Authorization Object inactive in PFCG

Hi,
We created an authorization object for a Z BSP application that is used in htm page.
When I try to create a role allowing that authorization object in PFCG, the auth. object remains inactive and there is no possibility to activate it.
Does anyone know how I can activate this object?
Many thanks.

I was having the same problem. I was adding an auth object S_ASAPIA of class BC_Z to role (both manually or via Selection Criteria, the authorization is in the selection criteria list) but for some reason I could not make it active, the authorization is brought into the role as inactive. After some digging I realized the problem by looking up the authorization object in SU03. When I tried to check for authorizations associated with the authorization object in SU03 I got an error message:
No fields have been maintained for this object
Message no. 01231
Checking table TOBJ I realized that this is not the only such problem:
Here are 4 objects in my ECC system that have the same problem. ([ObjectID] [Object Class ID])
K_ORGUNIT     CO
S_ASAPIA     BC_Z
S_RS_PPMAD     RS
ZSTAT     BC_A
I found these auth objects by searching for blanks in the field FIEL1 in table TOBJ.
By the way I also found a number of objects that were not assigned to a valid Authorization Object Class. PFCG will not allow you to add these objects at all, even though they do exist in table TOBJ. ([ObjectID] [Object Class ID])
CRMCONFMOD     CRM
CRM_WSC     CRM
CRM_WST     CRM
PLM_LAYOUT     PLMB
RSCRMBUPA     RSAN
RSCRMEXTR     RSAN
RSCRM_TG     RSAN
RSDMEENGIN     RSAN
RSDMEMBW     RSAN
RSDMEMODEL     RSAN
S_ESH_T_BG     TST
S_ESH_T_MT     TST
S_ESH_T_PR     TST
I found these objects by copying all the classes in table TOBC and filtering out all the records in table TOBJ using exclude values in the field OCLSS. The resulting list is those objects not assigned to a valid object class.
Note that most of this data was SAP delivered.
Hope this helps to answer this Q.
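The two table checks described in the answer above, written as an added example that is not part of the original post. It runs over SE16-style exports of TOBJ and TOBC; the semicolon-delimited layout, the sample rows and the function names are assumptions, while OBJCT, OCLSS and FIEL1 are the tables' field names.

```python
import csv
import io

# Constructed sample exports. The first four TOBJ object/class pairs are ones
# quoted in the post; ZDEMO_OK, ZDEMO_BAD, ZCLS, ZNOCLS and all FIEL1 values
# are made-up placeholders, not real system content.
TOBJ_EXPORT = """
OBJCT;OCLSS;FIEL1
S_ASAPIA;BC_Z;
K_ORGUNIT ;CO   ;
CRM_WSC;CRM;ZFIELD
PLM_LAYOUT;PLMB;ZFIELD
ZDEMO_OK;ZCLS;ACTVT
ZDEMO_BAD;ZNOCLS;
"""

TOBC_EXPORT = """
OCLSS
BC_Z
CO
ZCLS
"""


def load(text):
    """Parse a semicolon-delimited export and trim the padding exports add."""
    reader = csv.DictReader(io.StringIO(text.strip()), delimiter=";")
    return [
        {k.strip(): (v or "").strip() for k, v in row.items() if k is not None}
        for row in reader
    ]


def objects_without_fields(tobj_rows):
    """Objects whose FIEL1 is blank: PFCG adds them, but only as inactive."""
    return sorted(
        (r["OBJCT"], r["OCLSS"]) for r in tobj_rows if not r.get("FIEL1")
    )


def objects_with_unknown_class(tobj_rows, tobc_rows):
    """Objects whose OCLSS has no row in TOBC: PFCG will not offer them."""
    known = {r["OCLSS"] for r in tobc_rows}
    return sorted(
        (r["OBJCT"], r["OCLSS"]) for r in tobj_rows if r["OCLSS"] not in known
    )


def audit(tobj_text, tobc_text):
    """Run both checks; an object can legitimately appear in both lists."""
    tobj, tobc = load(tobj_text), load(tobc_text)
    return {
        "no_fields": objects_without_fields(tobj),
        "unknown_class": objects_with_unknown_class(tobj, tobc),
    }


if __name__ == "__main__":
    for check, hits in audit(TOBJ_EXPORT, TOBC_EXPORT).items():
        print(check)
        for objct, oclss in hits:
            print(f"  {objct:<12}{oclss}")
```
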

Similar Messages

  • Authorization Object for 0TCTBISBOBJ - restriction field too short in PFCG

    Dear all,
    I created an authorization object (TA: RSSM) with the InfoObject 0TCTBISBOBJ and 1KYFNM. When I restrict my authorization object in TA: PFCG, I can only type in 11 letters for InfoObject 0TCTBISBOBJ but I need 12 because of a bad naming convention. Working with more than one asterisk (*) in this field is not working!
    Does anyone know how to manage this problem?
    Thanks in advance
    F. L.

    Martin,
    It is not possible to restrict this in CRM.  The person, organization, and group influences the type of address for the business partner.  There are no user exits available in CRM 4.0 that are at the point to perform an authorization check on this value.
    I had to unfortunately debug and read much of BUPA_DIALOG_JOEL before reaching this conclusion.  The only way to achieve this would be to write a custom front-end to the BP transaction or PCUI screens for business partners.
    Hope this answers your question,
    Stephen

  • Red Light with Authorization Object in PFCG

    Hello All - I have a question with authorization objects, there are three roles with red lights 'ON' in authorization object screen in our PRD. However users who are using these roles have no auth issues, standard procedure is to make all lights green in PFCG by maintaining these auth objects.
    Big question is "what is the downfall by leaving these objects RED?" I need to support my theory when I say all lights green with auth objects.
    Why best practise says maintain all lights to green?
    Please suggest, appreciate your suggestions.
    Thanks.
    Edited by: AJ on May 12, 2009 9:44 PM

    Hi,
    > "What will be the difference between leaving that red lights 'ON' vs "disabling" these red objects? (I am bit confused on this).
    Red Object: As you know, authorization Objects comprise Authorization fields. There are certain fields, which are known as "Organization Level" fields and need to be maintained Centrally. If you miss these fields, then the traffic light icon is RED. For all other authorization fields, light will be Yellow if you miss any blank field to maintain. During check, these fields will provide missing authorization (but you may not get error if same object is present in the role with all fields maintained status).
    Disabled Object: If you make any Object Disable, then during check, this Object will not be treated for checking Authorizations. But profile generator will keep this in mind, so you don't get Standard Objects repeatedly (if already present in Deactivated status also) whenever you go to "..Merge with New Data".
    All your other questions are very nicely answered already.
    Regards,
    Dipanjan

  • Cannot modify an authorization object in pfcg role for a business role

    Hi Experts,
    I have created two z pfcg roles from the standard business role CRM_UIU_SRV_PROFESSIONAL, let's say by names zagent and zmanager. My requirement is actually to map these two pfcg roles to a service professional agent and service professional manager custom business roles respectively (I have created these custom business roles from standard business role servicepro). I have identified an authorization object by name CRM_CO_SE which is basically used to check whether the user is authorized to create service contract transactions. So, in the agent pfcg role, I need to deactivate or deselect this particular authorization object so that the agent will not be able to create service contract. (This is not a real time requirement, but an internal assignment). When I change this object in the pfcg by deselecting 'Allow' check box and try to generate, it is not getting generated. I have selected all the options from the 'Expert mode for the profile generation' and still the traffic indicator for that authorization object is yellow. Am I doing anything wrong?
    Please help me.
    Thanks
    Ajith C

    Hi Leon,
    Thanks for helping me, I have restricted the unauthorized user from creating a new order by disabling the 'New' button by checking the business role in the code. The pfcg configuration, I am skipping it for now. I have one more requirement. When one clicks on any items in the search result for the Service Contracts, it opens the details of that service contract with an 'edit' button. I can disable this button using do_output_preparation method for some business roles. However, I want to disable this after checking a condition. The condition is that, edit button should be active, only if that service order was created by the employee who has currently logged on. I am relatively new to CRM and I could not figure how I can check it during run time. Could anyone please help me with this?
    Thanks,
    Ajith

  • Authorization Object (RSSM) restriction in PFCG

    Hi experts,
    When I execute a query in RSSMQ I get the message:
    You do not have authorization to read object ZBICINFPR 'BI Cockpit'    BRAIN 804
    Does anyone know, what to do? How can I give the authorization for that authorization object in PFCG? What is the name of the authorization I need?
    Thanks in advance
    F.L.

    Hi Florian.
    Well, it's a custom made object (because of the prefixed Z), so check your documentation or look it up in tcode SUIM -> Authorization Objects -> By object name, text -> put ZBICINFPR in the name field -> hit F8 -> on the next screen hit F6 to get a where used list (go for authorisations)
    This will give you a list of the authorisations where this object is used.
    Regards
    Jacob

  • PFCG - Alteration the 'authorization objects' of a profile.

    Good Morning My Friends,
    I have a profile created in PFCG, I want to change your authorization objects, using a BADI or function.
    Does anyone know which function to use?
    I've tried a lot and found nothing.
    This is an example of what I want to do.
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    Original profile.
    Profile Name: Profile_Deivison
    Object :.......... S_DEVELOP
    Auth :.............. T-TD55048100
    Field :.............. ACTVT
    Value :............ 01, 02, 03, 06, 07
    Modification of authorization objects of the profile (fictitious example).
    called function to change the profile.
    CALL FUNCTION 'CHANGES_OBJECT_AUTHORIZATION_PROFILE' "" "" This function does not exist
    EXPORTING
    name_profile = 'Profile_Deivison'
    object = 'S_DEVELOP'
    auth = 'T-TD55048100'
    field = 'ACTVT'
    value = '01, 06, 07 '
    Results function.
    Profile Name: Profile_Deivison
    Object :.......... S_DEVELOP
    Auth :.............. T-TD55048100
    Field :.............. ACTVT
    Value :............ 01, 06, 07
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    I thank.
    Edited by: Deivison.Lana on Jul 7, 2011 9:55 AM

    Thanks for the help.
    but from what I saw during the discussion was not found a solution, that with reference to 'Change Authorization Objects'.
    Edited by: Deivison.Lana on Jul 7, 2011 4:33 PM

  • PFCG authorization objects vs SU53 checks

    Hi all,
    I was thinking I have understood for a long time authorization checks. But no.
    So Here's my question.
    When I add a transaction in PFCG menu, PFCG gets the authorization objects to maintain automatically (from SU24 checks). OK.
    When testing the role in ECC: error. SU53 says that authorization objects are missing. How are the tests working regarding SU53 and PFCG?
    i.e tcode_de = MDBT in PFCG, PFCG gets M_MTDI_ORG object to maintain => OK
    When testing my role, SU53 says that other objects is missing, i.e S_ADMI_FCD. I don't understand because this object is checked with 'NO' in ECC.
    Thx.
    Laurent

    Hi
    > When testing the role in ECC: error. SU53 says that authorization objects are missing. How are the tests working regarding SU53 and PFCG?
    The auth checks performed are dependent on lots of things: system config, functional config, master data setup, use of the transaction.
    The config in SU24 can't cater for all of those options so SAP gives us the ability to make them more accurate for our particular situations.
    > i.e tcode_de = MDBT in PFCG, PFCG gets M_MTDI_ORG object to maintain => OK
    >
    > When testing my role, SU53 says that other objects is missing, i.e S_ADMI_FCD. I don't understand because this object is checked with 'NO' in ECC.
    You can't deactivate a check on an S_ or P_ auth object.  These auths are fundamental methods of protecting the SAP application (S_) and personal data (P_)
    As David says, the SU53 only shows the last auth failure and there is often lots of spurious stuff reported that isn't required to allow the transaction to process.  In this respect ST01 is more useful as it (usually) shows you all the auth checks being evaluated so you can more easily focus on the important ones.

  • Authorization objects in PFCG

    Hi,
    1) When trying to maintain authorization objects post upgrade in the roles, there is a notation which I guess tells about the type of auth object introduced. For eg:
    Maintained Old/New/Updated
    Standard Old/New/Updated
    Changed New etc
    Can anybody tell what this means? and is there any standard approach while maintaining these?
    2) I read somewhere that it's best to download the tables USOBX, USOBx_C, USOBT and USOBT_C before and after refresh. What is the significance of this step? I see that the values in these tables are too many to be able to download.
    Any help on this would be appreciated.
    Thanks,
    Abhijit

    >
    Abhijit Chitale wrote:
    > 1) When trying to maintain authorization objects post upgrade in the roles, there is a notation which I guess tells about the type of auth object introduced. For eg:
    >
    > Maintained Old/New/Updated
    > Standard Old/New/Updated
    > Changed New etc
    >
    Standard -
    > Standard SAP auth. object pulled in because of addition of a tcode in menu. No manual changes made.
    Maintained  -
    > Field values maintained for the auth. objects for open field values.
    Changed -
    > Field values of Std. Auth. objects Changed (ones for which the field values are already present)
    old -
    > Auth. Object corresponds to an earlier change to the role (current addition of Tcodes etc ... haven't affected these objects)
    New -
    > Auth. object has been pulled in because of a new addition to the menu. (same Auth. Object did not exist previously)
    Updated -
    > Auth. Object existed earlier but the Field values have been changed because of the new Tcode in the Menu.
    Hope I have made this clear.
    Experts: Be kind enough to correct if anything is wrong in this.
    Regards,
    Partha.

  • How to get all authorization objects for a certain authorization profile

    Hi ABAP experts,
    I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
    So:
    - where are these values stored (dictionary table)?
    - is there already a FM or a report to read all authorization values for a certain authorization profile?
    Thanks in advance.
    Best regards,
    Oliver

    Hi,
    check the following it might useful for you:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
    if helpful reward points are appreciated

  • Creation of a user with a particular authorization object (Very Urgent)

    Hi,
    There is a requirement in my project to create a user who can only reset his password. So for this I think an authorization object should be created and assigned to a profile which displays only the tab for resetting the password, which is (Logon in SU01). I want to know two things in this regard.
    1. The whole process of creating customised authorization object and assigning it to a profile and
    2. Any other way to achieve the needed scenario.
    Thanks & Regards,
    Sujith
    Edited by: Sujith K on Feb 4, 2008 1:26 PM

    In transaction pfcg ,
    give single/composite role name
    give profile name and description in authorization tab, save it
    enter into change authorization data
    select manually tab
    give authorization objects name (creating auth. objects)
    fields will automatically come inside it
    enter the field values
    save and generate profiles (Profiles created)
    go to su01,
    create users (fill address, logon data, roles )
    In pfcg,
    select the role you created and click on the user comparison for giving the authorization to access.
    award points if useful

  • How to add custom authorization object to a SAP standard transaction

    Hi All,
    I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
    Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
    - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
    - tcode SU21 - creation of a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
    - tcode SU24 - insert of new authorization field and check indicator (green)
    - tcode SU22 - check indicator - check (green)
    After this we have created a new role with PFCG and add transaction IW22; the new auth.ZPM was added manually.
    We have tried to analyze log (ST01 trace) but it seems no check was made in the trace file.
    It seems new authorization object was not checked.
    My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    Thanks
    Maurizio

    > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    >
    No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
    So you need to provide an Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
    Regards,
    Dipanjan

  • Creation of a new Authorization object

    Hi ,
    I need to create a new Authorization group and add three existing tables to it.
    Kindly suggest a way.
    Regards.

    Authorization Field
    Smallest unit in an authorization object. An authorization field either represents data, such as a key field in a database table, or activities, such as Read or Create. Activities are specified as identifiers, which are stored in the database table TACT and the customer-specific table TACTZ.
    Maintenance using transaction SU20.
    Authorization Object
    Repository object that forms the basis for authorizations. An authorization object comprises up to 10 authorization fields. The combination of authorization fields, which represent data and activities, is used for authorization assignment and to check authorizations. Authorization objects are grouped together in authorization classes.
    Maintenance using transaction SU21.
    Authorization
    Entry in the user master record or part of an authorization profile. An authorization comprises complete or generic values for the authorization fields in an authorization object. The combination determines the activities with which a user can access certain data.
    Maintenance in transaction SU03 or generation from transaction PFCG (profile generator for role maintenance).
    Authorization Profile
    Grouping of several individual authorizations or further authorization profiles. Can be entered in the user master record instead of individual authorizations. An authorization can be assigned to authorization profiles as often as you wish.
    Maintenance in transaction SU02 or generation from transaction PFCG (profile generator for role maintenance).

  • Role creation and authorization objects in sap

    Hi
    I want to know the full relationship between creation of roles, authorization objects, authorizations in web as abap
    Please explain the process in detail, the use of PFCG and all its options and how to create Z roles

    Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
    - Roles are nothing but a container for authorizations. A role represents a specific part of an employee's job.
    - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
    For e.g. If a user wants to create a PO we can restrict him on:
      • Activity: Create/Change/Display
      • Org elements like Company Code, Plant, Purchase Organization etc
      • Document type etc.
    - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
    - Fields: The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & 03 (Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
    - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile.
    - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save, the system will auto generate a profile name.
    - Authorization checks are included in the transaction's source code in standard SAP R/3. A user may carry out an action if the authorization check is successful for each field in the object.
    Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

  • Mass maintenance of authorization objects

    Is there a SAP transaction available to mass maintain authorization objects?
    Let's say that I have 120 roles, in all of which I want to change the value of field Y of authorization object X.  For example, object S_TABU_DIS. I want to exclude an authorization group in all available roles. How can I do this for all roles which have this object?
    Modifying each role separately in PFCG is rather time consuming (and pretty unpleasant).

    Actually, SAP does provide a solution to promote and demote fields to org. levels. There are reports for this (use them and not the table maintenance transactions!) because they automatically adjust your roles as well - otherwise you end up with inconsistencies.
    But I agree with you, that org-levels is not a natural solution for this specific problem and although retrofitting security is the most expensive option, one cannot foresee all requirements from the start and Go-Live project pressure can be a factor as well to use * values for fields which on their own appear to be harmless...
    You could try to write an adjustment tool for PFCG, but with "only" 120 roles I think you will be faster and safer with doing it manually. I think that less than 1 day's work should fix it. However, if you are willing to invest 2 or 3 days more, you can also consider restoring the values from the SU24 proposals. Particularly if one group of transactions are in many of the roles and you can isolate the common transaction (the "guilty one...) then you can do it more centrally in future as well.
    However if you have not used the "Read old merge new" function in PFCG's expert mode, then you should be careful with this as other objects might "correct" themselves as well. Particularly if you have been deleting standard authorizations in roles! (Why that button even exists, I don't know. No good can come of it...
    Cheers,
    Julius

  • Authorization objects in web dynpro ABAP and SU24 transaction

    Hi,
    I have created a new authorization object to check a storage location for certain activities. I have added the authorization object in a specific web dynpro ABAP and I have created a new role in PFCG for my web dynpro ABAP.
    The organization level for storage location is not recognized in PFCG. Someone told me I have to maintain my authorization object in SU24 as it is done for transaction.
    I wanted to maintain my web dynpro in SU24 but I found no way to do that.
    It seems that we can maintain authorization for TADIR service and in those services there is R3TR WDYA but when I use the search help for OBJ_NAME I don't find my web dynpro ABAP. I suppose I have to create a TADIR service for my web dynpro ABAP or something like that but I don't know how to do it?
    Does anybody know how to deal with specific authorization in web dynpro ABAP and to have the organizational level recognized in PFCG?
    Thanks for your help,
    Emmanuel

    Hi,
    Please RUN the function module as "AUTH_TRACE_WRITE_USOBHASH" with following parameter
    R3TR
    "custom webdynpro application"
    SERVICE TYPE and Service can be kept blank
    after this try  SU24 it will be available in SU24 list.
    Thanks & regards
