Authorization object M_MATE_STA problem at MM17.

Similar Messages

• Authorization object coding -problem. Pls suggest.

  Hi experts
  I have created authorization fields and assigned in objects properly.
  My case is i am calling the transaction ZMAST which is create through table maintenance(ZMASTER) of the table ZMASTER.
  Now where to implement this coding part and how to do.
  Please explain me clearly the steps , the following coding part i put in dialog programming right now and can you tell me will this code work fine.
  If we can do in Table maintenance Events, do we need to write in standard program. pls suggest me on this.
  WHEN 'MAST'.
  AT SELECTION-SCREEN.
  AUTHORITY-CHECK OBJECT 'ZRAJ_TEST1'
  0 ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
  MESSAGE 'No authorization' TYPE 'E'.
  ENDIF.
  CALL TRANSACTION 'ZMAST'.
  Thanks in advance.
  Regards
  Rajaram

  Hi,
  The coding can be done in the "Events" section of the table maintenance.
  Chk this link for further help on this:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/abap/how%20to%20implement%20events%20in%20table%20maintenance.doc
  Best Regards,
  Anjali

• USE Standard Authorization object in Z Program

  Hi Experts,
  I have already checked other threads regarding this but could not resolve my problem.
  I have created a Z program to update Material Master. I need to use the Authorization object  M_MATE_STA in my program for performing authorization check. Please help me how can I do that?
  Thanks

  hI,
     below is a similar code...
  CONSTANTS:  lc_authobj  TYPE char15 VALUE 'F_BKPF_BUK',
  AUTHORITY-CHECK OBJECT lc_authobj
             ID lc_id_bukrs FIELD v_bukrs
             ID lc_id_actvt FIELD lc_activity.
    IF sy-subrc NE 0.
    ENDIF.
  Amol

• Help! MM17 Authorization(M_MATE_STA) problem.

  Hi, experts!
  I have a problem of Mass change  (T-code:MM17)  authorization.
  I want to control our user that only can change data through MM17 and not allow to create new data to prevent accident.
  So, I set an authorization obj. M_MATE_STA(Material Master: Maintenance Statuses) as ACTVT:02 (Change)
  with STATM:all view(*) into user role,but it doesn`t work during Mass change test. : -(
  When I checked SU53, It shows that user doesn`t have authorization of 
  M_MATE_STA, ACTVT:01 (Create)   STATM : G (costing view). However, I tested changing Pur.grp through MM17 and it was not creation and Pur.grp field is located at purchaing view.
  What`s wrong with M_MATE_STA authorization setting at MM17 ?
  I cannot understand why M_MATE_STA  ACTVT:01 (Create) is neccesaary when I want to CHANGE(Not create) data at MM17.
  Our system is ECC 6.0 ehp4 Support package : 05 and there is no decent SAP Note to apply. Plz, help~!

  Hi, jurgen.
  I choosen MARC Table EKGRP(Pur.grp) Field  and material master purchasing view was extended already.
  I add MM02 to MM17 belogned role through PFCG and set further auth. obj from MM02 but still cannot change Pur.org
  at MM17.
  The weired thing is when I set M_MATE_STA ACTIV:01 (Create), then I can change pur.org
  Is that SAP bug? Our system is ECC 6.0 Ehp4 SP level : 05 and could not find appropriate note yet.

• Problem in transporting authorization object

  Hi,
  I am facing a problem in transporting the authorization object. We have an existing cube in development and production. In production the object has 3 authorization objects checked. Now I want to change the authorization object assignment in my cube. So I changed the assignment in the development, but when I tried to transport the authorization object it collected all the cubes where the authorization object is used.
  I want to transport only the authorization object associated with that cube, not all. I understand that logically if we are transporting the authorization object from RSSM, it takes all the assignments. But I don't want to do that because there may be some inconsistencies between the system.
  Can you tell me weather we have any other way, so that the authorization object is transported only for one particular cube assignment not all.
  Thanks in advance
  Prashant

  Hi,
  I tried that but not getting anything.
  Can you please tell me the steps.
  Steps I have done are as follows.
  1. Go to RSSM and select the authorization object.
  2. We have a button which says transport authorization object. I clicked on that.
  3. I got a list of all the authorization objects there. I selected my authorization objects and clicked on Transfer Object button.
  4. Then I get the hierarchy authorization objects.
  5. After that I selected a request and everything is included in that request. I didn't got your above mentioned option.
  Do you want me to go to the table RSSTOBJDIR and delete all the other entries??
  It would be great if you can tell me the steps to do that.
  Thanks in advance
  prashant

• AUTHORIZATION OBJECT PROBLEM

  Hi,
  I had added a Authorization Object on basis of Plant in my report and it is giving the problem that instead of displaying the Plant it is displaying as IEQPlant 1. i had taken plant as a selection screen instead of parameter.
  Please tell provide me guidelines how to display the Plant name only instead of IEQPlant Name.
  AUTHORITY-CHECK OBJECT 'ZPLANT1'
  ID 'WERKS' FIELD P_WERKS.
  IF SY-SUBRC <> 0.
    MESSAGE E045(ZMSG) WITH P_WERKS.
  ENDIF.

  Hi,
  Please see the sample code below that I used to have the same functionality in one of my programs.
  *---Authorization for Company code entered by the users.
  *---This code will restrict users to see data for company
  *---codes which they are not authorized to.
  *---Select all the company codes based upon selection entered by the
  *---user
  DATA: li_bukrs TYPE TABLE OF bukrs,
         lwa_bukrs TYPE bukrs,
         lv_flag TYPE c.
  SELECT bukrs
     FROM t001
     INTO TABLE li_bukrs
    WHERE bukrs IN bukrs.
  IF sy-subrc EQ 0.
  *---Clear Screen variable for Company code
     CLEAR bukrs.
     REFRESH bukrs.
  *---Filter and prepare Select options for Company code table to be
  *---passed to query. Table will only have values of company codes he is
  *---authorized to for display.
     LOOP AT li_bukrs INTO lwa_bukrs.
       AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
                         ID 'BUKRS' FIELD lwa_bukrs
                         ID 'ACTVT' FIELD '03'.
       IF sy-subrc = 0.
         bukrs-sign = 'I'.
         bukrs-option = 'EQ'.
         bukrs-low = lwa_bukrs.
         bukrs-high = space.
         APPEND bukrs.
       ELSE.
         lv_flag = 'X'.
       ENDIF.
     ENDLOOP.
  *---Give warning message to the user in case he is not authorized to see
  *---data for all the company codes that he has entered.
     IF lv_flag = 'X'.
       MESSAGE ID 'ZF_MSS_FNG' TYPE 'W' NUMBER '015'.
     ENDIF.
  ENDIF.
  KR Jaideep,

• Problem while loading texts and authorization objects file in RAR

  Hi all,
         i am getting internet explorer error while loading the texts and authorization objects text files in RAR .actually we uploaded rule file before this,does this step causes any error ?if so how to resolve this error.do i need to remove all rules/risks and then load text and authorization files? is there any shortcut to renove all risks generated in one shot? please reply me soon to resolve this.
  Thanks,
  Joseph.

  Hi Joseph,
  Please make sure to convert both the files in UTF-8 encoding format and then try to upload the files again. This should resolve the issue and if not then please paste the logs here.
  Regards
  Harleen

• Authorization objects problem , unable to delete

  hi all,
  i hv created authorization object via SU21. ZZ_program, I am trying to modify but it prompts warning:
  <b>Field assignment for object ZZ_PROGRAM cannot be changed as auth. for it exist
  Message no. 01221
  Diagnosis
  You attempted to change an object for which authorizations exist. Authorization fields for the object cannot be changed here.
  Procedure
  If you want to change the object anyway, you must first delete all authorization belonging to this object.  Consider that other systems may also be affected.</b>
  after i enter the message, it prompts the whereuse list
  <b>Where-Used List                  
  Authorization Object             
  ZZ_PROGRAM                       
  Berechtigungen                   
  AA________00                     
  Rollen                           
  ZZPROGRAM   </b>      
  after that, the  fields are all greyed off, i am unable to change the authorizatiion fields  and i do not understand the where use list result, can anybody pls help ?
  i am working on sap 4.7

  There  is one particular check with Table <b>USR12</b> (User Master Authorization Values) and also with table <b>AGR_1251</b> (Authorization data for the activity group).
    SELECT distinct AUTH FROM USR12     
         appending table list              
         WHERE OBJCT =  OBJECT             
           and AUTH  ne '&_SAP_ALL'        
           and AUTH  ne '&_SAP_APP'        
         order by auth.
    if sy-subrc = 0.                                       
      insert 'Berechtigungen' into list index 1.           
      RC = 1.                                              
    endif.                                                 
    append 'Rollen' to list.                               
    index = sy-tabix.                                      
         SELECT distinct agr_name FROM AGR_1251            
           appending table list                            
           WHERE OBJECT =  OBJECT                          
           order by agr_name.   
  If that is sucessful , you cannot change the authorization object.
  See the content of <b>AGR_1251</b> table using your authorization object name. Then you will Role name from field AGR_1251-AGR_NAME
  with this role name, go to Tcode: <b>PFCG</b>
  and give the Role name and click on change button
  In authorization tab.Chick on Change Authorization Data.
  And find and remove this authorization object from there.
  And then proceed with changing the Authorization object.
  Hope this will solve ur issue.

• How to get all authorization objects for a certain authorization profile

  Hi ABAP experts,
  I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
  So:
  - where are these values stored (dictionary table)?
  - is there already a FM or a report to read all authoriation values for a certain authorization profile?
  Thanks in advance.
  Best regards,
  Oliver

  Hi,
  check the following it might useful for you:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
  if helpful reward points are appreciated

• Mass update to FILENAME field in S_DATASET authorization object

  We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value.  I'd like to do this programmatically if possible.
  What I've learned so far is that I need to update the value in table USR12, but the value is encoded.  When I look at the table in SE16, I do not see the encoded value field.  The value does show in UST12, but I'm told this is an unreliable table.
  So I'd like to know..
  1. How can I look at the value if not in SE16?
  2. Is there an API I can use to encode/decode the value?  If not, where is the specification on how to build it?
  If this is better addressed in a different forum, which one should I try next?
  Thanks,
  Dan

  Hi there,
  Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
  But the behaviour as you have described:
  >
  > Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
  > =============================================================
  > *                                 X         X            DUMY
  > /temp/FI/..                       X         X            DUMY
  > /temp/FI               X                                 FIFI
  >
  ... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
  > Caution:
  > - If you enter paths generically in the table SPTH, the most precise specification counts.
  > - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
  So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
  So, the only check which is effective to protect the path, is:
  Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
  =============================================================
  /temp/FI               X                                           FIFI
  ... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
  Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
  form CHECK_PERMISSION using ISPTH_HEAD type SPTH
                              MODE       type CLIKE
                              SUBRC      type SY-SUBRC.
  data: ACTIVITY like AUTHB-ACTVT.
     SUBRC = 0.
     case MODE.
       when 'R'.
            ACTIVITY = '03'.
       when 'W'.
            ACTIVITY = '02'.
       when 'D'.
            ACTIVITY = '02'.
     endcase.
     if ISPTH_HEAD-FS_BRGRU <> SPACE.  "Here it is... for BEGRU checks there must be a value...
        authority-check object 'S_PATH'
            id  'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
            id  'ACTVT'    field ACTIVITY.
         if SY-SUBRC <> 0.
            SUBRC = 3.
         endif.
     endif.
  endform.
  Cheers,
  Julius

• Authorization Object is not working when report is modified.

  Hi BW Guru's
  We have Company Code as Authorization Object .and we have 3 company Codes (xxxx,yyyy,zzzz).where the users under Company code xxxx are not supposed to view company code yyyy,zzzz data etc.
  I modified an existing Report and transported to production.But the Authorization Object is not working for that report.The Report is defaultly displaying all the company codes data(xxxx,yyyy) for all the users.But for the other reports its(company code ) is working fine.
  What could be the problem?Is theproblem in transporting the objects.But i transported all the objects inluding auhorization object.
  Please send me the solution as it is very much urgent.
  The solution will be def. awarded with full points.
  Regards
  Sanjay

  hi Sanjay,
  please don't post the same question again, check and response back from your previous thread
  Re: Authorization Object is not working when report is Modified.
  hope this helps.
  would be nice if you reward for helpful answers to all of your previous postings, e.g
  docs related to RRI

• Authorization object for running a report in background

  Good day experts,
  I tried running a report in background, I choose immediately so that it doesn't have to be scheduled. But when I checked it in my own jobs, It remains at scheduled status. When I tried it on my admin account, It works and with status finished. It seems to be an authorization problem. What object could I be missing with my user account? I tried S_TCODE SMX and SP02 but still not working.
  Thanks in advance!

  Hi karshbax,
  What you're looking for is authorization object S_BTCH_JOB. You need authorization for field JOBACTION = RELE.
  In future use transaction SU53. It shows last error authorization error, so if this is authorization problem then after try of manual releasing of job you'll find in SU53 precise info what went wrong.
  Best Regards
  Marcin Cholewczuk

• How to restrict provide to a single account(by authorization object)

  Hello, i have two types of accounts.
  Account range 1: 10000000 -19999999
  Account range 2: 20000000 - 29999999
  For range 1 i have assigned authorization group AUT1.
  For range 2 i have assigned authorization group AUT2 (by transaction OB_GLACC12).
  So the general idea is some users will have access only to group 1 , etc. i have used autorization object F_BKPF_BES in  the role btw.
  I have created 4 roles:
  1) RANGE1_ALL (means user can create / modify delete GL from range 1)
  2) RANGE1_DISP(means user can only disp  GL from range 1)
  3) RANGE2_ALL(means user can create / modify delete GL from range 2)
  4) RANGE2_DISP(means user can only disp  GL from range 1)
  If i give RANGE1_ALL + RANGE2_DISP to the user, he can create/modify/delete for range1 and only display GLS from range2.
  Now the problem is if i want user to create/modify/delete for range1 but only display a specific account from range 2 ; say GL 29999000.
  Which authorization object can i use to specify the range 2 GL account directly?thx.

  Hi,
  The only option for you is to have a different authorisation object for that GL alone and assign it to the user. You dont assign RANGE2-DISPLAY object to that user.
  From FS00, you have to change the Auth group of that specific GL.
  Regards,
  Mike

• BI authorization objects not appearing in RAR, error while generating role

  Hi
  I am facing certain problems relating to integration of BI module version 7 with GRC Access Controls version 5.3 and support package 06. I am describing the problems in details below:
  (a)  In Risk Analysis and Remediation (RAR) component, I am creating Functions and
        Risks for Business Intelligence (BI) module. For that I have downloaded the
        descriptive text and authorization object data from BI development system and
        uploaded the same in RAR. Then I have created 2 Function Ids DBI1 (having action
        RSA1) and DBI2 (having actions RSA11, RSA12, RSA13, RSA14, RSA15) and 1
        Risk Id for BI (having Function Ids DBI1 and DBI2) in RAR. But when I checked
        the permission tabs of the Function Ids DBI1 and DBI2, I could not find any
        authorization objects for the actions in them.
  (b)  In Enterprise Role Management (ERM), when I am trying to create a Role TEST-BI
         in DBI 100 and I put the  BI transaction codes in authorization data , I get the
         authorization objects . Risk analysis is also being done successfully. But at the time
         of Role generation in background mode , it is giving an error message :
         Error generating role TEST-BI for system DBI 100: Unable to interpret * as a number.
         I am thus unable to generate any role in DBI 100.
  (c)  In Compliance User Provisioning (CUP), I have imported a standard role from DBI
        100. Then I have added Functional Area, Business Process, Subprocess  and
        Criticality Level to this role in CUP. But when I try to assign this Role to an user, it
         gives an error Error creating request. But requests are getting created and roles are
         being assigned to users in ECC development  systems using the same Initiator, CAD, stage
         and path.
  Can anyone please help me ?

  -

• Error while generation of the Authorization object (

  Hi Gurus,
  I have created a Authorization object Z_CCTR3 for 0costcenter authorization.
  but getting following error while generation of the Authorization object (type is Flat authorization)
  "Error occurred when reading the data from DataStore object Z_CCTR3"
  Any inputs will helpful...
  Sonal.....

  Hello everybody,
                           my problem is solved.For the UDConnect, whatever DATA SOURCES you create gets registered in a FUNCTION MODULE which has a capacity of only 99 enties, so to increase it implement the SAP NOTE 876340 - UDC Error available on SERVICE MARKET PLACE.
  This problem occurs with BW version 3.5 level 17 or below.
  Regards,
  Priyanka
  Edited by: Priyanka Joshi on Jun 10, 2008 11:03 AM