Authorization object assignment on USERS
Hi,
i have to maintain authorization objects in transaction types and users in our company, such that the executives (management of all org. units) of the company are able to see all the transactions including activities within the whole company.
on the other hand the employees (<b>not executives</b>, belonging to a specific org unit) should be able to see ONLY the transactions belonging to his org. unit
useful info is avlbl at: http://help.sap.com/saphelp_crm50/helpdata/en/26/99973915e69238e10000000a11402f/frameset.htm
but where and how are these authorization objects assigned?
Kindly help, thnx, all answers appreciated.
Jacob.
hi Jacob,
Look at <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/81/0e0f61b566dc44bbb4055b3ccd25be/frameset.htm">Identity Management</a> maybe it helps you.
Regards.
Manuel
Similar Messages
-
Authorization object assigning to user profile
Hi all,
Wht are the steps involved in assigning authorization object S_GUI with activity 60 (S_GUI ACTVT=60) to the users profile.
Thanksyou can assign authorization profile to user through Role..
goto PFCG, either create a new role or change an existing role(which the user has)
go to authorization tab, change authorization, click manually button,
add S_GUI and then click on values, select 60.. save the role, generate it..
if it is new role that you have created, then go to SU01 - roles, add it.. save user.. -
Authorization Object assigned to an User
Hi
I am working on a development where I have to identify value of authorization object assigned to an user. This user will be assigned to org plan, to which a business role will be assigned.
Is there any standard FM or table linkage logic that I can use?
I have found FM SUSR_USER_AUTH_FOR_OBJ_GET but it seems that it is relevant from GUI perspective.
Thanks & Regards
HMHi,
Please use transaction code SU56, switch to the user in question.
You can see all objects or the required object and assignment of values to the user.
Regards,
Gowrinadh -
Authorization objects to avoid users to access workbook design mode
Hi all,
Does anyone knows an authorization object that stops the user to enter workbooks design mode?
We use workbook protection but this disables most of the workbook properties.
Many thanks,
MazzzHi..
see this thread.. hope it helps..
How to prevent workbook users from saving workbooks
You must set up security to control who can save workbooks, where they can be saved, and which workbooks appear in the BEx Browser for a specific user.
Workbooks can also be created in the BEx Analyzer. After executing a query, choose Save u2192 Save as new workbook.
Securing Workbooks
In order to save a workbook, a user needs two authorization objects. The two objects listed below are the minimum authorizations a user needs to save workbooks.
S_GUI: Authorization for GUI activities
S_BDS_DS: Authorizations for document set
Using both S_GUI and S_BDS_DS will enable a user to save workbooks to their Favorites folder.
The authorization object S_GUI has one field, Activity. The activity field must be set to 60. For S_BDS_DS, the user needs activities 03 and 30. The Class Type field should be set to OT.
Saving Workbooks to Roles
If a user wants to save aworkbook to a location where it can be easily accessed by others, they need to save to a Role rather than saving the workbook in their own Favorites folder. Saving to a Role means saving to a security role.
You may want to set up roles specifically for saving workbooks. You can then assign the role to all parties who need to share workbooks.
Another option is to not allow users to save workbooks, but rather only allow power users to save workbooks. This is done to maintain the roles and to ensure that the workbooks are manageable. This also prevents users from changing workbooks saved by other users.
In order to save workbooks to roles, a user needs:
S_USER_AGR: Authorizations: Role check
S_USER_TCD: Transactions in roles
The authorization object S_USER_AGR has two fields:
Activity and Role Name.
Activity field -Must have at least values 01, 02 and If the user can delete workbooks, they will also need value 06.
Role Name, you should enter the specific roles you have created for saving
workbooks. Use proper naming convention for roles so that the roles can be restricted pretty easily. The role name is the name of a role that will be used to hold workbooks. Saving a workbook to a role actually updates the Menu portion of a role, so object S_USER_AGR is a required object.
Authorization object S_USER_TCD has one field
Transaction Code. The user needs value RRMX in this field.
Once a workbooks is saved, the data and the layout is saved in the workbook. For security reasons, we recommend that users save workbooks without the data. To save the workbook without the data, the users selects from following menu path from the BEx Analyzer: Tools > All queries in Workbooks > Delete results
Sathya
Edited by: sathya prasad anumolu on Jul 30, 2008 4:58 PM -
FM that retrieve the inner authorization object BBP_ROLE using user's role
Hi Experts!
Do you know what Function Module can be use to retreive the inner authorization object BBP_ROLE using the user's role
e.g. BUYER : YT:PU:XXXX:BUYERROLE
Object : BBP_ROLE SRM: User function / Role
field name : BBP_ROLE SRM: User function / Role
Activities
Sel Activity Text
x EMP Employee
x OPP Operational Purchaser
......etc
Thanks!Hi
Execute Txn S_BCE_68001414 in debug mode, and figure out how system takes the inner authorizations through the flow of this program
Regards
Virender Singh -
Authorization Objects assigned to a TCode
Hi,
Can you please tell me how do I know which all AUTHORIZATION OBJECTS are assigned to a T-Code.
Thanks in advance,
Ishaq.hi,
check the T-codes SU24 and SU25
sudheer.A -
Authorization object P_ASRCONT
Hi Experts,
I want to assign authorization object P_ASRCONT to one user. Also I need to check the particular user has this authorization object P_ASRCONT or not.
Can anybody help me on this?
Thanks,
Helps will be appreciated.Hi,
Procedure for checking authorization object assigned to user:-
T-code: SUIM --> roles -->roles by authrorization object
Enter authorization object --> Execute
Double click on roles --> Click on user
Regards
Sudheer -
Mandatory Authorization object for the BO user
Dear All
I am facing some problem for the BO user.
can you let me know what are mandatory Authorization object for BO user to run the dashboard without error.
Fast reply appreciate.
Thanks
HajiDear All
i am working for Analysis Authorization.
i included Analysis Authorisation object to the user.
S_RS_AUTH BI Analysis Authorizations in Role.
when i checked in the BW side its working fine.
when i checked the user in the BO side.
filter values are coming correct, but the values in the column are not showing.
its throwing an error.
kindly help me to solve this issue.
Thanks
Haji -
Authorization Assigned to User
Hi,
According to error message, I can't forward incident to SAP as a processor because of lack of authorization.
Right now, I'm having an issue regarding authorization assigned to each user.
I log on as my own ID and password and try to assign authorization.
There's no more authorization being assigned under user ID I'd like to assign.
I've done with the existing authorization and mark all I can assign.
Can anyone give me a favor for this issue?
ThanksHi George,
All related information for the above can be found here:
https://websmp104.sap-ag.de/instguides
> SAP Components
> SAP Solution Manager
> Release 7.1
> 4. Operations
> choose your SP level for
Security Guide SAP Solution Manager 7.1.
Regards,
Ruth -
Link users - positions - roles - authorization objects
Hi guys,
I want to write a report that would link USERS to POSITIONS to ROLES and finally to AUTHORIZATION OBJECTS. The user would enter the SAP username in the selection screen and the report should extract all the information listed above.
I am able to link the following:
+ Users to positions via function module RH_BRANCH_GET
+ Users to roles via table AGR_USERS
+ Roles to authorization objects via function module PRGN_1251_READ_FIELD_VALUES
Unfortunately, I dont know how to link positions to roles
Does anyone know how to do that?
Also, is there a more efficient way, than the approach highlighted above, to complete this requirement
Thanks for your time
-TRHi,
you can find a link between role and HR object in table HRP1001. The field SOBID contains name of the role. You need to find way how to convert object ID into position role. Be careful about additional fields from that table.
Cheers -
Analysis Authorization Object not working
Hi Gurus,
I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
I have followed the below steps but still the report shows all data instead of restricted one.
1)RSECADMIN -> Maintenance ->zz_div ->Create
2) Add 0DIVISION in Auth structure , and in details
I EQ 32
I EQ 33
3) Add 0TCAIPROV with I EQ 0SD_C03
4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID, this having details as
I CP *
5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
Following are the authorization object in that user's Role (Reporting Only)
S_RFC
S_TCODE
S_GUI
S_BDS_D
S_BDS_DS
S_OC_SEND
S_RS_AUTH - only having zz_div
S_RS_COMP
S_RS_COMP1
S_RS_ICUBE
S_RS_RSTT
S_RS_TOOLS
S_RS_PARAM
I have surfed lots of thread for this issue but not getting a solution
Tell me what i m missing in above or any additional setting need before creating analysis authorization
Edited by: Sonal Patel on Apr 18, 2009 8:10 AMHi
Thanks a Ton for ur reply
I have checked in SPRO : Analysis Authorization
where the authorization mode is " OLD obsolete Concept With RSR Authorization Objects "
We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
Thanks
Sonal.... -
How i know Authorization object in system?
Hi all,
i create new BAdi with Enhancement Spot: ZWORKORDER_GOODSMVT (copy WORKORDER_GOODSMVT in standard SAP)
now i have Badi definition: ZWORKORDER_GOODSMVT
with Interface: ZIF_EX_WORKORDER_GOODSMVT
all ok.
now how i can see authorization object in Badi definition: WORKORDER_GOODSMVT (standard)? i already creat Authorization object but now i don't know what field and choose in maintain the authorization (from Badi definition: WORKORDER_GOODSMVT )
ex: 1. in package BSFC have interface IF_EX_BSFC_POLICY and method GET_POLICY
2. Authorzation object: B_BSFC (have field name: BSFC_APPL and ACTVT in maintain the authorzation)
because i get this and solve in my job.
when i activate the BAdI function called WORKORDER_GOODSMVT and assign to the a.m. authorization object???
Processing Logic:
The backflush errors are created after the execution of backflushing transaction in Repetitive Manufacturing (REM) t-code MF42N or MFBF
If during the backflush execution the components are not available in the respective production storage location then system by default will create backflush errors
Backflush errors will need to be cleared everyday and must be cleared before end month stock take
Backflush errors can be processed using the following t-code:
o MF45 Individual
o MF46 Collective
o MF47 Post processing List
o COGI Post processing Individual Components
Authorization will be applied only for COGI, while others will not be used in PSECI
Create new authorization object called Z_PP_COGI to be assigned later to the user id
Activate the BAdI function called WORKORDER_GOODSMVT and assign to the a.m. authorization object
For unauthorized users, an errors message will appear if they try to delete the backflush errors in COGI transaction as follows:
o You are not authorized to change/ delete the backflush errors! Please contact your superior!
Thanks so much all, ......Hi Nguyen,
Check the following links:
http://help.sap.com/saphelp_erp2004/helpdata/en/b8/bdb83b5b831f3be10000000a114084/content.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/52/6714a9439b11d1896f0000e8322d00/content.htm
Regards,
Rajesh K Soman
<b>Please reward points if found helpful.</b> -
How to add authorization field to a standard authorization object
Hi All,
I'm trying to limit user to can only create & change X type of order type in PM module. This can be fullfill by creating suer with assigned role with only allow X type of order type.
But when I assigned a display role which has authorization to display all order type (maintained as authorization object), now my user can create and change all order type.
How to limit user to can only create & change X order type and only display the rest of order type?
I assume by adding authorization field: AUFART(order type) in authorization object: I_TCODE will solve the problem, is it right? and is it possible to do that?
regards,
AndreHi,
your assumption is incorrect. First of all, adding a new field to standard authorization object is a bad idea. You would have to modify all checks for that object. For standard SAP object it means that you would have to modify many SAP programs.
The authorization object I_TCODE is checked in PM transactions. It gives you authorization to run that transactions. That object can't be used to limit what you do in that transaction or what order type you can process. You are looking for some other authorization object(s). You need to go to SU24 which gives you what authorization objects are checked in particular transaction. It does not have to cover all objects but it's a good starting point.
Cheers -
0Orgunit(hierarchy) and authorization object display getcell error in Webi
Hello,
We are facing with GetCellData error in WebI to SAP BEx Query.
This works perfectly fine in Bex for a particular test user who has access to particular org unit value.
But in Webi we are getting this Getcelldata error.
Tried all the options and message as recommended in sdn group.
mdxtest returns no value.
looked at all below messages but no luck.
GetCellData error in WebI to SAP BEx Query
Re: SAP BO WebI Report on top of BI Bex Query with Authorization Variable
in the rsecadmin, we get the same error like mentioned in below message
Hierarchy Authorization doesn't work for MDX but works for BEx Query.
Is any authorization required for this user to execute and view the authorized values in Webi?
or we have to assign any authorization ?(0BI_ALL is not assigned).
Please find below screenshots of BEx query auth log or Webi auth log (differences)
Bex auth log:
The Following Attributes Are Authorized and Thus Are Visible
0BBPPURGRPX
0BBPPURORGX
0BBP_BUYID
0BBP_ISCOMP
0BUS_AREA
0COMP_CODE
0CO_MST_AR
0CRMSALGRPX
0CRMSALOFFX
0CRMSALORGX
0CRMSRVTGRP
0CRM_SALGRP
0CRM_SALOFF
0CRM_SALORG
0CRM_SRVORG
0LEAVERS
0LOGSYS
0MAST_CCTR
0PERS_AREA
0PERS_SAREA
0PLANT
0PURCH_ORG
0PUR_GROUP
0SALESORG
0SALES_GRP
0SALES_OFF
This above log is missing for mdxtest auth log.
Is this the issue?
Any quick reponse or help really appreciated.
Regards,
Ravi
Edited by: Ravi Gadicherla on Feb 28, 2010 5:36 PMHi,
Here is the log of MDXtest:
Buffering the Authorization Data
Buffering for InfoProvider 0PA_C01 and Users HRTEST93
InfoObject Properties Defined
Reading of Directly Assigned Authorizations
Direct Assignment Does Not Include Universal Authorization 0BI_ALL
Reading the Indirect Assignments with Authorization Object S_RS_AUTH
Does user have OBI_ALL?
No, the User Does Not Have Universal Authorizion 0BI_ALL
Negative Entry in SU53 Result of Failed Check for 0BI_ALL
Indirect assignments found; no universal authorization
Regards,
Ravikanth -
MSS Authorizations to the ABAP User: Note 844639
Hi Experts,
I am implementing MSS 1.0 on mySAP ERP05 and I need information on MSS Athorizations to be assigned to the backend MSS users.
I have got a note 844639 but I have the following questions:
1. Do I have to implement note 785345 as a prerequisite? I have upgraded from 4.6c to ECC6. Do I still require to implement this note?
2. There are so many WD applications based services for MSS. Do I have to get a list of each Authorization Object assigned to all the services and then consolidate it under one single ZMSS role in PFCG?
3. What about the default values of the sub objects of all Authorization Objects?
4. Similar to the ESS composite role SAP_EMPLOYEE_ERP with all the necessary authorizations, dont we have a standard MSS composite role which we can activate directly?
I would really apreciate some help on this.
Regards,
ShobhitHi Walter,
I am putting across my questions again regarding Note 844639:
1. There are so many WD applications based services for MSS. Do I have to get a list of each Authorization Object assigned to all the services and then consolidate it under one single ZMSS role in PFCG?
2. What about the default values of the sub objects of all Authorization Objects?
3. Similar to the ESS composite role SAP_EMPLOYEE_ERP with all the necessary authorizations, dont we have a standard MSS composite role which we can activate directly?
Appreciate any help on the matter.
Thanks,
Shobhit
Maybe you are looking for
-
Error while saving dynamic row values of datagrid with record.
hi friends, i am trying to add dynamic row in datagrid and save that value with record.i succeeded in first part while i am saving the record the error show like this. errro:Property fromAmount not found on com.ci.view.Task and there is no default va
-
Smart Playlists not updating after iTunes upgrade
Since updating to iTunes 7.5.0.20, my iPod Photo no longer updates my Smart Playlists automatically Any reasons, fixes, suggestions?
-
Can someone explain to me why two grounding studs on this device as per Figure 2.2 of http://www.cisco.com/en/US/docs/wireless/access_point/1300/installation/guide/1300hig_book.pdf Thanks, Mark
-
I moved to another country and would like to change the billing country for the credit card. It doesn't allow me to switch the country only street etc.. Do I have to create a new account separately for a new country?
-
Error on Receiver Mail Adapter (SMTP)
Hi All, I'm going to exchange message within mail to mail scenario like synchronous one. Sender Mail Adapter is running well, it can take any email in inbox. but when I want to send the email back to the sender, the receiver adapter doesn't work. her