Authorization in CO Roles

Hello experts,
Scenario: I have only one controlling area, and many company codes in different countries are assigned to this controlling area.
Now we have a requirement to segregate user roles and authorizations based on countries or company codes.
For example, if I have a user in country X, he can view and do transactions only for his related company codes.
Would you please give an idea how I can restrict the user from the CO perspective?
Regards,
Bilal

Similar Messages

  • Regarding Authorization policy and Roles in OIM 11g

    Hi,
    In OIM 11g Admin interface, is there a way to find out what all authorization polices, a role has been assigned to ?.
    I am asking this because, if you search for a user, you will know what all roles he is a member of, and similarly if you search for a role, you will know who all users are members of that role.
    Similarly, if you search for a Authorization policy, you will know what are roles are assigned to this policy. But if I search for a role, I am not able to find what all authorization policies has been assigned to this role.
    Looking forward to hearing from you,
    Many thanks in advance

    I understand your concern. But, this feature has not been available
    --nayan

  • Authorization on BP Role ???

    Hello Experts,
    We are running on CRM 5.0. We have created 3 roles: "Prospect", "Customer", "Employe".
    In our case we want the "Customer" and "Employe" roles to be display only; the user should not edit the details. Prospect can be created or edited.
    What we did was put the "DISPLAY" authorization on the roles Customer and Employe.
    This authorization is working in the GUI, but in PCUI the user is still able to edit the details of Customer and Employe.
    Please guide me how I can achieve this authorization check on roles.
    Regards!!!
    Amit Saini

    Hi Amit,
    How is that done? We tried using Authorization and the SPRO table, but when we make the address Display Only it only applies to SAP GUI and doesn't carry over to the portal.
    Is there a way to add PCUI field groups to the BP role dataset and then make it a Display only?  If you could please give me details on how you accomplish it I would really appreciate it.
    Thank you,
    Arpan

  • Need FM which create authorization for a Role

    Hi,
    I need to create authorizations for roles. Can anybody tell me whether there is an FM to create an authorization for a role?
    It is done through the PFCG transaction.
    I need an FM which creates an authorization for a role.
    Thanks in advance

    Hi Sami
    Try this link.
    Re: Programatically create Security Profiles via BAPI/FM in R/3?
    Regards
    Neha

  • 3rd party tools to migrate Authorization profiles to roles

    Experts,
    Are there any 3rd party tools to migrate Authorization profiles to roles while upgrading to ECC 6.0?
    NW

    Hi,
    Thanks so much for replying. I posted the errors here (no answers though):
    XML to Forms conversion gives error for menus
    Error when converting form to XML

  • Authorization Object And Roles For  Functional Consultant

    Dear Expert,
    What kind of respective Authorization Object And Roles would be provided to  Functional Consultant (FI,MM, SD, PM, PS, CO, HR )at the time of implementation ?
    Thanx in advance
    Pavel

    Thanks Juan,
    We now already have it here and in the NW IDM forum a few times as well...
    Cheers,
    Julius

  • S_TCode Full Authorization in all Roles

    Hello,
    We have created roles as per the role matrix given by the client. All are absolutely working fine, but when I look at the report at user level of the transaction codes assigned to the user, I can see almost 100000 T-codes authorized. I analyzed and found that the S_TCODE authorization object contains the value "*", so that is the reason I am finding all the T-codes authorized.
    How has this happened? We have not given this value in any of the roles.
    Regards,
    Narasimha Kumar

    > How has this happened? We have not given this value in any of the roles.
    If you didn't do it manually then it must have been a (very strange) proposal value coming from SU24. Have a look in table USOBT_C, filtered on object S_TCODE. If there's a star in the low or high column, the 'name' column tells you which transaction's proposal you need to fix in SU24. After that, re-read the authorizations for roles containing this transaction.

  • Client certificate authentication with custom authorization for J2EE roles?

    We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If our web.xml includes:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>
    that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
    On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>
    or:
    <login-config>
        <auth-method>MyRealm</auth-method>
    </login-config>
    Anybody done anything like this before?
    --Thanks

    We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suit our needs:
    $cat JDBCRealm.java
    * JDBCRealm for supporting RDBMS authentication.
    * <P>This login module provides a sample implementation of a custom realm.
    * You may use this sample as a template for creating alternate custom
    * authentication realm implementations to suit your applications needs.
    * <P>In order to plug in a realm into the server you need to
    * implement both a login module (see JDBCLoginModule for an example)
    * which performs the authentication and a realm (as shown by this
    * class) which is used to manage other realm operations.
    * <P>A custom realm should implement the following methods:
    * <ul>
    *  <li>init(props)
    *  <li>getAuthType()
    *  <li>getGroupNames(username)
    * </ul>
    * <P>IASRealm and other classes and fields referenced in the sample
    * code should be treated as opaque undocumented interfaces.
    final public class JDBCRealm extends IASRealm
        protected void init(Properties props)
            throws BadRealmException, NoSuchRealmException
        public java.util.Enumeration getGroupNames (String username)
            throws InvalidOperationException, NoSuchUserException
        public void setGroupNames(String username, String[] groups)
    }
    and
    $cat JDBCLoginModule.java
    * JDBCRealm login module.
    * <P>This login module provides a sample implementation of a custom realm.
    * You may use this sample as a template for creating alternate custom
    * authentication realm implementations to suit your applications needs.
    * <P>In order to plug in a realm into the server you need to implement
    * both a login module (as shown by this class) which performs the
    * authentication and a realm (see JDBCRealm for an example) which is used
    * to manage other realm operations.
    * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
    * extended by this class. PasswordLoginModule provides internal
    * implementations for all the LoginModule methods (such as login(),
    * commit()). This class should not override these methods.
    * <P>This class is only required to implement the authenticate() method as
    * shown below. The following rules need to be followed in the implementation
    * of this method:
    * <ul>
    *  <li>Your code should obtain the user and password to authenticate from
    *       _username and _password fields, respectively.
    *  <li>The authenticate method must finish with this call:
    *      return commitAuthentication(_username, _password, _currentRealm,
    *      grpList);
    *  <li>The grpList parameter is a String[] which can optionally be
    *      populated to contain the list of groups this user belongs to
    * </ul>
    * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
    * fields referenced in the sample code should be treated as opaque
    * undocumented interfaces.
    * <P>Sample setting in server.xml for JDBCLoginModule
    * <pre>
    *    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
    *      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
    *       <property name="jaas-context"  value="jdbcRealm"/>
    *    </auth-realm>
    * </pre>
    public class JDBCLoginModule extends PasswordLoginModule
        protected AuthenticationStatus authenticate()
            throws LoginException
        private String[] authenticate(String username,String passwd)
        private Connection getConnection() throws SQLException
    }
    One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
    You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
    [http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
    $cat CertificateRealm.java
    package com.iplanet.ias.security.auth.realm.certificate;
    * Realm wrapper for supporting certificate authentication.
    * <P>The certificate realm provides the security-service functionality
    * needed to process a client-cert authentication. Since the SSL processing,
    * and client certificate verification is done by NSS, no authentication
    * is actually done by this realm. It only serves the purpose of being
    * registered as the certificate handler realm and to service group
    * membership requests during web container role checks.
    * <P>There is no JAAS LoginModule corresponding to the certificate
    * realm. The purpose of a JAAS LoginModule is to implement the actual
    * authentication processing, which for the case of this certificate
    * realm is already done by the time execution gets to Java.
    * <P>The certificate realm needs the following properties in its
    * configuration: None.
    * <P>The following optional attributes can also be specified:
    * <ul>
    *   <li>assign-groups - A comma-separated list of group names which
    *       will be assigned to all users who present a cryptographically
    *       valid certificate. Since groups are otherwise not supported
    *       by the cert realm, this allows grouping cert users
    *       for convenience.
    * </ul>
    public class CertificateRealm extends IASRealm
       protected void init(Properties props)
         * Returns the name of all the groups that this user belongs to.
         * @param username Name of the user in this realm whose group listing
         *     is needed.
         * @return Enumeration of group names (strings).
         * @exception InvalidOperationException thrown if the realm does not
         *     support this operation - e.g. Certificate realm does not support
         *     this operation.
        public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException
         * Complete authentication of certificate user.
         * <P>As noted, the certificate realm does not do the actual
         * authentication (signature and cert chain validation) for
         * the user certificate, this is done earlier in NSS. This default
         * implementation does nothing. The call has been preserved from S1AS
         * as a placeholder for potential subclasses which may take some
         * action.
         * @param certs The array of certificates provided in the request.
        public void authenticate(X509Certificate certs[])
            throws LoginException
            // Set up SecurityContext, but that is not applicable to S1WS..
    }
    Edited by: mv on Apr 24, 2009 7:04 AM
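
The role mapping the question asks for, as an added example that is not part of the original thread and not code from the Sun Web Server samples quoted above: a deny-by-default lookup from a client certificate's subject DN onto the J2EE roles named in the question. It assumes the server has already validated the certificate chain (as the CertificateRealm comment says NSS does) and hands the realm the subject and issuer DNs as strings; the role table, the issuer pin and the DNs are constructed for the example, and the parser handles only backslash-escaped characters, not multi-valued RDNs or hex escapes.

```python
# Added example (not from the original thread or the Sun Web Server samples):
# deny-by-default mapping of client-certificate subject DNs onto J2EE roles.
# ROLE_TABLE, TRUSTED_ISSUERS and the DNs are constructed for the example.
from typing import List, Set, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("OU", "Members")


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 string DN into (ATTR, value) pairs.
    Handles backslash-escaped commas and equals signs only (assumption: the
    server delivers DNs in this simple form; '+' multi-valued RDNs and hex
    escapes are not supported and would need a fuller parser)."""
    parts: List[str] = []
    cur = ""
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped character: take it literally
            cur += dn[i + 1]
            i += 2
            continue
        if c == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    parts.append(cur)
    out: List[RDN] = []
    for rdn in parts:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        out.append((attr.strip().upper(), value.strip()))
    return out


# Constructed mapping: which RDN grants which roles. Matching is on parsed
# RDNs, never on substrings of the DN string, so a CN that merely contains
# the text "OU=Administrators" grants nothing.
ROLE_TABLE = {
    ("OU", "Administrators"): {"admin", "registered-user"},
    ("OU", "Members"): {"registered-user"},
}

# The server already validated the chain; pinning the issuer additionally
# stops any other CA in the trust store from minting an OU=Administrators subject.
TRUSTED_ISSUERS = {tuple(parse_dn("CN=Example Internal CA,O=Example Corp"))}


def roles_for(subject_dn: str, issuer_dn: str) -> Set[str]:
    """Roles for a validated certificate; empty set means no access at all."""
    if tuple(parse_dn(issuer_dn)) not in TRUSTED_ISSUERS:
        return set()
    roles = {"visitor"}  # every holder of a cert from a pinned issuer
    for rdn in parse_dn(subject_dn):
        roles |= ROLE_TABLE.get(rdn, set())
    return roles


def is_user_in_role(subject_dn: str, issuer_dn: str, role: str) -> bool:
    """What a web-container role check would ask the realm."""
    return role in roles_for(subject_dn, issuer_dn)


if __name__ == "__main__":
    issuer = "CN=Example Internal CA,O=Example Corp"
    print(roles_for("CN=alice,OU=Administrators,O=Example Corp", issuer))
    print(roles_for("CN=bob,OU=Members,O=Example Corp", issuer))
```

The two decisions worth keeping in any real realm are the ones the table encodes: membership comes from a parsed RDN match, and the issuer is pinned rather than trusting every CA the server happens to accept.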

  • HR ABAP authorizations for Nakisa roles

    Hi there,
    We have just started to plan for OrgChart and Talent planning systems by Nakisa. Wondering if there are any standard HR authorizations that the standard Nakisa roles use, and if anyone can elaborate whether IT 008 (Basic Pay) really comes into play with this, as it is very sensitive. The project team has presented these user types:
    Everyone, Executive,Assistant,HR(Human Resources), Manager
    We are not using Structural auths but auth by PLOG, P_ORGIN
    Any direction appreciated.  Thanks !

    Hi Dan,
    For OrgChart are you using Live or Staged?
    There are no special auths required for OrgChart. An SAP role needs to be mapped to an OrgChart role in order for users to see certain data. No PA0008 data is shown by default in OrgChart, although obviously if you want to show it you'll need to make configuration changes to restrict display, depending on whether you are using Live or Staged. The roles you mention are standard OrgChart roles that come pre-defined out of the box.
    For SuccessionPlanning (assuming you are on ECC6 EhP4) you need to have the Talent Management Specialist role (SAP_TMC_TALENT_MANA_SPECIALIST) assigned to each user and an Area of Responsibility assigned in HRTMC_PPOM. This is between the Position of the user and the OrgUnit of each area they are responsible for. No configuration is required in the application because, for SuccessionPlanning, it is really just an interface between the user and ECC data and leverages ECC security etc.
    I hope that helps!
    Luke

  • Assigning different authorizations inside a role to different users

    Hello,
    Could someone please guide me to how can we assign different authorizations (authorizations field values) for an authorization object inside a role to different users; i.e. in the role maintenance transaction (pfcg) after we create a new role and add an authorization object to it, if this authorization object has several authorizations (authorization field values), and if I need to add two users to that role, how can I assign to one user an authorization different from that assigned to the other user ?
    Thank you in advance.
    Best regards.
    Reda Khalifa
    IT Department - Almansour Automotive Group - Egypt

    Hi Reda,
    That documentation complicates the subject slightly as it is talking about principles that are at a lower level than the usual role level.
    We have 1 authorisation object - S_TRVL_BKS
    Authorisations have been created for this object, called S_TRVL_CUS1 and S_TRVL_CUS2
    In this context, an authorisation is an instance of an authorisation object that has been populated with data.
    Before the profile generator you used to create authorisations (auth objects populated with data) and assign them to profiles which are then assigned to users.
    In this example 2 profiles would be needed
    Profile1: S_TRVL_CUS1 and S_TRVL_CUS2
    Profile2: S_TRVL_CUS2
    Miller would be assigned profile1, Meyers would be assigned profile2
    The profile generator allows us to easily build authorisations and profiles and packages them up in a role.  This way, we can assign transactions and authorisation objects into a role, populate the authorisations (which is what we do in the authorisations tab in the role) and automatically create the profile.
    The example in the documentation is still valid because it requires 2 separate authorisations (and therefore profiles and roles) to be assigned to different people. Unfortunately this is not explained very well in the documentation.
    I hope that makes sense. Roles are static and the permissions that they give do not vary dynamically. In BW we can use variables to do something similar, and to some extent structural authorisations in HR work dynamically; however this doesn't apply to R/3 or ECC. (It can be done in some cases but costs many, many £££/$$$'s.)
    Please let me know if you want me to elaborate further on this
    Cheers
    Alex

  • Authorization schemes & verifing roles

    Hi,
    I'm having a hard time understanding how to use authorization schemes. My users log in as Oracle users. Each user is assigned to a role (with specific privileges granted to each type of role). I found that the privileges were not being enforced in the application according to the roles assigned to each user. From what I understand, this is because the SQL is being parsed according to the schema owner, not the individual user. So let's say for example I want to have a Create button only appear on a page if the user is assigned to role A or role B. Do I need to use an authorization scheme for this, or do I perform a query to determine the type of role the user is assigned to, and based on the result, conditionally show the button? I know there are lots of postings on authorization schemes in this forum (and I have read the Help manual), but I still do not understand how to get this working. Thank you.

    ....later same day...
    I've been reading/researching all day and it seems like I need to either a) make a table that defines user/role or b) query the database for the role assigned to this user (which I would have to do in choice a also) and then assign it as an application item. I tried option b, by creating an item on page 1 in my application, using this query:
    SELECT granted_role
    FROM dba_role_privs
    WHERE grantee = :APP_USER;
    But I am getting this Oracle error message:
    ORA-00942: table or view does not exist
    Error ERR-1019 Error computing item default value: page=1 name=P1_ROLE.
    How can I query the dba_role_privs table from within Application Express?
    Do I need to GRANT SELECT privileges to the schema owner to access this table?

  • Programmatically assigning Authorization Objects to roles

    Hi there,
    I have created an authorisation object with eight fields. The fields control which parts of my application are accessible to the user. (Each field is one category, each category has several subcategories).
    What I want to do is the following:
    There shall be a custom authorization dialog, wherein the system administrator can configure the access of the application for a specific user.
    In plain text: I want to develop an interface which makes it possible to assign authorisation objects with specific values to a user or to an already existing role.
    Is there any functionality, that allows me to perform this assignment and regenerate the users profile?
    I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just to write new values to that table has no affect to the authorization when calling "authority-check object" in an ABAP report.
    Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?
    Thank you very much,
    Gregor
    Edited by: Gregor Bender on Mar 11, 2008 8:41 AM

    >
    Gregor Bender wrote:
    > I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values.
    Nope, sorry, it's not the connection but only one of the many.... Roles and profiles are stored in quite a lot of different tables so manipulating one table directly will hardly ever get you the desired situation. It may even lead to problems due to inconsistencies.
    For mass regenerating profiles there's transaction SUPC.
    For manipulating the contents of roles/profiles have a look at scripting with SECATT or LSMW in combination with PFCG.
    If you want to write code to add objects to roles you have to look at least in tables AGR_1250, AGR_1251 and AGR_1252. The UST* tables are updated when generating profiles and/or comparing users.

  • Open Authorization Objects in role after role Transport

    Hi All,
    I have transported an R/3 (ECC6, support) role from Dev to QA and Dev (multiple clients). After transport, the role's authorization tab has status green, but when I display the authorization data I find one new open authorization object (yellow).
    I had already generated the profile before transporting. The role is also okay in the other Dev clients (we have multiple clients in Dev), with status green and no open authorizations (yellow).
    Any feedback/suggestions ?
    Thanks in advance
    Khasim.

    This happens when PFUD runs at the same time as you are generating the role. Refer to this note: 355030 - Loss of authorizations after profile generation. Another remote reason could be if your source (DEV) and target (QA) systems use different characters sets. (Note #535554).
    If it is the former case, re-transporting your role may just be the solution for you. Just re-generate the role in DEV and initiate a new transport.
    Hope this helps.
    Ashutosh

  • Authorization in Basis Roles

    The scenario is; there is a single client but two different companies.
    We are planning to develop a separate Basis Administration roles for each company.
    To restrict Organizational levels (Company code, controlling area...) I use "S_USER_VAL" Authorization object. it works fine with org. levels but I have to define all possible Field Names along with their Authorization values and it seems very difficult.
    Is it possible that "S_USER_VAL" works according to the values I maintained, but for the rest of the values it goes to *? In other words, it should not bypass the maintained values.

    Jurjen Heeck wrote:
    > ... something else to make a part of SAP_ALL not work?
    2 ideas:
    - If the regeneration of SAP_ALL could check that the user running it does not have any SAP_ALL authorizations? Meaning, they would need to know exactly which non-SAP role authorizations (their technical names) have that authority in them. Many folks who only work with SAP_ALL don't know how to do that.
    - If there were some way to isolate the program parts which are required to change SCC4 such that they can only be run with root privileges, then you do not need to give your SAP system (with SAP_ALL) root access...?
    Disclaimer: Just ideas! Complete overkill!!
    => Does restricting the user's access sound like a much easier idea now?
    Cheers,
    Julius

  • New Authorization Object within Role

    hi everybody,
    does anyone know how can i get New Authorization Objects for any Role for the new release that did not exist in the same Role from former release?
    Tables AGR_1250 and AGR_1251 do not show if an object is new for this role; they only show if the object is new itself.
    thanks a lot,
    javier rubio

    pandu,
    se54 is not related with this topic.
    Thank you very much for your answer, very helpful.
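
The table AGR_1251 comes up in two of the threads above: Gregor's question about programmatically maintaining role authorizations (where the reply names AGR_1250/AGR_1251/AGR_1252 as the tables that actually hold a role's content) and Javier's question about finding which authorization objects are new to a role after a release change. As an added example that is not part of either thread, the block below takes two exports of AGR_1251 shaped rows (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH), one from before the upgrade and one from after, and reports per role the objects and field values that were not there before, plus any '*' grants worth reviewing. The rows, role name and authorization names are constructed for the example; nothing is written back to the tables, which the reply rightly warns against.

```python
# Added example (not from either thread): compare two exports of AGR_1251
# (role -> authorization field values) and report what is new per role.
# Rows are constructed to mimic AGR_1251 columns AGR_NAME, OBJECT, AUTH,
# FIELD, LOW, HIGH; no SAP system is read or written.
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Row = Tuple[str, str, str, str, str, str]  # (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH)

OLD_RELEASE: List[Row] = [
    ("Z_FI_DISPLAY", "S_TCODE",    "T-AB01", "TCD",   "FB03", ""),
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-AB02", "BUKRS", "1000", ""),
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-AB02", "ACTVT", "03",   ""),
]
NEW_RELEASE: List[Row] = [
    ("Z_FI_DISPLAY", "S_TCODE",    "T-AB01", "TCD",   "FB03", ""),
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-AB02", "BUKRS", "1000", ""),
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-AB02", "ACTVT", "03",   ""),
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-AB02", "ACTVT", "02",   ""),  # new value on an old object
    ("Z_FI_DISPLAY", "F_BKPF_GSB", "T-AB03", "GSBER", "*",    ""),  # object new to the role
]


def objects_by_role(rows: Iterable[Row]) -> Dict[str, Set[str]]:
    """Which authorization objects each role carries."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for role, obj, *_ in rows:
        out[role].add(obj)
    return dict(out)


def new_objects(old: Iterable[Row], new: Iterable[Row]) -> Dict[str, List[str]]:
    """Objects a role carries after the upgrade that it did not carry before.
    This is the per-role view that AGR_1250/AGR_1251 alone do not give you."""
    before, after = objects_by_role(old), objects_by_role(new)
    result: Dict[str, List[str]] = {}
    for role, objs in after.items():
        added = objs - before.get(role, set())
        if added:
            result[role] = sorted(added)
    return result


def new_values(old: Iterable[Row], new: Iterable[Row]) -> List[Row]:
    """Field values added anywhere, including on objects the role already had."""
    return sorted(set(new) - set(old))


def wide_open(rows: Iterable[Row]) -> List[Row]:
    """Rows granting '*' on a field: review these before the role is transported."""
    return [r for r in rows if r[4].strip() == "*" or r[5].strip() == "*"]


if __name__ == "__main__":
    print("new objects per role:", new_objects(OLD_RELEASE, NEW_RELEASE))
    print("new field values:", new_values(OLD_RELEASE, NEW_RELEASE))
    print("star grants:", wide_open(NEW_RELEASE))
```

Comparing exports from PFCG's own tables, rather than editing them, keeps the role consistent with the generated profile: the diff tells you what to review in PFCG, and regeneration (SUPC for mass runs, as the reply notes) is what actually changes the effective authorizations.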
