Authorization Issue in WebUI (also ST01 question)

Hi All,
We are implementing new CRM 2007 and users will be working with the WebUI mainly in the future. Now here is something strange that we found out:
When a user logs on to the Web UI and enters some sales transaction trying to add a new material, he would use the F4 help to find the right material number. In our case he receives an authorization error hindering him from displaying ANY materials (seems to be an authorization issue).
But there are two strange things. When the user logs in to the old SAP GUI and triggers transaction CRMD_ORDER and accesses the very same transaction, trying to add a material and issuing the F4 help to receive the material number, it works! No authorization issues!
Second strange thing that we discovered while investigating on this issue: The system trace ST01 seems to apparently not be working with WebUI. We can fully trace all authority checks for the latter case (when user logs in to SAP GUI), ST01 does not return ANY checks when being turned on while a user is working on WebUI.
Any one of you experts out there any suggestions? Any experiences with that kind of traces and WebUI?
Thanks in advance
Alexander

Hi All,
I seem to have found the reason for both of my questions:
1. Authorization objects checked in CRM WebUI are not at all the same as the ones checked in the CRM backend, i.e. in the old SAP GUI.
2. There seems to be a known bug in transaction ST01 due to which no trace protocol at all is shown sometimes if too many authority checks fail. That's why it is apparently wise to run the authorization trace only with a high privileged user e.g. SAP_ALL to make sure the resulting protocol is accurate.
Thanks, I will close this thread
Alex

Similar Messages

  • Authorization issue - help request

    Hi guys,
    One of the consultants is having an authorization issue (he is not able to run a t-code).
    I asked him to run an SU53 report and I am not sure how to proceed with this.
    Please help.
    Here are the details from the SU53 report.
    DISPLAY AUTHORIZATION DATA FOR USER VYXXXX
    User : VYXXX                       profile parameter authorization buffering    4
    Authorization Object: F_KNA1_GRP
    Description
    Authorization check failed:
          + Authorization object F_KNA1_GRP Customer Account Group Authorization
                Activity                                08
                Customer Account Group     ZM01
    Users Authorization Data :
          +  Authorization object F_KNA1_GRP Customer Account Group Authorization
                   Authorization  T-PD19002300
                  Authorization  T-UG39000900
                  Authorization  T-UG39001000
    Please help me guys, what needs to be performed?
    Regards,
    Vamsi.

    Hi Vamsi,
    SU53 shows us the last failed authorization for a user. However, it might not be the only authorization object that failed.
    Hence, "just to learn", you can use transaction ST01 to enable and run a trace for particular users. Be sure to use it in a test environment first, and with proper filters (for a particular user only).
    Then check which auth object is failing.
    RC=4 means an object value is failing.
    RC=12 means an object is missing!
    Check, which tcode is calling that object and this tcode is present in which role. Then.........proceed.
    You can check the SAP documentation on running traces on the help portal of SAP. I think you will find the answer yourself by troubleshooting more and maybe massaging some test roles here and there!
    Likewise, if you are new to security, I would encourage you to start by reading some books on SAP security. Authorizations made easy is a good book to start with.
    Let me know if you have any questions
    EOD for me :P . take care
    Abhishek

  • S_CTS_ADMI Authorization issue

    Hi Experts,
    Every now and again a user sends me a SU53 with the error requesting access to S_CTS_ADMI field TABL. The user of this morning is trying to release a purchase order using transaction ME29N. Why would the SU53 indicate that the user wants to maintain the control tables of the Change and Transport System in Production when they are trying to release a purchase order? I am running a trace ST01 but it's not helping.
    Could you please help me to resolve this issue.
    Thanks
    Pavel

    Hi
    Gowri is perfectly ok. Below Objects checked.
    M_BEST_BSA
    M_BEST_EKG
    M_BEST_EKO
    M_BEST_WRK
    Along with that, M_EINK_FRG also gets checked.
    Check for access to all of the above Objects in user master records. Before that check with MM team to get these values of the PO that the approver is trying to release.
    1) Document Type : Relate with M_BEST_BSA
    2) Purchasing Group : Relate to M_BEST_EKG
    3) Purchasing Organization : Relate to M_BEST_EKO
    4) Plant : Relate to M_BEST_WRK
    5) Release code & release Group : Relate to Object M_EINK_FRG
    You also can get these information through ME23N
    If all of the above matches with user master record and PO then there is no further authorization issue. Rest on MM team !!!!!
    Best of luck...
    Arpan
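
Added example (not part of any reply above, and not SAP code): a simplified Python model of how an authority check arrives at the RC=4 and RC=12 results Abhishek mentions, run over the five purchasing objects Arpan lists. The field names (ACTVT, BSART, EKGRP, EKORG, WERKS, FRGGR, FRGCO), activity 02 and all sample values are assumptions constructed for illustration.

```python
# Simplified model of an ABAP AUTHORITY-CHECK evaluation (added example).
# Field names, the activity value and all sample data are assumptions.

RC_OK, RC_VALUE_MISMATCH, RC_OBJECT_MISSING = 0, 4, 12


def value_matches(allowed, checked):
    """Match one checked value against one maintained authorization value."""
    if isinstance(allowed, tuple):            # ("from", "to") range
        low, high = allowed
        return low <= checked <= high
    if allowed.endswith("*"):                 # "*" or a prefix pattern like "Z*"
        return checked.startswith(allowed[:-1])
    return allowed == checked


def authority_check(user_auths, obj, **fields):
    """Return 0, 4 or 12 for one object.

    Every checked field must be satisfied inside ONE authorization of the
    object; values from different authorizations are never combined.
    """
    auths = user_auths.get(obj, [])
    if not auths:
        return RC_OBJECT_MISSING              # object not in the user master
    for auth in auths:
        if all(any(value_matches(a, value) for a in auth.get(name, []))
               for name, value in fields.items()):
            return RC_OK
    return RC_VALUE_MISMATCH                  # object present, values do not fit


def po_release_checks(user_auths, po, activity="02"):
    """Run the five object checks against the values of one purchase order."""
    checks = [
        ("M_BEST_BSA", {"ACTVT": activity, "BSART": po["doc_type"]}),
        ("M_BEST_EKG", {"ACTVT": activity, "EKGRP": po["purch_group"]}),
        ("M_BEST_EKO", {"ACTVT": activity, "EKORG": po["purch_org"]}),
        ("M_BEST_WRK", {"ACTVT": activity, "WERKS": po["plant"]}),
        ("M_EINK_FRG", {"FRGGR": po["release_group"],
                        "FRGCO": po["release_code"]}),
    ]
    return [(obj, authority_check(user_auths, obj, **f)) for obj, f in checks]


# Constructed purchase order values (what ME23N would be used to look up).
SAMPLE_PO = {"doc_type": "NB", "purch_group": "001", "purch_org": "1000",
             "plant": "2000", "release_group": "01", "release_code": "M1"}

# Constructed user master: object -> list of authorizations (field -> values).
SAMPLE_USER = {
    "M_BEST_BSA": [{"ACTVT": ["02", "03"], "BSART": ["NB"]}],
    "M_BEST_EKG": [{"ACTVT": ["*"], "EKGRP": [("001", "010")]}],
    "M_BEST_EKO": [{"ACTVT": ["02"], "EKORG": ["1000"]}],
    # Display for all plants, change only for plant 1000: change on plant
    # 2000 fails even though "02" and "*" both appear somewhere.
    "M_BEST_WRK": [{"ACTVT": ["03"], "WERKS": ["*"]},
                   {"ACTVT": ["02"], "WERKS": ["1000"]}],
    # M_EINK_FRG deliberately absent.
}

if __name__ == "__main__":
    for obj, rc in po_release_checks(SAMPLE_USER, SAMPLE_PO):
        print(f"{obj:<12} RC={rc}")
```

The M_BEST_WRK result shows why comparing values field by field across a whole role can mislead: the match has to succeed within a single authorization.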

  • Authorization Issue with Custom Pending Value Object and Anonymous Users

    Hi,
    I am just converting my demo from version 7.1 to 7.2. I am not doing upgrade. The demo uses a custom pending value object USER_REQUEST. The idea is that new employee goes to Java AS as anonymous user and enters her details and store where she will work. After submitting request there is an approval process using custom entry type USER_REQUEST. If the request is approved then IdM converts USER_REQUEST into MX_PERSON entry. This works nice in 7.1 but I am having problems with replicating this in 7.2. I created new UI task accessible by anonymous that creates new USER_REQUEST entry. I also assigned role idm.anonymous with UME action idm_anonymous to UME built in group Anonymous users.
    My problem is with the field STORE. This field is a reference field to another custom entry type STORE (this entry type will be used in context based assignment). Every new employee must select a store where she will work. The problem is when user clicks on button "Select". Web dynpro terminates and returns authorization error. I also tested this with entry type MX_ROLE. I added attribute MXREF_MX_ROLE and same issue. So it seems that just assigning UME action idm_anonymous is not enough to list objects from identity store. I found a workaround for this issue. When I assign also UME action idm_authenticated to Anonymous users then it does not dump and I get a pop up window where I can search for store. It does not seem right to assign idm_authenticated to anonymous users.
    Another issue is with display task for entry type USER_REQUEST. I assigned a display task to entry STORE and I set that Anonymous have access to this task in Access control tab. I assigned default value to the field store. So when a user opens page she can see a hyper link to display already assigned store. When user clicks on this hyper link it opens a new pop up window and user must authenticate against Java AS. After successful authentication the display task for entry STORE is displayed. I would assume that anonymous user can display it without authentication.
    So to me it seems like authorization checks have been changed in 7.2 versions and are more strict for anonymous tasks. Hence my question is how can I implement my scenario. Am I missing some configuration or what's the proper solution to my two issues? I don't count assigning idm_authenticated to Anonymous users as a solution. This workaround does not solve my second issue.
    Thanks

    Some of the folks from Trondheim labs check, but rather infrequently.  There's another person who I guess is in consulting that also checks from time to time.
    Sorry I can't help you with your main question...
    Matt

  • How does IDM takecare of Authorization issues

    Hi All,
    I am pretty new to the IDM product. I am aware that using IDM we can automate user creation and role assignment, also with 7.2 we have password self service available.
    However, I would like to know whether IDM can also be used for regular authorization issues, i.e., let's say a user is facing an authorization issue in a particular tcode; in order to solve this issue we need to assign additional field values in one of his roles. Will such issues, where the user id is already present and roles are also assigned to that id but some changes to his roles are required, be taken care of by IDM?
    I couldn't get this info from the Master and solution operation guide of IDM 7.2, so that's why I am posting it here.
    Regards,
    Siva.

    Hello - No, IDM only manages the ABAP roles, i.e. provisioning and deprovisioning. If the user requires additional authorization and a role exists to solve this then this role can be assigned from IDM. However, if you need to add extra values to a role this still needs to be done using PFCG.
    Hope this answers the question.
    Chris

  • PA30 Display Facsimiles Authorization Issue

    Dear All,
    I am facing one authorization issue in PA30 Transaction. User trying to display the archived documents from PA30 > Extras > Display All Facsimiles, when user trying to execute he is facing the below authorization issue.
    You have no authorization to display the facsimile
    Message no. PG424
    I have analyzed this issue this is lack of infotype authorization, but I am not sure which infotype we have to give under P_ORGIN authorization object. SU53 not showing anything for infotype, it is showing  ' ' in infotype.
    I checked the below SAP notes also.
    1562091 - Display all facsimiles: Incorrect Message PG424/PG425
    1990223 - HRFORMS : Can not view archived documents in PA20
    373063 - Authoriztn for applicnts opticl archv does not work
    User getting access If I maintained Star (*) or (' ') . Please help me to solve this issue.
    Thanks
    Kishore ch

    Hello,
    You can check which Infotype your archived document is linked to in table V_T585O. A user will require read authorization for that infotype as well as an authorization for S_WFAR_OBJ for the document type. If I'm not mistaken you may even need S_TCODE or P_TCODE for transaction SDV.
    Secondly, I would not advise you to rely only on SU53 data for authorization checks as it only shows the last failed authorization check. You'll get a better view on what's going on by using the system trace (ST01) or the authorization trace (STAUTHTRACE).
    It seems a bit odd to me that assigning P_ORGIN with value ' ' for INFTY would solve the problem as that is the dummy value and should match with any other INFTY value your user has. Seeing as he/she has PA30 then I assume he/she will already have an authorization for P_ORGIN. Check the settings in V_T585O for the document type. Maybe someone made a mistake there and left the Infotype cell empty instead of "-".
    Good luck
    Brent

  • Secured WebDAV Mounted Volume Authorization Issues

    I use a secure WebDAV mounted volume from myDisk.se and up until the latest Security Update have had zero issues being able to manipulate files and folders as I would on a normal volume. However, since the installation of the Security Update (2009-004 (PowerPC) 1.0) I find weird things happening with this mounted volume:
    1) I am able to mount the secured WebDAV share using my security credentials.
    2) I can create a default "untitled" folder but when I try to change its name, the WebDAV authorization dialog pops up and despite entering the same credentials (why, I am not sure as the volume has already been properly credentialed in order to be mounted), access is denied.
    3) Trying to create a file within a folder on the mounted WebDAV volume I previously created pre-update causes the same authorization issue.
    I have no other WebDAV shares I can try to mount from any other companies so I am not sure if this is a myDisk issue or one borne from the Security Update. I am not a .Mac/MobileMe user and that info is not filled out in System Preferences. The internal hard drive has been meticulously maintained with Disk and Permissions repair being run both before and after each and every software update installed. Likewise, the volume's structure is also checked both before and after and shows no need for repairs.
    Any ideas? Perhaps there is a corrupted file somewhere that's affecting the authorizations needed by this third-party WebDAV volume?
    The machine that has this problem is the last model iBook G4/1.33GHz 12" display, 1.5GB RAM, and a 100GB 5400rpm HD which replaced the stock OEM 40GB 4200rpm drive about one year ago.
    I'm not willing to do an Archive and Install at this point as the loss of the WebDAV access to my online volume is not critical. Inconvenient as heck but not to the point where I'm willing (or able) stop my normal work to spend the hours it will take to get WebDAV access back.
    Thanks in advance for any insights.

    same problem here with webdav, I can't mount my idisk from university network on Mac Pro 10.5.3 (although it mounts fine from home network on both ibook and PMG5 10.5.3). Everything was fine with 10.5.2 and I already re-installed 10.5.3 combo. Other bugs as well with .Mac prefs (keeps crashing, sometimes it shows the available space on idisk but still no mounting, with error -35 or -8086), but .Mac sync is OK
    Jun 11 12:34:21 webdavfs_agent[579]: mounting as authenticated user
    Jun 11 12:34:22 kernel[0]: webdav server: http://idisk.mac.com/[username]/: connection is dead
    Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 received VQ_DEAD event (32)
    Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
    Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 type 'webdav', mounted on '/Volumes/[username]', from 'http://idisk.mac.com/[username]/', dead
    Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
    Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 found 1 filesystem(s) with problem(s)
    Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
    Jun 11 12:34:52: --- last message repeated 1 time ---

  • BI 7.0 Analysis Authorization issue: some reports displaying a blank page.

    Hi All,
    This is regarding BI 7.0 Analysis Authorization issue.
    Overview:
    we have restricted some queries at infoobject level.
    Issue:
    a. For some of the queries, we can see the selection screen but when we try to execute the query by clicking on the execute button (Queries WAD) we get a blank page, meaning nothing is displayed on the output (white/Blank screen).
    b. When we execute the same query through RSRT, we get a message which says "Disconnecting from BW server..".
    c. Let me explain further on this. Basically we are doing this in order to have limited access to Auditors at the client side. At the same time normal users should not get impacted due to this, hence we created two roles. One for normal users and other for Auditors.
    d.  Now the thing is that we execute the same report with normal user ID's the report executes properly and displays the output. it does not show the blank page.
    e. But when we execute the same report with Auditors ID then we get a blank page.
    Any idea why this is so?

    Hi Neha,
    I tried the below also,
    GL Acnt
    I EQ 0000134010
    I EQ :
    but still it didn't work.
    No Infoobject is missing in Authorization Object.
    For your point, "rsecadmin - > analysis -> execute as -> check for the desired user & analyze the log" it didn't allow me to analyze, since as soon as I click on the execute button a pop-up comes up saying "Disconnecting from the BW server..."
    As mentioned earlier also it is giving me the below message,
    ""I>> Row: 103 Inc: AUTHORITY_02 Prog: CL_RSR_RRK0_AUTHORIZATION                                                                       RS_EXCEPTION        301CL_RSR_RRK0_AUTHORIZATION                         AUTHORITY_02"
    Kindly suggest, since this is a show-stopper for us!
    Thanks,
    Ishdeep Kohli.

  • Variable screen/variant screen authorization issue

    HI All,
    We have implemented standard Cost Center Overview Report(0SR_C02_Q0002) in BI 7.
    We have three selection fields:
    1.Company Code which is mandatory
    2.My controlling Area which is also mandatory
    3.Costcenter which is not mandatory
    The requirement we are facing over here is that in the Variable screen/variant screen when I enter a company code, then I need to display dynamically only those "My Controlling Area" values which are assigned to that particular company code and not all. In the same way after selecting the appropriate "My controlling area" value, I need to display only those cost centers in the cost center selection field which are assigned to the selected company code and My controlling area combination and not all.
    can anyone guide me on how to go about on this authorization issue at the variable screen itself.
    Please treat this issue/requirement on high priority.
    Appreciated in advance.
    Regards,
    raps.

    Hi,
    I think that an alternative to solve your concern could be using Web Application Designer (WAD).  In this respect, there are several design options, with different levels of complexity.
    As the simplest alternative, you could create a WAD including your query and three Dropdown Boxes: one for Company, a second for Controlling area and another for Cost center.  The four mentioned elements should be linked to the same dataprovider so, when you select a company, the options in the other two Dropdown boxes and the information in the query are updated.
    In order to enforce mandatory filter selection at Company and Controlling area level, you should set NO_REMOVE_FILTER='X' in both two Dropdown boxes, so that "All values" option -which would mean no filtering- is not offered.
    I hope this helps you.
    Regards,
    Maximiliano

  • Authorization issue "No authorization"

    Dears gurus,
    I created an analysis authorization using tx. RSECADMIN, this contains the IO 0COSTCENTER restricted with some value, and also contains the IO: 0TCAACTVT, 0TCAIPROV, 0TCAVALID. Then I assigned it to a role using tx. PFCG. But when the query is executed the following message appears: "No authorization". Using a trace tool, it appears to require the analysis authorization 0BI_ALL, but if I give this authorization, it doesn't restrict the IO 0COSTCENTER as wanted.
    Please let me know what is missing.
    Best regards,
    Pilar Infantas.

    Remove 0BI_ALL object from the user's profile and try executing as below; it should give you the authorization object values that are missing.
    Go to RSECADMIN > Analysis > Execution as User --> enter the user name you are executing the query with
    Check box --> with Log option
    Select RSRT option
    Hit the start transaction button; it should show you the authorization errors with the authorization objects missed.
    if not
    again RSECADMIN>Analysis>Error Logs-->check with the latest time stamp for that particular user and analyse the authorization issues
    Hope it Helps
    Chetan
    @CP

  • Authorization issue with VA02 radio buttons

    Hello All,
    We are stuck at one authorization issue. The user navigates using tcode VA02.
    1)     Execute Tcode -VA02=>
    2)     puts order number # 100001 =>
    3)     press enter =>
    4)     press enter =>
    5)     Screen: Change (Company Name) Return 100001: Overview =>
    6)     Option: Display doc. Header details (looks like a magnifying glass beside PO_date) =>
    7)     This bring us to Change (Company Name) Return 100001: header Data =>
    8)     select status tab =>
    9)     on Status tab lower end there is a button "Object Status" =>
    10)     Press it =>
    11)     Come to Change Status :
    12)     On this screen There is Status with status no. on the right side with 7 options
    e.g:
    •     1 BLK Approval Required for,
    •     2 BL1 Approval for Credit,
    •     3 BL2 Approval for material Replacer
    We need to restrict the radio button access for user for which we are unable to find the authorization object.
    Could any one help.
    Thanks & Regards
    gab

    Hi,
    Use ST01 to trace the user activities and check which objects it's hitting when you click on those buttons, then you can restrict radio buttons using those objects.
    I haven't run the tcode myself and performed the steps you mentioned, but if you think it's calling another transaction from those buttons you can manage that in SE97, or add the t-code VA02 in the S_tcode auth object in PFCG.
    Hope this should get you going
    Thanks,
    Vijay

  • Authorization Issue in SM50

    Hi All,
    One of our users is facing an authorization issue in SM50. He goes to SM50 and tries to open a work process. This is where he gets the message "You are not authorized to use function Work Process List".
    When I check the trace, I see only missing access for SM04. I checked trace for my own id (with no error) and found that SM04 is not even checked for my id and rest all authorization checked are same for both ids.
    I assigned a BASIS role to this user and that resolved the issue. But strange thing is still that user's trace shows SM04 missing. (SM04 is not there in that Basis role).
    Now I don't understand what exactly is the missing authorization for this user. Definitely SM04 is not the one and I can't assign this basis role to him. Could any one guide with this issue? Below is the trace for the user in both cases (without Basis role assigned and with this role assigned).

    Hi Julius,
    I created a test id with same rights as the user. My id has SAP_ALL assigned. Now I am doing exactly same activity (double click on same work process). But I don't see SM04 access being checked for my id.
    Even if I assume that I am doing something different than the user, the thing which is strange to me is: when I assigned a basis role which doesn't have SM04 access to the test user, I still see the same trace results but this time there is no authorization error. I don't think there are authorization checks which are not recorded in ST01 trace.
    There could be one tiny possibility that SM50 is throwing an error message (authorization error) but it's not triggered through a failed authorization check, instead based on some other condition. For that I would need to debug the tcode. But that doesn't seem likely as this is a standard and widely used tcode.
    Thanks

  • Computer Authorization issue with iTunes 11.4

    When I try to synch my IPhone 5S on Windows 8.1 / iTunes 11.4, I keep getting a message that "This computer is not authorized for the apps that are installed on our iPhone" and when I de-authorize…

    Hey Ashfromsea,
    Thanks for the question. I understand that you are experiencing issues with iTunes Store authorization. The following resources may provide a solution:
    iTunes repeatedly prompts to authorize computer to play iTunes Store purchases
    http://support.apple.com/kb/TS1389
    iTunes: Missing folder or incorrect permissions may prevent authorization
    http://support.apple.com/kb/ts1277
    Thanks,
    Matt M.

  • IBNS with ISE, authorization issue

    I'm running the 90-day ISE demo and trying to configure IBNS with it. I love the feel of the interface and almost instantly had a set of policies up and working fine. My issue is this:
    I have an authorization service for machines so before a user logs in, their machine will authenticate to a list of machines in AD. This will give them guest/limited access.
    I have a second authorization service for users. Once the user authenticates to AD, they should get access based on user group or other AD attributes. However once the user authenticates to AD, the previous authorization service that they had before is still enforced. The user is stuck with machine authorization. I figured that it was because the setting was "First Matched Rule Applies" so I switched to Multiple and now after the login, it still matches machine authorization but it now also matches on Default which will deny access...how can something match both authorized and default?
    Because of that I have to make the machine authorization setting open to everything. Can anyone provide any guidance on this issue as config examples and such aren't out yet for ISE and the admin guide wasn't very helpful with this particular issue.
    Thanks
    Xavier

    The problem is that when the user is authorised after the machine is authorised, he still gets Machine Access (number 6). The user is supposed to get Engineer Access based on the IBNS User Authorisation Rule in number 1.
    Comparing 5 and 6, the username for 5 is host/machineName/domain which should be granted Machine Access based on how AD is set up (with a list of hostnames of Domain Computers). In number 6 the username is domain/username which indicates it's a domain user and so he should get engineer access. For some reason, ISE doesn't want to match with the new authorisation rule and just keeps the one that I had before.

  • Authorization Issue to Upload file in Integrated Planning

    Hi All
      I have included the planning role for the user, which is the same as mine. I can execute and upload the file. When I log in with the user ID, it says you are not authorized to upload zFILE_SEQ/... In my role there are Z* values also.
    No idea how to rectify as I don't see any problem??
    Pls help.

    Hi,
    Could you please look into the authorizations that restrict data selection for the user, say if he control one or two costcenters and you have access to all costcenters. Also you need to have that object in the Aggregation level that allow the user selection. You need to include that info object restriction based on authorization value in the aggregation level and in the upload file.
    Also try to execute the input ready query from RSECADMIN T-CODE. Use the 3rd tab and choose the user id and choose with log. Then on the next screen will be RSRT and choose your input ready query and execute. Then choose the back button and on the previous screen choose display log, which will give you a detailed log on the authorization issue ...
    hope it helps...
    cheers,
    Balaji
    Edited by: Balaji NS on Jun 4, 2011 1:47 AM
