buffers a table called VIEW containing all objects available for the user. As stated earlier in this conversation, SAP handles creation of relations in HRP1001 (links PA and OM). At this point the new employee number is appended to buffered table VIEW in function group RHAC.
When executing the PA40 activity through CALL TRANSACTION, the creation of the relations is not handled - and the same goes for updating the buffered table VIEW. The table can be updated using the function module RH_VIEW_ENTRY_INSERT from the same function group:
This example might be useful:
* lv_pernr (the new personnel number) and lv_ny_objid (the related object ID)
* are expected to be filled earlier in the calling program.
data: ls_view_entry     type hrview,
      ls_related_object type hrobject.

* Entry for the new person (object type P) to append to the buffered table VIEW
ls_view_entry-plvar = '01'.
ls_view_entry-otype = 'P'.
ls_view_entry-objid = lv_pernr.
ls_view_entry-begda = '18000101'.
ls_view_entry-endda = '99991231'.
ls_view_entry-maint = 'X'.

* Object the person is related to (object type S)
ls_related_object-plvar = '01'.
ls_related_object-otype = 'S'.
ls_related_object-objid = lv_ny_objid.

* Add the entry to the buffer held by function group RHAC
call function 'RH_VIEW_ENTRY_INSERT'
  exporting
    view_entry     = ls_view_entry
    related_object = ls_related_object.
Best regards
Poul Steen Hansen
Senior Technical Consultant
EDB Consulting Group A/S, Denmark -
Structural authorization - creation of employee number
Hello Experts,
We are facing an issue with structural authorization in creation of employee number.
I have tested without assigning structural authorization and it processes the hiring action and generates the employee number
(the hiring action is carried out through the Adobe form, which in turn calls the ABAP function module).
For the same user, if I assign a structural profile with function module RH_GET_MANAGER_ASSIGNMENT (the user is assigned to an employee who is Chief), the hiring action which has to happen through the Adobe form is not happening, and when we check in the program it is throwing an error as failed structural authorizations.
I checked whether the employee which has to be generated lies within the organization unit of the manager (who is Chief) and it does lie within the same org unit.
Can you please help me in analysing why the employee is not getting generated though the user has proper HR authorizations and structural authorization assigned?
-
Mass role & authorization creation
Hi all,
I have been assigned a task to create some 400+ authorizations. Using PFCG and creating one by one would take much time, so I wonder if there is a different approach.
Every role has a different number of transactions, but most of them have the same values for authorization objects (company code, purchasing group etc).
Anyone have an idea on how to do this?
Thank you,
Igor
What about ECATT or even BAPI usage? There are ECATT procedures for mass user creation. Can that be used for roles as well?
Not as far as I know.
In any case, I will never rely on mass creation of roles as this will represent a security issue, and in my personal opinion that is why SAP does not offer mass creation of roles as a standard.
Regards
Juan -
BI 7.0 Analysis authorization creation issue
Hi,
We are prototyping the new analysis authorization concept and have a question regarding the build.
We've had the BI execute the pre-implementation tasks (activate the business related content and OTCT* and OTCTA* InfoCubes and OCTA* InfoCubes).
There aren't any custom reporting objects to carry over since the queries were previously just secured by the S_RS_ICUBE Administrator Workbench - InfoCube with specific values for the InfoCube. Since this object is no longer checked in query processing, is it a correct statement that the characteristic 0TCAIPROV (InfoProvider) should be populated with whatever values were listed in the S_RS_ICUBE object for the InfoCube field?
We built an analysis authorization via RSECADMIN per the requirements below and executed it with a test user ID assigned the regular reporting roles (with access to the queries).
0TCAIPROV InfoProvider EQ "Value 1"
0TCAACTVT Activity EQ 03
0TCAVALID Validity Date
0TCAIFAREA InfoArea *
However, when executing the query as this test user, we received a "you are not authorized" message. The trace didn't show detailed information, so we executed the same query with another user ID that was assigned 0b1_all and obviously could execute successfully.
Is it correct to assume that all the characteristics that were checked in the trace are authorization relevant for the query? We added the characteristics with full authorization and still couldn't execute. In addition, when checking these characteristics via RSD1, they weren't marked as authorization relevant, yet they still appeared in the trace.
Is there something else that is missing in the analysis authorization? I checked the characteristics for variables and none were defined.
Any troubleshooting tips would be appreciated.
Thanks in advance
Hi Julie,
0TCAIPROV should have the values of the InfoProviders (InfoCubes) that you want the user to have access to. If you don't want to restrict it by InfoProviders then you can give a ' * ' for 0TCAIPROV CP value ' * '.
Also make sure when you run the query it is not looking for any other infoobjects which have been made Auth relevant.
You can actually see the error log for queries
Go to RSECADMIN --> Analysis tab --> click error logs --> click configure log recording --> enter the test id and save. Now you do the test using the test id for query. Then come back and see the log for the test user and it will tell you what went wrong. Please let me know if you have any questions.
Thanks,
Karthik Kiran -
HCM Authorization - Creation of separate Roles & Objects
Hi All,
We are developing authorisation matrix and have following doubt:
The scenario is:
- There are around 130 HR Users can be classified into 10 unique groups.
- Each user handles from 4 - 8 locations, where locations are not part of PSA but are captured thru VDSK1 feature and stored the details in Organisation Keys
- OM, PA, PE, PD modules along with ESS with a few custom transactions and workflows developed.
My proposed solution is :
1. Create 10 Roles only with tcodes (Trn_Roles_Grp_01 to Trn_Roles_Grp_10)
2. Create 130 Roles without tcodes, but with objects authorisations (Obj_Roles_001 to Obj_Roles_130)
3. For each user, assign relevant Trn_Role & Obj_Role
Will this solution work ? Or any better suggestions are welcome...
Thanks & Regards,
Vijay
Hi,
Your solution will work, but you will have 140 roles. It is too many for 130 users.
I can suggest you use structural authorizations to drive scope of access by organization structure rather than enterprise structure. This will reduce the number of PA roles, but increase the number of structural roles. However, it will be a more consistent approach as you will drive access to functionality by PA roles and organizational scope by OM roles.
Cheers -
Authorization creation by ODS((0TCA_DS01) not possible on PRD system
Hi friends,
I am setting the authorization values by using the ODS (0TCA_DS01) (uploading file data to the ODS and then creating it via RSSM). But it is not possible on the PRD system, on which the system is set as "No change to repository cross-client customizing objects".
Is there a good solution to set the authorization values by the ODS method on the PRD system?
Kind regards,
Masaaki
Go to /nsu53 and see if you have no authorization in PRO, then go to DEV, assign the authorization and then transport the same to Production.
-
BW 3.5 works with multiple nodes for authorizations
Hi,
Does BW 3.5 allow authorizations on multiple nodes? It seems that from the "How to work with hierarchy authorizations" paper, the variable can only allow filtering 1 node, for 2.0B. We have requirements to allow viewing multiple nodes in a hierarchy.
Thanks
Will
Hi Will,
create a hierarchy-node variable filled by authorizations in the frontend. The type has to be multiple entries (not single value). In RSSM at the hierarchy authorization creation you have to use the F4 for selecting nodes. The F4 allows you to drag more nodes into the right frame.
Cheers
Peter -
How can I determine which keyring is checked by Thunderbird on startup?
Since the last update, when I open Thunderbird a black box comes up that asks me to authorize creation of a new keyring named "unknown." That occurred after previous black boxes which said a program was requesting access to a keyring named "unknown." The request for a new keyring named "unknown," after I change the name to "Mail."
The initial problem was that the alleged program was unidentified and I did not know what was in the "unknown" keyring. For all I knew the source of the black box was a hacker or malware, etc., trying to access my mail, mail server or system in general.
My response was to deny permission until the previously standard request for the password requested to access the mail server. I enter the password, and my mail downloads.
Assuming the black box is a result of installing Thunderbird 31.0 and that black box is Thunderbird's new way of asking for my password for the mail server, how can I force Thunderbird to request access to "Mail" rather than "unknown?"
Frankly, failing to identify the application requesting access to a keyring named "unknown" seems a breach of good security practice. A user should know what he is doing before taking any of the actions requested by the black box.
I followed your advice and it apparently worked. We'll see for sure when I log in tomorrow.
The black box actually asked for a password for a new keyring that I created yesterday named. When the box requested that specific keyring, I believed I knew who was asking and why.
That solved my problem.
Thanks Matt! -
Novell login not available with remote desktop on windows 7
Installed Novell Client 2 SP3 for Windows Server 2012 on my terminal server. When I log in from Windows XP to that terminal server I am getting an option to login with Novell Client. On Windows 7 however I only can logon to the server. What am I missing here?
djaquays <[email protected]> wrote:
> Mostly, that MS RDP for Mac ignores the authentication level:i:0 option
> in an RDP file and there's no GUI equivalent to force legacy
> authentication.
Microsoft's Network Level Authentication (NLA) feature is supported in
Windows Server 2008 and later terminal servers, and supported by
Remote Desktop Connection (MSTSC) 6.x and later terminal clients.
Windows XP did not ship with a MSTSC 6.x terminal client, but it is
available optionally through Windows Update.
The NLA authentication is essentially requiring that valid Windows
user account credentials for the Windows Server machine must be
provided /before/ the RDP-level terminal session connection is even
attempted or permitted. If the Windows user credentials you're logged
in with on the client workstation do not already satisfy this
requirement, the NLA-aware MSTSC clients will prompt you for valid NLA
credentials before even attempting to open the terminal session.
In other words, NLA doesn't directly have anything to do with whom you
will become authenticated as within the terminal session, or whether
you'll reconnect to some other already-running terminal session; it's
a new default mechanism which requires Windows credentials for
authorizing you to create an RDP connection to the Windows Server
machine "at all."
Unfortunately Windows Server 2008 and later don't permit you to turn
NLA completely off. You can configure the Windows Server to always
require NLA, which means pre-MSTSC 6.x terminal clients will be unable
to connect. Or you can configure the Windows Server to "not require
NLA" ("Allow connections from computers running any version of Remote
Desktop"), but this still means Windows Server will use NLA if the
workstation's MSTSC client supports NLA.
The only option which has been available to "disable NLA" even when a
Windows Server 2008 or later terminal server and a MSTSC 6.x or later
terminal client are involved is to configure the
"enablecredsspsupport:i:0" setting in the MSTSC client's .RDP file
(e.g. default.rdp in the My Documents folder), in addition to
configuring the terminal server to "not require NLA."
Once you have "Allow connections from computers running any version of
Remote Desktop" set on the Windows Server, and
"enablecredsspsupport:i:0" set in the MSTSC client, now you're back to
the Windows XP & Windows Server 2003 behavior where an RDP terminal
connection can be established without first having to supply NLA
credentials, and the first thing the MSTSC client user will experience
is the full normal credential provider-based login experience just
like you see at the physical console of the terminal server.
Note that if you do leave NLA enabled and supply NLA credentials
during the MSTSC connection attempt, after successfully using those
credentials to authorize creation of the RDP connection, the MSTSC
client will /also/ default to using the NLA credentials as default
credentials to attempt logging on with within the terminal session
itself. In other words, if you successfully supply NLA credentials,
by default you also become logged in on the terminal session and go
straight to the desktop of the Windows user account specified in the
NLA credentials. So even though "NLA credentials" and "whom I will
logon as within the terminal session" are two separate things, by
default the MSTSC client tries to use the same credentials for both.
But it's not that the NLA credentials "must" be used for logging in on
the terminal session; that's simply the default behavior. If you
leave NLA enabled on the Server 2008 or later terminal server, after
NLA credentials are successfully used to authorize creation of an RDP
connection, if you wanted to instead be prompted within the terminal
session with the normal credential provider login experience, enable
the "Always prompt for password" on the Windows Server 2008 or later
terminal server.
(On the Server 2008 or later machine, under "Administrative Tools"
find the "Remote Desktop Services" group and launch the "Remote
Desktop Session Host Configuration" console. Highlight/select the
"RDP-Tcp" connection, right-click and select "Properties". On the "Log
On Settings" tab elect "Always prompt for password".)
That sounds like probably the scenario which fits best for the "I have
a Macintosh-based client which doesn't allow enablecredsspsupport:i:0
/ authentication level:i:0." You would leave NLA enabled on the
Server 2012 machine, but enable "Always prompt for password" in the
RDP-Tcp connection properties on the Server 2012 machine. Such that
after NLA authentication was performed and Windows allowed creation of
the terminal session, instead of immediately also attempting to login
within the terminal session as the Windows account specified in the
NLA credentials, Windows will instead present the normal interactive
credential provider login experience to allow the user to specify whom
they want to login as.
Finally, note that everything described above applies even to a
Windows Server and Windows client workstation that do /not/ have the
Novell Client for Windows installed. The same mechanisms remain in
effect even once the Novell Client is installed; the presence of the
Novell Client just changes what credential providers would be used or
presented within the terminal session once the terminal session was
allowed to be created. The fact that NLA is required by default and
requires valid Windows credentials in order to authorize an RDP
connection is still the same, regardless of whether the Novell Client
is present or not.
Alan Adams
Novell Client CPR Group
[email protected]
Novell
Making IT Work As One
www.novell.com
Upgrade to OES Community
http://www.novell.com/communities/co.../upgradetooes/ -
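A defender-side check for the two .rdp settings named in the reply above, as an added example that is not part of the original posts: it parses the `name:type:value` lines of an .rdp file and reports `enablecredsspsupport:i:0` and `authentication level:i:0`. The sample file contents and host name are constructed for illustration, and matching setting names case-insensitively is a choice made here.

```python
"""Audit .rdp files for settings that switch off CredSSP/NLA (added example)."""
import codecs

# Settings discussed in the thread, with the value that weakens
# authentication before the terminal session is created.
WEAK_SETTINGS = {
    "enablecredsspsupport": ("0", "CredSSP disabled: client will not perform NLA"),
    "authentication level": ("0", "connects without warning if server authentication fails"),
}


def decode_rdp(raw: bytes) -> str:
    """Decode .rdp bytes: commonly UTF-16 with a BOM, sometimes UTF-8/ANSI."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    return raw.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> list:
    """Return (line number, name, type, value) for every 'name:type:value' line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        # Split on the first two colons only: the value may contain ':' (host:port).
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, kind, value = parts
        entries.append((lineno, name.strip().lower(), kind.strip().lower(), value.strip()))
    return entries


def audit_rdp(raw: bytes) -> list:
    """Return (line number, setting, reason) for each weakening setting found."""
    findings = []
    for lineno, name, kind, value in parse_rdp(decode_rdp(raw)):
        weak = WEAK_SETTINGS.get(name)
        if weak and kind == "i" and value == weak[0]:
            findings.append((lineno, f"{name}:{kind}:{value}", weak[1]))
    return findings


# Constructed sample: an .rdp file saved as UTF-16 LE with a BOM.
SAMPLE_TEXT = (
    "full address:s:ts01.example.test:3389\r\n"
    "enablecredsspsupport:i:0\r\n"
    "authentication level:i:2\r\n"
    "screen mode id:i:2\r\n"
)
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + SAMPLE_TEXT.encode("utf-16-le")

if __name__ == "__main__":
    for lineno, setting, reason in audit_rdp(SAMPLE_UTF16):
        print(f"line {lineno}: {setting} -> {reason}")
```

Run over the .rdp files distributed to users, this shows which clients have been configured to skip NLA before the server-side "not require NLA" option is tightened again.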
Dear All,
I am new to wireless and very keen on learning this technology. I have got a few questions from a situation which I have come across. How do we proceed with the same? Thanks in advance.
1> Customer wanted to configure two 5508 HA WLCs; he wanted to configure AAA
2> Configuration of AP as Network access device
3> Implementation of Cisco ISE (for Wired and Wireless users)
Remote Installation of Cisco Identity Service Engine
Setting up Virtual ISE Appliance on VMware platform Licence update
Installation of ISE policy server
Configure Policy module
Configure Administration module
Configure Monitoring module
Authentication (Integration with Active Directories)
Integrate with Active directory
Import Active directory groups
Authorization - Creation of policies pertaining to users and groups
Define and configure authorization policy
Define and configure authorization conditions
Define and configure authorization results
Hello Saurav,
Thank you so much for getting back; in error I rated this post only 1.
I have a few more questions. Thanks for your help.
ISE Integration with Wireless LAN Controllers
Integration of ISE with WLC – Pre-shared Key exchange
Integration of ISE with Access Point - Network Access Device
Installation/Configuration of ISE supplicant on end-points
Guest on-boarding portal – Design
Define Guest portal – Cisco template/Customised
Define policy and access for Guest Vlan
Integration of ISE and wireless networking into Cisco Prime -
Hello,
What is the difference between public folder and private folder in EasyDMS?
What is the relation between folder and document type?
Atul
Hi,
Please find comments:
a) When a user does a search, documents from both public as well as private folders are shown. For the user who is searching, public/private folder is irrelevant. So what is the actual / real use of a private folder? As I understand, documents stored in a private folder are not directly visible to other users whereas documents stored in a public folder are directly visible.
Both public and private folders help in creating/maintaining documents in a structured manner, i.e. document structures.
Let's take an example:
Some equipment has to be assembled for which drawings are already available in DMS.
Consider 3 users - user1, user2, and user3.
All these 3 users develop their own document structures/design equipment based on their own ideas, which must be kept confidential so that other users should not see the structure.
If this structure is created in a public folder then all other users will have access, but if it is created in a private folder then only the respective user can see his own structure.
b) When creating a folder, document type is asked. But in that folder one can store documents of any document type. Would it be right to understand that folders are just a representation of boxes and the documents stored in these boxes relate to the box?
How do I control/authorize creation/non-creation of folders in the public folder? How do I control/authorize that a user should be able to store documents in a particular folder only? E.g. I have created 5 folders under the public folder for project1, project2, project3, project4, project5 using document type PRJ. Now I want user2 to store documents in the folder project2 only?
While creating a folder the doc type is asked; this is just for representing it as a header folder under which you will be structuring all the required folders and documents.
All authorizations given in SAP will be taken into EDMS. After creating a doc in standard SAP, the document browser tab refers to creation of document structures, which is nothing but functionality of EDMS.
If a user has authorisation to the doc type through which the folder is created, any documents can be stored in that particular doc type/folder.
Hope this example helps you.
Thank You,
Manoj -
Is there any way possible to create an oracle.sql.OracleClob object from within Java?
I would like to create a CLOB object and pass it into an Oracle SP.
Hi
check the following links:
Authorization object creation
Creation of a new Authorization object
Authorization Creation
Authorization object creation
Authorization Object for Varient creation and Selection
hope this helps you -
Creation of Authorization group
Hello All,
I have a requirement from the FI consultant for creation of a new authorization group. This auth. group we want to use in FI objects like F_BKPF_BEK, so that a few end users cannot change any vendor data in FK02.
I have gone through several posts, but am not able to get / understand clear steps for creation of the auth group and assignment.
One of the post i found is below:
How to create Authorization group
I tried to do a few steps but not in the right direction. I request someone to please suggest the steps for creation.
Rgds,
Durga.
Julius,
Thanks for the update. As suggested by you, I have inserted one entry of auth group in the TBRG table against the FI object with SE16.
Now how do we maintain the view V_TBRG? Is it from SE11? If yes, then I should do this step from an ABAP login.
But what i heard is, this activity is purely involved by Basis people.
Please suggest.
Rgds,
Durga. -
BAPI for creation of Authorization Objects in BI 7.0
Hi BW Gurus,
Greetings!!!
Is there any BAPI Available for creation of Authorization Objects in BI 7.0.
The data will be transferred through flatfiles.
Kindly provide me the info as earliest as possible.
Best Regards,
Priya
Got the Workaround...
Priya