Authorization CRM_BPROLE not working

Hi Experts,
We need the below authorization for business partners in the CRM 2007 UI:
Accounts - Only Edit & Display
Contacts - Create, Edit, Display
Employees - Only Display
For that we are using the CRM_BPROLE authorization object as suggested in SAP Note 1129682. We also activated the BADI as mentioned in the Note. But the authorization object is still not working. Is there anything else that we must do to make this object active?
We tried using CRM_BPROLE along with B_BUPA_RLT also, but that too is not working in the CRM UI.
Appreciate your help.
Regards,
Vikas

Hi,
At my current customer I have implemented OSS Note 1259940 - Authority check for accounts depending on roles
Symptom
You use the authorization object B_BUPA_RLT and the activity 02 to control whether the user has the authorization to change data, depending on the roles that are assigned to an account, contact or employee. If the user has no change authorization for at least one business partner role, then the user is not authorized to lock the business partner.
Other terms
CRM WebClient UI
B_BUPA_RLT
PFCG
PARTNERROLE
Solution
Implement the method IF_UIU_BP_AUTHORITY~CHECK_EDIT of the BAdI BADI_CRM_BP_UIU_AUTHORITY in the enhancement spot CRM_UIU_BP_ENHANCEMENT. For this, implement the source code contained in the correction instructions. This note cannot be implemented using SNOTE.
I have set up my roles in the sense that I have maintained the same values in both objects, meaning CRM_BP_ROLE and B_BUPA_RLT. This works pretty well so far...
Kind regards
Davy Pelssers
SAP CRM/SAP Security consultant
www.dasap.be

Similar Messages

  • ME21N Material group level authorization is not working in ECC 6.0

    Dear Security Experts,
    We have created a role Z_ME21N with one Tcode ME21N. The role has to restrict users in the material group level.
    For that, we added Authorization object M_MATE_WGR.
    1.     When we are trying to add field values for {M_MATE_WGR, BEGRU}, generally it should show me the list of possible values to be used based on the MM configuration related to Material Authorization Group. We have correctly configured the authorization groups from V_TBRG for M_MATE_WGR. But it's not showing any possible values.
    2.     However we are able to add values manually, but I guess these are not being considered during authorization check and our restriction on Authorization group level in ME21N is not working.
    Test Scenario: We have manually added values 005,007,009,010,013 (which is pointing to specific material group) to BEGRU of M_MATE_WGR. We already assigned this Authorization Object to role Z_ME21N and this role has been assigned to 'testuser', but the authorization check with the M_MATE_WGR authorization group is not happening. It allows operations on all the material groups.
    Has anybody come across the same scenario?
    SAP Product version : ECC 6.0
    Database : SQL Server 2005
    Support pack level : 15
    Please share your views, thanks in advance.
    Regards,
    Abu Sandeep

    Dear All,
    I got a reply just now from SAP regarding the same issue.
    I couldn't understand what SAP and you are saying.
    Dear Abu
    *Apologies for the delay. This message has been turned on to application*
    *area of MM from the Basis side just now.*
    *Unfortunately, authorization object "M_MATE_WGR " is not checked*
    *in the purchasing transactions (PR & PO), the system works as standard*
    *functional designed.*
    *Only the following objects are checked in PR/PO:*
    *M_BEST_BSA Document Type in PO, M_BANF_BSA Document Type in PR*
    *M_BEST_EKG Purchasing Group in PO, M_BANF_EKG Purchasing Group in PR*
    *M_BEST_EKO Purchasing Org. in PO, M_BANF_EKO Purchasing Org. in PR*
    *M_BEST_WRK Plant in PO, M_BANF_WRK Plant in PR*
    *Setting in check/maintain on in SU24 only means that the profile*
    *generator will propose the object when creating a user, however it*
    *does not mean that M_MATE_WGR will be checked.*
    *Please close this message by pressing the confirm button at your*
    *earliest convenience.*
    *Many thanks in advance for your understanding.*
    So, how can I resolve this problem? John, are you sure that you implemented this successfully?
    SAP says this can't be done.
    Regards,
    Abu Sandeep.

  • ISE authorization Policy not working

    Hi ,
    I have configured the ISE as per the below link
    https://supportforums.cisco.com/document/110031/central-web-authentication-cwa-guests-ise
    but my authorization policy is not working: when a user gets connected to the guest WLAN it gets authenticated, but when it looks for authorization
    it goes to the default policy. It should hit the policy created above; screenshot as below.

    What version of ISE + patch are you running? Could you please send a screenshot of the AUTH policies including the default --- > USE part? Are you using a customized portal for the first authentication process?
    CWA is pretty straightforward. The only issue I faced was multiple VMs (ISE Personas) running on one single server not replicating the AUTHZ policies properly, so I added the PSN persona into the PAN Node and everything worked fine immediately. In addition to that, I realized that I needed at least ONE ENTRY in the ISE PAN Internal Endpoints DB so I could hit the AUTH Policy for MAB & user not found condition which sent me to the AUTHZ = User Unknown + Redirect. Once I authenticated the user using the Default Portal that meant I hit the GUEST FLOW policy. If you are using customized portals for the first authentication process, check: web portal mgmt. --- > Guest --- > MultiPortal Configurations --- > Customized Portal -- > Authentication part.

  • Authorization scheme not working.

    My requirement is I want to allow access only to few people for some pages, buttons.
    I am using Authorization scheme with scheme Type as "Exists SQL Query"
    Working Query
    SELECT p.EMP_ID FROM people p where emp_alias=:APP_USER and p.EMP_alias = 'ABC'
    Not Working query
    SELECT p.EMP_ID FROM people p where emp_alias=:APP_USER AND p.EMP_alias in ('ABC','XYZX)
    Error: ORA-00907: missing right parenthesis
         ERR-1082 Error in executing authorization scheme code.
    Can anyone say what I am missing?

    Thank you, adding braces and putting OR condition worked.
    SELECT p.EMP_ID FROM people p WHERE emp_alias = :APP_USER AND (p.EMP_alias = 'ABC' OR p.EMP_alias = 'XYZX')
    But I am not sure how it is working sometimes and not working other times. If I have new lines, it doesn't work, and if I have multiple conditions, it doesn't work.
    This doesn't work:
    SELECT p.EMP_ID FROM people p WHERE p.EMP_alias= :APP_USER and (emp_alias='ABC' or emp_alias='XYZ') and (p.EMP_ROLE='DBA' or p.EMP_ROLE ='DBAMGR')

  • Analysis Authorization Object not working

    Hi Gurus,
    I am working on BI 7.0. I have created an analysis authorization object zz_div for the 0DIVISION characteristic.
    For a given report I want a given user to view only data for '32' and '33' 0DIVISION.
    I have followed the below steps but still the report shows all data instead of the restricted one.
    1) RSECADMIN -> Maintenance -> zz_div -> Create
    2) Add 0DIVISION in Auth structure, and in details
    I     EQ     32
    I     EQ     33
    3) Add 0TCAIPROV with I     EQ     0SD_C03
    4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID, this having details as
    I     CP     *
    5) Then in User tab -> Assignment -> User -> Change -> Inserted ZZ_DIV -> Save
    6) In Query created an Authorization variable (with no input prompt) and restricted 0DIVISION.
    Following are the authorization object in that user's Role (Reporting Only)
    S_RFC 
    S_TCODE
    S_GUI
    S_BDS_D  
    S_BDS_DS 
    S_OC_SEND
    S_RS_AUTH - only having zz_div
    S_RS_COMP
    S_RS_COMP1
    S_RS_ICUBE
    S_RS_RSTT
    S_RS_TOOLS
    S_RS_PARAM
    I have surfed lots of threads for this issue but am not getting a solution.
    Tell me what I am missing in the above, or any additional setting needed before creating the analysis authorization.
    Edited by: Sonal Patel on Apr 18, 2009 8:10 AM

    Hi
    Thanks a ton for your reply.
    I have checked in SPRO : Analysis Authorization
    where the authorization mode is " OLD obsolete Concept With RSR  Authorization Objects "
    We have to do the same in the Production system. Can you please tell me how it is going to affect other authorizations if we change it to the New Concept?
    Thanks
    Sonal....

  • Hierarchy Analysis Authorization does not work after transport

    Hi Gurus,
    I am facing an issue in hierarchy analysis authorization in the quality system, but the same authorization works perfectly fine in development.
    All hierarchy authorizations work in Quality except for this one. I found one old SAP note describing this as a program error, but this note is not applicable in BW 7.3.
    I have checked the tables RSECVAL and RSECHIER, and the authorization is active, so everything looks good. Please advise if anyone has faced this issue after transporting hierarchy auths to other systems.
    Regards,
    Salman

    Salman,
    What I understood from your description is that you have the same role+AA in Dev and QA, which provides access in Dev for all the nodes for said hierarchy, but in QA the same role+AA provides access to the same hierarchy for all the nodes but one. Try to create a ZTEST analysis authorization in QA itself with access for the problematic hierarchy node and see if it works. This will rule out the case where there is a difference in the hierarchy between DEV & QA.
    Regards,
    Shivraj Singh

  • Authorization will not work only have one computer.

    I have 100 songs that, no matter how many times I try to authorize, my iTunes will not play, even though after I put my password in it comes back that machine authorization was successful. Then nothing happens. Also I only have one computer that I have always had with iTunes. Need help.

    Try getting rid of the SC Info folder mentioned in this article
    http://support.apple.com/kb/TS1389
    If that doesn't work, try DLing the free single of the week. You might need to agree to the new Apple store license agreement.

  • Authorization does not work

    I need to configure my web application such that users from different groups/roles
    have access to certain or all application uris. The way I am trying to achieve
    this is by defining separate <security-constraint> for each type of role. Please
    see the snippet from my web.xml below. I am using weblogic 7.0 service pack 2
    and the web application is struts based. Also, I am using Form Based Authentication.
    <!-- SECURITY CONSTRAINTS -->
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>Operator Access</web-resource-name>
              <url-pattern>startOfDayStatus.do</url-pattern>
              <url-pattern>viewExceptionReport.do</url-pattern>
              <url-pattern>exceptionReport.do</url-pattern>
              <url-pattern>mqCheck.do</url-pattern>
              <url-pattern>dbCheck.do</url-pattern>
              <url-pattern>endOfDayReport.do</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
              <role-name>OPSGRPLOCAL</role-name>
         </auth-constraint>
         <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>Admin and MKTOPS Access</web-resource-name>
              <url-pattern>*.do</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
              <role-name>THSMONGRP</role-name>
              <role-name>MKTOPSGRPLOCAL</role-name>
         </auth-constraint>
         <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    As you would see, in the first security-constraint tag, I have allowed access
    to only certain action uris for users belonging to OPSGRPLOCAL role. That works
    fine. However, the second security-constraint does not behave as it is defined.
    Any user belonging to THSMONGRP and MKTOPSGRP does not even get authorized
    and the user gets thrown to the error page. Can anyone tell me if they have seen
    such behaviour when having configured multiple security-constraints?
    Interesting thing I found is that if I deploy the application without defining
    the first security-constraint tag but only have the second security-constraint
    as shown above, all users belonging to those roles are authenticated as well as
    authorized (the users do not get thrown to the error page). Has anyone experienced
    such behaviour before?
    One thing to note that, I have based the constraints on the same action uris and
    not separated them into separate directories. Could this be the issue?
    Anyway, I would appreciate if you could share your thoughts and experiences if
    you have seen and/or resolved such problems before. Thank you for taking your
    time.

    Hi,
    Probably an overlapping issue. As you suggest I would put them into different
    subdirectories.
    Kai
    "Abhijit Joshi" <[email protected]> wrote:
    >
    I need to configure my web application such that users from different
    groups/roles
    have access to certain or all application uris. The way I am trying to
    achieve
    this is by defining separate <security-constraint> for each type of role.
    Please
    see the snippet from my web.xml below. I am using weblogic 7.0 service
    pack 2
    and the web application is struts based. Also, I am using Form Based
    Authentication.
    <!-- SECURITY CONSTRAINTS -->
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>Operator Access</web-resource-name>
              <url-pattern>startOfDayStatus.do</url-pattern>
              <url-pattern>viewExceptionReport.do</url-pattern>
              <url-pattern>exceptionReport.do</url-pattern>
              <url-pattern>mqCheck.do</url-pattern>
              <url-pattern>dbCheck.do</url-pattern>
              <url-pattern>endOfDayReport.do</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
              <role-name>OPSGRPLOCAL</role-name>
         </auth-constraint>
         <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>Admin and MKTOPS Access</web-resource-name>
              <url-pattern>*.do</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
              <role-name>THSMONGRP</role-name>
              <role-name>MKTOPSGRPLOCAL</role-name>
         </auth-constraint>
         <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    As you would see, in the first security-constraint tag, I have allowed
    access
    to only certain action uris for users belonging to OPSGRPLOCAL role.
    That works
    fine. However, the second security-constraint does not behave as it is
    defined.
    Any user belonging to THSMONGRP and MKTOPSGRP does not even get
    authorized
    and the user gets thrown to the error page. Can anyone tell me if they
    have seen
    such behaviour when having configured multiple security-constraints?
    Interesting thing I found is that if I deploy the application without
    defining
    the first security-constraint tag but only have the second security-constraint
    as shown above, all users belonging to those roles are authenticated
    as well as
    authorized (the users do not get thrown to the error page). Has anyone
    experienced
    such behaviour before?
    One thing to note that, I have based the constraints on the same action
    uris and
    not separated them into separate directories. Could this be the issue?
    Anyway, I would appreciate if you could share your thoughts and experiences
    if
    you have seen and/or resolved such problems before. Thank you for taking
    your
    time.
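
The overlap suspected in the reply above, modelled as an added example (not part of the thread and not WebLogic code): a small Python resolver that applies the best-match and role-combining rules of the Servlet 2.4 specification to a constructed web.xml fragment based on the two constraints. Assumptions: patterns are written with the leading "/" the specification requires, `/viewOrders.do` is a made-up URI, `FIXED_XML` is only one possible correction, and whether WebLogic 7.0 SP2 follows these rules exactly is not confirmed by the thread.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment modelled on the thread's two constraints.
# Assumption: each pattern carries the leading "/" the Servlet spec requires.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/startOfDayStatus.do</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>OPSGRPLOCAL</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.do</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>THSMONGRP</role-name><role-name>MKTOPSGRPLOCAL</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# One possible correction (an assumption, not from the thread): also name the
# admin roles on the exact-match URI.
FIXED_XML = WEB_XML.replace(
    "<role-name>OPSGRPLOCAL</role-name>",
    "<role-name>OPSGRPLOCAL</role-name><role-name>THSMONGRP</role-name>"
    "<role-name>MKTOPSGRPLOCAL</role-name>")

def load_constraints(xml_text):
    """Flatten web.xml into (url_pattern, methods, roles) tuples."""
    rules = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        # None = no auth-constraint (open); empty set = nobody is allowed.
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            methods = {m.text.strip() for m in wrc.iter("http-method")}  # empty = all
            rules += [(p.text.strip(), methods, roles) for p in wrc.iter("url-pattern")]
    return rules

def match_rank(pattern, path):
    """Servlet mapping order: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def allowed_roles(rules, path, method):
    """Roles permitted for a request; None means the request is unconstrained."""
    ranked = [(match_rank(p, path), m, r) for p, m, r in rules]
    ranked = [x for x in ranked if x[0] is not None]
    if not ranked:
        return None
    best = max(rank for rank, _, _ in ranked)
    # Only constraints on the single best-matching pattern are considered.
    hits = [r for rank, m, r in ranked if rank == best and (not m or method in m)]
    if not hits:
        return None            # this HTTP method is not constrained at the pattern
    if any(r is not None and not r for r in hits):
        return set()           # an empty auth-constraint precludes all access
    if any(r is None for r in hits):
        return None            # a constraint without auth-constraint opens access
    return set().union(*hits)  # otherwise the named roles are unioned

def is_permitted(rules, path, method, user_roles):
    """True when the request is unconstrained or the user holds a permitted role."""
    roles = allowed_roles(rules, path, method)
    return roles is None or bool(roles & set(user_roles))

if __name__ == "__main__":
    for label, xml_text in (("as posted", WEB_XML), ("corrected", FIXED_XML)):
        rules = load_constraints(xml_text)
        for uri in ("/startOfDayStatus.do", "/viewOrders.do"):
            print(label, uri, sorted(allowed_roles(rules, uri, "GET")),
                  "THSMONGRP permitted:", is_permitted(rules, uri, "GET", ["THSMONGRP"]))
```

Under these rules the exact-match pattern hides the `*.do` constraint for the operator URIs, so a user holding only THSMONGRP is rejected there even though `*.do` names that role.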

  • Client authorization is not working!!

    Hi, I have been trying to find out how to create certificates and issue one to the client and use SSL.
    Finally I have succeeded in doing that.
    But when I say setNeedClientAuth(true) everything breaks.
    Even the sample code that Sun has provided fails when I try this with my certificate.
    However it works fine with the testkeys file that the samples are using. It also works fine if I use the same keystore for both the server and the client...
    Can someone tell me where I am going wrong?
    I create the certificates like this..
    keytool -genkey -alias alias -keystore server.ks -storepass storepass -validity 180 -keypass keypass
    keytool -selfcert -alias alias -keystore server.ks -storepass storepass -validity 180 -keypass keypass
    keytool -export -alias alias -file client.cer -keystore server.ks -storepass storepass
    And for the client
    keytool -validity 180 -keypass keypass
    keytool -import -trustcacerts -alias alias -keystore client.ks -storepass storepass -file client.cer -keypass keypass
    And all the time I am getting "null cert chain".
    Is there any way out of this mess?

    Hi,
    Do you create a keypair and certificate for the client? Server authorization has
    the following meaning: presented with a certified server public key, the client can authorize the
    server. This is actually almost always done. The client authorization has the following meaning:
    presented with an authorized client public key, the server can authorize the client. This
    is optional.
    If you want to have client authorization you need to generate the keypair for the
    client and obtain a certificate for this key. Then export this certificate into the server
    keystore.
    Hope it gives you a clue,
    BR,
    Robert

  • Authorization will not work during sync

    Trying to sync iPad and I get a window saying this computer is no longer authorized for apps.... When I enter my iTunes password it will not accept it. If I cancel out it says it will delete all the apps from the iPad. How do I get past this sync step without losing all my apps?

    Try getting rid of the SC Info folder mentioned in this article
    http://support.apple.com/kb/TS1389
    If that doesn't work, try DLing the free single of the week. You might need to agree to the new Apple store license agreement.

  • Authorization variable - not work

    I need to define authorization criteria using 0COMP_CODE.
    1) I checked 0COMP_CODE as "Relevant for authorization"
    2) I defined the authorization object using RSSM
    3) I put the authorization object into the roles (PFCG)
    4) I defined authorization variables in the queries
    But when I execute the query, no authorization range is applied. 
    Where is my error?

    Hi Fabio,
    from your list it seems that everything is well...
    so, in the maintenance of the authorization objects, I suggest you to activate the extended trace function for the reporting (Transaction RSSM).
    Select key 'Authorization Check Log' to do this.
    Enter a user in the field 'User' or select one via F4 help. Then activate the trace for this user with the pushbutton 'Create' (F5).
    If the user is already entered, it is recommended to delete the old trace first.
    After you have carried out the authorization-relevant activity, you can display the current status of the trace for the user entered in the 'User' field by using key 'Display' (F6).
    After, remember to deactivate the trace for the entered user by using pushbutton 'Delete' (F2) and the existing trace of this user is deleted.
    The system stores the trace in the database according to the key fields, thus, if you start the same query several times in succession with the same parameters (in the authorizations, too), the checks appear only once in the trace and not several times as in a log.
    Hope it helps !
    Ciao,
    Roberto
    (and please don't forget to assign some points by clickin'on the yellow star to the contributors that help you !!!)

  • Is Apple TV down?? The authorization is not working. Not fun....

    Content does not play.

    Me too.  We rented a movie, but it won't play - we just get the swirling sign.  It also takes a long time to load even the lists of movies - and we cannot load a preview of anything.

  • Custom login module Authentication works but Authorization Does not work

    Hi:
    I am using a custom login module and switched on the ADF authentication using the adf-config.xml file. My custom authentication works, i.e. it returns true, but when it finally tries to display the page a 401 Unauthorized message is shown. I am using JDev 10.1.3.2.
    Are there any other settings I need to perform? Could you please let me know?
    Thanks

    I have the same issue, please refer to this thread.
    Re: ADF Security Authorization

  • Installing on Mac with OS 10.4.  Internet authorization does not work. Telephone authorization does not work.

    How do I install?

    I have not tried it yet, but this web page appears to be the answer.
    Error: Unable to Activate | Macromedia products

  • Analysis Authorization not working - Empty demarcation

    Can someone help me on this Analysis Authorization? I read many threads in SDN, it seems that I followed the correct steps. The restriction on S_RS_COMP is working well but the restriction on the Analysis Authorization is not working. Surely I'm making some mistake, but can't find what's wrong.
    I'm a User (say USER_00) in a test system, assigned to a Role (say Z:BI_USER). This is a broad role:
    - S_RS_COMP and S_RS_COMP1 have full authorization (*) to all the fields,
    - S_RS_AUTH has the BIAUTH field with Name of Authorization = *.
    Also I have an InfoArea (ZIA_TEST) and an InfoCube (ZIC_TEST). The IC has some characteristics and key figures. The only authorization relevant characteristic is ZCA_CLI (client). The IC has only 5 lines, one for each client ("CLI_01" to "CLI_05").
    Also there's a query (ZQR_TEST) on this IC, with an Authorization Variable (VAR_AUTH_CLI) restricting the characteristic ZCA_CLI.
    I'm trying to create a new User and restrict him to this IC and only to the data of client "CLI_01". If it works I'll apply to a production system.
    What I did:
    1) With tcode SU01 created a new User (USER_01) with no Role nor Analysis Authorization.
    2) With tcode PFCG copied the Role Z:BI_USER as Z:ROLE_TEST then made some changes:
    a) S_RS_COMP
    - Activity = 03 and 16
    - InfoArea = ZIA_TEST
    - InfoCube = ZIC_TEST
    - Type of report component = *
    - Name of report component = *.
    b) S_RS_COMP1
    - Kept * to all fields.
    c) S_RS_AUTH
    - I inactivated and deleted this Authorization Object.
    (I don't want to keep characteristic values restriction inside the role. The idea is to associate different users to the same role, allowing them to see the same ICs and execute the same queries, and differentiate which characteristic values each one can see by manually associating different analysis authorizations to each one.)
    3) With tcode RSECAUTH I created an Analysis Authorization (Z_AA_CLI_01) to restrict access only to client "CLI_01":
    - ZCA_CLI = "CLI_01"
    - 0TCAACTVT = "03"
    - 0TCAIPROV = "ZIC_TEST"
    - 0TCAVALID = "*".
    4) With tcode PFCG I assigned User "USER_01" to the Role " Z:ROLE_TEST" and made Complete Comparison.
    5) With tcode RSU01 I manually assigned Analysis Authorization " Z_AA_CLI_01" to User "USER_01".
    It seems to me that these steps are enough. But:
    a) When I log as USER_00 and go to tcode RSRT2, searching by InfoAreas I can see all the InfoAreas and all the InfoCubes, select and execute the query. That's OK.
    b) When I log as USER_01 and go to RSRT2, searching by InfoAreas I can see only ZIA_TEST and under it I can see only ZIC_TEST. That's OK. Then I select and execute the query.
    Which means that S_RS_COMP is OK and each user is assigned to the correct Role.
    c) The problem is that in both cases the query brings data from all Clients.
    Under Information and Variable Values (when I run with HTML display) the message is "Empty demarcation".
    I changed the variable to be Ready for Input, just to see which values it brings. In both cases (as USER_00 and as USER_01) in the Variable Screen it brings all the 5 Clients from the IC and I can select and execute any value.
    So the problem is with the Analysis Authorization or with the Variable, but I can't find what's wrong.
    Any help will be very appreciated.
    César

    OK Marc, it worked.
    Sorry for not answering earlier, but I could get back to this front only some days ago, then began testing your suggestions.
    1) Security Concept
    Authorization Mode was set to "Obsolete Concept with RSR Authorization Objects" (it would never work with this setting).
    I changed to "Current Procedure with Analysis Authorizations".
    Anyway, what's the function of this setting? Do old Reporting Authorizations work with "Current Procedure with Analysis Authorizations" setting?
    2) Variable Representation
    With "Multiple Single Values" it really led to problems.
    With "Selection Option" it worked well.
    3) 0TCAKYFNM
    I don't understand why, but if the AA doesn't have the char/dimension 0TCAKYFNM, when the User tries to run the query (tcode RSRT2) it accuses "You do not have sufficient authorization".
    Info Cube ZIC_VE95 has two KFs (ZKF_QTL95 and ZKF_VLT95). These KFs are used only on this IC (also in the KF Catalog, but it doesn't impact). This IC is used only on Query ZQR_VE95 (also in Transformation and DTP, which doesn't impact).
    Well, I inserted 0TCAKYFNM and it worked, either with CP, "*" or with EQ, the two KFs.
    4) Authorization Policy Definition
    The situation I'm working on is very typical. Ex.: Some users are Administrators, Managers, Operator 1, Operator 2 and so on. Each Role needs authorization to access some queries. At the same time, they can access information only of the Cost Centers to which they are related.
    There are many ways to implement it (I tested some of them and they worked well). My point is to define a most practical way, easy to understand and to maintain.
    I'm now sympathetic to this way:
    a) Create functional Roles (ex.: "Administrator", "Manager", "Operator 1", "Operator 2" and so on) defining only the Queries (or Info Areas, Info Providers, etc) each Role needs. No S_RS_AUTH definition.
    b) Create Char Value Roles (ex.: "CC_100_to_199", "CC_200_to_299", etc), only with S_RS_AUTH definition, each one associated with a corresponding AA (ex.: AA for CC 100 to 199, AA for CC 200 to 299 and so on).
    c) Create Composite Roles associating functional and char value Roles. Ex. Composite Role "Administrator for CC 100 to 199", composed of the Roles "Administrator" and "CC_100_to_199".
    d) Associate Users to the Composite Roles.
    Anyway, I'd appreciate if you could indicate some literature (blogs, articles, etc) on this theme.
    Well, thank you very much for your answers. Now I can go on with my studies on this subject.
    César Menezes
