Authorization Object - Checks

Hello Experts,
We make use of authority checks in our applications which require user authorization.
For example, the Sales application makes use of the standard authorization object 'V_VBAK_VKO'.
AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
       ID 'VKORG' FIELD VBAK-VKORG
       ID 'VTWEG' FIELD VBAK-VTWEG
       ID 'SPART' FIELD VBAK-SPART
       ID 'ACTVT' FIELD DA_ACTVT.
The above check is a combination of business fields like Sales org (VBAK-VKORG) etc. and the type of activity (DA_ACTVT),
for example '01' for create and '02' for change.
My requirement is to have a purely activity-based check.
Can we use the same check without business fields and have only the activity type? For example:
AUTHORITY-CHECK OBJECT 'ZOBJ'
       ID 'ACTVT' FIELD '02'.
Syntactically it seems to be correct.
Is this a correct usage?
Thanks and Regards,
Ravish.

Hi,
Yes, you can do so, but it's not a good option; at least one field you should maintain in the authorization check.
e.g.
AUTHORITY-CHECK OBJECT 'ZOBJ'
ID 'VKORG' FIELD wa_VBAK-VKORG
ID 'ACTVT' FIELD '02'.
But there is no harm; you can also create it without a field.
Regards
Arbind

Similar Messages

  • Problem in transporting authorization object

    Hi,
    I am facing a problem in transporting the authorization object. We have an existing cube in development and production. In production the object has 3 authorization objects checked. Now I want to change the authorization object assignment in my cube. So I changed the assignment in the development, but when I tried to transport the authorization object it collected all the cubes where the authorization object is used.
    I want to transport only the authorization object associated with that cube, not all. I understand that logically if we are transporting the authorization object from RSSM, it takes all the assignments. But I don't want to do that because there may be some inconsistencies between the system.
    Can you tell me whether we have any other way, so that the authorization object is transported only for one particular cube assignment, not all?
    Thanks in advance
    Prashant

    Hi,
    I tried that but not getting anything.
    Can you please tell me the steps.
    Steps I have done are as follows.
    1. Go to RSSM and select the authorization object.
    2. We have a button which says transport authorization object. I clicked on that.
    3. I got a list of all the authorization objects there. I selected my authorization objects and clicked on Transfer Object button.
    4. Then I get the hierarchy authorization objects.
    5. After that I selected a request and everything is included in that request. I didn't get your above-mentioned option.
    Do you want me to go to the table RSSTOBJDIR and delete all the other entries?
    It would be great if you can tell me the steps to do that.
    Thanks in advance
    prashant

  • Authorization object F_CN_BAPI

    Hi everyone,
    I have a question regarding the authorization object F_CN_BAPI (FS-AM Simplified Authorization Check in BAPIs). The values permitted are ' ' (not selected) and X (selected), and it is connected with F_CN_ACT.
    I need to configure the roles so that it will go through all the authorization checks, so that when BAPIs are called it will still check if the user has the correct authorization object.
    What should be the correct combination for these two authorization objects if I want it to go through to the authorization object check? Should it be selected or not selected?
    Thanks.

    You must ensure that the value is always ' ', and the best way of doing this is to maintain SU24 for all proposals with this value so that it is always standard (which is almost completely "idiot-proof").
    Good luck,
    Julius

  • PT60 the field Personnel Area( PERSA ) of the authorization object P_ORGIN

    Hi,
    When running transaction PT60, the field Personnel Area (PERSA) of the authorization object P_ORGIN is not checked.
    I have run SU24; the objects are there with check indicator of authorization object = "CHECK".
    What can I do about it ? Is there any note to fix this ?
    thanks!
    Olivia Yang

    Hi,
    In object P_ORGIN, what you need to check for authorisation: is it on Personnel area or PSA? Actually we have an org. key for authorisation which is defined in P_ORGIN. If you can define the org. key as PA/PSA/EG/ESG, you can check the authorisation for specific users.
    Regards,
    Snita

  • Report to check authorization object used in customized programs

    Hi Guys,
    An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
    Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

    Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
    To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent on what the program actually does.
    Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
    Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on its own is however not a sufficient auth check to rely on.
    Code review is an art form!
    Cheers,
    Julius
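
An added example (not part of the thread and not an SAP tool): one way to inventory AUTHORITY-CHECK statements for such a review, assuming the custom source has been exported as plain text. The function names and the sample report are constructed for illustration, and only classic '...' literals are handled.

```python
import re

# Constructed sample source of a hypothetical custom report (not from the thread).
SAMPLE_ABAP = """\
REPORT zsales_demo.
* AUTHORITY-CHECK OBJECT 'ZOLD' ID 'ACTVT' FIELD '03'.
AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
       ID 'VKORG' FIELD vbak-vkorg
       ID 'VTWEG' FIELD vbak-vtweg
       ID 'SPART' FIELD vbak-spart
       ID 'ACTVT' FIELD da_actvt.
IF sy-subrc <> 0.
  MESSAGE 'No authorization' TYPE 'E'.
ENDIF.
AUTHORITY-CHECK OBJECT 'ZOBJ'
       ID 'ACTVT' FIELD '02'. "activity-only check
PERFORM change_order.
"""

LITERAL_OR_COMMENT = re.compile(r"('(?:[^']|'')*')|\".*")    # keep literals, drop "comments
STATEMENT = re.compile(r"(?:'(?:[^']|'')*'|[^'.])+\.")       # text up to a period outside literals
AUTH_CHECK = re.compile(r"AUTHORITY-CHECK\s+OBJECT\s+'([^']+)'", re.I)
ID_FIELD = re.compile(r"\bID\s+'([^']+)'", re.I)

def strip_comments(source):
    """Blank out '*' comment lines and inline '"' comments, preserving line numbers."""
    out = []
    for line in source.splitlines():
        if line.startswith("*"):
            out.append("")
        else:
            out.append(LITERAL_OR_COMMENT.sub(lambda m: m.group(1) or "", line))
    return "\n".join(out)

def find_authority_checks(source):
    """Return one finding per AUTHORITY-CHECK statement in the source text."""
    text = strip_comments(source)
    stmts = list(STATEMENT.finditer(text))
    findings = []
    for i, m in enumerate(stmts):
        stmt = m.group(0)
        head = AUTH_CHECK.match(stmt.lstrip())
        if not head:
            continue
        start = m.start() + len(stmt) - len(stmt.lstrip())
        fields = [f.upper() for f in ID_FIELD.findall(stmt)]
        nxt = stmts[i + 1].group(0) if i + 1 < len(stmts) else ""
        findings.append({
            "line": text.count("\n", 0, start) + 1,
            "object": head.group(1).upper(),
            "fields": fields,
            # True when ACTVT is the only field tested
            "activity_only": fields == ["ACTVT"],
            # the statement only sets sy-subrc; the next statement must read it
            "result_checked": bool(re.search(r"\bsy-subrc\b", nxt, re.I)),
        })
    return findings

if __name__ == "__main__":
    for finding in find_authority_checks(SAMPLE_ABAP):
        print(finding)
```

A finding with result_checked set to False marks a check whose return code is not read by the following statement, which is the first thing to look at in a review.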

  • Where we check the authorization group & authorization object?

    Hi all,
    I have a std program & tcode like FB03. Now I want to know the authorization group & authorization object. So where will we check?
    help me.
    thanks.
    Vipin

    Hi,
    Use transaction SU21 & SU22 for Auth Objects & Class

  • Custom authorization object and check logic

    Hi gurus,
    We need to apply an additional authorization check in our custom reports.
    So I created custom fields & an object, and put the statement
          AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
                   ID 'ZROLEID' FIELD '03'
                   ID 'ZSOBID'  FIELD zzdwbm.
    in an ABAP class method centrally, so it could be called by many reports.
    But the test shows that sy-subrc is always set to 0, even for users without any authorization.
    What did I miss when adding the custom auth check?
    For this case, do I need to maintain the authorization check indicator in SU24?
    What I am confused about is that in SU24 you have to maintain a transaction, but our authorization check is not for a transaction but for reports and a BSP application. How should I maintain SU24 for that?
    thanks and best regards.
    Jun

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've run the report RPUACG00 also, which is mentioned in this thread.
    We also coded the authority check code in both user exits ZXPADU01 and ZXPADU02 for PA infotype operations.
    I believe I'll have to write some ABAP code, e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell me which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is always checked,
    but still it is taking the P_ORGIN object.

  • BW 3.5 which authorization objects available rssm (checks for infoprovider)

    Hi all,
    How does SAP generates the list of authorization objects in RSSM when you enter a specific infoprovider (checks for infoprovider)? Are only the authorization object related to this infoprovider listed?
    Is there any documentation about the purpose in RSSM of the button 'update check status' (Authorization objects, infoprovider)?
    thanks for your help.

    Based on which criteria?
    Is there somewhere detailed documentation available about the RSSM part in BW authorizations? It seems hard to find any...
    Thanks,

  • RSSM: Checks Authorization Objects for Infoprovider are not active

    Hello,
    we have BW 3.5 and we use RSSM Authorization Objects.
    When we create a new cube with an InfoObject that is authorization relevant, in our development system in RSSM the flags for the checks are automatically active.
    When we transport the new cube to our production system, the flags in RSSM for the authorization object are not active.
    Sometimes the new infoprovider is not in the list of the infoproviders in RSSM, so we have to "update check status" with the appropriate icon.
    My question:
    Is it possible that, when we import the new cube in our production system, all authorization objects are active?

    Hi,
    Normally system would check all the authorization relevant objects whenever a new Info cube is imported and in case if you want to transport these changes to Production system manually then follow the below listed steps:
    1) In Development system, check or un-check the authorization relevancy using the transaction RSSM on a given Info provider
    2) These changes are stored in table RSSTOBJDIR
    3) Create a manual transport request and include these entries covering the required authorization objects manually.
    R3TR TABU RSSTOBJDIR
    Ex: If Info object 'A' is authorization relevant in Development system but not in Production system and you want to transport this change to Production system then include object 'A' table entries manually.
    Hope this helps.
    Cheers
    Bala Koppuravuri

  • Authorization object in procurement that checks user role

    Hi Experts,
       Please let me know if we have any standard authorization objects in the transactions PO or PR that check the SAP user role. The authorization check can be done by SAP role; we are not bothered about checking on company code, purchase group and so on. Is there any standard procedure to find that out, or any function module available to check that by passing the user role?  << removed >>
    Cheers
    Mohan
    Edited by: Rob Burbank on Feb 19, 2010 12:24 PM

    easiest way to find all authorization objects is to execute SU24.
    There you enter the transaction code for which you want find the authorization objects.

  • How to check and maintain authorization objects

    Hi All,
    Let me know how to check and maintain authorization objects in SU24 ECC 6.0.
    Thanks
    sathies

    Hi Sathies,
    The old check flags:
    U (Unmaintained): No indicator set. The check for the corresponding authorization object is always executed. Field values are not displayed in the Profile Generator.
    N (No check): Check disabled. Field values are not displayed in the Profile Generator. This indicator cannot be set for HR and Basis authorization objects.
    C (Check): Check always executed. Field values are not displayed in the Profile Generator. For example: Printer authorizations.
    CM (Check/maintain): Check always executed. Field values are displayed for changing in the Profile Generator (yellow light).
    have now been divided into
    Check indicator: Check/No check
    and
    Proposal: Yes/No.
    If defaults=yes, then you can modify them after clicking on the appropriate button.
    Please refer to the online help for SU24 too.
    Although the look of su24 has been changed significantly, the technique behind it is still the same.
    Once you have pressed the 'edit'-button on the top left corner, additional editing options will appear in the right-top-frame.
    b.rgds,
    Bernhard

  • Authorization Object for Sale Organization check

    Hello all,
    I have created a Z report. Now the requirement is that only certain users belonging to a particular Sales Organization can run that report.
    Which standard authorization objects can be used for this case?
    regards,
    Ujjwal Kumar

    P577815 wrote:
    > Hey,
    > Thanks for your reply....)
    > Actually new to ABAP, that's why not much idea. Instead of your Auth Obj, can I use V_KNA1_VKO?
    Hello,
    But V_KNA1_VKO also has these params:
    VTWEG      Distribution Channel
    SPART      Division
    V_VBRK_VKO also has only Sales Org(VKORG). I think that suits your req.
    But before deciding on the Auth. Obj please read the documentation & check that it suits your req.
    BR,
    Suhas

  • Authorization object to display BSP check boxes

    Hello,
    I'm trying to find the authorization object so as to display the BSP check boxes. Because I can display BSP properly (I've BSP_APPL) but not the BSP check boxes. The user having all the authorizations can see the check boxes OK.
    Please, can you help me?
    Thank you

    It's not an authorization object, just portal authorization. I'm going to open a new thread.

  • Authorization Object - Availability Check in Sales Order

    Hi,
    Restriction is required for availability check  (i.e. button 'check item availability') in sales order for a given user.
    Is there authorization object to control the same ?
    Regards,
    RS

    Hello RS,
    Availability check is controlled by FM AVAILABILITY_CHECK_CONTROLLER and there is no authority check in it. As per the previous reply, you can add additional checks in user exit EXIT_SAPLATPC_001, which is called before an ATP is run.
    Thanks
    Amber

  • Check for Authorization object

    Hi All,
    I have a report which will authorize the person running the report.
    I have been given a requirement which is to not accept some users and accept some users.
    Now I know this is possible with an authorization object, but as I have never worked with it I am kind of getting confused as to how to go about it.
    Could someone let me know how to go about it? I have a few questions.
    1. What is the exact use of an authorization object?
    2. I can build in the logic, but what should one start with before implementing an authorization object for the report?
    3. I know there is some basis work involved in this, but what is that?
    Thanks,
    Mahen

    Hi,
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    Use SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>
    ID <authority field 2> FIELD <field value 2>
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is an auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes to a profile, and that profile is in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Reward points if useful
    Regards
    Anji
