Authorization Object Documentation

Dear Colleagues,
in earlier SAP versions there was on opportunity to download the documentation for all authorization objects in one docuemtn via
execute transaction SU03 -> Information -> Object List with Documentation -> Download
Does anyone know, where this function has gone to?
Help is appreciated
Helmut

With the help of a collegue I followed your advice.
The feature was availbale in SAP-Release 4.7, however got deprecated in ECC6.0. It was based on function module LIST_USER_DATA .
A workaround is as follows:
In order to obtain the documentation for all authorization objects (e.g. fields, activity codes and the corresponding explanations)
select from table DOKTL (Documentation: Text Lines) where ID (Documentation Class) = u201EUOu201C and LANGU (Language) = u201EENu201C and TYP (Document Type) = u201EEu201C fields OBJECT (Docu. Object), VERSION (Version of Document Modul) , DOKTEXT (Text line in documentation)
In a second step select all records from the resulkt set, where VERSION is highest.
If specific versions are required, refer to table DOKHL (Documentation: Headers).
Regards
Helmut

Similar Messages

  • How to add custom authorization object to a SAP standard transaction

    Hi All,
    I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
    Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
    - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
    - tcode SU21 - creation of  a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
    - tcode SU24 - insert of new authorization field e check indicator (green)
    - tcode SU22 - check indicator - check (green)
    After this we have created a new role with PFCG and add transaction IW22; the new auth.ZPM was added manually.
    We have try to analyze log (ST01 trace) but it seems no check was made in the trace file.
    It seems new authorization object was not checked.
    My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    Thanks
    Maurizio

    > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    >
    No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
    So you need to provide a Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
    Regards,
    Dipanjan

  • Creation of Authorization Object

    Dear All,
    Can anyone of you guide me on how to create Authorization Object?
    My Knowledge on this concept:-
    1) Mark required object as Authorization Relevant
    2) Use of T-code RSSM
    3) Select marked Authorization Object
    4) Assign fields to it, for authorization.
    thats all i know.
    There are few more additional settings we need to do for it.
    Request you to provide with step by step procedure for the same.
    Thanks & Rgds,
    Anup

    hi
    To create an authorization object:
    1) Execute transaction SU21
    2) Double-click an Object Class to select a class that should contain
    your new auth object
    3) Click on CREATE (F5)
    4) (If creating custom field) - Click the 'Field Maintenance' button -->
    Click on CREATE (Shift+F1)
    5) Enter the Name for the New Authorization field and the corresponding
    Data Element and SAVE
    6) Confirm the Change Request data for the new Authorization Field
    7) Go back two screens (F3-->F3)
    8) Enter the Authorization field name and document the object:
    9) SAVE and ACTIVATE the documentation
    10) Save the new Authorization Object
    11) Confirm the change request data for the Authorization Object and
    EXIT SU21
    12) Finally, the SAP_ALL profile must be re-generated
    the following link will be helpful
    http://209.85.175.104/search?q=cache:BigTSV4_olEJ:www.gingle.com/glenaccess%255CsdnAuthorizationObjectsimple.docHowtocreatauthorisation+object&hl=en&ct=clnk&cd=10&gl=in
    http://aroundsap.blogspot.com/2008/02/sap-bw-70bi-70-new-authorization.html
    Use of T-code RSSM
    Through BIW Authorizations (TCode RSSM)
    Authorization check log. This gives information on
    missing authorizations for reading data.

  • How to use authorization object P_PERNR ?

    Hi, Gurus~
    In our system, there is a user whose User ID is "00041", and she can modify her own 0008, we want to control it so that she can only display her own 0008, but process 0008 for all other employees
    So, i use the authorization object P_PERNR to do this, i set the fields value like this (totally copy from the SAP help for P_PERNR....):
    Authorization level:  W,S,D,E
    Infotype: 0008
    Interpretation of assignment personnel number: E
    Subtype: *
    and then, i maintain her master data 0105's subtype 0001-system user name as 00041
    i think she shouldn't maintain her own 0008 now ,but she still can maintain it
    i want to know why and how to solve it, did i do it in the right way?
    Thank you in advance!

    P_PERNR   HR: Master Data - Personnel Number Check
    You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.
    The following values are possible for the PSIGN field:
    I   =          Authorization for personnel number assigned, that is for own personnel number
    E  =          Authorization for all personnel numbers excluding own personnel number
    You can assign a user a personnel number using infotype 0105, subtype 0001 (in earlier releases using the V_T513A view).
    This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.
    Example of Personnel Number Check P_PERNR
    The authorization checks for P_ORGIN and P_PERNR are activated in the system. In addition, there are user assignments for some personnel numbers.
    The user in our example is assigned a personnel number and is administrator responsible for the Basic Pay infotype (0008) of a personnel area (that is, the user has the corresponding P_ORGIN authorization). The employee should also be able to display his or her own data but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. The corresponding authorizations for the P_PERNR authorization object must be set up as follows: AUTHC = R, M
    PSIGN = I
    INFTY = *
    SUBTY = * AUTHC = W, S, D, E
    PSIGN = E
    INFTY = 0008
    SUBTY = *
    In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. You need to set up the appropriate authorizations for the HR: Personnel Number Check object as shown in this example.
    The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write access to all data records of infotype 0008 for the employee's own personnel number in case the administrator is responsible at some point in the future for the personnel area to which he or she belongs.
    As the following examples illustrate, inconsistent authorizations can be granted.
    Example 1:
    AUTHC = *
    PSIGN = I
    INFTY = 0014
    SUBTY = M* AUTHC = W, S, D, E
    PSIGN = E
    INFTY = 0014
    SUBTY = *
    The first authorization grants the employee read authorization (AUTHC = R) for the Recurrent Payments/Deductions infotype (0014), subtype M120, which allows the employee to access the data stored under his or her personnel number. In this case, the second authorization is irrelevant.
    The first authorization grants the employee write authorization (AUTHC = W) for the Recurrent Payments/Deductions infotype (0014), subtype B030, which denies the employee access to the data stored under his or her personnel number. In this case, the first authorization is irrelevant.
    The first authorization grants the employee write authorization for the Recurrent Payments/Deductions infotype (0014), subtype M120, the second authorization denies the employee this authorization. The desired system response is unclear from this example. According to the documentation, the system response is undefined in such situations. In reality, the authorization check always denies authorization in unclear situations, that is E is stronger than I and therefore the authorization is not granted.
    Example 2:
    AUTHC = *
    PSIGN = *
    INFTY = *
    SUBTY = *
    This type of authorization is required by superusers with unlimited access, for example. The above authorization is appropriate if an employee wants to access an infotype. However, since PSIGN = * and * can be substituted for any value, PSIGN and E can also be interpreted as I. This can also lead to an undefined situation. In earlier releases, the authorization was denied on the basis of the rule E is stronger than I. This meant that superusers with assigned personnel numbers were not able to access their own personnel number. The programs have since been changed and now * is interpreted as I and is stronger than E. In other words, * is stronger than E and E is stronger than I, whereby * is interpreted as I.
    As already indicated in Example 1, the combination of different authorizations can produce a complicated result. We therefore recommend that you avoid combinations where P_PERNR authorizations can be interpreted differently for the same combination of AUTHC(Authorization Level), INFTY(Infotype) and SUBTY (Subtype).
    Misunderstandings arising from the complex situations described above are not the most frequent causes of customer inquiries, however. The most frequent cause is the incorrect assumption that authorizations by personnel number affect authorizations for non-assigned personnel numbers. This is not the case at all.
    If you use authorizations by personnel number, you should always first set up all non-personnel number-related authorizations. As soon as you have done this, you should create different access authorizations for the personnel numbers that are assigned to users using appropriate P_PERNR authorizations. This is always possible since the P_PERNR authorizations override all other authorizations directly (except Test Procedures).
    P_PERNR authorization checks cannot bypass test procedures directly. For instance, a test procedure is only carried out on the Recurring Payments/Deductions infotype (0014) if a corresponding P_PERNR authorization (with PSIGN = I) exists. If an appropriate authorization for the corresponding subtype of the infotype 0130 exists, it can be used effectively to carry out the test procedures.

  • BW 3.5 which authorization objects available rssm (checks for infoprovider)

    Hi all,
    How does SAP generates the list of authorization objects in RSSM when you enter a specific infoprovider (checks for infoprovider)? Are only the authorization object related to this infoprovider listed?
    Is there any documentation about the purpose in RSSM for the button 'update check status (Authorization objects, infoprovider).
    thanks for your help.

    Based on which criteria?
    Is there somwhere detailed documentation available about the RSSM part in BW authorizations? It seems hard to find any...
    Thanks,

  • Authorization object for Command Button

    Hi all,
    How can I create the Authorization object for command button which is on application server.
    if you do not have auth when you click on that command button, it should be say 'you dont have auth'.
    please help me in this.
    regards,
    Ajay reddy

    Hi,
    Tcode for Authorization Objects are,
    su20----> for defineing authorization field ,
    su21-----> for authorization class,
    su22------> for assignement authorization object
    To create an authorization object:
    1) Execute transaction SU21
    2) Double-click an Object Class to select a class that should contain
    your new auth object
    3) Click on CREATE (F5)
    4) (If creating custom field) - Click the 'Field Maintenance' button -->
    Click on CREATE (Shift+F1)
    5) Enter the Name for the New Authorization field and the corresponding
    Data Element and SAVE
    6) Confirm the Change Request data for the new Authorization Field
    7) Go back two screens (F3-->F3)
    8) Enter the Authorization field name and document the object:
    9) SAVE and ACTIVATE the documentation
    10) Save the new Authorization Object
    11) Confirm the change request data for the Authorization Object and
    EXIT SU21
    12) Finally, the SAP_ALL profile must be re-generated
    Regards,
    hema.

  • What is authorization object and how to create it for a table

    Hi All,
    What is authorization object and how to create it for a table?
    Thanks

    Hi
    Authorization
    For authorization checks, there are many ways of linking authorization objects with user actions in an SAP system. The following discusses three possibilities in the context of ABAP programming.
    Authorization Check for Transactions
    You can directly link authorization objects with transaction codes. You can enter values for the fields of an authorization object in the transaction maintenance. Before the transaction is executed, the system compares these values with the values in the user master record and only starts the transaction if the appropriate authorization exists.
    Authorization Check for ABAP Programs
    For ABAP programs, the two objects S_DEVELOP (program development and program execution) and S_PROGRAM (program maintenance) exist. They contains a field P_GROUP that is connected with the program attribute authorization group. Thus, you can assign users program-specific authorizations for individual ABAP programs.
    Authorization Check in ABAP Programs
    A more sophisticated, user-programmed authorization check is possible using the Authority-Check statement. It allows you to check the entries in the user master record for specific authorization objects against any other values. Therefore, if a transaction or program is not sufficiently protected or not every user that is authorized to use the program can also execute all the actions, this statement must be used.
    AUTHORITY-CHECK OBJECT object
                            ID name1 FIELD f1
                            ID name2 FIELD f2
                            ID namen FIELD fn.
    object is the name of an authorization object. With name1, name2 ... , and so on, you must list all fields of the authorization object object. With  f1, f2 ... , and so on, you must specify the values that the system is to check against the entries in the relevant authorization of the user master record. The AUTHORITY-CHECK statement searches for the specified object in the user profile and checks the useru2019s authorizations for all values of f1, f2 ... . You can avoid checking a field name1, name2 ... by replacing FIELD f1  FIELD f2 with DUMMY.
    After the FIELD addition, you can only specify an elementary field, not a selection table. However, there are function modules available that execute the AUTHORITY-CHECK statement for all values of selection tables. The AUTHORITY-CHECK statement is supported by a statement pattern.
    Only if the user has all authorizations, is the return value sy-subrc of the AUTHORITY-CHECK statement set to 0. The most important return values are:
    ·        0: The user has an authorization for all specified values.
    ·        4: The user does not have the authorization.
    ·        8: The number of specified fields is incorrect.
    ·        12: The specified authorization object does not exist.
    A list of all possible return values is available in the ABAP keyword documentation. The content of sy-subrc has to be closely examined to ascertain the result of the authorization check and react accordingly.
    REPORT demo_authorithy_check.
    PARAMETERS pa_carr LIKE sflight-carrid.
    DATA wa_flights LIKE demo_focc.
    AT SELECTION-SCREEN.
      AUTHORITY-CHECK OBJECT 'S_CARRID'
                      ID 'CARRID' FIELD pa_carr
                      ID 'ACTVT' FIELD '03'.
      IF sy-subrc = 4.
        MESSAGE e045(sabapdocu) WITH pa_carr.
      ELSEIF sy-subrc <> 0.
        MESSAGE e184(sabapdocu) WITH text-010.
      ENDIF.
    START-OF-SELECTION.
      SELECT  carrid connid fldate seatsmax seatsocc
        FROM  sflight
        INTO  CORRESPONDING FIELDS OF wa_flights
        WHERE carrid = pa_carr.
        WRITE: / wa_flights-carrid,
                 wa_flights-connid,
                 wa_flights-fldate,
                 wa_flights-seatsmax,
                 wa_flights-seatsocc.
      ENDSELECT.
    Regards
    Hitesh

  • Assign authorization objects to newly created transaction

    I have just created a new transaction YMM02 as a copy of MM02. When I create a role using PFCG and enter in the new transaction there are no authorization objects proposed. Do these come from the original transaction or can I assign them through a SAP transaction or via a table entry?
    Regards,
    Brian

    Hi Brian,
    that's transaction SU24.
    See also its documentation if needed : http://help.sap.com/saphelp_nw70/helpdata/en/52/671449439b11d1896f0000e8322d00/frameset.htm
    BR
    Sandra

  • Obsolete authorization objects in APO

    Hi Experts,
    I have to create one role in APO in which I have to manually insert authorization objects.When I try to do so, for some authorization objects I get error message "Authorization object is obsolete" and the authorization object does not get inserted.This might have happened because of upgrade.
    Is there anyway to determine how to find authorization object corresponding to obsolete authorization objects in upgraded system?
    Edited by: AnikaGupta on Dec 20, 2011 1:41 PM

    Hi
    I don't have much experience with APO security specifically or with regards to do what do with obsolete objects; but in general - I would say that obsolete auth object's description/documentation would provide hints to the object which should replace the object in context (for example object S_XMB_DSP). I would like to ask as to why are you trying to add this object manually - accepting if its an exception/necessary but see if you can resolve it by t-code addition in menu and checking what all auth objects are pulled - and building a solution based on SU24 proposals (depends if the obsolete object is called for this transaction in SU24 - maybe it does not)  -  if its an obsolete object you might want to edit its status in SU24 as do not check (apart from basis/hr objects)
    Best Regards
    Prashant

  • Manually added Authorization object

    All ,
    What is the impact for manually added authorization objects in the roles after the system upgrade??

    My 2 cents, since I don't see any replies.
    I try to avoid manual auth objects on a role as much as possible.  One problem with manually auth object is in PFCG, it will not give a reference to what transaction the auth object came from.  Unless thoroughly documented this can be an audit issue. 
    In regards to upgrades, I don't this it will have any affect.  It is usually the tcodes that are affected.

  • Authorization Object for Sale Organization check

    Hello all,
    I have create a Z Report.Now the requirement is that only certain users belonging to a particular Sales Organization can run that report.
    Which standard Authorization Objects can be used for this case.
    regards,
    Ujjwal Kumar

    P577815 wrote:>
    > Hey,
    > Thanx for your reply....)
    > Actly new to abap thats y not much idea.Instead of your Auth Obj,can i use V_KNA1_VKO.
    Hello,
    But V_KNA1_VKO also has these params:
    VTWEG      Distribution Channel
    SPART      Division
    V_VBRK_VKO also has only Sales Org(VKORG). I think that suits your req.
    But before deciding on the Auth. Obj please read the documentation & check that it suits your req.
    BR,
    Suhas

  • Authorization Object: P_ORGXX - fields can be from a custom infotype ?

    I need to create a customer-Specific Authorization Object, but the documentation states that we can use any of the fields in IT0001, and also customer-specific additionald fields. But we need to know if those additional fields can be from a custom infotype.
    If it is not possible, we need to replicate the std P_ORGXX and the way it validates the field pa0001- SACHZ. But with fields from a custom infotype. Is there any way to do it?
    I hope you can help me with this.
    Regards,

    Hi,
    Try the link from SAP as reference for authorization object creation and how functionality for authorization object works w/ infotype.
    http://help.sap.com/saphelp_470/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm
    http://help.sap.com/saphelp_470/helpdata/en/16/b8b83b5b831f3be10000000a114084/content.htm
    Thanks,
    Ameet

  • Reg :authorization objects

    hai..
      This is manny...i would like to congrats for all sdn users.plz let me know about.. what is the exact meaning of authorization object and object classes and authorization fields.i have little bit confusion regarding dis on.i want exact meaning of those ones.plz provide any documentations.
    what is the use of authorization object and authorization fields and object clases and .where we used..?
    Thanks and Regards,
    MANNY..

    Hi Manyam,
    Please see the links and get the solutions.
    http://help.sap.com/saphelp_nwmobile71/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm
    http://help.sap.com/saphelp_nw70/helpdata/en/52/6716a6439b11d1896f0000e8322d00/content.htm
    Regards,
    Anil

  • BW Custom Authorization Objects

    We are in need of enabling authorization checking on several characteristics in BW.  I have enabled authorization on the characteristic and created authorization objects for them.  When I add them to a role and try to add values, I get a message SA303 saying that table /BI0/M**** (eg. SALES_OFF) does not exist.  I have narrowed this to occuring only on characteristics that do not have attributes.
    Is it possible to use a text only characteristic as a authorization object?  If so, how do I get past the message during creation/maintenace of the role.  I tried just typing in the values.  The system accepts them, but does not appear to execute the check correctly.
    Thanks in advance for your assistance.
    Regards,
    Kevin

    Hi Kevin,
    please have a look at the documentation on authorizations for master data:
    http://help.sap.com/saphelp_nw04s/helpdata/en/e3/e60138fede083de10000009b38f8cf/frameset.htm
    regards,
    Tanja

  • Authorization object for Profit Center in BW

    Hi,
    I have question regarding BW security. I want to restrict users access based on profit center ie i mean to ask is there any authorization object in BW, where i can specify Profit Center values and create role, where i can further assign this role ans restrict authorization to that particulat profit center.
    Thanks in Advance
    Shiv

    Hi Siva
    The security concept in BW is a bit different from the R/3 security concept.
    In BW you need to create an authorization object in RSSM (or rsecadmin in NW2004 and forward), for these kind of organizational/Data driven authorization checks. In RSSM you'll need to link it to the Info Object for your profitcenter and to activate it for the relevant cubes.
    My guess is that your working with at profitcenter hierarchy - in this case you need to look at the authorization for hierarchies concept - this is maintained in RSSM as well - for documentation on this check this link:
    http://help.sap.com/saphelp_bw33/helpdata/en/8b/134c3b5710486be10000000a11402f/frameset.htm
    The actual roles can still created i PFCG.
    regards
    Morten Nielsen

Maybe you are looking for

  • ITunes movie will not play on my plasma tv

    when i connect my imac to my samsung plasma tv and try to play an itunes movie i rented - an error message pops up.  I can't view the movie on my tv - it won't allow it to play

  • Can't select WEP security setting.

    Hi, I just set up a DPC3825 router, and I wanted to use WEP security settings so my DS Lite can connect to the internet, but it appear the only options in the Wireless > Wireless Security dropdown list are : WPA-Personal WPA2-Personal WPA or WPA2-Pe

  • How to add purchased filter to Photoshop CC? [was:filter]

    как добавить купленный  фильтр в Photoshop cc? How can i add bought filter at photoshop cc?

  • Creative cloud problem for loading

    Hello, in creative cloud, when I click on App , there is the round for "loading" and never end . I have Pc and I would to up load Illustrator . thanks for your help

  • SSL_ERROR_NO_CYPHER_OVERLAP

    Hi, We just installed 6.1 SP2 on Solaris 9 (Sun V220). Does anyone know what this error means? [04/Oct/2004:14:50:16] failure (13865): HTTP3068: Error receiving request from 64.63.212.52 (SSL_ERROR_NO_CYPHER_OVERLAP: no common encryption algorithm(s)