Authorization object  assigning to user profile

Similar Messages

• Authorization object assignment on USERS

  Hi,
  i have to maintain authorization objects in transaction types and users in our company, such that the executives (management of all org. units) of the company are able to see all the transactions including activities within the whole company.
  on the other hand the employees (<b>not executives</b>, belonging to a specific org unit) should be able to see ONLY the transactions belonging to his org. unit
  useful info is avlbl at: http://help.sap.com/saphelp_crm50/helpdata/en/26/99973915e69238e10000000a11402f/frameset.htm
  but where and how are these authorization objects assigned?
  Kindly help, thnx, all answers appreciated.
  Jacob.

  hi Jacob,
  Look at <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/81/0e0f61b566dc44bbb4055b3ccd25be/frameset.htm">Identity Management</a> maybe it helps you.
  Regards.
  Manuel

• Authorization Object assigned to an User

  Hi
  I am working on a development where I have to identify value of authorization object assigned to an user. This user will be assigned to org plan, to which a business role will be assigned.
  Is there any standard FM or table linkage logic that I can use?
  I have found FM SUSR_USER_AUTH_FOR_OBJ_GET but it seems that it is relevant from GUI perspective.
  Thanks & Regards
  HM

  Hi,
  Please use transaction code SU56, switch to the user in question.
  You can see all objects or the required object and assignment of values to the user.
  Regards,
  Gowrinadh

• Authorization key for the user profile

  In SAP, there is a provision where we can create the authorization key and assign this key to the various user statuses in the user status profile.
  The application is that when the user status is changed from one to other and if to the user status, the authorisation key is assigned then the authorised person should be only able to change the status.
  But my query is that i have not come across any customization where a SAP user can be assigned to the auth. key so that he can only change the user status.
  Can anybody let me know that whatever i understood, is it correct? And if yes, let me know where to assign the user to the authorisation key?
  Thanks

  Hi Iyer ,
  Please see the below,if it solves your requirement
  M/CS Autorisation Objects
  SAP Standard Authorisation Objects:
  I_ALM_ME: Mobile Asset Management  (ACTVT)
  I_AUART: Order Type  (IWERK, AUFART)
  I_BEGRP: Authorization Group  (TCD, BEGRP)
  I_BETRVORG: Business Operation  (BETRVORG)
  I_CCM_ACT: Configuration Control authorization object  (CCACT, ACTVT)
  I_CCM_STRC: Structure gap maintenance authority  (ACTVT)
  I_ILOA: Change location and accounting data in order  (IWERK, AUFART)
  I_INGRP: Maintenance Planner Group  (TCD, IWERK, INGRP)
  I_IWERK: Maintenance Planning Plant  (TCD, IWERK)
  I_KOSTL: Cost Centres  (TCD, KOKRS, KOSTL)
  I_QMEL: Notification Types  (TCD, QMART)
  I_ROUT: Task List  (ACTVT)
  I_ROUT1: Task Lists by PM Planning Plant, Work Sched., Status  (TCD, IWERK, VAGRP, STATU)
  I_SOGEN: Permit  (SWERK, PMSOG)
  I_SWERK: Maintenance Plant  (TCD, SWERK)
  I_TCODE: Transaction Code  (TCD)
  I_VORG_MEL: Business Operation for Notifications  (QMART, BETRVORG)
  I_VORG_MP: Business Operation for Maintenance Planning  (MPTYP, BETRVORG)
  I_VORG_ORD: Business Operation for Orders  (AUFART, BETRVORG)
  I_WPS_MEB: Maintenance Event Builder  (DIWPSMEBAR)
  I_WPS_REV: Revision authorization object  (REVTY, ARBPL, WERKS, WPS_REV_AC)
  S_NUMBER: Number Range Maintenance  (NROBJ, ACTVT)
  C_TCLA_BKA: Authorization for Class Types  (KLART)
  *Authorisation Tables:*
  TOBJ: Authorisation objects
  TOBJT: Authorisation object texts
  AGR_1250: Authorisation object assigned to role
  AGR_USERS: Users assigned to a role
  AGR_TCODES: Assignment of roles to Tcodes
  Authorisation Objects for System-Statuses:
  Order: I_VORG_ORD  (AUFART, BETRVORG)
  (REL = BFRE, TECO = BTAB, delete component = RMKL)
  Notification: I_VORG_MEL  (QMART, BETRVORG (NOPR = PMM2, NOCO = PMM4))
  Maint. plan: I_VORG_MP  (MPTYP, BETRVORG)
  User-Exits:
  CPAU0001: Enhancement for Authorization Check in Task Lists
  IMRC0005: Measure point: Exit in AUTHORITY_CHECK_IMPT
  IWOC0003: PM/SM authorization check of ref. object and planner group
  QQMA0026: PM/SM: Auth. check when accessing notification transaction
  QQMA0030: Check validity of status change
  BADIs:
  DIP_SET_USERSETTINGS: Initial Object Check in DP Processor
  INST_AUTHORITY_CHECK: PM/CS Enhanced Authorization Checks
  IWO1_ORDER_BADI: Maintenance, Service, and Refurbishment Order
  NOTIF_AUTHORITY_01: Additional Authorization Checks for the Notification
  WORKORDER_GOODSMVT: PM/PP/PS/PI orders: auto. goods movement
  Authorisation Groups:
  These can be created via TCode SM30 and table T370B. They can then be assigned to the following objects:
  a.     Equipment (IE02)
  b.     Functional Locations (IL02)
  c.     Maintenance plans (IP02)
  d.     Entry List for Measurement Documents (IK32)
  e.     Object links (IN05, IN08)
  f.     User-statuses
  Authorisation Debugging:
  TCode SU53: Evaluate Authorization Check

• Authorization objects to avoid users to access workbook design mode

  Hi all,
  Does anyone knows an authorization object that stops the user to enter workbooks design mode?
  We use workbook protection but this disables most of the workbook properties.
  Many thanks,
  Mazzz

  Hi..
  see this thread.. hope it helps..
  How to prevent workbook users from saving workbooks
  You must set up security to control who can save workbooks, where they can be saved, and which workbooks appear in the BEx Browser for a specific user.
  Workbooks can also be created in the BEx Analyzer. After executing a query, choose Save u2192 Save as new workbook.
  Securing Workbooks
  In order to save a workbook, a user needs two authorization objects. The two objects listed below are the minimum authorizations a user needs to save workbooks.
  S_GUI: Authorization for GUI activities
  S_BDS_DS: Authorizations for document set
  Using both S_GUI and S_BDS_DS will enable a user to save workbooks to their Favorites folder.
  The authorization object S_GUI has one field, Activity. The activity field must be set to 60. For S_BDS_DS, the user needs activities 03 and 30. The Class Type field should be set to OT.
  Saving Workbooks to Roles
  If a user wants to save aworkbook to a location where it can be easily accessed by others, they need to save to a Role rather than saving the workbook in their own Favorites folder. Saving to a Role means saving to a security role.
  You may want to set up roles specifically for saving workbooks. You can then assign the role to all parties who need to share workbooks.
  Another option is to not allow users to save workbooks, but rather only allow power users to save workbooks. This is done to maintain the roles and to ensure that the workbooks are manageable. This also prevents users from changing workbooks saved by other users.
  In order to save workbooks to roles, a user needs:
  S_USER_AGR: Authorizations: Role check
  S_USER_TCD: Transactions in roles
  The authorization object S_USER_AGR has two fields:
  Activity and Role Name.
  Activity field -Must have at least values 01, 02 and If the user can delete workbooks, they will also need value 06.
  Role Name, you should enter the specific roles you have created for saving
  workbooks. Use proper naming convention for roles so that the roles can be restricted pretty easily.  The role name is the name of a role that will be used to hold workbooks. Saving a workbook to a role actually updates the Menu portion of a role, so object S_USER_AGR is a required object.
  Authorization object S_USER_TCD has one field
  Transaction Code. The user needs value RRMX in this field.
  Once a workbooks is saved, the data and the layout is saved in the workbook. For security reasons, we recommend that users save workbooks without the data. To save the workbook without the data, the users selects from following menu path from the BEx Analyzer: Tools > All queries in Workbooks > Delete results
  Sathya
  Edited by: sathya prasad anumolu on Jul 30, 2008 4:58 PM

• Password expire date back to 2011 from 2012  after assigned  a user profile

  Friends,
  I created a profile test as
  COMPOSITE_LIMIT UNLIMITED
  SESSIONS_PER_USER UNLIMITED
  CPU_PER_SESSION UNLIMITED
  CPU_PER_CALL UNLIMITED
  LOGICAL_READS_PER_SESSION UNLIMITED
  LOGICAL_READS_PER_CALL UNLIMITED
  IDLE_TIME 60
  CONNECT_TIME UNLIMITED
  PRIVATE_SGA UNLIMITED
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LIFE_TIME 120
  PASSWORD_REUSE_TIME           60
  PASSWORD_REUSE_MAX           30
  PASSWORD_VERIFY_FUNCTION NULL
  PASSWORD_LOCK_TIME 1
  PASSWORD_GRACE_TIME 7;
  the user default profile default PASSWORD_LIFE_TIME is 180 and password expired date is 1/7/2012. the test account was created in 7/11/2011.
  Now I assign test user to test profile successfully.
  However. expire date becomes 11/8/2011 1 from 1/7/2012 by select dba_users
  which wrong is in my profile or somewhere?
  As I think, the account password expired should be start after assigned new profile with PASSWORD_LIFE_TIME. but is seems expire date is start from original account created date.
  Thanks
  newdba
  Edited by: Oradb on May 24, 2012 1:56 PM

  I would think the expire time would be based on the last password change time which Oracle stores in the rdbms base table for user information (user$). Find a second user, alter the password, check the expire date, then assign the user to the new profile, re-check the expiration date. Post back. Behavior may vary between releases so include full Oracle version of test.
  HTH -- Mark D Powell --

• Query on new Authorization Objects after Upgrade&SAP_NEW profile

  Dear Experts,
  We have upgraded our system from 4.5 to 7.0 version,  i  was checking what are the new authorization Objects  introduced after upgrade comparing older system ojects.  I got few objects which are new in upgraded system,
  But when i check SAP_NEW profile,   and in the latest profile SAP_NEW_7000 profile i can not see all those new Ojects which are new.
  generally SAP_NEW should contain all new objects which come after upgrade?  i can see those in SAP_ALL  but not in SAP_NEW
  is there any issue  in system?  how should I know and where should i check what are the new Objects come in upgrade,
  Please advise.
  Thanks#Regards,
  Vijay

  Hi Jurjen Heeck ,
  see my previous post
  I did 'nt get this.
  SAP_NEW is your friend here
  does the SAP_NEW profile contains all the new authorization Objects.
  Regards,
  Anthony

• FM that retrieve the inner authorization object BBP_ROLE using user's role

  Hi Experts!
  Do you know what Function Module can be use to retreive the inner authorization object BBP_ROLE using the user's role
  e.g. BUYER : YT:PU:XXXX:BUYERROLE
  Object       : BBP_ROLE      SRM: User function / Role
  field name : BBP_ROLE      SRM: User function / Role
  Activities
  Sel      Activity      Text
  x       EMP             Employee
  x       OPP             Operational Purchaser
  ......etc
  Thanks!

  Hi
  Execute Txn S_BCE_68001414 in debug mode, and figure out how system takes the inner authorizations through the flow of this program
  Regards
  Virender Singh

• Authorization Objects assigned to a TCode

  Hi,
  Can you please tell me how do I know which all AUTHORIZATION OBJECTS are assigned to a T-Code.
  Thanks in advance,
  Ishaq.

  hi,
      check the T-codes SU24 and SU25
  sudheer.A

• Authorization object P_ASRCONT

  Hi Experts,
  I want to assign authorization object P_ASRCONT to one user. Also I need to check the particular user has this authorization object P_ASRCONT or not.
  Can anybody help me on this?
  Thanks,
  Helps will be appreciated.

  Hi,
  Procedure for checking authorization object assigned to user:-
  T-code: SUIM --> roles -->roles by authrorization object
  Enter authorization object --> Execute
  Double click on roles --> Click on user
  Regards
  Sudheer

• Updating users profile when infoobject marked as authorization relevant

  Hi All,
  Consider a scenario where there are some projects in which perticuler infoobject is not authorization relevant but in some upcomming project the same infoobject needs to be authorization relevant.but when i marked this infoobject as authorization relevant then i need to manually insert this new authorization infoobject in each user profile. If there are more than 200 users available then it is not very good idea to include this infoobject in each profile manually. Is there any other way through which we can insert this infoobject in all user profile automatically.
  Regards,
  Deepak

  Hi again.
  Go to transaction se38 and create a program with the name ZCHANGE_APPEND_AUT.
  Insert the following code:
  REPORT  ZCHANGE_APPEND_AUT                             .
  TABLES RSECVAL.
  DATA: T_RSECVAL TYPE RSECVAL OCCURS 0 WITH HEADER LINE,
        T_RANGE TYPE RSEC_S_AUTH_VALUES_RANGE.
  SELECT-OPTIONS: ZAUT    FOR RSECVAL-TCTAUTH NO INTERVALS.
  PARAMETERS:     ZOBJN   LIKE RSECVAL-TCTIOBJNM DEFAULT '0TCAIPROV'.
  SELECT-OPTIONS: ZVALUES FOR RSECVAL-TCTLOW NO INTERVALS.
  LOOP AT ZAUT.
     LOOP AT ZVALUES.
        T_RANGE-IOBJNM = ZOBJN.
        T_RANGE-SIGN = 'I'.
        T_RANGE-OPT = 'EQ'.
        T_RANGE-LOW = ZVALUES-LOW.
        CALL FUNCTION 'RSEC_INSERT_FLAT_AUTH'
           EXPORTING
              I_AUTH = ZAUT-low
              I_RANGE = T_RANGE.
         CLEAR T_RANGE.
      ENDLOOP.
  ENDLOOP.
  Activate the program.
  Now when you run this program you'll be prompted for 3 parameters.
  The first is a list of Analysis Authorizations names that you wish to change.
  The second is the name of the InfoObject you want to insert to those authorizations, by default is 0TCAIPROV but you can change it to whatever you want
  The third is a list of values that will be inserted for those InfoObject.
  Therefore imagine that for authorization ZZZA, ZZZB and ZZZC you want to insert the object 0CUSTOMER with the values xpto, yyyy, and wwww.
  You would in this case run the program with the following parameters:
  AUT:
  ZZZA
  ZZZB
  ZZZC
  OBJN:
  0CUSTOMER
  VALUES:
  xpto
  yyyy
  wwww
  Please assign points,
  Diogo.

• Mandatory Authorization object for the BO user

  Dear All
  I am facing some problem for the BO user.
  can you let me know what are mandatory Authorization object for BO user to run the dashboard without error.
  Fast reply appreciate.
  Thanks
  Haji

  Dear All
  i am working for Analysis Authorization.
  i included Analysis Authorisation object  to the user.
  S_RS_AUTH  BI Analysis Authorizations in Role.
  when i checked in the BW side its working fine.
  when i checked the user in the BO side.
  filter values are coming correct, but the values in the column are not showing.
  its throwing an error.
  kindly help me to solve this issue.
  Thanks
  Haji

• Authorization Assigned to User

  Hi,
  According to error message, I can't forward incident to SAP as a processor because of lack of authorization.
  Right now, I'm having an issue regarding authorization assigned to each user.
  I log on as my own ID and password and try to assign authorization.
  There's no more authorization being assigned under user ID I'd like to assign.
  I've done with the existing authorization and mark all I can assign.
  Can anyone give me a favor for this issue?
  Thanks

  Hi George,
  All related information for the above can be found here:
  https://websmp104.sap-ag.de/instguides
   > SAP Components
   > SAP Solution Manager
   > Release 7.1
   > 4. Operations
  > choose your SP level for
  Security Guide SAP Solution Manager 7.1.
  Regards,
  Ruth

• Link users - positions - roles - authorization objects

  Hi guys,
  I want to write a report that would link USERS to POSITIONS to ROLES and finally to AUTHORIZATION OBJECTS. The user would enter the SAP username in the selection screen and the report should extract all the information listed above.
  I am able to link the following:
  + Users to positions via function module RH_BRANCH_GET
  + Users to roles via table AGR_USERS
  + Roles to authorization objects via function module PRGN_1251_READ_FIELD_VALUES
  Unfortunately, I dont know how to link positions to roles
  Does anyone know how to do that?
  Also, is there a more efficient way, than the approach highlighted above, to complete this requirement
  Thanks for your time
  -TR

  Hi,
  you can find a link between role and HR object in table HRP1001. The field SOBID contains name of the role. You need to find way how to convert object ID into position role. Be careful about additional fields from that table.
  Cheers

• What is authorization object and how to create it for a table

  Hi All,
  What is authorization object and how to create it for a table?
  Thanks

  Hi
  Authorization
  For authorization checks, there are many ways of linking authorization objects with user actions in an SAP system. The following discusses three possibilities in the context of ABAP programming.
  Authorization Check for Transactions
  You can directly link authorization objects with transaction codes. You can enter values for the fields of an authorization object in the transaction maintenance. Before the transaction is executed, the system compares these values with the values in the user master record and only starts the transaction if the appropriate authorization exists.
  Authorization Check for ABAP Programs
  For ABAP programs, the two objects S_DEVELOP (program development and program execution) and S_PROGRAM (program maintenance) exist. They contains a field P_GROUP that is connected with the program attribute authorization group. Thus, you can assign users program-specific authorizations for individual ABAP programs.
  Authorization Check in ABAP Programs
  A more sophisticated, user-programmed authorization check is possible using the Authority-Check statement. It allows you to check the entries in the user master record for specific authorization objects against any other values. Therefore, if a transaction or program is not sufficiently protected or not every user that is authorized to use the program can also execute all the actions, this statement must be used.
  AUTHORITY-CHECK OBJECT object
                          ID name1 FIELD f1
                          ID name2 FIELD f2
                          ID namen FIELD fn.
  object is the name of an authorization object. With name1, name2 ... , and so on, you must list all fields of the authorization object object. With  f1, f2 ... , and so on, you must specify the values that the system is to check against the entries in the relevant authorization of the user master record. The AUTHORITY-CHECK statement searches for the specified object in the user profile and checks the useru2019s authorizations for all values of f1, f2 ... . You can avoid checking a field name1, name2 ... by replacing FIELD f1  FIELD f2 with DUMMY.
  After the FIELD addition, you can only specify an elementary field, not a selection table. However, there are function modules available that execute the AUTHORITY-CHECK statement for all values of selection tables. The AUTHORITY-CHECK statement is supported by a statement pattern.
  Only if the user has all authorizations, is the return value sy-subrc of the AUTHORITY-CHECK statement set to 0. The most important return values are:
  ·        0: The user has an authorization for all specified values.
  ·        4: The user does not have the authorization.
  ·        8: The number of specified fields is incorrect.
  ·        12: The specified authorization object does not exist.
  A list of all possible return values is available in the ABAP keyword documentation. The content of sy-subrc has to be closely examined to ascertain the result of the authorization check and react accordingly.
  REPORT demo_authorithy_check.
  PARAMETERS pa_carr LIKE sflight-carrid.
  DATA wa_flights LIKE demo_focc.
  AT SELECTION-SCREEN.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
                    ID 'CARRID' FIELD pa_carr
                    ID 'ACTVT' FIELD '03'.
    IF sy-subrc = 4.
      MESSAGE e045(sabapdocu) WITH pa_carr.
    ELSEIF sy-subrc <> 0.
      MESSAGE e184(sabapdocu) WITH text-010.
    ENDIF.
  START-OF-SELECTION.
    SELECT  carrid connid fldate seatsmax seatsocc
      FROM  sflight
      INTO  CORRESPONDING FIELDS OF wa_flights
      WHERE carrid = pa_carr.
      WRITE: / wa_flights-carrid,
               wa_flights-connid,
               wa_flights-fldate,
               wa_flights-seatsmax,
               wa_flights-seatsocc.
    ENDSELECT.
  Regards
  Hitesh