Authorization object in SAP BI Role

Similar Messages

• Change authorization object in a derived role

  Hi Gurus,
  What's happen if someone has added a new authorization object in a derived role?
  He has only changed some derived role, not the parent role, he added manually a new value in the authorization field. The parent role didn't changed.
  <u>Note:</u>The field was not an organizationnal field, it was S_DATASET.
  What do you think about this ?
  Thanks
  Hery-zo

  Do i understand this right??? do functional teams have access to PFCG to create roles???
  If so that is your real problem, as that shoudl never been doen that way. You are completely right functional consultants have no clue about how roles should be build. advise:
  1 take away the access to PFCG in ALL systems for anybody other than security consultants administrators.
  2 ask all functional teams to describe the roles points to be adressed:
     A TRX in every role
     B all wanted restrictions on every TRX (described functionally)
     C orglevels on which restrictions should be build.
     D Test process for every TRX in every role (both positive and negative)
     E  check all roles against table USOBT and look for manually added objects,  
         if they can not give a good reason for adding these REMOVE them.
  3 retest all roles based on point 2D, ask the funcxtional consultants to assist where needed. Adjust roels during testing where needed, but create a good auditable record for every change.
  4 Update USOBT_C (use TRX SU24) for all changes you apply during testing
  5 check your roles for the corrected TRX after this change and update the other roels involved as well.
  6 ONLY allow roles that have followed the above process to go to Production.
  The above steps are the only way to create a secure SAP Production system for you!

• Role creation and authorization objects in sap

  Hi
  i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
  Please explain the process in detail the use of PFCG and all its options and how to create Z roles

  Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
  - Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.
  - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
  For e.g. If a user wants to create a PO we can restrict him on:
  u2022     Activity : Create/Change/Display
  u2022     Org elements like Company Code, Plant, Purchase Organization etc
  u2022     Document type etc.
  - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
  - Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
  - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
  - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
  - Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.
  Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

• Authorization object for a technical role

  Hi all,
  I have a technical role "SM_ORDERAPPROV_00", to which I need to find out the authorization object.  Could anybody help me in finding this.  I searched this in SUIM also, but I didn't find any.
  Thanks,
  bsv.

  Hi,
  Please check in transaction PFCG.
  Regards,
  Renjith Michael.

• Webdynpro ABAP content authorization object in SAP portal ?

  Hi
  We are on EHP 6.06 , we have an authorization problem in sap portal for the webdynpro abap content. our standart users got the error "page can not be found" for the services provided from webdynpro abap. when I assign the user to administrator group in sap portal the services working fine. I also checked the SAP ERP roles no problem is there.  I guess I should create a new portal role for them cause its the only difference between users who can reach or not but have no idea what to put in it in SAP portal. Any idea ?

  in portal content directory => double click on the Content provided by sap folder. Than you should have a dropdown somewhere where you can select "Authorizations". You should add the group endusers and check the checkbox.

• Newly Created authorization Objects after SAP Upgrade

  Can someone tell me whether there is any transaction or table that display the added object authorizations after a Sap Upgrade ?
  Thanks in advance.

  Also, you can check SAP_NEW profile which shows which authorization objects have been added in which release.

• Authorization object for SAP PO price change

  Hi Experts,
  Our customer has a requirement regarding PO Price change. The user should be able to create PO, Change the PO except the PO price once it putted.
  What is the authorization object and authorization value for it ?
  Can anybody help me?
  Thanks
  Asad

  Dear Asaduzzaman,
  You can achieve the same by creating transaction variant using SHD0 transaction.
  I think below mentioned document may help you to resolve your issue.
  How to Create a Transaction Variant
  Regards,
  Hardik Patel

• BI Authorization Objects paste into a Role,

  Hello,
  i want a User, wich can work only with one Hierarchie node.. Wich Object i Need !??
  Best Regards
  barish

  Hi,
  With  Node, can select nodes for a hierarchy that you created previously for the characteristic 0TCTAUTH in hierarchy maintenance. The authorizations are available as virtual master data for the characteristic 0TCTAUTH and can be grouped hierarchically in order to create thematic arrangements.
  The authorizations that were just inserted are marked. This allows you to undo incorrect entries immediately.
  GTR

• Mass change of authorization objects in several roles

  Hello,
  we have to change a authorization object in almost 200 roles. Is there any possibility for mass change of authorization objects in several roles? We don't use the central SAP user administration.
  Best Regards
  Andreas Walter

  > at the moment all entries has the value "*". We want to change this value into "0001".
  Good!
  Here comes:
  1- download all relevant roles in once from PFCG. Make sure you use an appropriate codepage so you don't loose special characters in the role and menu texts.
  2- copy and backup the download file
  3- in the download file (is a text file)  look for all lines starting with AGR_1251 and conatining M_MATE_WGR and the field you want to change
  4- take out the star and two spaces and replace by 001. This file is a set of fixed record length table exports and keeping the original length is very important.
  5- upload the edited file and generate the profiles.
  As you may see this is not SAP standard and completely at your own risk. Best try in a sandbox client first.
  Good luck!
  Jurjen

• [SAP-PM] Restrict authorization object

  Dear All,
  Currently, I have some querries with authorization. Below are the details:
  1. Authorization Object : I_AUART --> Order type
  2. 2 roles use same authorization object (Let's say Role 1 and Role 2)
  3. One is to change and other is only display
  4. Let's say the order type are (I_AUART) : PM01 - PM05
  5. Role 1 (change) contains PM05
  6. Role 2 (Display) contains PM01-PM04
  And the question is:
  What should I do to assign that roles into one user name. In condition that the related user name only able to change order type PM05, and on the other side user still able to display all order types?
  Many thanks for your incoming advice.
  Kind Regards,
  MD

  hi
  while creating roles itself in the USER tab page assign this to the user id .after specified the user id then both the roles will be seen for that user id
  for other user create seprate role for diplay only for all order types and assign to the respective user id
  or use T code SU10 select the user id and specify the roles created for the respective user
  regards
  thyagarajan
  Edited by: thyagarajan krishnamurthy on Jan 15, 2008 4:07 PM

• Copying values of a singular authorization object between roles?

  Suppose I have an authorization object assigned to a role and its fields hold a large amount of data (say S_TCODE with a lot of transaction codes specified via ranges). Suppose further that I want to have this same object with this same data in another role. The other objects of the two roles are different and I'd rather not type the large amount of data into the authorization object again.
  Is there a way to copy/paste just one authorization object between two roles?
  I know how to make a copy of an authorization object and its values within the same role, but I haven't found a way to copy between roles.
  ursa

  Hi Ursa,
  I havent come across any export object kinda thing...
  This may help you in practical situation...
  Let us consider your particular requirement related to s_tcode.
  for that go to suim -
  transactions -> executable for role .
  Give the role name get the list of transaction codes.
  Download into excel file. then copy from there and paste into your new role menu or in s_tcode object.
  Mostly we dont get that much list for other objects.
  One more thing you can do.
  click on display tab beside the object in your source role, you get the list window.
  type ctrl + Y and then copy the 7-8 lines and paste it in the object of new role.
  Cheers.
  Shamish
  Message was edited by:
          Shamish Lele

• BSP_ALL authorization object for BSP Application

  We develop a BSP Application and want to give the correct authorization object in the user roles.
  After looking on help.sap.com We see, we must add the BSP_ALL object and give the name of the application.
  I add the object in the role but it not visible in the role. In the profile I see the object but it's not possible to me to change the value ' '.
  Why can I see this object in the role ? and how can I adapt the value of this object ?

  The class of this Object CRM is not defined on the table TOBCT

• Authorization Object for data downloading from application server

  Hi friends ,
     My program downloads and uploads data from the application server .
  My requirement is  ,
  Authorization checks should be performed on the Server directories to ensure that the user has access to read and write to the directory. It should check the s_dataset authorisation object for this.. If a user does not have the s_dataset authorisation object no upload or download should be allowed.
  Can you please tell me how to deal with this ? how do we check the above condition ??
  Many thanks ,
  Hemant

  hi,
  This is not a single step process.
  First of all you have to create a field for authorization for server directories from su20 and then create authorization object from su21.then define a role from pfcg with this authorization object and assign this role to user profile from su01 with values defined.
  Then you have to call this authorization object in your program at selection screen.

• Authorization objects in RAR not updated

  Hi everyone,
  i'm facing an issue with RAR (GRC 5.3, SP10): i've just imported the authorization objects from SAP (SE38 -> /VIRSA/ZCC_DOWNLOAD_SAPOBJ -> saved in UTF8 format), but when i look the  function in the rule architet the authorization objects setting are not the same:
  Example: in SAP the transaction F-04 needs the auth obj  F_BKPF_BLA/BUK/KOA (i use transaction SU22 to check the auth obj) and the export file has the same settings:
  F-04     F_BKPF_BLA     ACTVT          
  F-04     F_BKPF_BLA     BRGRU          
  F-04     F_BKPF_BUK     ACTVT     01     
  F-04     F_BKPF_BUK     BUKRS     $BUKRS     
  F-04     F_BKPF_KOA     ACTVT          
  F-04     F_BKPF_KOA     KOART     $KOART     
  In RAR the transaction F-04 is in the function AP01, AR01, AR02, GL01. The transaction has different settings in every function: in AP01 there is only F_BKPF_KOA in status active, in AR01 there are F_BKPF_BUK and KOA in status active,...
  I re-generated all the rules, but the settings are still the same.
  I think the settings must be the same.
  Am i right?
  Thanks in advance!
  Luigi

  Luigi,
    The function has all the associated auth objects, right? All the auth objects/permissions may not be enabled in the function. As you are using standard SAP ruleset, SAP has determined that the combination of F-04 and associated enabled auth objects create violation when assigned with another set of tcodes and auth objects. You can always enable all the auth objects if that is what makes sense as per your business.
  Can you go through the RAR config guide to get an understanding on this?
  Regards,
  Alpesh

• F9K3 and authorization object in su24

  Hello,
  We want to add authorization object F_KNA1_BUK to new role for check in F9K3 transaction.
  The problem is it is not being checked. I tried to debug and stop on authority-check but it's not stopping on this object.
  But the object is showned in transaction SU24 - as CHECK / NO.
  So it should be checked during F9K3 transaction run, correct?
  Anyone knows what we're missing here ?
  Thank You in advance for help,
  Best regards,
  Artur

  Hi,
  What appears in SU24 is not a reliable indicator of what is actually checked.  It may be that F_KNA1_BUK is checked at some point depending on either how the tx is used or what menu options are used but I wouldn't bet my house on it.
  Cheers