Authorization object - Compliance Certification Review

Hy Guys,
I need to disappear in GRC AC with options Compliance Certification Review.
Is necessary  the end user not see this option.
I'm block object GRAC_REQ in my roles type=11, but the option not disappear in GRC AC option Compliance Certification Review.
Please, someone could help me
Regards
Martha

Hi Martha,
Did you try to deactivate the request type at "SPRO > GRC Access Control > User Provisioning > Define Request Types"?
Regards,
Aldo Kusuke

Similar Messages

  • Report to check authorization object used in customized programs

    Hi Guys,
    An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
    Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

    Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
    To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
    Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
    Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
    Code review is an art form!
    Cheers,
    Julius

  • BI authorization objects not appearing in RAR, error while generating role

    Hi
    I am facing certain problems relating to integration of BI module version 7 with GRC Access Controls version 5.3 and support package 06. I am describing the problems in details below:
    (a)  In Risk Analysis and Remediation (RAR) component, I am creating Functions and
          Risks for Business Intelligence (BI) module. For that I have downloaded the
          descriptive text and authorization object data from BI development system and
          uploaded the same in RAR. Then I have created 2 Function Ids DBI1 (having action
          RSA1) and DBI2 (having actions RSA11, RSA12, RSA13, RSA14, RSA15) and 1
          Risk Id for BI (having Function Ids DBI1 and DBI2) in RAR. But when I checked
          the permission tabs of the Function Ids DBI1 and DBI2, I could not find any
          authorization objects for the actions in them.
    (b)  In Enterprise Role Management (ERM), when I am trying to create a Role TEST-BI
           in DBI 100 and I put the  BI transaction codes in authorization data , I get the
           authorization objects . Risk analysis is also being done successfully. But at the time
           of Role generation in background mode , it is giving an error message :
           Error generating role TEST-BI for system DBI 100: Unable to interpret * as a number.
           I am thus unable to generate any role in DBI 100.
    (c)  In Compliance User Provisioning (CUP), I have imported a standard role from DBI
          100. Then I have added Functional Area, Business Process, Subprocess  and
          Criticality Level to this role in CUP. But when I try to assign this Role to an user, it
           gives an error Error creating request. But requests are getting created and roles are
           being assigned to users in ECC development  systems using the same Initiator, CAD, stage
           and path.
    Can anyone please help me ?

    -

  • Authorization Object for Clear G/L account (trx F-03)

    Hi,
    my client wants need to restrict some G/L accounts for certain company codes when clearing G/L accounts. In other words, I need to check that some users are cannot clear (trx F-03) some G/L accounts for some company codes.
    I have reviewed the authorization objects (FI & FI_T) and I could not find one for that purpose. It seems that 'clearing' is not an activity for authorizations as create, display, delete, post... are.
    Do you know if an authorization object (or activity) for clearing G/L account exists?
    Thanks you in advance
    Rafa

    ST01 shows all the objects checked in F-03 from calling the transaction, through simulation, till clearing:
    S_TCODE    RC=0  TCD=F-03;          
    F_BKPF_BUK RC=0  ACTVT=01;BUKRS= ;  
    F_BKPF_BUK RC=0  ACTVT=01;BUKRS=1000; 
    F_BKPF_BUK RC=0  ACTVT=01;BUKRS=2000; 
    F_BKPF_BUK RC=0  ACTVT=01;BUKRS=2000; 
    F_BKPF_BUP RC=0  BRGRU=0001;  
    S_TCODE    RC=0  TCD=F-03;              
    F_BKPF_BUK RC=0  ACTVT=01;BUKRS= ;      
    (I have cleard an account between company code 1000 and 2000.)
    Activity "post" means in this case "clear". There is no different activity for clearing.

  • Authorization objects for FM (EA-PS) after upgrade

    Hi,
    We are upgrading from ERP 4.6c to ECC 6.0 (IS-PS 462 to EA-PS 6.00).
    On preliminary tests we have found that we need to add a few authorization objects to the users, but we want to minimize that.
    We opted to deactivate BAdi implementation "FMBS_ADDON_AUTH_FI" and to mark the two checks inside IMG "Activate Old Authorization Check"
    Although we have found authorization issues with objects:
    F_FICA_FTR and
    F_FICA_FCD
    Is there a list of Objects that we need to add to the roles that I can review? or maybe an OSS Note or SDN article about this?
    Best regards,
    Nelson

    Hi, I have been studying this, and I have found that the error message I saw yesterday definitely speaks to the problem I have been having. 
    I created a test role with one transaction, then went into SU24 for that transaction and made a new auth check with display 03.  After I updated that role in PFCG (maintaining the new authorization), I went back to SU24, changed that new auth check by removing 03.
    When I went back into the role in expert mode, the maintained authorization was gone and replaced with a new standard authorization with no values.
    My concern is that wherever the authorization checks are coming from, their construction is corrupt!  I'm not even sure that the original auth checks are OK -- if they had values that were later taken out, I am concerned that they will cause this error I am seeing.
    I'm getting ready to upload the auth check tables from QA back to the Sandbox, but I'm not sure that will solve the problem if there is another cause for this.  Is there some other setting/selection that someone must have clicked on that is now causing this problem?  I still don't have a clear answer on that, and I would love to know.
    Thanks,
    Ed

  • Authorization objects for EA-PS after upgrade

    Hi,
    We are upgrading from ERP 4.6c to ECC 6.0 (IS-PS 462 to EA-PS 6.00).
    On preliminary tests we have found that we need to add a few authorization objects to the users, but we want to minimize that.
    We opted to deactivate BAdi implementation "FMBS_ADDON_AUTH_FI" and to mark the two checks inside IMG "Activate Old Authorization Check"
    Although we have found authorization issues with objects:
    F_FICA_FTR and
    F_FICA_FCD
    Is there a list of Objects that we need to add to the roles that I can review? or maybe an OSS Note or SDN article about this?
    Best regards,
    Nelson

    Hi, I have been studying this, and I have found that the error message I saw yesterday definitely speaks to the problem I have been having. 
    I created a test role with one transaction, then went into SU24 for that transaction and made a new auth check with display 03.  After I updated that role in PFCG (maintaining the new authorization), I went back to SU24, changed that new auth check by removing 03.
    When I went back into the role in expert mode, the maintained authorization was gone and replaced with a new standard authorization with no values.
    My concern is that wherever the authorization checks are coming from, their construction is corrupt!  I'm not even sure that the original auth checks are OK -- if they had values that were later taken out, I am concerned that they will cause this error I am seeing.
    I'm getting ready to upload the auth check tables from QA back to the Sandbox, but I'm not sure that will solve the problem if there is another cause for this.  Is there some other setting/selection that someone must have clicked on that is now causing this problem?  I still don't have a clear answer on that, and I would love to know.
    Thanks,
    Ed

  • Authorization Objects in Transaction codes

    Dear Experts
    we are trying to make Authorization Matrix for users authorizations , so what i need to know if is there any way i can get template list includes Tcodes and the Authorization objects corresponding to each Tcode , it will be a lot easier to make the roles .
    please if anyone can advice how i can get the tcode list with its objects it will be great.
    thanks
    Sameh Essa

    Authorization Matrix - Not any table / programme will work for you in this case, you better maintain below checklist :
    1) Gather company data : Organization Structure HR will help you in this. (you need to get all details on Organization values such as Company Code, Plant, Purchasing / Sales Organization etc.,
    2) Prepare a sheet for every module (PP,MM,SD,FI,CO,HR etc.,)
    3) Study the Organization structure & Identify the Job responsibility of the person in current organization & what function he / she will do in SAP.
    4) A sheet contains T-codes & description (you can get list of tcodes from respective functional consultant), Role Name, Activity - create/change/display et.,
    5) Don't add all t-codes Ex- PP : Add only those tcodes access by you users : End or Core users. Sometime it doesn;t make sense to give create / change / delete t-codes to a user who's only responsible for doing data entry job or a user who is responsible only for creating materials not approving / sending.
    6) Make a sheet that maps you users to role
    7) Always review / approve your Matirx from respective Functional Head, as a BASIS we can't take decision on Functional side.
    8) Always test you roles in DEV / QAS (training client) assigned to a test user by your functional cunsultant.
    9) Always remember of cross functionality authorizations (like some time they may
    10) Always make sure that none of the user gets any BASIS activity authorization.
    I gather above points from my experience where I was involved in designing Matrix, It can be defferent depends upon the organization.
    Regards;

  • Prompt for Authorization Object

    Dear Experts,
    I would like to have control on certain authorization objects which are common among the roles while creating them.
    Is it possible that while maintaining or creating a role, if by mistake the administrator does not block the object OR add an entry which we do not authorize, the system should alert the administrator as a popup or alert message?
    I am aware about the report "RSUSR008_009_NEW" for maintaing critical authorizations, however, running a report and giving a prompt are two different things.
    Any possibility of an alert?
    Thanks and Regards,

    Hi J K
    I take the following approach with SU24:
    Complete Proposal - completely maintain an authorisation proposal when that values applies for any situation in PFCG role build. E.g. transaction FB03 for object F_BKPF_BUK has fields ACTVT and BUKRS. You can allow the value as ACTVT = 03 and BURKS = $BUKRS (org value) or each scenario
    Partial Proposal - only maintain some of the fields where it will be consistent. E.g transaction OB52 for posting periods and S_TABU_DIS with field ACTVT and DIBERCLS. You leave ACTVT blank as sometimes you want change whilst DIBERCLS for auth group is static so you can enter a value there
    Empty Proposal - leave the proposal values completely blank as the requirement will depend on the scenario. E.g transaction SM30 you might leave S_TABU_DIS empty as it will depend on the role for both fields.
    If you take this approach, you minimise the need for deactivating object, copying/changing and manual objects in PFCG. You maximise role authorisation under status of Standard or Maintained.
    Now if we set the proposals in su24, it will be applicable for other new roles as well for which we DO want the proposals to exist.
    Yes if you change SU24 you should clean up all impacted roles but before you build roles you should review
    At the end of the day your need to have competent security administrators who know what a display activity is and have attention to detail/meticulous enough to build the role with appropriate restrictions (i.e. do not put change access in a display role).
    How can we avoid the "new authorizaiton objects" to be added to this display role.
    To avoid this you are trying to avoid using SU24 integration. If you are tying to build a SAP display all role then you might as well copy SAP_ALL and go through and deactivate/remove any display access from the role. In this case you would not use the role menu.
    Not all solutions are technical. It's why you need to have a clearly defined process that is adhered to.
    My trick of display roles - I got the AGR_1251 role and look at the entire contents of the role and scan this list of objects and what's in the role. However, I do this as I know the objects relatively well and can identify the specific objects that are change/display  but do not use ACTVT field (e.g. PLOG/P_ORGIN/P_PERNR)
    Wonder why SAP prompts warning and errors messages doing a business/financial transaction and not security.
    Exactly what would you want the system to prompt? How would SAP know what a display role is?
    We noted that every time we add a t-code, the authorization object added is marked as "new" in the list. we jsut disable those and generate it
    If you take this approach you cannot guarantee the transaction code will work. The user may need the underlying values and that is why SU24 has them marked as proposal.
    My summary - defined your process to include a quality check after building a role and hire security administrators who know more than how to tick and click buttons in PFCG (i.e. they understand security objects and why some are sensitive).
    Regards
    Colleen

  • The scope of the customer-specific authorization object

    Dears,
    Could someone please feedback about the scope of the customer-specific authorization object; e.g. if we are to create a customer-specific authorization object to replace authorization object P_ORGIN in the HR module, to be able to add an extra authorization field to the newly created authorization object, the scope of the newly create authorization object (which will have a new validation code generated by report RPUACG00) will be the whole ERP system ? 
    The worry is caused by the fact that P_ORGIN is already used in several authorization roles granted to users in the different ERP modules (i.e. FI, SD, MM, CS), so the replacement would affect these modules.
    Thanks.
    Reda

    Hello Reddy,
    We are about to implement the HCM module (We are now in the testing
    phase), on the same client as that of our SAP ERP implementation.
    We need to authorize on the personnel number grouped by 'Payroll Area'
    in transactions PA30, PA40
    In authorization object P_ORGIN, the field VDSK1 is already used to
    authorize on an attribute : cost center (organizational key) for each
    organizational unit, so we can't configure it to authorize on other
    fields from info type 0001 (e.g. Payroll Area).
    We need to continue using the conventional / general authorization and
    not the structural authorization, to stay in compliance with our
    authorization schema already implemented in our FI, MM, SD & CS modules.
    ( Also, as per thread : Steps for creating structural authorization profile using trans. OOSP
    the structural authorization cannot be used to authorize on Payroll Area.)
    We need to go through the HR module implementation without any changes
    in the ABAP code.
    So, the last way out is the custom-specific authorization object, and as I mentioned before, the authorization object P_ORGIN was already used in other ERP modules; e.g. FI, MM, SD & CS,
    ( Note : I haven't started yet implementing this solution.)
    Thanks.
    Reda

  • How to assign authorization objects to a cube

    Hello,
    My cube includes 0profit_ctr which is marked as authorization relevant. Still in RSSM my cube is not included in the list of infocubes for an authorization object (zprofit) linked to 0profit_ctr. I'm therefore not able to enable that authorization object for my cube. I have a few ODSs which are included in the list. Why is my cube missing? Is there something I must do to include it, or is it a bug?
    When checking the infocube for authorization objects in RSSM this list is empty as well. I don't see any option to add authorization objects in that list.
    I have read the following document:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b849e690-0201-0010-9b88-c00cca40736f
    I'm using BW 3.5.
    Regards,
    Christoffer

    Hi Christoffer,
    In RSSM  you will find a button  "Update Check Status ( Authorization Objects, Info providers) ". After this update you should find your cube in the list.
    Jaya

  • How to get all authorization objects for a certain authorization profile

    Hi ABAP experts,
    I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
    So:
    - where are these values stored (dictionary table)?
    - is there already a FM or a report to read all authoriation values for a certain authorization profile?
    Thanks in advance.
    Best regards,
    Oliver

    Hi,
    check the following it might useful for you:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
    if helpful reward points are appreciated

  • Mass update to FILENAME field in S_DATASET authorization object

    We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value.  I'd like to do this programmatically if possible.
    What I've learned so far is that I need to update the value in table USR12, but the value is encoded.  When I look at the table in SE16, I do not see the encoded value field.  The value does show in UST12, but I'm told this is an unreliable table.
    So I'd like to know..
    1. How can I look at the value if not in SE16?
    2. Is there an API I can use to encode/decode the value?  If not, where is the specification on how to build it?
    If this is better addressed in a different forum, which one should I try next?
    Thanks,
    Dan

    Hi there,
    Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
    But the behaviour as you have described:
    >
    > Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
    > =============================================================
    > *                                 X         X            DUMY
    > /temp/FI/..                       X         X            DUMY
    > /temp/FI               X                                 FIFI
    >
    ... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
    > Caution:
    > - If you enter paths generically in the table SPTH, the most precise specification counts.
    > - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
    So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
    So, the only check which is effective to protect the path, is:
    Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
    =============================================================
    /temp/FI               X                                           FIFI
    ... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
    Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
    form CHECK_PERMISSION using ISPTH_HEAD type SPTH
                                MODE       type CLIKE
                                SUBRC      type SY-SUBRC.
    data: ACTIVITY like AUTHB-ACTVT.
       SUBRC = 0.
       case MODE.
         when 'R'.
              ACTIVITY = '03'.
         when 'W'.
              ACTIVITY = '02'.
         when 'D'.
              ACTIVITY = '02'.
       endcase.
       if ISPTH_HEAD-FS_BRGRU <> SPACE.  "Here it is... for BEGRU checks there must be a value...
          authority-check object 'S_PATH'
              id  'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
              id  'ACTVT'    field ACTIVITY.
           if SY-SUBRC <> 0.
              SUBRC = 3.
           endif.
       endif.
    endform.
    Cheers,
    Julius

  • Authorization Object is not working when report is modified.

    Hi BW Guru's
    We have Company Code as Authorization Object .and we have 3 company Codes (xxxx,yyyy,zzzz).where the users under Company code xxxx are not supposed to view company code yyyy,zzzz data etc.
    I modified an existing Report and transported to production.But the Authorization Object is not working for that report.The Report is defaultly displaying all the company codes data(xxxx,yyyy) for all the users.But for the other reports its(company code ) is working fine.
    What could be the problem?Is theproblem in transporting the objects.But i transported all the objects inluding auhorization object.
    Please send me the solution as it is very much urgent.
    The solution will be def. awarded with full points.
    Regards
    Sanjay

    hi Sanjay,
    please don't post the same question again, check and response back from your previous thread
    Re: Authorization Object is not working when report is Modified.
    hope this helps.
    would be nice if you reward for helpful answers to all of your previous postings, e.g
    docs related to RRI

  • Issue on authorization object

    hi all,
      in me52n transaction, in account assignment tab there is field called costcenter. its  field name is kostl and strucutre is cobl. now i have requirement to create an authorization object on this costcenter. that is for example , if i try to make any changes in the cost center field it should allow me to do it. but if some others are using it should not allow them to make any changes. plz let me know the solution how to do step by step. points will be awarded . this is urgent requirement. plz reply fast.
    thanking u in advance,
    a.srinivas

    Hi deniz,
    Use this to set up the autherisation object
          AUTHORITY-CHECK OBJECT '<objectname>'
                          ID 'ID FIELD SY-UNAME.
          IF SY-SUBRC NE 0.
            MESSAGE S999 WITH 'You are not Authorised to change entries'.
            EXIT.
          ENDIF.
    Inform the Basis team to assign the role only to ur id...so that no other person wil u autherized
    Award points if useful
    Regards
    Gowri

  • Analysis Authorization Object not working

    Hi Gurus,
    I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
    For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
    I have followed the below steps but still the report shows all data instead of restricted one.
    1)RSECADMIN -> Maintenance ->zz_div ->Create
    2) Add 0DIVISION in Auth structure , and in details 
    I     EQ     32
    I     EQ     33
    3) Add 0TCAIPROV with I     EQ     0SD_C03
    4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID,  this having details as
    I     CP     *
    5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
    6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
    Following are the authorization object in that user's Role (Reporting Only)
    S_RFC 
    S_TCODE
    S_GUI
    S_BDS_D  
    S_BDS_DS 
    S_OC_SEND
    S_RS_AUTH - only having zz_div
    S_RS_COMP
    S_RS_COMP1
    S_RS_ICUBE
    S_RS_RSTT
    S_RS_TOOLS
    S_RS_PARAM
    I have surfed lots of thread for this issue but not getting a solution
    Tell me what i m missing in above or any additional setting need before creating analysis authorization
    Edited by: Sonal Patel on Apr 18, 2009 8:10 AM

    Hi
    Thanks a Ton for ur reply
    I have checked in SPRO : Analysis Authorization
    where the authorization mode is " OLD obsolete Concept With RSR  Authorization Objects "
    We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
    Thanks
    Sonal....

Maybe you are looking for

  • I am getting an activation error message when trying to imessage

    I have an Ipod touch 5th generation running IOS 8.1.2, recently it will not let me imessage or facetime. It is telling me that there is an activation error. Any suggestions? I have seen on apple support to "turn off" Imessage and turn it back on, but

  • Can I easily add my wife to Find iPhone?

    My wife misplaced her iPhone this weekend and didn't have her computer with her and doesn't own an iPad. she had no way to access Find iPhone app. if we could easily add each other's devices to each other's Find iPhone app, we'd be able to assist eac

  • Conditional build tags disappeared

    Hi All, For info, we are using Tech Comms Suite 3.5 with RoboHelp 9. We have an interesting problem in that some of our conditional build tags have somehow gone missing! We are unable to select them to apply to content/topics for selection, however w

  • Replacing ink cartridges

    I have a 7520 All in one printer and it has 4 small cartridges and 1 large black.  The small black is for photo and my question is, do I have to replace the small black cartridge since I have the large one.  Doesn't the printer use from the large 564

  • Update from OS X 10.4.11 to OS X 10.5

    I would like to upgrade my iMac G5 from OS X 10.4.11 to OS X 10.5. I don't want to spend a bundle to do this . Is there any online updates that can be done or do you have to purchase a hard cpoy?