Authorization Matrix for BI Sandbox

Similar Messages

• Authorization restriction for CRM 2007

  Dear Experts,
  We are in process of defining the authorization matrix for CRM 2007 for end users who will be using Web UI.
  Here my requirement is the service orders created by USER1 should not be displayed by USER2 and vice-versa when they do a search in both Web UI and GUI in Tx CRMD_ORDER for service orders.
  Please let me know how can I acheive this and what is the auth. object for the same.
  Thanks & Regards,
  Sharath

  Dear babu,
  If I understood your request, you want that, only one user will be able to access the document. If you want to do that, this is the answer:
  At tcode PFCG you shoud set:
  First you must set what type of document will be avaible to the user, in this case Z020.
  CRM_ORD_PR: PR_TYPE 'Z020',ACTVT '*'
  Next you must set which activities they will be able to do (notice, you must set the same field in the previsou object(
  CRM_ACT: ACTVT u2018*u2019
  And then you set which partner function or partner category are able to access the document, here is the main point !
  In this example I set that only users who has Partner Category (not partner function) Employee Responsible (std partner category 0008) are able to access the document
  CRM_ORD_OP: ACTVT '', PARTN_FCT '', PARTN_FCTT '0008'
  Here you can notice again field ACTVT, here you will set what user are able to do, "*" means everything, "1" = create, "2" = modify, etc. (I can see the list at PFCG, adding the auth. object to the PFCG profile).
  I notice only std partner function or partner category works with this object. I sent a message to sap support, and they confirm that, so if your user has Z partner funcition or category it is not possible to do that.
  Summary, your user must be present in the partner list of the document, and they must have a partner function or partner category std. It is possible to set together both values PARTN_FCT  and PARTN_FCTT, but I think it is not necessary.
  The easy way to do that is, user who will be able to access the document, must be the employee responsible.
  This help is very usefull
  http://help.sap.com/saphelp_crm60/helpdata/en/4a/b9f63a8ab2c745e10000000a114084/frameset.htm
  Regards,
  Lalas
  ps.: As you should know, only one partner function must have partner category Employee Responsible, in the partner det. procedure, otherwise, you will get error message in your application.

• Regarding Making user authorization matrix

  Hwello Friends,
     Can anybody tell me the user authorization matrix for sap system ? How can we make and how to make profiles and roles. i know the transaction. but does sap or other documents for this ? plz send me or guide me. waiting for ur reply.send me some link if any or material links. or send me material on my id. [email protected]
  Thanks
  Deepak

  Hi, Deepak!
  As your question is quite general - which kind of SAP system? ECC? Portal? PI? - I' m doing a little hard with concrete answers. Probably you' ll find some infos under <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/81/0e0f61b566dc44bbb4055b3ccd25be/frameset.htm">Identity Management</a>. If that' s not what you' re looking for, let me know!
  Regards,
  Thomas

• Query on SoD matrix for CRM-Webshop applications - RAR 5.3

  Hi,
  We are implementing RAR 5.3 for CRM system. We observed that GRC has standard SoD matrix for CRM application. But there is no SOD matrix available for the Webshop (B2B/B2C/BOB) where access will be provided to the external users
  We are of the opinion that there will be no SoD conflicts for the Roles/Users created for the webshop applications as the webshops are used by the external users i.e. customers.
  Is there any standard SoD matrix available for the authorization objects of the webshop application with SAP? Has anybody configured SoD rules for the webshop application roles? If yes, please provide us the link of the information where we will get this rule matrix
  Thanks in advance.
  Srihari.K

  Hi Sri,
  The standard rule for CRM is available in the marketplace.
  But I don't think SAP has created standard rule for webshop.
  Thanks,
  Sudip.
  Edited by: Sudip Saha on May 18, 2009 4:05 PM

• Security error: Cannot authorize operation for invalid non-ASCII URL

  I have an error that popped up with Flash Player 10.1.85.3 or 10.1.82.76.
  In our application, we load users' avatars with their original filename. Some filenames have non-ASCII characters (i.e. Hebrew, accents, or umlauts) and I can no longer load those files from a different subdomain.
  For example, I'm trying to load this image (with the Loader class and a LoaderContext):
  http://photos.myawesomedomain.com/images/awesöme.jpg  (o with umlaut)
  It comes to me encoded in UTF-8:
  http://photos.myawesomedomain.com/images/awes%C3%B6me.jpg  (umlaut converted to %C3%B6)
  When I try to load the file from http://myawesomedomain.com/myawesome.swf, I get this error:
  *** Security Sandbox Violation ***
  Connection to http://photos.myawesomedomain.com/images/awesöme.jpg halted - not permitted from http://myawesomedomain.com/myawesome.swf
  Error: Cannot authorize operation for invalid non-ASCII URL http://photos.myawesomedomain.com/images/awesöme.jpg
  If I try this with a player earlier than 10.1.82.76, it works. It also works if I move the file to the same domain as the SWF (http://myawesomedomain.com/images/awesöme.jpg) -- but that's not an option for me. Files without unusual characters work regardless of the player version.
  The error occurs when I try to access the bitmap data of the loaded image. I've tried encoding the URL differently, but Flash always reports it as "http://photos.myawesomedomain.com/images/awesöme.jpg" - with the umlaut converted to strange characters. The cross domain file allow-access-from "*.myawesomedomain.com"
  Has anyone run into this? Is there a way I can fix it without renaming the users' photos (we have tens of thousands of these)?
  I feel like I must be missing something obvious; hardly anything comes up in Google for this, but I don't think it would be an uncommon problem.  I believe https://bugs.adobe.com/jira/browse/FP-5580 is related.
  Thanks!

  The problem is based on the player version, not the browser.
  The problem showed up in Chrome first because it auto-updates the player; when Firefox users installed the updated player, they started having the problem, too.

• Creating the Authorization Matrix?

  How requirement gathering should be done?
  What is procedure to Create Authorization Matrix in SAP Secuirty Project?

  Hi Ajit,
  If you are starting new to security, then you can go through books like authorizations made easy, and can also enroll for the SAP ADM courses. There are also good books for authorizations and the procedures for implementing it on SAP-PRESS. You can buy them too.
  You can search this forum for certification too:
  SAP Security Certification
  To answer your question on job and process based roles:
  Process roles are roles that contain at least one tcode, but are usually a set of tcodes, reports and programs.  They represent a defined granular business process with specific functions within the R/3 environments. Set of these roles make up a job for a user.
  Job roles are roles containing multiple tcodes, reports and programs which make up specific Job Functions .These may also be referenced as Position-Based Roles. In most cases, users are only assigned one Job Role
  Hope this helps
  Abhishek

• Updation of Authorization Matrix

  Dear Experts,
    We have implemented SAP in July 2010. At that time we were provided with a Authorization Matrix Sheet (Excell Sheet) for all users in SAP. But after that so many changes were made, authorizations added or removed / new users added / users blocked.
  Is there any method in SAP to update the authorization matrix.
  thanks.

  It has to be done manually.

• Devlopment of authorization matrix

  Hi All,
  I need to devlop an authorization matrix using resecadmin transaction.
  what is a genral idea behind authorization matrix?
  What should be the steps to create authorization matrix?
  What things should be included for creation of the authoriaztion matrix?
  Regards,
  deepak

  Hi,
     Check these links.
  Authorization Matrix
  What is Authorization Matrix?
  Regarding Making user authorization matrix
  Regards,
  Balaji V

• What is Authorization Matrix?

  Dear Friends,
  What is Authorization Matrix?? Can someone clarify with an example??
  Regards,
  Alok.

  Hi,
  As per my knowledge, the auhtorization matrix will have a set of roles that are required for a business user. It is a normal spreadsheet document with list of roles. Further, it also contains the list of transaction in every role. When a new user joins the organization, he can find out the roles for which access is required based on the FUG (Functional User Group) in the authorzation matrix.
  Regards,
  Raghu

• Custom authorization provider for WL7 problem (not getting all parameters from ContextHandler)

  I'm implementing a custom authorization provider for WebLogic 7.
  In my Access Decision isAccessAllowed method I need to check values of
  the parameters passed to an EJB method. Now, if an EJB method I have
  two parameters of the same type, for example int, when I get
  ContextElement array from ContextHandler and iterate through it to get
  names and values of the parameters I get the same value (value of the
  first int parameter) from both ContextElement's.
  Here is the code:
  String [] names = ch.getNames();
  for (int i = 0; i < names.length; i++)
  String name = names;
  System.out.println("name = " + name);//here it gets array of
  Strings, which contains two parameter names: "int","int",
  which are the types of EJB method parameters
  ContextElement[] ces= ch.getValues(names);
  for (int j = 0; j < ces.length; j++)
       ContextElement ce = ces[j];
       System.out.println(ce.getName()+ " = " + ce.getValue());
  //here if the value of the first int was 2 and the second 0,
  it would get 2 from both ContextElements (each of ContextElements will
  have name "int"
  If I try this with method parameters of different types, for example
  int with value 2 and long with value 0, then this code work fine -
  first ContextEleement has name int and value 2 and the second has name
  long and value 0.
  Thanks,
  -Oleg Kozlov.

  I'm implementing a custom authorization provider for WebLogic 7.
  In my Access Decision isAccessAllowed method I need to check values of
  the parameters passed to an EJB method. Now, if an EJB method I have
  two parameters of the same type, for example int, when I get
  ContextElement array from ContextHandler and iterate through it to get
  names and values of the parameters I get the same value (value of the
  first int parameter) from both ContextElement's.
  Here is the code:
  String [] names = ch.getNames();
  for (int i = 0; i < names.length; i++)
  String name = names;
  System.out.println("name = " + name);//here it gets array of
  Strings, which contains two parameter names: "int","int",
  which are the types of EJB method parameters
  ContextElement[] ces= ch.getValues(names);
  for (int j = 0; j < ces.length; j++)
       ContextElement ce = ces[j];
       System.out.println(ce.getName()+ " = " + ce.getValue());
  //here if the value of the first int was 2 and the second 0,
  it would get 2 from both ContextElements (each of ContextElements will
  have name "int"
  If I try this with method parameters of different types, for example
  int with value 2 and long with value 0, then this code work fine -
  first ContextEleement has name int and value 2 and the second has name
  long and value 0.
  Thanks,
  -Oleg Kozlov.

• Authorization Group for G/L Account

  Hi,
  What?
  - I wish to restrict the 'posting' of a G/L account to be done by certain users only
  How?
  - What I have done was...
  a) From FS00, I have added a free-text (BANK) into the Authorization Group for a G/L account
  b) From PFCG, a new role was created to allow these 2 Authorization Objects, F_BKPF_BES and F_SKA1_BES
  c) 'BANK' was entered for the Authorization Group for both these 2 Authorization Objects
  d) From there, I have assigned this new role to the user that I wish to allow Posting of the G/L account
  Problem?
  - Other users still can do Posting for this G/L account
  - Any steps which I have missed out here or done wrongly?
  Thanks,
  Brandon

  Hi,
  Some other roles of the users may override and cause the users to post against this GL account.
  Check all the roles relevant for the restricted users. 
  Use SUIM t-code to find if the auth object mentioned above is included in any other role.
  If it be, restrict that again.
  Generally if one role as no restriction against this auth and not all, this issue tends to happen.
  Regards,
  Sridevi

• Analysis Authorization failed for Multiprovider

  Hi all,
  We are facing an issue pertaining to the Analysis Authorization for a multiprovider. When we attempt to access a query base on a multiprovider, the program complains that it has insufficient authorization. So we did debugging in the customer exit and we realise it fails to populate the rest of the authorization variables in I_step = 0. Base on our initial investigation this only happens on queries on multiprovider, so is there anything I need to set or do to curb this error?
  Many thanks!

  Best solution is to trace the authorization for your issue in ST01.
  Switch on the trace in ST01 and start your work. if you face authoirzation check failed. look into the trace there you will find the logs and authorization failed for your userid.
  And one more thing, have you got anything in SU53 as authorization check failed?
  Hope this would help you.

• I can't synchronize my iPod's with my iTunes software (Windows Vista Home Premium) due to problems with the access authorization / rights for this operation

  Hi there,
  I'd like to ask you something:
  I'm trying to synchronize all my iPod's (I have as many as 4 iPods: 2 iPod touch a 8 GB each and 2 iPod classic a 160 GB each) with my iTunes software (Version 11.3.1 which is installed on a Windows PC (Windows Vista Home Premium)). Unfortunately, the iTunes software refuses to run the command "synchronize with the iPod connected" regarding each and every iPod I have. iTunes just declares:
  Synchronizing is impossible because I wouldn't hold the access authorization / rights for this operation.
  I uploaded the songs at issue to my iTunes folder from CD's (all songs are in AAC format now).
  What is this access authorization, why was something like that invented and what can I do to get it?
  How do I have to proceed in detail?
  What would it cost?
  I am brand new here and have never ever made a post in any support community anywhere in the world in my life. Well, and I am not excessively knowledgeable about the particular computer or mac language but I know the very basics or can find out about them.
  Anyways - can you help me please?
  If you can't help me, who can do so?
  It would be nice if you could answer me as soon as possible!
  Thank you guys
  Prying Pedro

  Yes, others have experienced the problem, a simple search of the forums would have revealed that and the simple solution.
  Termporarily disable any security software on the computer.

• Authorization restriction for Goods issue against an Order

  Hello All,
  We have a situation wherein the user is able to issue goods using tcode MIGO by choosing Goods issue --> Others and mentioning an order number that belongs to another plant in the account assignment tab and issues a material which belongs another plant.
  For eg we have material A that has been created for plant 1. The user issues the material (movement type 261)and the account is assigned to an order which has been created for plant 2.
  I could not find any authorization object that restricts this.
  I checked the objects M_MSEG_BWA and M_MSEG_WWA and he has authorizations only for plant 1 and all movement types.
  Any pointers to restrict this access will be appreciated.
  Thanks & Regards,
  Subramaniam Iyer

  Hi,
  MIGO transaction by default restricted with Plant.  If you say that the user A is having access to only Plant 1 & 3, but not for 2, please check the below authorization objects does not have any manual objects inserted into the Role and restricted with the value only in organization field.
  M_MSEG_LGO
  M_MSEG_WMB
  M_MSEG_WWA
  M_MSEG_WWE
  This issue may occur because if the objects are maintained manually in the role.  If so, when you check in the organization field, it may not be showing the value which are manually added into the manual object.
  Also, please check the other roles are assigned to the user.  If any of the other roles assigned to the user having any of the above objects with * value, this may provide the user to do the Goods movement for any plant.
  To check the issue, please go to SUIM and check the user under "Roles by Complex Selection Criteria" and make sure that you are checking the objects for the particular user.  This should be able to identify whether the user is getting access from any other roles assigned to the user.
  Regards
  Anandm

• Authorization checks for PNP LDB

  question    : how to validate authorization checks for pnp logical database?
  2 nd question: hr report
  this report is basically for salary survey. in this i had so many fields can any body let me know how
  can i form the internal tables. and i have to display overall 150 fields in csv file for that
  how can i take in to the final internal table.
  what is the logic behind this:
  T71JPR09-JOBCODE
  PA0000-PERNR
  HRP1000-STEXT
  P0006-PSTLZ
  PA0008-ANSAL * 100 / PA0008-BSGRD
  PA0015-BETRG
  PA0761-LTEXT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-GRADT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
  like that i had.
  please give me the steps how can i proceed.

  Hi,
  The PNP database will take care of authorization check. It will not execute if used does not have authorizations.
  Hope this helps.