Authorization object related to PRT Delete

Hi PM guru,
Some user is not able to delete PRT assigned to the operation.
Whether any authorization object related to PRT is there so that i can check roles for user .
Regards
Anil Kumar

Anil,
Get the user to try to delete the PRT.
Then the user should type /nSU53 in the command field.
This will produce a report with the missing authorization object(s)

Similar Messages

Authorization Object Related To Movement Type

Hi,
I meet one problem, one user want to check which user can use MB1A t-code with movement type 201 and 202, but I know there are some authorization object related to movement type and I want to use suim with mb1a t-code and authorization object to check the user, but I don't know the authorization object about movement type in MB1A t-code, does anyone can help?

Go to SU24, enter the transaction code and press execute.
Here you can see the all authorization object whose are used for the transaction code MB1C.
Regards
Dev

Authorization objects problem , unable to delete

hi all,
i hv created authorization object via SU21. ZZ_program, I am trying to modify but it prompts warning:
Field assignment for object ZZ_PROGRAM cannot be changed as auth. for it exist
Message no. 01221
Diagnosis
You attempted to change an object for which authorizations exist. Authorization fields for the object cannot be changed here.
Procedure
If you want to change the object anyway, you must first delete all authorization belonging to this object. Consider that other systems may also be affected.
after i enter the message, it prompts the whereuse list
Where-Used List
Authorization Object
ZZ_PROGRAM
Berechtigungen
AA________00
Rollen
ZZPROGRAM 
after that, the fields are all greyed off, i am unable to change the authorizatiion fields and i do not understand the where use list result, can anybody pls help ?
i am working on sap 4.7

There is one particular check with Table USR12 (User Master Authorization Values) and also with table AGR_1251 (Authorization data for the activity group).
SELECT distinct AUTH FROM USR12
 appending table list
 WHERE OBJCT = OBJECT
 and AUTH ne '&_SAP_ALL'
 and AUTH ne '&_SAP_APP'
 order by auth.
if sy-subrc = 0.
 insert 'Berechtigungen' into list index 1.
 RC = 1.
endif.
append 'Rollen' to list.
index = sy-tabix.
 SELECT distinct agr_name FROM AGR_1251
 appending table list
 WHERE OBJECT = OBJECT
 order by agr_name.
If that is sucessful , you cannot change the authorization object.
See the content of AGR_1251 table using your authorization object name. Then you will Role name from field AGR_1251-AGR_NAME
with this role name, go to Tcode: PFCG
and give the Role name and click on change button
In authorization tab.Chick on Change Authorization Data.
And find and remove this authorization object from there.
And then proceed with changing the Authorization object.
Hope this will solve ur issue.

MRS - authorization objects (Multi Resource Scheduling)

Hello,
We are implementing MRS for a customer who does not have proper structural authorizations in place, and they would like to avoid using evaluation paths for the authorization check.
Is there a way to use cost centers to limit user access in MRS? We tried to use cost centers in auth. object MRSS/PB1, but it does not work.
Is it possible to modify the default MRS auth. objects and add some extra auth. fields? Would that auth. check work in planning board?
Is there any other way to limit user access in MRS planning board rather than using evaluation paths?
Thank you
Simon

Hi Simon,
I have checked the authorization objects related to MRSS in SU24 where I can see based on the T code. Did you find a way how to get relevant for SAP MRS only like the Resource Planner etc authorizations he need if you have found something like that please share.
Thank you

BW 3.5 which authorization objects available rssm (checks for infoprovider)

Hi all,
How does SAP generates the list of authorization objects in RSSM when you enter a specific infoprovider (checks for infoprovider)? Are only the authorization object related to this infoprovider listed?
Is there any documentation about the purpose in RSSM for the button 'update check status (Authorization objects, infoprovider).
thanks for your help.

Based on which criteria?
Is there somwhere detailed documentation available about the RSSM part in BW authorizations? It seems hard to find any...
Thanks,

Authorization objects Workflow HR

Hi,
I would like to know authorization objects related to workflow .
that to restrict the user that when he forward a workitem...to which users he can forward..
Thanks,
nachy

You have to first make that particular standard task as General forwarding not allowed. After this in the Task level you have to assign the Authorization role to this Task. Now if the user tries to forward workitem to user who is not maintained in this role he will not be able to do so.
Thanks
Arghadip

Authorization object L_LGNUM

Dear colleagues,
I am trying to restrict a user from doing a certain 'thing' and am looking for your help.
In Warehouse Management we are confirming Transfer Orders in Two steps. I want the user that does the first step, not to be able to confirm the second step.
In GUI mode this would be done with transaction LT12 for both the first and second step.
In RF mode we do this with LM05 for the first step and LM06 for the second step.
In table LTAP-ENAME the system writes the name of the user of the first step. In table LTAP-QNAME the user name of the second step.
So far I have removed in object L_LGNUM the destination Storage Type (which is part of the second step).
This was to no avail. I must admit that this storage type is not part of the verification process, i.e. it does not need to be verified/scanned, but still I would expect the user being blocked from confirming a document with this storage type.
Do you have any suggestions?
Thank you for your time,
Sandeep

Hi Sandeep,
Check the below link which has clear information on usage of the authorization object related to WM:
http://help.sap.com/saphelp_45b/helpdata/en/c6/f839e84afa11d182b90000e829fbfe/content.htm
I recommend you to verify whether you are applying the correct restrictions. If the issue still persists, revert to this thread, so that I can replicate and try to provide you a solution.
Warm Regards,
Raghu

PS Network Authorization Objects?

Hi,
I want to assign authorization for a perticular Network of a perticular WBS in a PS project.
BUt all the standard object i have checked dose not serve the purpose.
What is the standard procedure for doing that? Any object you know can be useful to me?
C_AFVG_APL           PS: Work Center for Network Activities and Activity Elements
C_AFVG_TYP           PS: Activity types for network act. and activity elements
C_AFKO_DIS            Network: MRP Group (Plant) and Transaction Type
C_AFKO_ACT           Activities on network header level

Hi Hussain,
    The authorization object related to wbs in a ps project are
*)C_PRPS_ART     you can use this object to control who can access WBS elements in the PS depending on the project type,
*)C_PRPS_KOK     you can use this object to control who can access WBS elements in the PS depending on the controlling area assigned to them,
*)C_PRPS_KST      you can use this object to control who can access WBS elements in the PS depending on the responsible cost center for the WBS elements,
*)C_PRPS_PRC       you can use this object to control who can access WBS elements in the PS depending upon the profit center ,
*)C_PRPS_USR       This authorization object is intended as a "master" for you to copy from when you create your own company-specific authorization objects for WBS elements, activities and activity elements.
*)C_PRPS_VNR     You can use this authorization object to control who has access to the WBS elements in the Project System depending on the person responsible for the project ("project manager").
    The best way to search for authorization object as i prefer is the use the tcode SUIM.
    Hussain,One thing which i want to mention here is when u give this authorization object to any user plz check the authorization field also.where u r able to restrict a user for view/display,change, create etc..

Error in Deleting Authorization Object

Hi,
I am trying to delete the authorization object in tcode RSSM, and I am getting following error:
Could not delete profile RSR_00006165 from the DUMMY user master
Message no. RSSBR063
Your input will be appreciated and points will be awarded for helpful answers to resolve this.
Thanks in advance,
Steve

Hi Steve,
All your roles which are depending on the specified authorization object should be free with AUTh.OBJ and then try to reomve the master data from the auth.obj and then delete the auth.obj, now it will allow you to delete the auth.obj
Regards
Sarath

Authorization OBject for Delete and Lock indicator in PO function.

Hiii
I'm using sap 5.0. I'm notice that we can set the authorization object to control the user from make a action for delete/Lock indicator in purchase order so that we can prevent the 'unpredictable user' from do the deletion on item PO item.
it also help me to authorize the selected user to perform delete or lock action.

Hi,
To prevent deletion or locking in specifically may not be controlled thro authorisation but changing the PO can be controlled.For this the authorisation objects M_BEST_BSA, M_BEST_EKG,M_BEST_EKO,M_BEST_WRK may be looked into .Here against Activity there is option like create,change ,delete,print etc which if suitably assigned can restrict the users for certain activity.Try with your basis team in this objects.
Dhruba

Relate authorization object to transaction

Hi experts,
I am currently working on authorization on AS ABAP, creating roles containing different SAP standard transactions
Actually I wonder if it is possible to relate an auth. object to a certain transaction. This could be necessary for my authorization concept because there are several SAP standard transactions checking the same auth. object.
As an example take transactions SE16 and SM30. Both check auth. object S_TABU_DIS.
If I now want to create a role which gives a user the permission to edit customizing tables in SM30 but not in SE16 there is no way (until now I do not know one) to define an instance of S_TABU_DIS with read/write permission for SM30 and another instance with only read permission for SE16.
I tried to use two roles putting one transaction into each. When I give the user the "SE16 role" he has no write permission in SE16. But when I give him the "SM 30 role" too he has write permissions in both, SM30 and SE16.
Therefore I guess that the authorization of the SM 30 role "overwrites" the read-only permission of the SE16 role.
Now my question to you: Is there any way to bind an auth. object to a transaction, so that an authorization defined from an auth. object is only valid for a certain transaction?
Thanks in advance for all answers!
Best regards,
Torben

Hi Bernard,
With transaction se93 you can add an authorization object to a transaction as far as I know. I never used it but it is possible. If you call transaction PFCG you see that object S_USER_AGR is used. I understood that this is a static authorization and the dynamic authorization is in the abap.
Have fun
Bye
Jan van Roest
Edited by: J. van Roest on Feb 18, 2011 12:15 PM
Edited by: J. van Roest on Feb 18, 2011 12:16 PM

RSSM Authorization objects linking to InfoProvider disappeared

Dear all
We have observed a strange scenario. Some times the link of the authorization objects to the InfoProvide disappeared and after certain time, it comes back again. It seems no any batch job running related to this. Have someone met the same situation?
Thanks for the help, Jessica

I don't know if this is the answer to your question but I have a similar experience, but slightly different:
Sometimes, in the process of redesigning InfoProviders already present in the production system, they are deleted and recreated in development. When that happens, all possible authorization checks for reporting objects are checked again by default. Transporting these InfoPoviders back to Production means that users will experience a loss in authorizations until the irrelevant authorization checks for reporting objects are unchecked again.
This problem can only be solved by implementing a decent change management procedure and increasing authorization awareness for BW developers.
Good luck,
Kind regards,
Lodewijk

New version of object popping up on Deletion of T Code

Hi
I removed a Tcode from a role. This Tcode does not have any other object besides S_TCODE. However on exclusion and choosing Expert Option / Read old status and merge with new data, i see that there is a new version of a object has popped up in "NEW". The older version of that object is in the Changed mode.
From this I understand that if a standard object is changed then every time "Read old status and merge with new data" is chosen SU24 is re-read to pull out the standard object... Am i correct here?
If the above is true then as a standard practice is it right to may inactivate the standard object and manually add that object again or copy that object to bring in a new version of that object.... -
is this right?
Please advice
- ravi

Hi Ravi,
When ever you add a new tcode to a role, make sure you add the tcode in the menu of the role so that the role will pull all the authorization objects check/maintained against the tcode.
When you delete a tcode then it will automatically deletes the authorization objects associated with the tcode.
If you do a merge with new authorization data, then the role will get the new authorization objects if newly check/maintained for any tcodes from SU24.
The best practice is to always have standard/maintained authorizations for the authorization objects in the role. Manual additions of authorization objects is not advisable unless if the business requires so.
Please reward points.
Regards,
Kiran.

Mass update to FILENAME field in S_DATASET authorization object

We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value. I'd like to do this programmatically if possible.
What I've learned so far is that I need to update the value in table USR12, but the value is encoded. When I look at the table in SE16, I do not see the encoded value field. The value does show in UST12, but I'm told this is an unreliable table.
So I'd like to know..
1. How can I look at the value if not in SE16?
2. Is there an API I can use to encode/decode the value? If not, where is the specification on how to build it?
If this is better addressed in a different forum, which one should I try next?
Thanks,
Dan

Hi there,
Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
But the behaviour as you have described:
>
> Path Saveflag Fs_noread Fs_nowrite Fs_Brgru
> =============================================================
> * X X DUMY
> /temp/FI/.. X X DUMY
> /temp/FI X FIFI
>
... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
> Caution:
> - If you enter paths generically in the table SPTH, the most precise specification counts.
> - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
So, the only check which is effective to protect the path, is:
Path Saveflag Fs_noread Fs_nowrite Fs_Brgru
=============================================================
/temp/FI X FIFI
... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
form CHECK_PERMISSION using ISPTH_HEAD type SPTH
 MODE type CLIKE
 SUBRC type SY-SUBRC.
data: ACTIVITY like AUTHB-ACTVT.
 SUBRC = 0.
 case MODE.
 when 'R'.
 ACTIVITY = '03'.
 when 'W'.
 ACTIVITY = '02'.
 when 'D'.
 ACTIVITY = '02'.
 endcase.
 if ISPTH_HEAD-FS_BRGRU <> SPACE. "Here it is... for BEGRU checks there must be a value...
 authority-check object 'S_PATH'
 id 'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
 id 'ACTVT' field ACTIVITY.
 if SY-SUBRC <> 0.
 SUBRC = 3.
 endif.
 endif.
endform.
Cheers,
Julius

Authorization Object is not working when report is modified.

Hi BW Guru's
We have Company Code as Authorization Object .and we have 3 company Codes (xxxx,yyyy,zzzz).where the users under Company code xxxx are not supposed to view company code yyyy,zzzz data etc.
I modified an existing Report and transported to production.But the Authorization Object is not working for that report.The Report is defaultly displaying all the company codes data(xxxx,yyyy) for all the users.But for the other reports its(company code ) is working fine.
What could be the problem?Is theproblem in transporting the objects.But i transported all the objects inluding auhorization object.
Please send me the solution as it is very much urgent.
The solution will be def. awarded with full points.
Regards
Sanjay

hi Sanjay,
please don't post the same question again, check and response back from your previous thread
Re: Authorization Object is not working when report is Modified.
hope this helps.
would be nice if you reward for helpful answers to all of your previous postings, e.g
docs related to RRI

Authorization object related to PRT Delete

Similar Messages

Maybe you are looking for