Authorization object assignment on USERS

Hi,
i have to maintain authorization objects in transaction types and users in our company, such that the executives (management of all org. units) of the company are able to see all the transactions including activities within the whole company.
on the other hand the employees (<b>not executives</b>, belonging to a specific org unit) should be able to see ONLY the transactions belonging to his org. unit
useful info is avlbl at: http://help.sap.com/saphelp_crm50/helpdata/en/26/99973915e69238e10000000a11402f/frameset.htm
but where and how are these authorization objects assigned?
Kindly help, thnx, all answers appreciated.
Jacob.

hi Jacob,
Look at <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/81/0e0f61b566dc44bbb4055b3ccd25be/frameset.htm">Identity Management</a> maybe it helps you.
Regards.
Manuel

Similar Messages

  • Authorization object  assigning to user profile

    Hi all,
      Wht are the steps involved in assigning authorization object S_GUI with activity 60 (S_GUI ACTVT=60) to the users profile.
    Thanks

    you can assign authorization profile to user through Role..
    goto PFCG, either create a new role or change an existing role(which the user has)
    go to authorization tab, change authorization, click manually button,
    add S_GUI and then click on values, select 60.. save the role, generate it..
    if it is new role that you have created, then go to SU01 - roles, add it.. save user..

  • Authorization Object assigned to an User

    Hi
    I am working on a development where I have to identify value of authorization object assigned to an user. This user will be assigned to org plan, to which a business role will be assigned.
    Is there any standard FM or table linkage logic that I can use?
    I have found FM SUSR_USER_AUTH_FOR_OBJ_GET but it seems that it is relevant from GUI perspective.
    Thanks & Regards
    HM

    Hi,
    Please use transaction code SU56, switch to the user in question.
    You can see all objects or the required object and assignment of values to the user.
    Regards,
    Gowrinadh

  • Authorization objects to avoid users to access workbook design mode

    Hi all,
    Does anyone knows an authorization object that stops the user to enter workbooks design mode?
    We use workbook protection but this disables most of the workbook properties.
    Many thanks,
    Mazzz

    Hi..
    see this thread.. hope it helps..
    How to prevent workbook users from saving workbooks
    You must set up security to control who can save workbooks, where they can be saved, and which workbooks appear in the BEx Browser for a specific user.
    Workbooks can also be created in the BEx Analyzer. After executing a query, choose Save u2192 Save as new workbook.
    Securing Workbooks
    In order to save a workbook, a user needs two authorization objects. The two objects listed below are the minimum authorizations a user needs to save workbooks.
    S_GUI: Authorization for GUI activities
    S_BDS_DS: Authorizations for document set
    Using both S_GUI and S_BDS_DS will enable a user to save workbooks to their Favorites folder.
    The authorization object S_GUI has one field, Activity. The activity field must be set to 60. For S_BDS_DS, the user needs activities 03 and 30. The Class Type field should be set to OT.
    Saving Workbooks to Roles
    If a user wants to save aworkbook to a location where it can be easily accessed by others, they need to save to a Role rather than saving the workbook in their own Favorites folder. Saving to a Role means saving to a security role.
    You may want to set up roles specifically for saving workbooks. You can then assign the role to all parties who need to share workbooks.
    Another option is to not allow users to save workbooks, but rather only allow power users to save workbooks. This is done to maintain the roles and to ensure that the workbooks are manageable. This also prevents users from changing workbooks saved by other users.
    In order to save workbooks to roles, a user needs:
    S_USER_AGR: Authorizations: Role check
    S_USER_TCD: Transactions in roles
    The authorization object S_USER_AGR has two fields:
    Activity and Role Name.
    Activity field -Must have at least values 01, 02 and If the user can delete workbooks, they will also need value 06.
    Role Name, you should enter the specific roles you have created for saving
    workbooks. Use proper naming convention for roles so that the roles can be restricted pretty easily.  The role name is the name of a role that will be used to hold workbooks. Saving a workbook to a role actually updates the Menu portion of a role, so object S_USER_AGR is a required object.
    Authorization object S_USER_TCD has one field
    Transaction Code. The user needs value RRMX in this field.
    Once a workbooks is saved, the data and the layout is saved in the workbook. For security reasons, we recommend that users save workbooks without the data. To save the workbook without the data, the users selects from following menu path from the BEx Analyzer: Tools > All queries in Workbooks > Delete results
    Sathya
    Edited by: sathya prasad anumolu on Jul 30, 2008 4:58 PM

  • FM that retrieve the inner authorization object BBP_ROLE using user's role

    Hi Experts!
    Do you know what Function Module can be use to retreive the inner authorization object BBP_ROLE using the user's role
    e.g. BUYER : YT:PU:XXXX:BUYERROLE
    Object       : BBP_ROLE      SRM: User function / Role
    field name : BBP_ROLE      SRM: User function / Role
    Activities
    Sel      Activity      Text
    x       EMP             Employee
    x       OPP             Operational Purchaser
    ......etc
    Thanks!

    Hi
    Execute Txn S_BCE_68001414 in debug mode, and figure out how system takes the inner authorizations through the flow of this program
    Regards
    Virender Singh

  • Authorization Objects assigned to a TCode

    Hi,
    Can you please tell me how do I know which all AUTHORIZATION OBJECTS are assigned to a T-Code.
    Thanks in advance,
    Ishaq.

    hi,
        check the T-codes SU24 and SU25
    sudheer.A

  • Authorization object P_ASRCONT

    Hi Experts,
    I want to assign authorization object P_ASRCONT to one user. Also I need to check the particular user has this authorization object P_ASRCONT or not.
    Can anybody help me on this?
    Thanks,
    Helps will be appreciated.

    Hi,
    Procedure for checking authorization object assigned to user:-
    T-code: SUIM --> roles -->roles by authrorization object
    Enter authorization object --> Execute
    Double click on roles --> Click on user
    Regards
    Sudheer

  • Mandatory Authorization object for the BO user

    Dear All
    I am facing some problem for the BO user.
    can you let me know what are mandatory Authorization object for BO user to run the dashboard without error.
    Fast reply appreciate.
    Thanks
    Haji

    Dear All
    i am working for Analysis Authorization.
    i included Analysis Authorisation object  to the user.
    S_RS_AUTH  BI Analysis Authorizations in Role.
    when i checked in the BW side its working fine.
    when i checked the user in the BO side.
    filter values are coming correct, but the values in the column are not showing.
    its throwing an error.
    kindly help me to solve this issue.
    Thanks
    Haji

  • Authorization Assigned to User

    Hi,
    According to error message, I can't forward incident to SAP as a processor because of lack of authorization.
    Right now, I'm having an issue regarding authorization assigned to each user.
    I log on as my own ID and password and try to assign authorization.
    There's no more authorization being assigned under user ID I'd like to assign.
    I've done with the existing authorization and mark all I can assign.
    Can anyone give me a favor for this issue?
    Thanks

    Hi George,
    All related information for the above can be found here:
    https://websmp104.sap-ag.de/instguides
     > SAP Components
     > SAP Solution Manager
     > Release 7.1
     > 4. Operations
    > choose your SP level for
    Security Guide SAP Solution Manager 7.1.
    Regards,
    Ruth

  • Link users - positions - roles - authorization objects

    Hi guys,
    I want to write a report that would link USERS to POSITIONS to ROLES and finally to AUTHORIZATION OBJECTS. The user would enter the SAP username in the selection screen and the report should extract all the information listed above.
    I am able to link the following:
    + Users to positions via function module RH_BRANCH_GET
    + Users to roles via table AGR_USERS
    + Roles to authorization objects via function module PRGN_1251_READ_FIELD_VALUES
    Unfortunately, I dont know how to link positions to roles
    Does anyone know how to do that?
    Also, is there a more efficient way, than the approach highlighted above, to complete this requirement
    Thanks for your time
    -TR

    Hi,
    you can find a link between role and HR object in table HRP1001. The field SOBID contains name of the role. You need to find way how to convert object ID into position role. Be careful about additional fields from that table.
    Cheers

  • Analysis Authorization Object not working

    Hi Gurus,
    I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
    For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
    I have followed the below steps but still the report shows all data instead of restricted one.
    1)RSECADMIN -> Maintenance ->zz_div ->Create
    2) Add 0DIVISION in Auth structure , and in details 
    I     EQ     32
    I     EQ     33
    3) Add 0TCAIPROV with I     EQ     0SD_C03
    4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID,  this having details as
    I     CP     *
    5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
    6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
    Following are the authorization object in that user's Role (Reporting Only)
    S_RFC 
    S_TCODE
    S_GUI
    S_BDS_D  
    S_BDS_DS 
    S_OC_SEND
    S_RS_AUTH - only having zz_div
    S_RS_COMP
    S_RS_COMP1
    S_RS_ICUBE
    S_RS_RSTT
    S_RS_TOOLS
    S_RS_PARAM
    I have surfed lots of thread for this issue but not getting a solution
    Tell me what i m missing in above or any additional setting need before creating analysis authorization
    Edited by: Sonal Patel on Apr 18, 2009 8:10 AM

    Hi
    Thanks a Ton for ur reply
    I have checked in SPRO : Analysis Authorization
    where the authorization mode is " OLD obsolete Concept With RSR  Authorization Objects "
    We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
    Thanks
    Sonal....

  • How i know Authorization object in system?

    Hi all,
    i create new BAdi with Enhancement Spot: ZWORKORDER_GOODSMVT (copy WORKORDER_GOODSMVT in standard SAP)
    now i have Badi definition: ZWORKORDER_GOODSMVT
    with Interface: ZIF_EX_WORKORDER_GOODSMVT
    all ok.
    now how i can see authorization object in Badi definition: WORKORDER_GOODSMVT (standard)? i already creat Authorization object but now i don't know what field and choose in maintain the authorization (from Badi definition: WORKORDER_GOODSMVT )
    ex: 1. in package BSFC have interface IF_EX_BSFC_POLICY and method GET_POLICY
         2. Authorzation object: B_BSFC (have field name: BSFC_APPL and ACTVT in maintain the authorzation)
    because i get this and solve in my job.
    when i activate the BAdI function called WORKORDER_GOODSMVT and assign to the a.m. authorization object???
    Processing Logic: 
    •     The backflush errors are created after the execution of backflushing transaction in Repetitive Manufacturing (REM) – t-code MF42N or MFBF
    •     If during the backflush execution the components are not available in the respective production storage location then system by default will create backflush errors
    •     Backflush errors will need to be cleared everyday and must be cleared before end month stock take
    •     Backflush errors can be processed using the following t-code:
    o     MF45 – Individual
    o     MF46 – Collective
    o     MF47 – Post processing List
    o     COGI – Post processing Individual Components
    Authorization will be applied only for COGI, while others will not be used in PSECI
    •     Create new authorization object called Z_PP_COGI to be assigned later to the user id
    •     Activate the BAdI function called WORKORDER_GOODSMVT and assign to the a.m. authorization object
    •     For unauthorized users, an errors message will appear if they try to delete the backflush errors in COGI transaction as follows:
    o     You are not authorized to change/ delete the backflush errors! Please contact your superior!
    Thanks so much all, ......

    Hi Nguyen,
    Check the following links:
    http://help.sap.com/saphelp_erp2004/helpdata/en/b8/bdb83b5b831f3be10000000a114084/content.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/6714a9439b11d1896f0000e8322d00/content.htm
    Regards,
    Rajesh K Soman
    <b>Please reward points if found helpful.</b>

  • How to add authorization field to a standard authorization object

    Hi All,
    I'm trying to limit user to can only create & change X type of order type in PM module. This can be fullfill by creating suer with assigned role with only allow X type of order type.
    But when I assigned a display role which has authorization to display all order type (maintained as authorization object), now my user can create and change all order type.
    How to limit user to can only create & change X order type and only display the rest of order type?
    I assume by adding authorization field: AUFART(order type) in authorization object: I_TCODE will solve the problem, is it right? and is it possible to do that?
    regards,
    Andre

    Hi,
    your assumption is incorrect. First of all, adding a new field to standard authorization object is a bad idea. You would have to modify all checks for that object. For standard SAP object it means that you would have to modify many SAP programs.
    The authorization object I_TCODE is checked in PM transactions. It gives you authorization to run that transactions. That object can't be used to limit what you do in that transaction or what order type you can process. You are looking for some other authorization object(s). You need to go to SU24 which gives you what authorization objects are checked in particular transaction. It does not have to cover all objects but it's a good starting point.
    Cheers

  • 0Orgunit(hierarchy) and authorization object display getcell error in Webi

    Hello,
             We are facing with GetCellData error in WebI to SAP BEx Query.
             This works perfectly fine in Bex for a particular test user who has access to particular org unit value.
             But in Webi we are getting this Getcelldata error.
            Tried all the options and message as recommended in sdn group.
            mdxtest returns no value.
            looked at all below messages but no luck.
    GetCellData error in WebI to SAP BEx Query
    Re: SAP BO WebI Report on top of BI Bex Query with Authorization Variable
    in the rsecadmin, we get the same error like mentioned in below message
    Hierarchy Authorization doesn't work for MDX but works for BEx Query.
    Is any authorization required for this user to execute and view the authorized values in Webi?
    or we have to assign any authorization ?(0BI_ALL is not assigned).
    Please find below screenshots of BEx query auth log or Webi auth log (differences)
    Bex auth log:
    The Following Attributes Are Authorized and Thus Are Visible
    0BBPPURGRPX
    0BBPPURORGX
    0BBP_BUYID
    0BBP_ISCOMP
    0BUS_AREA
    0COMP_CODE
    0CO_MST_AR
    0CRMSALGRPX
    0CRMSALOFFX
    0CRMSALORGX
    0CRMSRVTGRP
    0CRM_SALGRP
    0CRM_SALOFF
    0CRM_SALORG
    0CRM_SRVORG
    0LEAVERS
    0LOGSYS
    0MAST_CCTR
    0PERS_AREA
    0PERS_SAREA
    0PLANT
    0PURCH_ORG
    0PUR_GROUP
    0SALESORG
    0SALES_GRP
    0SALES_OFF
    This above log is missing for mdxtest auth log.
    Is this the issue?
    Any quick reponse or help really appreciated.
    Regards,
    Ravi
    Edited by: Ravi Gadicherla on Feb 28, 2010 5:36 PM

    Hi,
        Here is the log of MDXtest:
    Buffering the Authorization Data  
      Buffering for InfoProvider 0PA_C01 and Users HRTEST93  
    InfoObject Properties Defined
    Reading of Directly Assigned Authorizations
    Direct Assignment Does Not Include Universal Authorization 0BI_ALL
    Reading the Indirect Assignments with Authorization Object S_RS_AUTH
    Does user have OBI_ALL?
    No, the User Does Not Have Universal Authorizion 0BI_ALL
    Negative Entry in SU53 Result of Failed Check for 0BI_ALL
    Indirect assignments found; no universal authorization
    Regards,
    Ravikanth

  • MSS Authorizations to the ABAP User: Note 844639

    Hi Experts,
    I am implementing MSS 1.0 on mySAP ERP05 and I need information on MSS Athorizations to be assigned to the backend MSS users.
    I have got a note 844639 but I have the following questions:
    1. Do I have to implement note 785345 as a prerequisite? I have upgraded from 4.6c to ECC6. Do I still require to implement this note?
    2. There are so many WD applications based services for MSS. Do I have to get a list of each Authorization Object assigned to all the services and then consolidate it under one single ZMSS role in PFCG?
    3. What about the default values of the sub objects of all Authorization Objects?
    4. Similar to the ESS composite role SAP_EMPLOYEE_ERP with all the necessary authorizations, dont we have a standard MSS composite role which we can activate directly?
    I would really apreciate some help on this.
    Regards,
    Shobhit

    Hi Walter,
    I am putting across my questions again regarding Note 844639:
    1. There are so many WD applications based services for MSS. Do I have to get a list of each Authorization Object assigned to all the services and then consolidate it under one single ZMSS role in PFCG?
    2. What about the default values of the sub objects of all Authorization Objects?
    3. Similar to the ESS composite role SAP_EMPLOYEE_ERP with all the necessary authorizations, dont we have a standard MSS composite role which we can activate directly?
    Appreciate any help on the matter.
    Thanks,
    Shobhit

Maybe you are looking for