Authorization object in procurement that checks user role

Hi Experts,
   Please let me know if we have any standard authorization objects in the transactions PO or PR that check the SAP user role. The authorization check can be done by SAP role; we are not bothered about checking on company code, purchase group and so on. Is there any standard procedure to find that out, or any function module available to check that by passing the user role?
Cheers
Mohan
Edited by: Rob Burbank on Feb 19, 2010 12:24 PM

The easiest way to find all authorization objects is to execute SU24.
There you enter the transaction code for which you want to find the authorization objects.

Similar Messages

  • Check user role/authorization during Web report run-time?

    Hello again,
    I ran into a problem. I need to check user's authorization during web template execution (run-time). I want to have a possibility to allow in one web template extra functionality (through template menu) to key users. Normal users, who are running the same report, should not have this extra menu visible.
    Is it possible to check user authorizations or roles during web-template run-time?
    Thank you!
    Vitaliy

    Hi Harinam,
    From my logic you are right.
    The restriction is in two new roles (Requestor and Approver role).
    But ->
    If I assign my approver role, the selection possibilities of the request types during the AR creation are restricted and the AR search function does not work.
    If I assign my requestor role, the restriction of the request type is not there, but the AR search function works again. :-(
    If I assign the original approver role of SAP, I have the same behaviour for the AR search.
    Both new roles are a 1:1 copy of the SAP standard roles -> Exception, restriction on request type 'Exception Approval' is not displ.
    I have executed ST01 now. If I try to open the log, the system says "No records that correspond to these search criteria".
    But I have found something else.
    The problem appears only if I search for Process ID "Access Request Approval Workflow".
    If I select other Process ID such as "Control Assignment Approval Workflow" or "Fire Fighter Log Report Review Workflow", everything works fine.
    Very strange!
    BR
    Melanie

  • Error in LIME Query-Authorization object C_Lime_Loc  cannot be checked..

    hi,
    I am very new to SAP Basis. I am facing the error mentioned in the subject for one of the users in a client when I run T-code MM03. SU53 is showing successful.
    Temporarily, I have provided the user with profile SAP_ALL along with the roles specified for the user, and things are working fine.
    I have tried assigning this object to all the roles of the user, but still in vain. I request some guidance to resolve this problem and thus remove the SAP_ALL profile from the concerned user. Thanks in advance.
    Edited by: Selva kannan on May 5, 2008 2:13 PM

    Hi,
    Hearty thanks for your feedback.
    Actually the error reads: Error in Lime Query: Authorization object C_Lime_Loc cannot be checked.
    SU53 is displaying last authorization is successful.
    I have already added the object C_LIME_Loc to all the roles and checked the T-code MM03 without the SAP_ALL profile, but it failed.
    I compared the T-code SU24 output for the user once with the SAP_ALL profile and once without SAP_ALL and found both have the same (identical) checked values. I need help, as I feel that there is some authorization in SAP_ALL which is missing in my roles. How do I detect this? How do I check the objects in SAP_ALL related to this error?

  • Authorization object not to allow certain user to enter sloc PO

    Dear All,
    I have managed to go to SU21 to create, under MM purchasing, an authorization object called Y_BEST_LOC with the fields Acty and LGORT. Other than that, I have inserted a check item under program RM06ENHI. After that I went to SU24 to assign the transaction code check for ME21 and ME22. Under field value for ME21, for my new object I want to assign value (interval) = $LGORT, but I don't know how, so I left it blank.
    Coming to the user profile, I added this object to the authorizations to check, and allowed only locations 0001 and 0002. But the user can still save the PO when choosing 0004, without error. I want to know the missing step that should be done to prevent certain users from ordering under storage location 0004.
    Kindly suggest and guide me. thanks in advance
    Regards
    Aishah

    ME21/ME21N doesn't even check if the material is extended to the storage location entered in the PO. I don't think what you did is enough to restrict users per storage location; you need to find a user exit or BAdI and do the authorization check in your custom code:
    AUTHORITY-CHECK OBJECT 'Y_BEST_LOC'
             ID 'ACTVT' FIELD '01'  "Create
             ID 'LGORT' FIELD '0002'. "Storage Location 0002
    IF SY-SUBRC = 0.
      " User has authorization
    ELSE.
      " Error message stops processing when the check fails
      MESSAGE 'Not authorized for storage location' TYPE 'E'.
    ENDIF.
    You may have to use the following Business Add-In (TCode SE18):
    ME_CHECK_ALL_ITEMS: Run Through Items Again in the Event of Changes in EKKO

  • Authorization Object for Sale Organization check

    Hello all,
    I have created a Z report. Now the requirement is that only certain users belonging to a particular Sales Organization can run that report.
    Which standard authorization objects can be used for this case?
    regards,
    Ujjwal Kumar

    P577815 wrote:
    > Hey,
    > Thanks for your reply....)
    > Actually new to ABAP, that's why not much idea. Instead of your Auth Obj, can I use V_KNA1_VKO?
    Hello,
    But V_KNA1_VKO also has these params:
    VTWEG      Distribution Channel
    SPART      Division
    V_VBRK_VKO also has only Sales Org (VKORG). I think that suits your req.
    But before deciding on the Auth. Obj please read the documentation & check that it suits your req.
    BR,
    Suhas

  • Update the authorization object value for more than 1000 role

    I need to remove one of the activity values (06) from authorization object S_SCD0.
    I did a search and found out that there are more than 1000 roles which have the activity value = 06 for authorization object S_SCD0.
    However, I don't think I can create a SCAT script to update all these 1000 roles, and I believe it's going to be very tedious if I manually change them one by one. Hence, I am wondering whether there is any standard program/function which I can use to automate the above changes for all these 1000-plus roles.
    Kindly advise.
    Thanks

    Directly updating the table is the easiest way, but should be discouraged for the obvious reason.
    You should take a step back and take a long-term view: when you need to update 1000 roles, maybe a role redesign is needed. For example, if you can change the role model to a derived role model, one update to the parent role will take care of all the child roles.
    Thanks,
    Lye

  • Checking user roles in FI Module

    Hi,
    Please let me know the points to be considered while checking the security and authorization in FI modules based on a user role.
    Thanks,
    Sridevi

    Hi,
    While defining the security roles, as a first step Composite roles and Single roles are created. Transaction codes are attached to Single roles. A group of Single roles is attached to a Composite role.
    Based on business requirements / organization structure in the company, in the sense of VP Finance / Controller / Sr. Manager / Manager etc., the composite roles and single roles are assigned to the positions. For example, Vice President Finance will have full authorization to all composite roles.
    Some of the users require only display authorization, in which case a role is created only incorporating transaction codes which display documents.
    Thanks
    Murali.

  • Authorization object to display BSP check boxes

    Hello,
    I'm trying to find the authorization object so as to display the BSP check boxes. Because I can display BSP properly (I have BSP_APPL) but not the BSP check boxes. The user having all the authorizations can see the check boxes OK.
    Please, can you help me?
    Thank you

    It's not an authorization object, just portal authorization. I'm going to open a new thread.

  • One or more Object are missing in the User Role

    How to assign/add Objects to the User Role?
    Thank you in advance

    I don't understand exactly what you want to say... are you talking about how to generate roles?
    Please go to the PFCG transaction and enter the role name,
    then go to change mode and maintain the values or the object.
    From the SAP menu you can switch on the technical names for your reference.
    Regards
    Prakhar

  • Authorization Object for BPs that works like CRM_ORD_LP (via Org Model)

    Hello Community,
    we have the requirement to restrict users to create BPs for specifc sales organizations only. I know there is CRM_BP_SA, this works perfectly but has the disadvantage that the Sales Org ID needs to be maintained in the PFCG role. As the IDs are different on D, Q and P we have to maintain PFCG roles on all these systems.
    To avoid this we need something like the object CRM_ORD_LP for Business Partners,  to derive the users sales org from the organizational model assignment of the user.
    I don't think that there is a standard object for that, did anyone of you implement something like that?
    Thanks for your answers,
    Fabian
    Edited by: Fabian Nothacker on Jan 28, 2010 4:41 PM

    Fabian, I have two suggestions.
    One:
    If possible keep the same Sales Org ID changing it
    In SPRO, CRM->Master Data->Organizational Management->Maintain number ranges
    Select subgroup 01$$ and select "Number range maintenance" . Here you can change the intervals.
    Second:
    You might think about creating your own authority object.
    To do this, basically you have to:
    Create a new auth. object in transaction SU21, adding parameter fields.
    Implement BAdI CRM_ORDER_AUTH_CHECK, methods CRM_ORDER_ADD_AUTH_CHECK and CRM_RFW_CALL_AUTHORITY.
    Add the new object to your PFCG profile.
    Good luck,
    Lalas
    Edited by: Laercio P. Azevedo on Feb 1, 2010 9:51 PM

  • How to check user role/profile

    Dear all,
    I'm looking for a function module to get a list of the profiles/roles of a user. Would you please advise me on this?
    Btw, if you have any other advice please feel free to let me know.
    Thanks in advance.
    Peersit

    I've just found the related threads on this site.
    User Profile Details
    Re: User Profile Details
    User Wise Authorization/profile report needed
    User Wise Authorization/profile report needed
    Have a good day.
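
One way to list a user's role and profile assignments, as asked in this thread and in the opening question about checking a user's role, using the standard BAPI_USER_GET_DETAIL (an added example, not code from any poster; the report name ZDEMO_USER_ROLES and the parameter P_USER are hypothetical):

```abap
REPORT zdemo_user_roles.  " hypothetical report name

PARAMETERS p_user TYPE bapibname-bapibname DEFAULT sy-uname.

DATA: lt_roles    TYPE STANDARD TABLE OF bapiagr,
      ls_role     TYPE bapiagr,
      lt_profiles TYPE STANDARD TABLE OF bapiprof,
      ls_profile  TYPE bapiprof,
      lt_return   TYPE STANDARD TABLE OF bapiret2,
      ls_return   TYPE bapiret2.

START-OF-SELECTION.
  " Standard BAPI: returns role (activity group) and profile assignments.
  CALL FUNCTION 'BAPI_USER_GET_DETAIL'
    EXPORTING
      username       = p_user
    TABLES
      activitygroups = lt_roles
      profiles       = lt_profiles
      return         = lt_return.

  " Stop on errors such as a user that does not exist.
  LOOP AT lt_return INTO ls_return WHERE type = 'E' OR type = 'A'.
    WRITE: / 'Error:', ls_return-message.
  ENDLOOP.
  IF sy-subrc = 0.
    RETURN.
  ENDIF.

  " Only assignments whose validity period covers today are effective.
  WRITE: / 'Roles valid today for', p_user.
  LOOP AT lt_roles INTO ls_role
       WHERE from_dat <= sy-datum AND to_dat >= sy-datum.
    WRITE: / ls_role-agr_name, ls_role-from_dat, ls_role-to_dat.
  ENDLOOP.

  WRITE: / 'Profiles:'.
  LOOP AT lt_profiles INTO ls_profile.
    WRITE: / ls_profile-bapiprof, ls_profile-bapiptext.
    " SAP_ALL grants every authorization regardless of the roles listed above.
    IF ls_profile-bapiprof = 'SAP_ALL'.
      WRITE: / '  -> full authorization profile assigned'.
    ENDIF.
  ENDLOOP.
```

A role name is only a container: AUTHORITY-CHECK evaluates the authorization values in the user's profiles, so access decisions in code should test an authorization object rather than compare role names.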

  • Authorization Object - Checks

    Hello Experts,
    We make use of authority checks in our applications which require user authorization.
    For example, the Sales application makes use of the standard authorization object 'V_VBAK_VKO'.
    AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
           ID 'VKORG' FIELD VBAK-VKORG
           ID 'VTWEG' FIELD VBAK-VTWEG
           ID 'SPART' FIELD VBAK-SPART
           ID 'ACTVT' FIELD DA_ACTVT.
    The above check is a combination of business fields like Sales Org (VBAK-VKORG) etc. and the type of activity (DA_ACTVT),
    for example '01' for create and '02' for change.
    My requirement is to have a pure activity-based check.
    Can we use the same check without business fields and have only the activity type? For example:
    AUTHORITY-CHECK OBJECT 'ZOBJ'
           ID 'ACTVT' FIELD '02'.
    Syntactically it seems to be correct.
    Is this a correct usage?
    Thanks and Regards,
    Ravish.

    Hi,
    Yes, you can do so, but it's not a good option; at least one field you should maintain in the authorization check.
    e.g.
    AUTHORITY-CHECK OBJECT 'ZOBJ'
    ID 'VKORG' FIELD wa_VBAK-VKORG
    ID 'ACTVT' FIELD '02'.
    But there is no harm; without a field you can also create it.
    Regards
    Arbind

  • Authorization object assignment on USERS

    Hi,
    I have to maintain authorization objects in transaction types and users in our company, such that the executives (management of all org. units) of the company are able to see all the transactions including activities within the whole company.
    On the other hand, the employees (not executives, belonging to a specific org. unit) should be able to see ONLY the transactions belonging to their org. unit.
    Useful info is available at: http://help.sap.com/saphelp_crm50/helpdata/en/26/99973915e69238e10000000a11402f/frameset.htm
    But where and how are these authorization objects assigned?
    Kindly help, thanks, all answers appreciated.
    Jacob.

    hi Jacob,
    Look at Identity Management (http://help.sap.com/saphelp_nw2004s/helpdata/en/81/0e0f61b566dc44bbb4055b3ccd25be/frameset.htm), maybe it helps you.
    Regards.
    Manuel

  • What User authorization objects needed for connecting to SAP from xMII?

    We enter an SAP user and password for connecting to SAP from xMII to retrieve the metadata of the incoming IDocs.
    When I specify a user with SAP_ALL user profiles, the IDocs are received properly in xMII. If I specify a user with privileges to run only certain transactions, IDocs are not received in xMII.
    What user authorization objects are needed for this user to connect to SAP from xMII?
    Thanks,
    Sara

    Sam,
    I turned on the SAP System trace for this user and figured out the following auth. objects are required for receiving IDocs in xMII:
    C_TCLA_BKA
    S_RFC
    S_CTS_ADMI
    B_ALE_MAST
    S_IDOCDEFT
    The following auth. object is required for making JCO call to SAP from xMII:
    C_AFRU_AWK
    Thanks,
    Sara

  • Authorization Object for data downloading from application server

    Hi friends ,
    My program downloads and uploads data from the application server.
    My requirement is:
    Authorization checks should be performed on the server directories to ensure that the user has access to read and write to the directory. It should check the s_dataset authorisation object for this. If a user does not have the s_dataset authorisation object, no upload or download should be allowed.
    Can you please tell me how to deal with this? How do we check the above condition?
    Many thanks ,
    Hemant

    hi,
    This is not a single-step process.
    First of all you have to create a field for authorization for server directories from SU20 and then create an authorization object from SU21. Then define a role from PFCG with this authorization object and assign this role to the user profile from SU01 with values defined.
    Then you have to call this authorization object in your program at the selection screen.
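
The S_DATASET check asked about in this thread, done with the standard function module AUTHORITY_CHECK_DATASET at the selection screen before the file is opened (an added example, not code from either poster; the report name ZDEMO_DATASET_AUTH and the parameters P_FILE and P_WRITE are hypothetical):

```abap
REPORT zdemo_dataset_auth.  " hypothetical report name

PARAMETERS: p_file  TYPE authb-filename LOWER CASE OBLIGATORY,
            p_write AS CHECKBOX.  " set = write server file, clear = read it

DATA: gv_activity TYPE authb-actvt,
      gv_line     TYPE string.

AT SELECTION-SCREEN.
  " S_DATASET is checked per program, activity and physical file name.
  IF p_write = 'X'.
    gv_activity = 'WRITE'.
  ELSE.
    gv_activity = 'READ'.
  ENDIF.

  CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
    EXPORTING
      program          = sy-repid
      activity         = gv_activity
      filename         = p_file
    EXCEPTIONS
      no_authority     = 1
      activity_unknown = 2
      OTHERS           = 3.
  IF sy-subrc <> 0.
    " Error on the selection screen: the user cannot proceed to file access.
    MESSAGE 'No S_DATASET authorization for this file and activity' TYPE 'E'.
  ENDIF.

START-OF-SELECTION.
  IF p_write = 'X'.
    OPEN DATASET p_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  ELSE.
    OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  ENDIF.
  IF sy-subrc <> 0.
    MESSAGE 'File could not be opened' TYPE 'E'.
  ENDIF.

  IF p_write = 'X'.
    TRANSFER 'constructed sample line' TO p_file.
  ELSE.
    DO.
      READ DATASET p_file INTO gv_line.
      IF sy-subrc <> 0.
        EXIT.
      ENDIF.
      WRITE: / gv_line.
    ENDDO.
  ENDIF.
  CLOSE DATASET p_file.
```

OPEN DATASET itself also checks S_DATASET at runtime; the explicit call lets the program refuse cleanly on the selection screen instead of ending in an unhandled exception.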
