Authorization Object of Article Group

Hi Gurus,
Could you tell me , what is the authorization object of Article Group?
I want to aggregate this object to my roles of Material Management.
Thanks for your support.
Regards.
Miguel Cerna

could you please explain what you are calling 'article group'? please give the field-name ...

Similar Messages

Adding authorization object for "Function Group"s ?

Is it possible to add any authorization object for any function group ?
We have an issue i.e. whenever user "XYZ" is getting some Windows Excel related error whenever trying call an excel report from BW server. System log related to "XYZ" user shows that -> User "XYZ" has no RFC authorization for the function group "ABCD". The RFC authorization object is S_RFC.
Function Group you can check through SE37->GoTO->Display Function Group
Now is it possible to add authorization for any "Function Group" ?

You give authorisation for all function groups by giving auth object S_RFC a * value in field RFC_NAME
However I do not recommend this as giving wide access to RFC's can bypass a lot of the security you have implemented for the users.
In this case, add only the function group that the user requires in this instance into S_RFC

Authorization Object for Purchase Group while GRN

HI all,
We wanted to restrict the specific users from doing GRN with ML81N & MIGO_GR against specific Purchase Group. Which authorization object can be used to restrict the user from processing others Pur. groups for which he is not authorised.
Is there any std. object available, if not then what I need to do while creation of customized authorization object (in SU21), how system will call this authorization object in MIGO & ML81N. more detailed answers will be more useful.
Thanks...

closed...

Authorization Object Grouping

Hi,
I need to control vía authorization (PFCG) the access to grouping when it create a new client.
Someone know, what is the authorization object that controlls grouping?.
Regards,
Meifo.

Hi Sarah
Did you ever get this requirement to work?
If yes - how was it achieved?. we have a similar requirement and are struggling with it currently
Regards
eol

Where we check the authorization group & authorization object?

Hi all,
i have a std program & tcode like fb03 . now i want to know the authorization group & authorization object. so where we will check..?
help me.
thanks.
Vipin

Hi,
Use transaction SU21 & SU22 for Auth Objects & Class

How to add function group to the authorization object S_RFC ?

Hi All,
Can you please tell you how to add the function group FG_DIAGLS_DATA_ENRICHMENT to the authorization object
S_RFC?
In solman_setup under basis configuration when I execute the step "SetupDPC/DCC Web Service URL" its getting failed because of the
following error which i found it in the agent log
"java.rmi.RemoteException:RfcExecutionException; nested exception is:
com.sap.sup.admin.abap.rfc.exception.RfcExecutionException: An
exceptionoccured during the execution of the function
'FM_DIAGLS_PUSH_PHYSICAL_HOST': RFC_NO_AUTHORITY >
com.sap.sup.admin.abap.rfc.exception.RfcExecutionException:An exception
occured during the execution of the function
'FM_DIAGLS_PUSH_PHYSICAL_HOST': RFC_NO_AUTHORITY >
com.sap.mw.jco.JCO$Exception:No RFC authorization for function module
FM_DIAGLS_PUSH_PHYSICAL_HOST. <Mid"
Thanks,
Satheesh E

Hi,
Please follow below steps:
1) Go to SE01
2) Click on create New workbench request and give desc once popup appears, Click Ok
3) Now open the trasport in edit mode
4) Add
Program ID - R3TR
Object Type - FUGR
Object name - Name of the Function group
>note that if you tranport Function group all the latest Function modules in function group along
>with screens will be included in the transport.
Regards
Shital
Formatted by: Vijay Babu Dudla on Apr 25, 2009 5:08 AM

Assigning of authorization object to authorization group

I have created an authorization object and I have assigned this to already exsiting authorization group.I would like to assign the authorization object to a new authorization group.Please confirm how to create an authorizaton group and assigning a authorization object to this new authorization group.

hi,
I have got a pdf related to this.
I shall send that to you if i can get ur mail id.
I too havent tried this. I dont have any authorizations to do with my server.
Plz follow the following steps:
1. Create a user (for example for SAP DEV, TEST, or PRD systems).
2. Open the SAP Profile Generator (transaction PFCG) available in SAP R/3 versions 4.6 and above.
3. Create an Activity group (Role since SAP 4.6C), for example ZBODI_ROLE.
4. Enter a description for the role.
5. Go to the Authorizations tab and click Change authorization data.
6. On the Change Role: Authorizations screen, click the Manually,toolbar icon.
7. The Manual Selection of Authorizations window opens.
8. Type in the following authorization objects.
S_ADMI_FCD*
S_BTCH_JOB
S_DEVELOP*
S_DATASET
S_PATH
S_RFC
S_TABU_DIS
S_TCODE
S_RS_ADMWB for SAP BW
9. Click OK
10. Return to the Change Role: Authorizations screen.
11. Manually configure components by entering the values that support Data Integrator operations include:
Administration
Batch
BW loading
Development
File access
File system access
RFC calls
RFC calls in BW
Table source access
Transactions
12. To complete the security profile, click the Back icon (or press F3), select
the User tab, enter your SAP user ID for Data Integrator and click the Save icon.
Regards,
Sailaja.

Association of authorization group with authorization object

Dear Colleagues,
We are using ECC 6.0 system. There is a transaction EMMAC2 where in the user would pick the case categories & view/make changes as required in the cases.
However, we would like to have a user to pick only those case categories for which he/she is authorized & view/change the data.
This EMMAC2 is controlled by authorization object B_EMMA_CAS & this authorization object has field BRGRU (Authorization Group) along with ACTVT (activity).
We would like to control this via authorization groups
We would like to create authorizations groups based on case categories & those authorization groups would be assigned in this BRGRU field.
Meaning, the end result should be such that, when that new authorization group is added in BRGRU field & that role is assigned to an end user, the user should be able to see data only for those case categories for which the new authorization group has been created
If I use SE54 to create authorization group, it automatically associates itself with authorization object S_TABU_DIS & this does not solve my purpose.
But we would like to create a new authorization group & associate it with authorization object B_EMMA_CAS.
Can someone please let me know the steps on how to achieve it or any other method to achieve it(for above underlined text)?
Does a developer or functional consultant also need to be involved in this?
PS: I tried to search in Google & our forums but could not get any answers

Dear Aninda,
Thanks for the help.
I created an auth group via SE16 in table TBRG & associated to B_EMMA_CAS
A case category was then assigned to this auth group
We tested it - below are the results:-
1. The user is allowed to 'change' and 'display' the case for the case category for which the user is authorized: this works as per requirement.
2. The user is not allowed to 'change' case for the case category for which the user is not authorized: this works as per requirement.
3. However, he is able to 'display' cases for the case category for which the user is not authorized: this we do not want.
If I remove activty 03 (display), then the user is unable to display the case for the case category for which the user is authorized.
How to resolve this?

Authorization objects for transaction, one to view, and one to maintain

Hi all,
My requrement is to create two authorization objects for transaction, one to view, and one to maintain.
I know how to create objetcs vai sm21, but i donot know how to crate objects with activity codes.
Please suggest how to create object where i can asign activity codes.
regards
manish

The Authorization Concept
R/3 uses authorization objects to assign authorizations to users. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (eg. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (eg. Z_SCC20001).
Authorizations may be classified as general authorizations, organizational authorizations or functional authorizations. General authorizations specify the functions a user may perform. Authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. The system checks for the useru2019s authorization to create general ledger accounts (Activity 1) in at least one company code. The system then checks whether the user is permitted to create accounts for the specified organizational unit (company code) and has the required functional authorizations. Authorizations in this case may restrict the user to certain Charts of Accounts. In addition, an authorization group may be defined in certain authorization objects to protect individual master records.
Profiles relating to an organizational role (eg. General Ledger Supervisor) are defined consisting of a list of authorizations and other profiles. Such profiles are then assigned to users with that role and stored in their user master record along with other data (eg. password).
Do check this link as well.
http://articles.techrepublic.com.com/5100-10878_11-5110893.html

Regardig Authorization object

Hi All,
I would like to know the step by step creation of authorization object...
Iam able to create the authorization class and objects using SU21 for a ztable fields..
And am not getting how to use this in ABAP program.
I know using Authority-check we can do this...
Here Iam not understanding to whom we are checking the authorization..and how...
And also is this necessary to create a role in pfcg and assign it to user...
if so what is the necessary to create a role...
and what is the link between SU21 and pfcg...
how this is affecting...
can any one help me...out of this...
thanks and regards
raghu

Hai Phani
Go through this
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
go through report
TABLES: TOBJT.
DATA: OBJECT1 LIKE USR12-OBJCT,
OBJECT2 LIKE USR12-OBJCT,
OBJECT3 LIKE USR12-OBJCT,
AUTH1 LIKE USR12-AUTH,
AUTH2 LIKE USR12-AUTH,
AUTH3 LIKE USR12-AUTH,
IND LIKE SY-INDEX,
FLAG TYPE I.
DATA: BEGIN OF INTTAB OCCURS 30,
OBJECT LIKE USR12-OBJCT,
AUTH LIKE USR12-AUTH,
END OF INTTAB.
DATA: BEGIN OF INTTAB2 OCCURS 30,
OBJECT LIKE USR12-OBJCT,
AUTH LIKE USR12-AUTH,
EXPL LIKE TOBJT-TTEXT,
END OF INTTAB2.
DATA: BEGIN OF TABSET OCCURS 30,
SFIELD LIKE TOBJ-FIEL1,
VON(18),
BIS(18),
END OF TABSET.
*read up the authorizations from the user buffer
CALL 'ANALYSE_USERBUFFER'
ID 'AUTHS' FIELD INTTAB-SYS.
*filter out the multipy authorizatios of the same object
SORT INTTAB BY OBJECT.
DO.
IF SY-INDEX = 1.
OBJECT1 = ''. AUTH1 = ''.
READ TABLE INTTAB INDEX 1.
OBJECT2 = INTTAB-OBJECT .AUTH2 = INTTAB-AUTH.
READ TABLE INTTAB INDEX 2.
OBJECT3 = INTTAB-OBJECT.AUTH3 = INTTAB-AUTH.
ELSE.
OBJECT1 = OBJECT2. AUTH1 = AUTH2.
READ TABLE INTTAB INDEX SY-INDEX.
OBJECT2 = INTTAB-OBJECT .AUTH2 = INTTAB-AUTH.
IND = SY-INDEX + 1.
READ TABLE INTTAB INDEX IND.
IF SY-SUBRC = 0.
OBJECT3 = INTTAB-OBJECT.AUTH3 = INTTAB-AUTH.
ELSE.
OBJECT3 = ''. AUTH3 = ''.
IF OBJECT2 = OBJECT1 OR OBJECT2 = OBJECT3.
INTTAB2-OBJECT = OBJECT2.
INTTAB2-AUTH = AUTH2.
SELECT SINGLE * FROM TOBJT
WHERE LANGU = SY-LANGU
AND OBJECT = OBJECT2.
INTTAB2-EXPL = TOBJT-TTEXT.
ENDIF.
EXIT.
ENDIF.
ENDIF.
IF OBJECT2 = OBJECT1 OR OBJECT2 = OBJECT3.
INTTAB2-OBJECT = OBJECT2.
INTTAB2-AUTH = AUTH2.
SELECT SINGLE * FROM TOBJT
WHERE LANGU = SY-LANGU
AND OBJECT = OBJECT2.
INTTAB2-EXPL = TOBJT-TTEXT.
APPEND INTTAB2.
ENDIF.
ENDDO.
SORT INTTAB2 BY OBJECT AUTH.
*display the authorization and description, the objects, fields and
*field values
FLAG = 0. OBJECT1 = ''.
LOOP AT INTTAB2.
IF OBJECT1 = INTTAB2-OBJECT.
WRITE: / INTTAB2-AUTH COLOR 2.
PERFORM FIELD_VALUES.
LOOP AT TABSET.
WRITE: / TABSET-SFIELD, TABSET-VON, TABSET-BIS.
ENDLOOP.
ELSE.
SKIP.
WRITE: / INTTAB2-OBJECT COLOR 3, INTTAB2-EXPL COLOR 3.
PERFORM FIELD_VALUES.
WRITE: / INTTAB2-AUTH COLOR 2.
LOOP AT TABSET.
WRITE: / TABSET-SFIELD, TABSET-VON, TABSET-BIS.
ENDLOOP.
ENDIF.
OBJECT1 = INTTAB2-OBJECT.
ENDLOOP.
FORM FIELD_VALUES *
retrieve the field values of an authorization *
FORM FIELD_VALUES.
TABLES: USR12.
FIELD-SYMBOLS .
DATA: INTFLAG TYPE I VALUE 0, OFF TYPE I, VTYP, LNG TYPE I,
CLNG(2), GLNG(2), FLDLNG TYPE I VALUE 10, SETFILL.
SELECT SINGLE * FROM USR12
WHERE AUTH = INTTAB2-AUTH
AND OBJCT = INTTAB2-OBJECT
AND AKTPS = 'A'.
SETFILL = 0.
REFRESH TABSET.
CLEAR TABSET.
OFF = 2.
ASSIGN USR12-VALS+OFF(1) TO .
WRITE TO VTYP.
WHILE VTYP <> ' ' AND OFF < USR12-LNG.
OFF = OFF + 1.
CASE VTYP.
WHEN 'F'.
OFF = OFF + 5.
ASSIGN USR12-VALS+OFF(2) TO .
WRITE TO CLNG.
LNG = CLNG.
IF LNG <= 0.
EXIT.
ENDIF.
OFF = OFF + 2.
ASSIGN USR12-VALS+OFF(FLDLNG) TO .
WRITE TO TABSET-SFIELD.
OFF = OFF + FLDLNG.
WHEN 'E'.
ASSIGN USR12-VALS+OFF(LNG) TO .
WRITE TO TABSET-VON.
IF TABSET-VON = SPACE.
TABSET-VON = ''' '''.
ENDIF.
APPEND TABSET.
SETFILL = SETFILL + 1.
TABSET-VON = SPACE.
TABSET-BIS = SPACE.
OFF = OFF + LNG.
WHEN 'G'.
ASSIGN USR12-VALS+OFF(2) TO .
WRITE TO CLNG.
GLNG = CLNG.
OFF = OFF + 2.
ASSIGN USR12-VALS+OFF(LNG) TO .
IF INTFLAG = 0.
WRITE TO TABSET-VON.
WRITE '*' TO TABSET-VON+GLNG.
ELSE.
WRITE TO TABSET-BIS.
WRITE '*' TO TABSET-BIS+GLNG.
INTFLAG = 0.
ENDIF.
APPEND TABSET.
SETFILL = SETFILL + 1.
TABSET-VON = SPACE.
TABSET-BIS = SPACE.
OFF = OFF + LNG.
WHEN 'V'.
INTFLAG = 1.
ASSIGN USR12-VALS+OFF(LNG) TO .
WRITE TO TABSET-VON.
IF TABSET-VON = SPACE.
TABSET-VON = ''' '''.
ENDIF.
OFF = OFF + LNG.
WHEN 'B'.
INTFLAG = 0.
ASSIGN USR12-VALS+OFF(LNG) TO .
WRITE TO TABSET-BIS.
IF TABSET-BIS = SPACE.
TABSET-BIS = ''' '''.
ENDIF.
APPEND TABSET.
SETFILL = SETFILL + 1.
TABSET-VON = SPACE.
TABSET-BIS = SPACE.
OFF = OFF + LNG.
ENDCASE.
ASSIGN USR12-VALS+OFF(1) TO .
WRITE TO VTYP.
ENDWHILE.
ENDFORM.
go through this link
http://www.thespot4sap.com/Articles/SAP_ABAP_Queries_Authorizations.asp
also go through this Document
AUTHORITY-CHECK OBJECT object
ID name1 FIELD f1
ID name2 FIELD f2
ID name10 FIELD f10.
Effect
Explanation of IDs:
object Field which contains the name of the object for which the authorization is to be checked.
name1 ... Fields which contain the names of the name10 authorization fields defined in the object.
f1 ... Fields which contain the values for which the f10 authorization is to be checked.
AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
You must specify all authorizations for an object and a also a value for each ID (or DUMMY ).
The system checks the values for the ID s by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
If the return code SY-SUBRC = 0, the user has the required authorization and may continue.
The return code is modified to suit the different error scenarios. The return code values have the following meaning:
4 User has no authorization in the SAP System for such an action. If necessary, change the user master record.
8 Too many parameters (fields, values). Maximum allowed is 10.
12 Specified object not maintained in the user master record.
16 No profile entered in the user master record.
24 The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28 Incorrect structure for user master record.
32 Incorrect structure for user master record.
36 Incorrect structure for user master record.
If the return code value is 8 or possibly 24, inform the person responsible for the program. If the return code value is 4, 12, 15 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP, since authorizations have probably been destroyed.
Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
Note
Instead of ID name FIELD f , you can also write ID name DUMMY . This means that no check is performed for the field concerned.
The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
Example
Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
Table OBJ : Definition of authorization object
M_EINF_WRK
ACTVT
WERKS
Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
M_EINF_WRK_BERECH1
ACTVT 01-03
WERKS 0001-0003 .
can display and change plants within the Purchasing and Materials Management areas.
Such a user would thus pass the checks
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0002'
ID 'ACTVT' FIELD '02'.
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' DUMMY
ID 'ACTVT' FIELD '01':
but would fail the check
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0005'
ID 'ACTVT' FIELD '04'.
Thanks & regards
Sreenivasulu P

Mass update to FILENAME field in S_DATASET authorization object

We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value. I'd like to do this programmatically if possible.
What I've learned so far is that I need to update the value in table USR12, but the value is encoded. When I look at the table in SE16, I do not see the encoded value field. The value does show in UST12, but I'm told this is an unreliable table.
So I'd like to know..
1. How can I look at the value if not in SE16?
2. Is there an API I can use to encode/decode the value? If not, where is the specification on how to build it?
If this is better addressed in a different forum, which one should I try next?
Thanks,
Dan

Hi there,
Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
But the behaviour as you have described:
>
> Path                   Saveflag Fs_noread Fs_nowrite Fs_Brgru
> =============================================================
> *                                 X         X            DUMY
> /temp/FI/..                       X         X            DUMY
> /temp/FI               X                                 FIFI
>
... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
> Caution:
> - If you enter paths generically in the table SPTH, the most precise specification counts.
> - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
So, the only check which is effective to protect the path, is:
Path                   Saveflag Fs_noread Fs_nowrite Fs_Brgru
=============================================================
/temp/FI               X                                           FIFI
... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
form CHECK_PERMISSION using ISPTH_HEAD type SPTH
                            MODE       type CLIKE
                            SUBRC      type SY-SUBRC.
data: ACTIVITY like AUTHB-ACTVT.
   SUBRC = 0.
   case MODE.
     when 'R'.
          ACTIVITY = '03'.
     when 'W'.
          ACTIVITY = '02'.
     when 'D'.
          ACTIVITY = '02'.
   endcase.
   if ISPTH_HEAD-FS_BRGRU <> SPACE. "Here it is... for BEGRU checks there must be a value...
      authority-check object 'S_PATH'
          id 'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
          id 'ACTVT'    field ACTIVITY.
       if SY-SUBRC <> 0.
          SUBRC = 3.
       endif.
   endif.
endform.
Cheers,
Julius

How to restrict provide to a single account(by authorization object)

Hello, i have two types of accounts.
Account range 1: 10000000 -19999999
Account range 2: 20000000 - 29999999
For range 1 i have assigned authorization group AUT1.
For range 2 i have assigned authorization group AUT2 (by transaction OB_GLACC12).
So the general idea is some users will have access only to group 1 , etc. i have used autorization object F_BKPF_BES in the role btw.
I have created 4 roles:
1) RANGE1_ALL (means user can create / modify delete GL from range 1)
2) RANGE1_DISP(means user can only disp GL from range 1)
3) RANGE2_ALL(means user can create / modify delete GL from range 2)
4) RANGE2_DISP(means user can only disp GL from range 1)
If i give RANGE1_ALL + RANGE2_DISP to the user, he can create/modify/delete for range1 and only display GLS from range2.
Now the problem is if i want user to create/modify/delete for range1 but only display a specific account from range 2 ; say GL 29999000.
Which authorization object can i use to specify the range 2 GL account directly?thx.

Hi,
The only option for you is to have a different authorisation object for that GL alone and assign it to the user. You dont assign RANGE2-DISPLAY object to that user.
From FS00, you have to change the Auth group of that specific GL.
Regards,
Mike

BP Authorization Object

Hi,
I have the necessary CRM authorizations to create Business Partners of type person in roles such as employee, contact person, general using the BP transaction.
I have now activated the role 'Internet User'. While I can see this role in the 'Create in Role' dropdown on the BP creation screen, I cannot create a BP of type person in this role.
I get the error message: "You are not authorized to maintain user data".
Are there any additional authorizations that I require to be able to assign this role to a business partner?
Thank you,

But you could assign different values of B_BUPA_FDG authorization object for different authorization profiles. For example:
Profile 1: B_BUPA_FDG
Values:    FLDGR= FLDGR1 (Defined in IMG)
           ACTVT= Display
Profile 2: B_BUPA_FDG
Values:    FLDGR= FLDGR1 (Defined in IMG)
           ACTVT= Change
User Group 1 -> Profile1
User Group 2 -> Profile2
However probably the best solution for your requirements will be the GuiXT Tool.
You can find more information about this tool in <a href="http://www.synactive.com">http://www.synactive.com</a>. You will be able to assign different scripts to different user groups.
Message was edited by: Javier Merino Vivar

Creation of a new Authorization object

Hi ,
I need to create a new Authorization group and add three existing tables to it.
Kindly suggest a way.
Regards.

Authorization Field
Smallest unit in an authorization object. An authorization field either represents data, such as a key field in a database table, or activities, such as Read or Create. Activities are specified as identifiers, which are stored in the database table TACT and the customer-specific table TACTZ.
Maintenance using transaction SU20.
Authorization Object
Repository object that forms the basis for authorizations. An authorization object comprises up to 10 authorization fields. The combination of authorization fields, which represent data and activities, is used for authorization assignment and to check authorizations. Authorization objects are grouped together in authorization classes.
Maintenance using transaction SU21.
Authorization
Enter in the user master record or part of an authorization profile. An authorization comprises complete or generic values for the authorization fields in an authorization object. The combination determines the activities with which a user can access certain data.
Maintenance in transaction SU03 or generation from transaction PFCG (profile generator for role maintenance).
Authorization Profile
Grouping of several individual authorizations or further authorization profiles. Can be entered in the user master record instead of individual authorizations. An authorization can be assigned to authorization profiles as often as you wish.
Maintenance in transaction SU02 or generation from transaction PFCG (profile generator for role maintenance).

Role creation and authorization objects in sap

Hi
i want to know the full relationship between creation of roles , authorization objects ,authorizations in web as abap
Please explain the process in detail the use of PFCG and all its options and how to create Z roles

Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
- Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.
- The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
For e.g. If a user wants to create a PO we can restrict him on:
u2022     Activity : Create/Change/Display
u2022     Org elements like Company Code, Plant, Purchase Organization etc
u2022     Document type etc.
- Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
- Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
- An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
- Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
- Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.
Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

Authorization Object of Article Group

Similar Messages

Maybe you are looking for