Authorization object and document management

Similar Messages

• Table Name - For Authorization objects and fields.

  Hi
  Could any  one let me Know In which Table Authorization Objects and Authorization fields are stored.
  Thanks N Regards.
  Priya

  hi,
  TOBJ ---> Authorisation Objects
  Refer to the link.
  http://saptechnicalinfo.blogspot.com/2008/07/sap-authorization-objects-tables.html
  Regards
  Sumit Agarwal

• What is authorization object and how to create it for a table

  Hi All,
  What is authorization object and how to create it for a table?
  Thanks

  Hi
  Authorization
  For authorization checks, there are many ways of linking authorization objects with user actions in an SAP system. The following discusses three possibilities in the context of ABAP programming.
  Authorization Check for Transactions
  You can directly link authorization objects with transaction codes. You can enter values for the fields of an authorization object in the transaction maintenance. Before the transaction is executed, the system compares these values with the values in the user master record and only starts the transaction if the appropriate authorization exists.
  Authorization Check for ABAP Programs
  For ABAP programs, the two objects S_DEVELOP (program development and program execution) and S_PROGRAM (program maintenance) exist. They contains a field P_GROUP that is connected with the program attribute authorization group. Thus, you can assign users program-specific authorizations for individual ABAP programs.
  Authorization Check in ABAP Programs
  A more sophisticated, user-programmed authorization check is possible using the Authority-Check statement. It allows you to check the entries in the user master record for specific authorization objects against any other values. Therefore, if a transaction or program is not sufficiently protected or not every user that is authorized to use the program can also execute all the actions, this statement must be used.
  AUTHORITY-CHECK OBJECT object
                          ID name1 FIELD f1
                          ID name2 FIELD f2
                          ID namen FIELD fn.
  object is the name of an authorization object. With name1, name2 ... , and so on, you must list all fields of the authorization object object. With  f1, f2 ... , and so on, you must specify the values that the system is to check against the entries in the relevant authorization of the user master record. The AUTHORITY-CHECK statement searches for the specified object in the user profile and checks the useru2019s authorizations for all values of f1, f2 ... . You can avoid checking a field name1, name2 ... by replacing FIELD f1  FIELD f2 with DUMMY.
  After the FIELD addition, you can only specify an elementary field, not a selection table. However, there are function modules available that execute the AUTHORITY-CHECK statement for all values of selection tables. The AUTHORITY-CHECK statement is supported by a statement pattern.
  Only if the user has all authorizations, is the return value sy-subrc of the AUTHORITY-CHECK statement set to 0. The most important return values are:
  ·        0: The user has an authorization for all specified values.
  ·        4: The user does not have the authorization.
  ·        8: The number of specified fields is incorrect.
  ·        12: The specified authorization object does not exist.
  A list of all possible return values is available in the ABAP keyword documentation. The content of sy-subrc has to be closely examined to ascertain the result of the authorization check and react accordingly.
  REPORT demo_authorithy_check.
  PARAMETERS pa_carr LIKE sflight-carrid.
  DATA wa_flights LIKE demo_focc.
  AT SELECTION-SCREEN.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
                    ID 'CARRID' FIELD pa_carr
                    ID 'ACTVT' FIELD '03'.
    IF sy-subrc = 4.
      MESSAGE e045(sabapdocu) WITH pa_carr.
    ELSEIF sy-subrc <> 0.
      MESSAGE e184(sabapdocu) WITH text-010.
    ENDIF.
  START-OF-SELECTION.
    SELECT  carrid connid fldate seatsmax seatsocc
      FROM  sflight
      INTO  CORRESPONDING FIELDS OF wa_flights
      WHERE carrid = pa_carr.
      WRITE: / wa_flights-carrid,
               wa_flights-connid,
               wa_flights-fldate,
               wa_flights-seatsmax,
               wa_flights-seatsocc.
    ENDSELECT.
  Regards
  Hitesh

• Authorization Object and Authorization...!!!

  Hi BW Experts,
  Could anyone plz tell me what is the difference between Authorization Object and Authorization..!!!
  Thanks in Advance.
  Regards,
  Giftedbrain.

  Giftedbrain,
  Authorization Object:
  An authorization object groups up to ten fields that are related by AND.
  An authorization object allows complex tests of an authorization for multiple conditions. Authorizations allow users to execute actions within the system. For an authorization check to be successful, all field values of the authorization object must be appropriately maintained in the user master.
  Authorization objects are divided into classes for comprehensibility. An object class is a logical combination of authorization objects and corresponds, for example, to an application (financial accounting, human resources, and so on). The line of the authorization object class is colored orange in the profile generator.
  For information about maintaining the authorization values, double click an authorization object.
  The line of the authorization object is colored green in the profile generator.
  Authorization:
  Definition of an authorization object, that is, a combination of permissible values in each authorization field of an authorization object.
  An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  Authorizations allow you to specify any number of single values or value ranges for a field of an authorization object. You can also allow all values, or allow an empty field as a permissible value.
  If you change authorizations, all users whose authorization profile contains these authorizations are affected.
  As a system administrator, you can change authorizations in the following ways:
  ·        You can extend and change the SAP defaults with role maintenance.
  ·        You can change authorizations manually. These changes take effect for the relevant users as soon as you activate the authorization.
  The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user has sufficient authorization for a particular activity. To do this, it compares the field values specified in the program with the values contained in the authorizations of the user master record.
  The line of the authorization is colored yellow in the profile generator.
  -Doodle

• Authorization Object And Roles For  Functional Consultant

  Dear Expert,
  What kind of respective Authorization Object And Roles would be provided to  Functional Consultant (FI,MM, SD, PM, PS, CO, HR )at the time of implementation ?
  Thanx in advance
  Pavel

  Thanks Juan,
  We now already have it here and in the NW IDM forum a few times as well...
  Cheers,
  Julius

• OLE2_OBJECT AND DOCUMENT MANAGEMENT SYSTEM (DMS)

  Hi Experts.
  I'm trying to make a excel inform like a catalog with materials and images which are in a Document Management System.
  I'm using OLE2_OBJECT to make the inform in EXCEL, because I'm trying to do it with SMARTFORMS, and I cannot because I need to resize and put ok the images and with SMARTFORMS I cannot.
  To see the information I have a ALV Objects with a custom container with the information to the database..., material, price, etc..., and in other container when you click in a row I show the picture which is in the DMS.
  To do it, I use this method to get the URL to the image.
  CALL METHOD cl_dms_thumbnail_display=>get_url
  EXPORTING
  i_doc = ls_doc "IMPORTING
  e_url = g_graphic_url.
  And after I call the method of instance of class cl_gui_picture to show the picture in the cl_gui_alv_container
  CALL METHOD g_picture1->load_picture_from_url
  EXPORTING
  url = p_graphic_url
  IMPORTING
  RESULT = p_result.
  In the code to excel print to insert the picture if I put this URL to my local pc, it's ok,
  CALL METHOD OF picture 'INSERT'
  EXPORTING
  #1 = 'C:Documents and SettingsadministradorMis documentosMis imágenesprueba.bmp'.
  but the URL of the g_graphics_url it's
  SAPR3://SAPR3CMS/get/200/ZAFD_5F100/DC99BBC5172158F18A14005056C00008/DSR_20DEP_202_20BANDAS_20BROWN_20389_2020070719.JPG
  and this URL it's nothing if I put in the internet explorer...
  What can I do to do this??
  If you have another idea I appreciate it.
  Thanks.

  Hi,
  May be try this way . ( I am not 100% sure about this)
  data : g_picture   type ref to cl_gui_picture.
  data : g_thumbnail type ref to cl_gui_custom_container.
  CALL METHOD cl_dms_thumbnail_display=>get_url
  EXPORTING
  i_doc = ls_doc "IMPORTING
  e_url = g_graphic_url.
  if not g_graphic_url is initial.
  create object g_thumbnail
        exporting container_name = <Your container name>.
  create object g_picture
         exporting parent = g_thumbnail.
  call method g_picture->set_display_mode.
  endif.
  aRs

• Using Sharepoint as an archival and document management

  Hello, 
  I was asked by my manager to look for possible solutions to convert our archive paper file cabinets that are full of student records into digital format. We do not utilize sharepoint yet at the school but I was researching and found that sharepoint does a good
  job in archiving and content management. The ultimate goal for us is:
  1-  to be able to scan the documents in the file cabinets and save them into folders on sharepoint. We want to be able to create a folder under a specific students' name and then scan all documents related to that student into that specific folder. 
  2- Give permission to specific staff members to access and search for docs by student name. 
  I wanted to ask if  and how this is possible to achieve by Sharepoint knowing that we have an estimate of 120,0000 paper docs to scan. 
  I would much appreciate your help. 
  Thanks! 
  Nancy

  Hi
  There are many options to scan your documents and directly save and place in Sharepoint with very effective manner, you can Save directly from Scanner Deive, versioning, searching,
  ordering, automatic workflow and you can set the RCM policy in that if the documents is saved since very long time you can automatic arrive them from one location to another or can remove them apart from this there is many nice feature for content management
  you will get out of the box using SharePoint content management.
  You can use following application along with SharePoint to scan the contents.
  here are some of them.
  KnowledgeLake provides an affordable, platform based solution for managing
  your company’s unstructured content right
  within SharePoint. KnowledgeLake is an enterprise scalable and comprehensive SharePoint solution for searching, viewing,
  securing, routing and annotating your company’s mission critical electronic content. The KnowledgeLake solution is fully
  integrated with SharePoint, so it is easy to implement, easy to administer, presents low risk, and is cost effective.
  2. ScanSnap and Microsoft SharePoint enable you
  to expand the benefits of your Enterprise Content Management (ECM) system, right from your desk.  Fujitsu bundles the KnowledgeLake ‘Scan to Microsoft SharePoint’ application with the scanning software, making it easy to onramp scanned documents directly
  to SharePoint.
  Scan to Microsoft SharePoint is a desktop application enabling users to easily index, store and retrieve any document to SharePoint 2003/2007/2010 or Office Live. It eliminates
  the conventional multi-step, manual process that standard SharePoint constructs require, replacing it with a fully integrated and automated solution.
  Here is nice article you can find some good details about content management automate.
  http://www.technologyfirst.org/magazine-articles/120-march-2013/823-bizdocshow-to-make-your-small-business-paperless-using-sharepoint-with-integrated-imaging-and-scanning.html
  Krishana Kumar http://www.mosstechnet-kk.com

• Interface between SAP and Document management system

  Hi,
  I have a requirement to interface SAP 4.7 with a Document management system(Fakta).A  vendor invoice will be created in SAP using FB60 transaction.The vendor invoice(in paper form) will be scanned by the Fakta digital document system.The Fakta system will handle the approval process for the vendor invoice and update the status of invoice in SAP as APPROVED.
      My requirement is when an SAP user wants to see the scanned invoice stored in the fakta system,he should be able to view it from SAP preferably from FB60 or the document overview for the invoice in SAP.What is the best way to do this.
  I found one option of using RSDEMO_HTML_VIEWER which may not be useful as we think.Is there a better option available?
  Please share your experience.
  Thanks in millions,
  Leo

  Hi
  I'm sorry but I've never worked on this problem, but I think the better solution should be use SAP Archivelink, I know It should do what you want.
  See here:
  http://help.sap.com/saphelp_46c/helpdata/en/93/51b7569e0811d1a55e0000e82deaaa/frameset.htm
  Max
  Message was edited by: max bianchi

• Custom authorization object and check logic

  Hi gurus,
  we need to apply additional authorization check in our custom reports.
  so i created a custom fields & object, and put the statement
        AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
                 ID 'ZROLEID' FIELD '03'
                 ID 'ZSOBID'  FIELD zzdwbm.
  in a abap class method centrally, so it could be called by many reports.
  but the test show that the sy-subrc always set to 0, even for users without any authorization.
  what i missed for adding custom auth check?
  for this case, do i need to maintain authorization check indicator in SU24?
  what i am confused is that , su24, you have to maintain a transaction , but our authorization check is not for transaction , but for reports and bsp application, how should i maintain su24 for that?
  thanks and best regards.
  Jun

  Hi,
  I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
  I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
  Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
  We've ran the report RPUACG00 also which is mentioned in this thread.
  We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
  I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
  but still it is taking the P_ORGIN object.

• Integration of CHARM and Document Management

  Dear All
  After a lot of time on sdn wiki and thanks to the key blogging contributors , I now have a decent understanding of how to configure CHARM
  To go into more details, i would like to integrate CHARM with the Document Management within Solution MAnager
  Would i be right to assume that this integration is currently today in use only by a few GXP kind of customers
  But it seems the configuration of document management itself is not so difficult (eg creating document types, statuses, status schemes, signature strategy etc) The IMG has the steps described though in not great detail. Some topics are still bit specialized eg document versioning etc
  I was wondering if someone who has already spent time in this area could write a SDN blog or SAP experts coudl write a wiki section
  I see this as the next big improvement since everything would be out of the box and external document databases can be discarded etc
  Also the workflow of informing and signing documents for clear visibility is on the same system etc
  Some requirements could be
  1) what could be the minimal document workflow
  2) what kind of checks can be implemnet to prevent CD to move forward if a document is not in 'Approved' status
  3) at what point could a QM come into picture
  etc
  Though the documentation is in bits and pieces, if we could have alll at one place - lets say how its done , would be very helpful
  Like a Wiki or the SAP CHARM configuration guide
  or like the ITSM book by Nathan Williams with illustrations  :-)
  Thx
  Chandrakanth

  This is very far from the type of integration I expect to see. Proper incident management means when a problem occurs and incident is logged into the sap service desk. If this incident requires a change it should be forwarded to the CHange Reqest Management (CHaRM). From there it should have a business impact analysis, then a system or architecture review, only then if it is approved should development be started, after the development, it goes into QA for testing. Since the business process is defined in the solman and there are test cases for this business process. It makes sense that one can use the test workbench to verify the business process, and document the testing. If there is a problem with the testing and it needs to go back to development, it should be connected to the same incident logged initially. There should not be a second problem logged. It is still part of the same incident and should be managed as such.
  This question exists also for a maintenance project. Once I have an operational system and all the business process defined in the project and a change arrives into ChaRM, why canu2019t the change be done in the project like and implementation?
  How can one find out the direction of this product? Does SAP have any plans to develop solman into an integrated tool or will it remain a bunch of simple tools that co-exist on the same server?

• Get Authorization Object and Tcode

  Hi,
  I have a requirement to get a report of
  Role Name, Date of Validity, Authorization Object in User Master Maintance (TCode) and Description of Tcode
  I used SQVI
  and joined Tables
  AGR_USERS, AGR_1251, USTSTCAP
  From the first two tables I get all most all fields Except the description of T-Code for that I used the table USTSTCAP but it is not working.
  is there any table to get text description. please give guidence
  Regards
  Nausal

  Hi,
  From TSTCT We get TCode Description
  but it is not possible to join with AGR_USERS and AGR_1251 in SQVI
  Regards
  Nausal

• Authorization Objects and RSABAPSC

  Hi All,
  I'm trying to get all the authorization objects associated with a program, without using system trace. I've tried using RSABAPSC but there are some programs that it doesn't output any authorization objects. When I checked using system trace, these programs do have auth objects. Does this mean that there are no authorization checks written in the program code?
  Apart from using system trace and RSABAPSC, are there other ways of getting the authorization objects?

  Hello Benedict,
  I think that a trace (ST01) would be better. You can try with a user that has all the authorizations and you'll be able to see all the checks that were performed.
  Anyway, I think that there's no "perfect method" and as I said before the checks depend on the program flow. Also have a look at here: http://forums.sdn.sap.com/thread.jspa?threadID=1837972
  Are you trying to get the authorizations for a custom program? If not, why don't you start with SU24 proposals and testing scenarios? You'll probably get better answers in the Security forum.
  Cheers,
  Diego.

• Authorization objects and screen elements

  i would like to enable/disable a button on screen using authorization object.
  haw this can be done.
  please help....

  In the PBO of that screen just do an authority-check on the authotization object (if there is no standard object you can use, you have to create a custom one). In case the authorization fails set the button to inactive.
  authority-check object 'authorization object'
     ID 'object id name'
     field 'field value'.
  lv_subrc = sy-subrc.
  loop at screen.
    if screen-name eq 'field name of button'.
      if lv_subrc eq 0.
        screen-active = 1.
      else.
        screen-active = 0.
      endif.
      modify screen.
    endif.
  endloop.
  That should do it,
  Michael

• Structual Authorization Training and event management

  Hi
  We have implemented structural authorization using evaluation path O-S-P. The structural authorization is working fine for org unit and positions.
  After implementing structural authorization, user lost access to business event catalog ( transaction code PSV2). Now the users are not able to see any business events and cannot book any employee for business events.
  Can we disable structural authorization check just for L-D-E structure for TEM? If not, is that any evaluation path which provide access to FULL business event catalog to all users?
  Thanks for your help.

  Hi
  Thanks for taking time to review the question.
  After we implemented structural authorization, users cannot see events in business event catalog. Before structural authorization, when they execute PSV2 the list was coming for all business event group (L) --- business event type (D) -
  business event (E). But now they are not getting any list.
  In development client, I played with some evaluation path. Using evaluation path L-D-E, i can able to get business event group and business events. But still they cannot see business events. Because of this, they are not able to book any employee to events.
  Thanks again,
  Tejas

• Role creation and authorization objects in sap

  Hi
  i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
  Please explain the process in detail the use of PFCG and all its options and how to create Z roles

  Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
  - Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.
  - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
  For e.g. If a user wants to create a PO we can restrict him on:
  u2022     Activity : Create/Change/Display
  u2022     Org elements like Company Code, Plant, Purchase Organization etc
  u2022     Document type etc.
  - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
  - Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
  - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
  - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
  - Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.
  Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM