Authorization object M_MATE_STA problem at MM17.
Hi, experts!
I have a problem with Mass change (T-code: MM17) authorization.
I want to restrict our users so that they can only change data through MM17 and are not allowed to create new data, to prevent accidents.
So, I set the authorization object M_MATE_STA (Material Master: Maintenance Statuses) to ACTVT: 02 (Change)
with STATM: all views (*) in the user role, but it doesn't work during the Mass change test. :-(
When I checked SU53, it shows that the user doesn't have authorization for
M_MATE_STA, ACTVT: 01 (Create), STATM: G (costing view). However, I tested changing Pur.grp through MM17, which was not a creation, and the Pur.grp field is located in the purchasing view.
What's wrong with the M_MATE_STA authorization setting for MM17?
I cannot understand why M_MATE_STA ACTVT: 01 (Create) is necessary when I want to CHANGE (not create) data in MM17.
Our system is ECC 6.0 EhP4, Support package: 05, and there is no appropriate SAP Note to apply. Plz, help~!
Hi,
I suggest to post this question in the security forum.
Regards,
Similar Messages
-
Authorization object coding -problem. Pls suggest.
Hi experts
I have created authorization fields and assigned in objects properly.
My case is that I am calling the transaction ZMAST, which was created through table maintenance (ZMASTER) of the table ZMASTER.
Now where to implement this coding part and how to do it?
Please explain the steps to me clearly. The following coding part I have put in dialog programming right now; can you tell me whether this code will work fine?
If we can do it in Table maintenance Events, do we need to write it in the standard program? Pls suggest.
WHEN 'MAST'.
AT SELECTION-SCREEN.
AUTHORITY-CHECK OBJECT 'ZRAJ_TEST1'
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
MESSAGE 'No authorization' TYPE 'E'.
ENDIF.
CALL TRANSACTION 'ZMAST'.
Thanks in advance.
Regards
Rajaram
Hi,
The coding can be done in the "Events" section of the table maintenance.
Check this link for further help on this:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/abap/how%20to%20implement%20events%20in%20table%20maintenance.doc
Best Regards,
Anjali
-
USE Standard Authorization object in Z Program
Hi Experts,
I have already checked other threads regarding this but could not resolve my problem.
I have created a Z program to update Material Master. I need to use the Authorization object M_MATE_STA in my program for performing authorization check. Please help me how can I do that?
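Thanks
Hi,
below is a similar code...
* Field names and the activity value are assumed here; adjust them to your object.
CONSTANTS: lc_authobj  TYPE char15 VALUE 'F_BKPF_BUK',
           lc_id_bukrs TYPE char10 VALUE 'BUKRS',
           lc_id_actvt TYPE char10 VALUE 'ACTVT',
           lc_activity TYPE char2  VALUE '03'.
DATA v_bukrs TYPE bukrs.
AUTHORITY-CHECK OBJECT lc_authobj
  ID lc_id_bukrs FIELD v_bukrs
  ID lc_id_actvt FIELD lc_activity.
IF sy-subrc NE 0.
* Not authorized: handle the failed check here.
ENDIF.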
Amol -
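An added example (not part of the original posts, and not SAP's own code) that applies the pattern from the reply above to the object the question asked about, M_MATE_STA, with its fields ACTVT and STATM. It checks change authorization for every maintenance status the program is going to touch before any update starts. The report name, parameter and variable names are hypothetical, and the default statuses are constructed sample input.

```abap
REPORT zmat_sta_check_demo.

* Hypothetical example: only the object M_MATE_STA and its fields
* ACTVT and STATM come from the thread above.
CONSTANTS gc_change TYPE c LENGTH 2 VALUE '02'.   "ACTVT 02 = Change

* One character per maintenance status (view) the update will touch.
* Sample input: E (purchasing) and G (costing).
PARAMETERS p_views TYPE c LENGTH 15 DEFAULT 'EG'.

DATA: gv_offset  TYPE i,
      gv_len     TYPE i,
      gv_statm   TYPE c LENGTH 1,
      gv_missing TYPE string,
      gv_text    TYPE string.

START-OF-SELECTION.
  gv_len = strlen( p_views ).

* Check every status separately so that all missing views are reported
* at once instead of stopping at the first failed check.
  WHILE gv_offset < gv_len.
    gv_statm = p_views+gv_offset(1).

    AUTHORITY-CHECK OBJECT 'M_MATE_STA'
      ID 'ACTVT' FIELD gc_change
      ID 'STATM' FIELD gv_statm.

    IF sy-subrc <> 0.
      CONCATENATE gv_missing gv_statm INTO gv_missing.
    ENDIF.

    gv_offset = gv_offset + 1.
  ENDWHILE.

* Refuse the whole update if any status is not authorized.
  IF gv_missing IS NOT INITIAL.
    CONCATENATE 'No M_MATE_STA change authorization for status:'
                gv_missing INTO gv_text SEPARATED BY space.
    MESSAGE gv_text TYPE 'E'.
  ENDIF.

* All checks passed: the material update would start here.
  WRITE: / 'Change authorization confirmed for statuses', p_views.
```

After a failed run, SU53 for the same user shows which ACTVT and STATM combination was checked last.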
Help! MM17 Authorization(M_MATE_STA) problem.
Hi, experts!
I have a problem with Mass change (T-code: MM17) authorization.
I want to restrict our users so that they can only change data through MM17 and are not allowed to create new data, to prevent accidents.
So, I set the authorization object M_MATE_STA (Material Master: Maintenance Statuses) to ACTVT: 02 (Change)
with STATM: all views (*) in the user role, but it doesn't work during the Mass change test. :-(
When I checked SU53, it shows that the user doesn't have authorization for
M_MATE_STA, ACTVT: 01 (Create), STATM: G (costing view). However, I tested changing Pur.grp through MM17, which was not a creation, and the Pur.grp field is located in the purchasing view.
What's wrong with the M_MATE_STA authorization setting for MM17?
I cannot understand why M_MATE_STA ACTVT: 01 (Create) is necessary when I want to CHANGE (not create) data in MM17.
Our system is ECC 6.0 EhP4, Support package: 05, and there is no decent SAP Note to apply. Plz, help~!
Hi, jurgen.
I chose the MARC table EKGRP (Pur.grp) field, and the material master purchasing view was already extended.
I added MM02 to the role that MM17 belongs to through PFCG and set further auth. objects from MM02, but I still cannot change Pur.org
at MM17.
The weird thing is that when I set M_MATE_STA ACTIV:01 (Create), then I can change Pur.org.
Is that an SAP bug? Our system is ECC 6.0 EhP4 SP level: 05 and I could not find an appropriate note yet.
-
Problem in transporting authorization object
Hi,
I am facing a problem in transporting the authorization object. We have an existing cube in development and production. In production the object has 3 authorization objects checked. Now I want to change the authorization object assignment in my cube. So I changed the assignment in the development, but when I tried to transport the authorization object it collected all the cubes where the authorization object is used.
I want to transport only the authorization object associated with that cube, not all. I understand that logically if we are transporting the authorization object from RSSM, it takes all the assignments. But I don't want to do that because there may be some inconsistencies between the system.
Can you tell me whether we have any other way, so that the authorization object is transported only for one particular cube assignment, not all?
Thanks in advance
Prashant
Hi,
I tried that but not getting anything.
Can you please tell me the steps.
Steps I have done are as follows.
1. Go to RSSM and select the authorization object.
2. We have a button which says transport authorization object. I clicked on that.
3. I got a list of all the authorization objects there. I selected my authorization objects and clicked on Transfer Object button.
4. Then I get the hierarchy authorization objects.
5. After that I selected a request and everything is included in that request. I didn't get your above mentioned option.
Do you want me to go to the table RSSTOBJDIR and delete all the other entries??
It would be great if you can tell me the steps to do that.
Thanks in advance
prashant
-
Hi,
I had added an Authorization Object on the basis of Plant in my report, and it is giving the problem that instead of displaying the Plant it is displaying IEQPlant 1. I had taken plant as a selection screen instead of a parameter.
Please provide me guidelines on how to display the Plant name only instead of IEQPlant Name.
AUTHORITY-CHECK OBJECT 'ZPLANT1'
ID 'WERKS' FIELD P_WERKS.
IF SY-SUBRC <> 0.
MESSAGE E045(ZMSG) WITH P_WERKS.
ENDIF.
Hi,
Please see the sample code below that I used to have the same functionality in one of my programs.
*---Authorization for Company code entered by the users.
*---This code will restrict users to see data for company
*---codes which they are not authorized to.
*---Select all the company codes based upon selection entered by the
*---user
DATA: li_bukrs TYPE TABLE OF bukrs,
lwa_bukrs TYPE bukrs,
lv_flag TYPE c.
SELECT bukrs
FROM t001
INTO TABLE li_bukrs
WHERE bukrs IN bukrs.
IF sy-subrc EQ 0.
*---Clear Screen variable for Company code
CLEAR bukrs.
REFRESH bukrs.
*---Filter and prepare Select options for Company code table to be
*---passed to query. Table will only have values of company codes he is
*---authorized to for display.
LOOP AT li_bukrs INTO lwa_bukrs.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
ID 'BUKRS' FIELD lwa_bukrs
ID 'ACTVT' FIELD '03'.
IF sy-subrc = 0.
bukrs-sign = 'I'.
bukrs-option = 'EQ'.
bukrs-low = lwa_bukrs.
bukrs-high = space.
APPEND bukrs.
ELSE.
lv_flag = 'X'.
ENDIF.
ENDLOOP.
*---Give warning message to the user in case he is not authorized to see
*---data for all the company codes that he has entered.
IF lv_flag = 'X'.
MESSAGE ID 'ZF_MSS_FNG' TYPE 'W' NUMBER '015'.
ENDIF.
ENDIF.
KR Jaideep,
-
Problem while loading texts and authorization objects file in RAR
Hi all,
I am getting an Internet Explorer error while loading the texts and authorization objects text files in RAR. Actually we uploaded the rule file before this; does this step cause any error? If so, how to resolve this error? Do I need to remove all rules/risks and then load the text and authorization files? Is there any shortcut to remove all risks generated in one shot? Please reply soon to resolve this.
Thanks,
Joseph.
Hi Joseph,
Please make sure to convert both the files to UTF-8 encoding format and then try to upload the files again. This should resolve the issue, and if not, then please paste the logs here.
Regards
Harleen
-
Authorization objects problem , unable to delete
Hi all,
I have created an authorization object via SU21, ZZ_program. I am trying to modify it, but it prompts a warning:
Field assignment for object ZZ_PROGRAM cannot be changed as auth. for it exist
Message no. 01221
Diagnosis
You attempted to change an object for which authorizations exist. Authorization fields for the object cannot be changed here.
Procedure
If you want to change the object anyway, you must first delete all authorization belonging to this object. Consider that other systems may also be affected.
After I enter the message, it prompts the where-used list:
Where-Used List
Authorization Object
ZZ_PROGRAM
Berechtigungen
AA________00
Rollen
ZZPROGRAM
After that, the fields are all greyed out, I am unable to change the authorization fields and I do not understand the where-used list result. Can anybody pls help?
I am working on SAP 4.7
There is one particular check with table USR12 (User Master Authorization Values) and also with table AGR_1251 (Authorization data for the activity group).
SELECT distinct AUTH FROM USR12
appending table list
WHERE OBJCT = OBJECT
and AUTH ne '&_SAP_ALL'
and AUTH ne '&_SAP_APP'
order by auth.
if sy-subrc = 0.
insert 'Berechtigungen' into list index 1.
RC = 1.
endif.
append 'Rollen' to list.
index = sy-tabix.
SELECT distinct agr_name FROM AGR_1251
appending table list
WHERE OBJECT = OBJECT
order by agr_name.
If that is successful, you cannot change the authorization object.
See the content of the AGR_1251 table using your authorization object name. Then you will get the role name from field AGR_1251-AGR_NAME.
With this role name, go to Tcode: PFCG,
give the role name and click on the change button.
In the authorization tab, click on Change Authorization Data.
Then find and remove this authorization object from there.
And then proceed with changing the authorization object.
Hope this will solve ur issue.
-
How to get all authorization objects for a certain authorization profile
Hi ABAP experts,
I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
So:
- where are these values stored (dictionary table)?
- is there already a FM or a report to read all authorization values for a certain authorization profile?
Thanks in advance.
Best regards,
Oliver
Hi,
check the following, it might be useful for you:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
If helpful, reward points are appreciated.
-
Mass update to FILENAME field in S_DATASET authorization object
We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value. I'd like to do this programmatically if possible.
What I've learned so far is that I need to update the value in table USR12, but the value is encoded. When I look at the table in SE16, I do not see the encoded value field. The value does show in UST12, but I'm told this is an unreliable table.
So I'd like to know..
1. How can I look at the value if not in SE16?
2. Is there an API I can use to encode/decode the value? If not, where is the specification on how to build it?
If this is better addressed in a different forum, which one should I try next?
Thanks,
Dan
Hi there,
Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
But the behaviour as you have described:
>
> Path Saveflag Fs_noread Fs_nowrite Fs_Brgru
> =============================================================
> * X X DUMY
> /temp/FI/.. X X DUMY
> /temp/FI X FIFI
>
... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
> Caution:
> - If you enter paths generically in the table SPTH, the most precise specification counts.
> - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
So, the only check which is effective to protect the path, is:
Path Saveflag Fs_noread Fs_nowrite Fs_Brgru
=============================================================
/temp/FI X FIFI
... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
form CHECK_PERMISSION using ISPTH_HEAD type SPTH
MODE type CLIKE
SUBRC type SY-SUBRC.
data: ACTIVITY like AUTHB-ACTVT.
SUBRC = 0.
case MODE.
when 'R'.
ACTIVITY = '03'.
when 'W'.
ACTIVITY = '02'.
when 'D'.
ACTIVITY = '02'.
endcase.
if ISPTH_HEAD-FS_BRGRU <> SPACE. "Here it is... for BEGRU checks there must be a value...
authority-check object 'S_PATH'
id 'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
id 'ACTVT' field ACTIVITY.
if SY-SUBRC <> 0.
SUBRC = 3.
endif.
endif.
endform.
Cheers,
Julius
-
Authorization Object is not working when report is modified.
Hi BW Gurus
We have Company Code as an Authorization Object, and we have 3 company codes (xxxx, yyyy, zzzz), where the users under company code xxxx are not supposed to view company code yyyy, zzzz data etc.
I modified an existing report and transported it to production. But the Authorization Object is not working for that report. The report is by default displaying all the company codes' data (xxxx, yyyy) for all the users. But for the other reports it (company code) is working fine.
What could be the problem? Is the problem in transporting the objects? But I transported all the objects including the authorization object.
Please send me the solution as it is very much urgent.
The solution will be def. awarded with full points.
Regards
Sanjay
Hi Sanjay,
please don't post the same question again, check and respond back from your previous thread
Re: Authorization Object is not working when report is Modified.
Hope this helps.
Would be nice if you reward for helpful answers to all of your previous postings, e.g.
docs related to RRI
-
Authorization object for running a report in background
Good day experts,
I tried running a report in background, I choose immediately so that it doesn't have to be scheduled. But when I checked it in my own jobs, It remains at scheduled status. When I tried it on my admin account, It works and with status finished. It seems to be an authorization problem. What object could I be missing with my user account? I tried S_TCODE SMX and SP02 but still not working.
Thanks in advance!
Hi karshbax,
What you're looking for is authorization object S_BTCH_JOB. You need authorization for field JOBACTION = RELE.
In future, use transaction SU53. It shows the last authorization error, so if this is an authorization problem, then after trying to release the job manually you'll find precise info in SU53 about what went wrong.
Best Regards
Marcin Cholewczuk
-
How to restrict provide to a single account(by authorization object)
Hello, i have two types of accounts.
Account range 1: 10000000 -19999999
Account range 2: 20000000 - 29999999
For range 1 i have assigned authorization group AUT1.
For range 2 i have assigned authorization group AUT2 (by transaction OB_GLACC12).
So the general idea is that some users will have access only to group 1, etc. I have used authorization object F_BKPF_BES in the role, btw.
I have created 4 roles:
1) RANGE1_ALL (means user can create / modify delete GL from range 1)
2) RANGE1_DISP(means user can only disp GL from range 1)
3) RANGE2_ALL(means user can create / modify delete GL from range 2)
4) RANGE2_DISP(means user can only disp GL from range 1)
If i give RANGE1_ALL + RANGE2_DISP to the user, he can create/modify/delete for range1 and only display GLS from range2.
Now the problem is if I want the user to create/modify/delete for range1 but only display a specific account from range 2; say GL 29999000.
Which authorization object can I use to specify the range 2 GL account directly? Thx.
Hi,
The only option for you is to have a different authorisation object for that GL alone and assign it to the user. You don't assign the RANGE2-DISPLAY object to that user.
From FS00, you have to change the Auth group of that specific GL.
Regards,
Mike
-
BI authorization objects not appearing in RAR, error while generating role
Hi
I am facing certain problems relating to integration of BI module version 7 with GRC Access Controls version 5.3 and support package 06. I am describing the problems in details below:
(a) In Risk Analysis and Remediation (RAR) component, I am creating Functions and
Risks for Business Intelligence (BI) module. For that I have downloaded the
descriptive text and authorization object data from BI development system and
uploaded the same in RAR. Then I have created 2 Function Ids DBI1 (having action
RSA1) and DBI2 (having actions RSA11, RSA12, RSA13, RSA14, RSA15) and 1
Risk Id for BI (having Function Ids DBI1 and DBI2) in RAR. But when I checked
the permission tabs of the Function Ids DBI1 and DBI2, I could not find any
authorization objects for the actions in them.
(b) In Enterprise Role Management (ERM), when I am trying to create a Role TEST-BI
in DBI 100 and I put the BI transaction codes in authorization data , I get the
authorization objects . Risk analysis is also being done successfully. But at the time
of Role generation in background mode , it is giving an error message :
Error generating role TEST-BI for system DBI 100: Unable to interpret * as a number.
I am thus unable to generate any role in DBI 100.
(c) In Compliance User Provisioning (CUP), I have imported a standard role from DBI
100. Then I have added Functional Area, Business Process, Subprocess and
Criticality Level to this role in CUP. But when I try to assign this Role to a user, it
gives an error "Error creating request". But requests are getting created and roles are
being assigned to users in ECC development systems using the same Initiator, CAD, stage
and path.
Can anyone please help me?
-
Error while generation of the Authorization object (
Hi Gurus,
I have created a Authorization object Z_CCTR3 for 0costcenter authorization.
but getting following error while generation of the Authorization object (type is Flat authorization)
"Error occurred when reading the data from DataStore object Z_CCTR3"
Any inputs will helpful...
Sonal.....
Hello everybody,
my problem is solved. For the UDConnect, whatever DATA SOURCES you create get registered in a FUNCTION MODULE which has a capacity of only 99 entries, so to increase it implement the SAP NOTE 876340 - UDC Error, available on SERVICE MARKET PLACE.
This problem occurs with BW version 3.5 level 17 or below.
Regards,
Priyanka
Edited by: Priyanka Joshi on Jun 10, 2008 11:03 AM