Authorization object assigning to user profile
Hi all,
Wht are the steps involved in assigning authorization object S_GUI with activity 60 (S_GUI ACTVT=60) to the users profile.
Thanks
you can assign authorization profile to user through Role..
goto PFCG, either create a new role or change an existing role(which the user has)
go to authorization tab, change authorization, click manually button,
add S_GUI and then click on values, select 60.. save the role, generate it..
if it is new role that you have created, then go to SU01 - roles, add it.. save user..
Similar Messages
-
Authorization object assignment on USERS
Hi,
i have to maintain authorization objects in transaction types and users in our company, such that the executives (management of all org. units) of the company are able to see all the transactions including activities within the whole company.
on the other hand the employees (<b>not executives</b>, belonging to a specific org unit) should be able to see ONLY the transactions belonging to his org. unit
useful info is avlbl at: http://help.sap.com/saphelp_crm50/helpdata/en/26/99973915e69238e10000000a11402f/frameset.htm
but where and how are these authorization objects assigned?
Kindly help, thnx, all answers appreciated.
Jacob.hi Jacob,
Look at <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/81/0e0f61b566dc44bbb4055b3ccd25be/frameset.htm">Identity Management</a> maybe it helps you.
Regards.
Manuel -
Authorization Object assigned to an User
Hi
I am working on a development where I have to identify value of authorization object assigned to an user. This user will be assigned to org plan, to which a business role will be assigned.
Is there any standard FM or table linkage logic that I can use?
I have found FM SUSR_USER_AUTH_FOR_OBJ_GET but it seems that it is relevant from GUI perspective.
Thanks & Regards
HMHi,
Please use transaction code SU56, switch to the user in question.
You can see all objects or the required object and assignment of values to the user.
Regards,
Gowrinadh -
Authorization key for the user profile
In SAP, there is a provision where we can create the authorization key and assign this key to the various user statuses in the user status profile.
The application is that when the user status is changed from one to other and if to the user status, the authorisation key is assigned then the authorised person should be only able to change the status.
But my query is that i have not come across any customization where a SAP user can be assigned to the auth. key so that he can only change the user status.
Can anybody let me know that whatever i understood, is it correct? And if yes, let me know where to assign the user to the authorisation key?
ThanksHi Iyer ,
Please see the below,if it solves your requirement
M/CS Autorisation Objects
SAP Standard Authorisation Objects:
I_ALM_ME: Mobile Asset Management (ACTVT)
I_AUART: Order Type (IWERK, AUFART)
I_BEGRP: Authorization Group (TCD, BEGRP)
I_BETRVORG: Business Operation (BETRVORG)
I_CCM_ACT: Configuration Control authorization object (CCACT, ACTVT)
I_CCM_STRC: Structure gap maintenance authority (ACTVT)
I_ILOA: Change location and accounting data in order (IWERK, AUFART)
I_INGRP: Maintenance Planner Group (TCD, IWERK, INGRP)
I_IWERK: Maintenance Planning Plant (TCD, IWERK)
I_KOSTL: Cost Centres (TCD, KOKRS, KOSTL)
I_QMEL: Notification Types (TCD, QMART)
I_ROUT: Task List (ACTVT)
I_ROUT1: Task Lists by PM Planning Plant, Work Sched., Status (TCD, IWERK, VAGRP, STATU)
I_SOGEN: Permit (SWERK, PMSOG)
I_SWERK: Maintenance Plant (TCD, SWERK)
I_TCODE: Transaction Code (TCD)
I_VORG_MEL: Business Operation for Notifications (QMART, BETRVORG)
I_VORG_MP: Business Operation for Maintenance Planning (MPTYP, BETRVORG)
I_VORG_ORD: Business Operation for Orders (AUFART, BETRVORG)
I_WPS_MEB: Maintenance Event Builder (DIWPSMEBAR)
I_WPS_REV: Revision authorization object (REVTY, ARBPL, WERKS, WPS_REV_AC)
S_NUMBER: Number Range Maintenance (NROBJ, ACTVT)
C_TCLA_BKA: Authorization for Class Types (KLART)
*Authorisation Tables:*
TOBJ: Authorisation objects
TOBJT: Authorisation object texts
AGR_1250: Authorisation object assigned to role
AGR_USERS: Users assigned to a role
AGR_TCODES: Assignment of roles to Tcodes
Authorisation Objects for System-Statuses:
Order: I_VORG_ORD (AUFART, BETRVORG)
(REL = BFRE, TECO = BTAB, delete component = RMKL)
Notification: I_VORG_MEL (QMART, BETRVORG (NOPR = PMM2, NOCO = PMM4))
Maint. plan: I_VORG_MP (MPTYP, BETRVORG)
User-Exits:
CPAU0001: Enhancement for Authorization Check in Task Lists
IMRC0005: Measure point: Exit in AUTHORITY_CHECK_IMPT
IWOC0003: PM/SM authorization check of ref. object and planner group
QQMA0026: PM/SM: Auth. check when accessing notification transaction
QQMA0030: Check validity of status change
BADIs:
DIP_SET_USERSETTINGS: Initial Object Check in DP Processor
INST_AUTHORITY_CHECK: PM/CS Enhanced Authorization Checks
IWO1_ORDER_BADI: Maintenance, Service, and Refurbishment Order
NOTIF_AUTHORITY_01: Additional Authorization Checks for the Notification
WORKORDER_GOODSMVT: PM/PP/PS/PI orders: auto. goods movement
Authorisation Groups:
These can be created via TCode SM30 and table T370B. They can then be assigned to the following objects:
a. Equipment (IE02)
b. Functional Locations (IL02)
c. Maintenance plans (IP02)
d. Entry List for Measurement Documents (IK32)
e. Object links (IN05, IN08)
f. User-statuses
Authorisation Debugging:
TCode SU53: Evaluate Authorization Check -
Authorization objects to avoid users to access workbook design mode
Hi all,
Does anyone knows an authorization object that stops the user to enter workbooks design mode?
We use workbook protection but this disables most of the workbook properties.
Many thanks,
MazzzHi..
see this thread.. hope it helps..
How to prevent workbook users from saving workbooks
You must set up security to control who can save workbooks, where they can be saved, and which workbooks appear in the BEx Browser for a specific user.
Workbooks can also be created in the BEx Analyzer. After executing a query, choose Save u2192 Save as new workbook.
Securing Workbooks
In order to save a workbook, a user needs two authorization objects. The two objects listed below are the minimum authorizations a user needs to save workbooks.
S_GUI: Authorization for GUI activities
S_BDS_DS: Authorizations for document set
Using both S_GUI and S_BDS_DS will enable a user to save workbooks to their Favorites folder.
The authorization object S_GUI has one field, Activity. The activity field must be set to 60. For S_BDS_DS, the user needs activities 03 and 30. The Class Type field should be set to OT.
Saving Workbooks to Roles
If a user wants to save aworkbook to a location where it can be easily accessed by others, they need to save to a Role rather than saving the workbook in their own Favorites folder. Saving to a Role means saving to a security role.
You may want to set up roles specifically for saving workbooks. You can then assign the role to all parties who need to share workbooks.
Another option is to not allow users to save workbooks, but rather only allow power users to save workbooks. This is done to maintain the roles and to ensure that the workbooks are manageable. This also prevents users from changing workbooks saved by other users.
In order to save workbooks to roles, a user needs:
S_USER_AGR: Authorizations: Role check
S_USER_TCD: Transactions in roles
The authorization object S_USER_AGR has two fields:
Activity and Role Name.
Activity field -Must have at least values 01, 02 and If the user can delete workbooks, they will also need value 06.
Role Name, you should enter the specific roles you have created for saving
workbooks. Use proper naming convention for roles so that the roles can be restricted pretty easily. The role name is the name of a role that will be used to hold workbooks. Saving a workbook to a role actually updates the Menu portion of a role, so object S_USER_AGR is a required object.
Authorization object S_USER_TCD has one field
Transaction Code. The user needs value RRMX in this field.
Once a workbooks is saved, the data and the layout is saved in the workbook. For security reasons, we recommend that users save workbooks without the data. To save the workbook without the data, the users selects from following menu path from the BEx Analyzer: Tools > All queries in Workbooks > Delete results
Sathya
Edited by: sathya prasad anumolu on Jul 30, 2008 4:58 PM -
Password expire date back to 2011 from 2012 after assigned a user profile
Friends,
I created a profile test as
COMPOSITE_LIMIT UNLIMITED
SESSIONS_PER_USER UNLIMITED
CPU_PER_SESSION UNLIMITED
CPU_PER_CALL UNLIMITED
LOGICAL_READS_PER_SESSION UNLIMITED
LOGICAL_READS_PER_CALL UNLIMITED
IDLE_TIME 60
CONNECT_TIME UNLIMITED
PRIVATE_SGA UNLIMITED
FAILED_LOGIN_ATTEMPTS 5
PASSWORD_LIFE_TIME 120
PASSWORD_REUSE_TIME 60
PASSWORD_REUSE_MAX 30
PASSWORD_VERIFY_FUNCTION NULL
PASSWORD_LOCK_TIME 1
PASSWORD_GRACE_TIME 7;
the user default profile default PASSWORD_LIFE_TIME is 180 and password expired date is 1/7/2012. the test account was created in 7/11/2011.
Now I assign test user to test profile successfully.
However. expire date becomes 11/8/2011 1 from 1/7/2012 by select dba_users
which wrong is in my profile or somewhere?
As I think, the account password expired should be start after assigned new profile with PASSWORD_LIFE_TIME. but is seems expire date is start from original account created date.
Thanks
newdba
Edited by: Oradb on May 24, 2012 1:56 PMI would think the expire time would be based on the last password change time which Oracle stores in the rdbms base table for user information (user$). Find a second user, alter the password, check the expire date, then assign the user to the new profile, re-check the expiration date. Post back. Behavior may vary between releases so include full Oracle version of test.
HTH -- Mark D Powell -- -
Query on new Authorization Objects after Upgrade&SAP_NEW profile
Dear Experts,
We have upgraded our system from 4.5 to 7.0 version, i was checking what are the new authorization Objects introduced after upgrade comparing older system ojects. I got few objects which are new in upgraded system,
But when i check SAP_NEW profile, and in the latest profile SAP_NEW_7000 profile i can not see all those new Ojects which are new.
generally SAP_NEW should contain all new objects which come after upgrade? i can see those in SAP_ALL but not in SAP_NEW
is there any issue in system? how should I know and where should i check what are the new Objects come in upgrade,
Please advise.
Thanks#Regards,
VijayHi Jurjen Heeck ,
see my previous post
I did 'nt get this.
SAP_NEW is your friend here
does the SAP_NEW profile contains all the new authorization Objects.
Regards,
Anthony -
FM that retrieve the inner authorization object BBP_ROLE using user's role
Hi Experts!
Do you know what Function Module can be use to retreive the inner authorization object BBP_ROLE using the user's role
e.g. BUYER : YT:PU:XXXX:BUYERROLE
Object : BBP_ROLE SRM: User function / Role
field name : BBP_ROLE SRM: User function / Role
Activities
Sel Activity Text
x EMP Employee
x OPP Operational Purchaser
......etc
Thanks!Hi
Execute Txn S_BCE_68001414 in debug mode, and figure out how system takes the inner authorizations through the flow of this program
Regards
Virender Singh -
Authorization Objects assigned to a TCode
Hi,
Can you please tell me how do I know which all AUTHORIZATION OBJECTS are assigned to a T-Code.
Thanks in advance,
Ishaq.hi,
check the T-codes SU24 and SU25
sudheer.A -
Authorization object P_ASRCONT
Hi Experts,
I want to assign authorization object P_ASRCONT to one user. Also I need to check the particular user has this authorization object P_ASRCONT or not.
Can anybody help me on this?
Thanks,
Helps will be appreciated.Hi,
Procedure for checking authorization object assigned to user:-
T-code: SUIM --> roles -->roles by authrorization object
Enter authorization object --> Execute
Double click on roles --> Click on user
Regards
Sudheer -
Updating users profile when infoobject marked as authorization relevant
Hi All,
Consider a scenario where there are some projects in which perticuler infoobject is not authorization relevant but in some upcomming project the same infoobject needs to be authorization relevant.but when i marked this infoobject as authorization relevant then i need to manually insert this new authorization infoobject in each user profile. If there are more than 200 users available then it is not very good idea to include this infoobject in each profile manually. Is there any other way through which we can insert this infoobject in all user profile automatically.
Regards,
DeepakHi again.
Go to transaction se38 and create a program with the name ZCHANGE_APPEND_AUT.
Insert the following code:
REPORT ZCHANGE_APPEND_AUT .
TABLES RSECVAL.
DATA: T_RSECVAL TYPE RSECVAL OCCURS 0 WITH HEADER LINE,
T_RANGE TYPE RSEC_S_AUTH_VALUES_RANGE.
SELECT-OPTIONS: ZAUT FOR RSECVAL-TCTAUTH NO INTERVALS.
PARAMETERS: ZOBJN LIKE RSECVAL-TCTIOBJNM DEFAULT '0TCAIPROV'.
SELECT-OPTIONS: ZVALUES FOR RSECVAL-TCTLOW NO INTERVALS.
LOOP AT ZAUT.
LOOP AT ZVALUES.
T_RANGE-IOBJNM = ZOBJN.
T_RANGE-SIGN = 'I'.
T_RANGE-OPT = 'EQ'.
T_RANGE-LOW = ZVALUES-LOW.
CALL FUNCTION 'RSEC_INSERT_FLAT_AUTH'
EXPORTING
I_AUTH = ZAUT-low
I_RANGE = T_RANGE.
CLEAR T_RANGE.
ENDLOOP.
ENDLOOP.
Activate the program.
Now when you run this program you'll be prompted for 3 parameters.
The first is a list of Analysis Authorizations names that you wish to change.
The second is the name of the InfoObject you want to insert to those authorizations, by default is 0TCAIPROV but you can change it to whatever you want
The third is a list of values that will be inserted for those InfoObject.
Therefore imagine that for authorization ZZZA, ZZZB and ZZZC you want to insert the object 0CUSTOMER with the values xpto, yyyy, and wwww.
You would in this case run the program with the following parameters:
AUT:
ZZZA
ZZZB
ZZZC
OBJN:
0CUSTOMER
VALUES:
xpto
yyyy
wwww
Please assign points,
Diogo. -
Mandatory Authorization object for the BO user
Dear All
I am facing some problem for the BO user.
can you let me know what are mandatory Authorization object for BO user to run the dashboard without error.
Fast reply appreciate.
Thanks
HajiDear All
i am working for Analysis Authorization.
i included Analysis Authorisation object to the user.
S_RS_AUTH BI Analysis Authorizations in Role.
when i checked in the BW side its working fine.
when i checked the user in the BO side.
filter values are coming correct, but the values in the column are not showing.
its throwing an error.
kindly help me to solve this issue.
Thanks
Haji -
Authorization Assigned to User
Hi,
According to error message, I can't forward incident to SAP as a processor because of lack of authorization.
Right now, I'm having an issue regarding authorization assigned to each user.
I log on as my own ID and password and try to assign authorization.
There's no more authorization being assigned under user ID I'd like to assign.
I've done with the existing authorization and mark all I can assign.
Can anyone give me a favor for this issue?
ThanksHi George,
All related information for the above can be found here:
https://websmp104.sap-ag.de/instguides
> SAP Components
> SAP Solution Manager
> Release 7.1
> 4. Operations
> choose your SP level for
Security Guide SAP Solution Manager 7.1.
Regards,
Ruth -
Link users - positions - roles - authorization objects
Hi guys,
I want to write a report that would link USERS to POSITIONS to ROLES and finally to AUTHORIZATION OBJECTS. The user would enter the SAP username in the selection screen and the report should extract all the information listed above.
I am able to link the following:
+ Users to positions via function module RH_BRANCH_GET
+ Users to roles via table AGR_USERS
+ Roles to authorization objects via function module PRGN_1251_READ_FIELD_VALUES
Unfortunately, I dont know how to link positions to roles
Does anyone know how to do that?
Also, is there a more efficient way, than the approach highlighted above, to complete this requirement
Thanks for your time
-TRHi,
you can find a link between role and HR object in table HRP1001. The field SOBID contains name of the role. You need to find way how to convert object ID into position role. Be careful about additional fields from that table.
Cheers -
What is authorization object and how to create it for a table
Hi All,
What is authorization object and how to create it for a table?
ThanksHi
Authorization
For authorization checks, there are many ways of linking authorization objects with user actions in an SAP system. The following discusses three possibilities in the context of ABAP programming.
Authorization Check for Transactions
You can directly link authorization objects with transaction codes. You can enter values for the fields of an authorization object in the transaction maintenance. Before the transaction is executed, the system compares these values with the values in the user master record and only starts the transaction if the appropriate authorization exists.
Authorization Check for ABAP Programs
For ABAP programs, the two objects S_DEVELOP (program development and program execution) and S_PROGRAM (program maintenance) exist. They contains a field P_GROUP that is connected with the program attribute authorization group. Thus, you can assign users program-specific authorizations for individual ABAP programs.
Authorization Check in ABAP Programs
A more sophisticated, user-programmed authorization check is possible using the Authority-Check statement. It allows you to check the entries in the user master record for specific authorization objects against any other values. Therefore, if a transaction or program is not sufficiently protected or not every user that is authorized to use the program can also execute all the actions, this statement must be used.
AUTHORITY-CHECK OBJECT object
ID name1 FIELD f1
ID name2 FIELD f2
ID namen FIELD fn.
object is the name of an authorization object. With name1, name2 ... , and so on, you must list all fields of the authorization object object. With f1, f2 ... , and so on, you must specify the values that the system is to check against the entries in the relevant authorization of the user master record. The AUTHORITY-CHECK statement searches for the specified object in the user profile and checks the useru2019s authorizations for all values of f1, f2 ... . You can avoid checking a field name1, name2 ... by replacing FIELD f1 FIELD f2 with DUMMY.
After the FIELD addition, you can only specify an elementary field, not a selection table. However, there are function modules available that execute the AUTHORITY-CHECK statement for all values of selection tables. The AUTHORITY-CHECK statement is supported by a statement pattern.
Only if the user has all authorizations, is the return value sy-subrc of the AUTHORITY-CHECK statement set to 0. The most important return values are:
· 0: The user has an authorization for all specified values.
· 4: The user does not have the authorization.
· 8: The number of specified fields is incorrect.
· 12: The specified authorization object does not exist.
A list of all possible return values is available in the ABAP keyword documentation. The content of sy-subrc has to be closely examined to ascertain the result of the authorization check and react accordingly.
REPORT demo_authorithy_check.
PARAMETERS pa_carr LIKE sflight-carrid.
DATA wa_flights LIKE demo_focc.
AT SELECTION-SCREEN.
AUTHORITY-CHECK OBJECT 'S_CARRID'
ID 'CARRID' FIELD pa_carr
ID 'ACTVT' FIELD '03'.
IF sy-subrc = 4.
MESSAGE e045(sabapdocu) WITH pa_carr.
ELSEIF sy-subrc <> 0.
MESSAGE e184(sabapdocu) WITH text-010.
ENDIF.
START-OF-SELECTION.
SELECT carrid connid fldate seatsmax seatsocc
FROM sflight
INTO CORRESPONDING FIELDS OF wa_flights
WHERE carrid = pa_carr.
WRITE: / wa_flights-carrid,
wa_flights-connid,
wa_flights-fldate,
wa_flights-seatsmax,
wa_flights-seatsocc.
ENDSELECT.
Regards
Hitesh
Maybe you are looking for
-
I was in the middle of working on a document when my laptop screen went white and then went black. The fan started getting really loud. The caps light would still work but I could not get the screen to come back on again. After shutting it down, now
-
Hi, i have one problem when i am coping from Model wage type i am getting one error in yellow msg,in table T539j&t539a like Wage type is not a key:please maintain manualy. Can U any body help me how should i maintain in that tables. Thanks in Advance
-
Error Message flashing on Screen of 7410 All in One
The screen on my officejet 7410 all in one printer fax is flashing the word error (Ox84714145e1) and the auto answer light is alternatingly flashing. We have done the obvious by unplugging everything and trying to reboot but it is frozen. Cannot tu
-
Can I share internet from a airport express via the ethernet port
I have a older airport express that I am trying to you to share the internet with a Marantz AV receiver. I used to be able to share the internet to a PS2 a few years back. I was able to set up another network parallel to my normal wireless network wi
-
After Effects plugins for FCP 6
Hi folks, I'm trying to install the plugins for AE 6.5 Pro into my nice new FCP 6 set up. When I fire up FCP, it rejects all the plugins and then shuts down. Any ideas? G5 Mac OS X (10.4.9) Running FCP Studio