Authorization Object  to access

Similar Messages

• Authorization object to access Infopackage

  Hello BW Experts,
  Need to give access to only infopackages for the users to run the loads. What Authorization object to include in RSSM for this.
  Suggestions appreciated.
  Thanks,
  BWer

  Hi,
  There is not direct way to secure an InfoPackage right now, but you can try out the suggestion as mentioned in this thread:
  Re: Authorization at Infopackage Level?
  Hope this helps...

• Limiting the Report Layout access other than Authorization Object S_ALV_LAYO

  Dear Experts,
  We have an issue of Layout Access limit to Users coz unwittingly these are being deleted.
  (Example: IW39 à after F8 à Settings à Layout.)
  The Authorization object S_ALV_LAYO which limits the access, has been defined in the multiple Roles, where every User been assigned with these Roles across Three Continents.
  Instead of hampering the existing Streamlined Roles, looking for other Options since if it may give odd behaviour after modifying the Roles then all the Users across the continents will be effected.
  It will be grateful if we get other options to limit the Layout access instead of controlling through Authorization Object.
  Thank you & Have a Great Day!

  Thank you Sebastian & Terence,
  The Global Roles has maintained with Authorization Object (S_LAYO_ALV) and these are been assigned to Every User coz all Users should access these reports.
  So now every User has maintained with the Authorization Object to access.
  Now we are trying to Control the Access to limited Users through without hampering the well maintained/streamlined  Roles, since if any adverse effects on the modified roles may impact to all the Users across the continents.
  Looking for other options.
  Thanks, I appreciate your time and efforts on this.

• Authorization object for InfoArea access

  Hi,
  what authorization object should i use to give access to just a few InfoAreas on workbench and Bex ?
  thx

  Hi,
    As you are having S_RS_ICUBE in your role, drill down the complete tree, now you can see Info cube, Info area, activity etc options. at info area level give the info area name and if you want to restrict for few info cubes, you can give cube names as well. now goto activity tab Display (03), Refresh(66) and maintain(23), this depends on your requirment. same you can give in S_RS_ODSO and S_RS_COMP and S_RS_COMP1, if you have * here, it will overwrite the restrictions of other object.

• Authorization objects to avoid users to access workbook design mode

  Hi all,
  Does anyone knows an authorization object that stops the user to enter workbooks design mode?
  We use workbook protection but this disables most of the workbook properties.
  Many thanks,
  Mazzz

  Hi..
  see this thread.. hope it helps..
  How to prevent workbook users from saving workbooks
  You must set up security to control who can save workbooks, where they can be saved, and which workbooks appear in the BEx Browser for a specific user.
  Workbooks can also be created in the BEx Analyzer. After executing a query, choose Save u2192 Save as new workbook.
  Securing Workbooks
  In order to save a workbook, a user needs two authorization objects. The two objects listed below are the minimum authorizations a user needs to save workbooks.
  S_GUI: Authorization for GUI activities
  S_BDS_DS: Authorizations for document set
  Using both S_GUI and S_BDS_DS will enable a user to save workbooks to their Favorites folder.
  The authorization object S_GUI has one field, Activity. The activity field must be set to 60. For S_BDS_DS, the user needs activities 03 and 30. The Class Type field should be set to OT.
  Saving Workbooks to Roles
  If a user wants to save aworkbook to a location where it can be easily accessed by others, they need to save to a Role rather than saving the workbook in their own Favorites folder. Saving to a Role means saving to a security role.
  You may want to set up roles specifically for saving workbooks. You can then assign the role to all parties who need to share workbooks.
  Another option is to not allow users to save workbooks, but rather only allow power users to save workbooks. This is done to maintain the roles and to ensure that the workbooks are manageable. This also prevents users from changing workbooks saved by other users.
  In order to save workbooks to roles, a user needs:
  S_USER_AGR: Authorizations: Role check
  S_USER_TCD: Transactions in roles
  The authorization object S_USER_AGR has two fields:
  Activity and Role Name.
  Activity field -Must have at least values 01, 02 and If the user can delete workbooks, they will also need value 06.
  Role Name, you should enter the specific roles you have created for saving
  workbooks. Use proper naming convention for roles so that the roles can be restricted pretty easily.  The role name is the name of a role that will be used to hold workbooks. Saving a workbook to a role actually updates the Menu portion of a role, so object S_USER_AGR is a required object.
  Authorization object S_USER_TCD has one field
  Transaction Code. The user needs value RRMX in this field.
  Once a workbooks is saved, the data and the layout is saved in the workbook. For security reasons, we recommend that users save workbooks without the data. To save the workbook without the data, the users selects from following menu path from the BEx Analyzer: Tools > All queries in Workbooks > Delete results
  Sathya
  Edited by: sathya prasad anumolu on Jul 30, 2008 4:58 PM

• Authorization Object to Control access for ContactData in Dispute Managmt

  Hello Experts,
  Do you know which Authorization Object is necessary to use to be able to control Contact Data available in Dispute Management? Any hint will be much appreciated.
  I want to have greyed out the contact data fields (contact person, e-mail, phone and fax number) in change mode.
  Thanks in advance.
  Best Regards,
  Vanessa.

  Hi Ravi,
  Thank you very much for your reply, but I have done this already.
  Transaction is UDM_DISPUTE but they are so many authorization objects available and none of them seems to be related to contact data. Please kindly check within transaction the part of the screen that I am talking about.
  Also check the list of objects in SU24 to Transaction UDM_DISPUTE. Do you know which one is related to 'contact data' part of the screen?
  I need to know which authorization object valid to Transaction UDM_DISPUTE is the one related to contact data. Any other idea?
  Thanks in advance.
  Best Regards,
  Vanessa Barth.

• MRS - authorization objects (Multi Resource Scheduling)

  Hello,
  We are implementing MRS for a customer who does not have proper structural authorizations in place, and they would like to avoid using evaluation paths for the authorization check.
  Is there a way to use cost centers to limit user access in MRS? We tried to use cost centers in auth. object MRSS/PB1, but it does not work.
  Is it possible to modify the default MRS auth. objects and add some extra auth. fields? Would that auth. check work in planning board?
  Is there any other way to limit user access in MRS planning board rather than using evaluation paths?
  Thank you
  Simon

  Hi Simon,
  I have checked the authorization objects related to MRSS in SU24 where I can see based on the T code. Did you find a way how to get relevant for SAP MRS only like the Resource Planner  etc authorizations he need if you have found something like that please share.
  Thank you

• How to restrict provide to a single account(by authorization object)

  Hello, i have two types of accounts.
  Account range 1: 10000000 -19999999
  Account range 2: 20000000 - 29999999
  For range 1 i have assigned authorization group AUT1.
  For range 2 i have assigned authorization group AUT2 (by transaction OB_GLACC12).
  So the general idea is some users will have access only to group 1 , etc. i have used autorization object F_BKPF_BES in  the role btw.
  I have created 4 roles:
  1) RANGE1_ALL (means user can create / modify delete GL from range 1)
  2) RANGE1_DISP(means user can only disp  GL from range 1)
  3) RANGE2_ALL(means user can create / modify delete GL from range 2)
  4) RANGE2_DISP(means user can only disp  GL from range 1)
  If i give RANGE1_ALL + RANGE2_DISP to the user, he can create/modify/delete for range1 and only display GLS from range2.
  Now the problem is if i want user to create/modify/delete for range1 but only display a specific account from range 2 ; say GL 29999000.
  Which authorization object can i use to specify the range 2 GL account directly?thx.

  Hi,
  The only option for you is to have a different authorisation object for that GL alone and assign it to the user. You dont assign RANGE2-DISPLAY object to that user.
  From FS00, you have to change the Auth group of that specific GL.
  Regards,
  Mike

• BI authorization objects not appearing in RAR, error while generating role

  Hi
  I am facing certain problems relating to integration of BI module version 7 with GRC Access Controls version 5.3 and support package 06. I am describing the problems in details below:
  (a)  In Risk Analysis and Remediation (RAR) component, I am creating Functions and
        Risks for Business Intelligence (BI) module. For that I have downloaded the
        descriptive text and authorization object data from BI development system and
        uploaded the same in RAR. Then I have created 2 Function Ids DBI1 (having action
        RSA1) and DBI2 (having actions RSA11, RSA12, RSA13, RSA14, RSA15) and 1
        Risk Id for BI (having Function Ids DBI1 and DBI2) in RAR. But when I checked
        the permission tabs of the Function Ids DBI1 and DBI2, I could not find any
        authorization objects for the actions in them.
  (b)  In Enterprise Role Management (ERM), when I am trying to create a Role TEST-BI
         in DBI 100 and I put the  BI transaction codes in authorization data , I get the
         authorization objects . Risk analysis is also being done successfully. But at the time
         of Role generation in background mode , it is giving an error message :
         Error generating role TEST-BI for system DBI 100: Unable to interpret * as a number.
         I am thus unable to generate any role in DBI 100.
  (c)  In Compliance User Provisioning (CUP), I have imported a standard role from DBI
        100. Then I have added Functional Area, Business Process, Subprocess  and
        Criticality Level to this role in CUP. But when I try to assign this Role to an user, it
         gives an error Error creating request. But requests are getting created and roles are
         being assigned to users in ECC development  systems using the same Initiator, CAD, stage
         and path.
  Can anyone please help me ?

  -

• NO Authorization error when accessing Functional module RH_CUT_OBJECT

  Hi,
  I am getting NO AUTHORIZATIOn error when I am executing SE37-->FUNCTIONAL OBJECT-RH_CUT_OBJECT.
  I also checked SU53 screenshot which says AUTHORIZATION CHECK SUCCESSFUL and there are no errors or missing authorizations highlighted in SU53.
  I switched on the TRACE-ST01 then also the error is not captured.
  I would like to know WHY am I getting NO AUTHORIZATION error.
  I am already having access to T-CODE SE37, SE11, SE80, SMARTFORMS and authorization object S_DEVELOP.
  I need to know this ASAP on why I am getting NO AUTHORIZATION error when I am trying to access the FUNCTIONAL MODULE RH_CUT_OBJECT whereas I am having all the required authorization required for ABAP Developer including SE37.
  Is it something I need change at ABAP code level.
  Please advise ASAP.

  The reason is ..You do not have acess to see/acess the data this FM is trying to acess ...Debug the function module keep a breakpoint at The Raise statement see which authorization you do not have ....BTW this is my guess you are trying to demilit certain objects /infotypes using this FM and delimit basically makes that object non-usable in that system  .So it is quite evident that every one will not have authorization for that .Please post in detail that what is it that you are trying to achieve using this function module .....
  Also you can check with debugging  which authority object is being checked before raising the message and can ask security team to get that added to your profile ....
  Thanks,
  Anjaneya

• Creation of a user with a particular authorization object (Very Urgent)

  Hi,
  There is a requirement in my project to create a user who can only reset his password. So for this I think a authorization object should be created and assign it to a profile which displays only the tab for reseting the password which is( Logon in SU01). I want to know two things in this regard.
  1. The whole process of creating customised authorization object and assigning it to a profile and
  2. Any other way to achieve the needed scenario.
  Thanks & Regards,
  Sujith
  Edited by: Sujith K on Feb 4, 2008 1:26 PM

  In transaction pfcg ,
  give single/composite role name
  give profile name and description in authorization tab, save it
  enter into change authorization data
  select manually tab
  give authorization objects name (creating auth. objects)
  fields will automatically come inside it
  enter the field values
  save and generate profiles (Profiles created)
  go to su01,
  create users (fill address, logon data, roles )
  In pfcg,
  select the role you created and click on the user comparison for giving the authorization to access.
  award points if useful

• Creation of a new Authorization object

  Hi ,
  I need to create a new Authorization group and add three existing tables to it.
  Kindly suggest a way.
  Regards.

  Authorization Field
  Smallest unit in an authorization object. An authorization field either represents data, such as a key field in a database table, or activities, such as Read or Create. Activities are specified as identifiers, which are stored in the database table TACT and the customer-specific table TACTZ.
  Maintenance using transaction SU20.
  Authorization Object
  Repository object that forms the basis for authorizations. An authorization object comprises up to 10 authorization fields. The combination of authorization fields, which represent data and activities, is used for authorization assignment and to check authorizations. Authorization objects are grouped together in authorization classes.
  Maintenance using transaction SU21.
  Authorization
  Enter in the user master record or part of an authorization profile. An authorization comprises complete or generic values for the authorization fields in an authorization object. The combination determines the activities with which a user can access certain data.
  Maintenance in transaction SU03 or generation from transaction PFCG (profile generator for role maintenance).
  Authorization Profile
  Grouping of several individual authorizations or further authorization profiles. Can be entered in the user master record instead of individual authorizations. An authorization can be assigned to authorization profiles as often as you wish.
  Maintenance in transaction SU02 or generation from transaction PFCG (profile generator for role maintenance).

• Authorization object of DMS Document Number

  i need to limit access of users on range of document .
  for example  :
  i have created document type ZFI with number range 100 to 500
  i need grant the access of a specific user to range from 100 to 300 only .
  How can i do that ?
  i need to know the authorization object of Document number .

  Hi Reda,
  You can use ACL authorization, There is the only option available to control authorization at document level.
  The task for doing the same will take time if the documents are more, I hope there is some standard FM for ACL , try using the same and let me know the results.
  Rgds,
  Nayeem.

• Authorization object for Object services

  Hello together,
  I want to know if there is an authorization object for Generic object services functionilty especially the WF options like WF overview, start WF, Archieve WF..............................
  My understanding is any user who has access to a particular Business object, can user GOS to view WF stuff..................Is my understanding correct or should we have extra functions.....................
  Regards

  Check authorization objects S_OC_ROLE and, for recent releases, S_GOS_ATT.
  Regards,
  Raymond

• Authorization object coding in ABAP report

  Hi,
  I am working on a report. The output of the report is details regarding vendor based on purchasing organization. When user executes the reports, they should be only able to see details if they are authorized to (create, change and display) for the purchasing org of vendor.
  The authrorization object by SAP security team is 'M_LFM1_EKO' for standard access to vendors (via MK01, MK02 AND MK03).
  How can I use same authorization object to do check in my program for the user in ABAP so that if user is not authroized he will not be able to see details during output for those vendor.
  Regards,
  Tgshah.

  Hi ,
  Basically you need to call Authority-check using the pattern option and then pass the object name and field name .If the user has been assigned that object in his profile sy-subrc will succed otherwise fail .
  AUTHORITY-CHECK OBJECT 'M_LFM1_EKO'
           ID 'ACTVT' FIELD '1/2/3'
           ID 'EKORG' FIELD 'value of purchase organization'.
  IF sy-subrc eq 0 .
  WRITE :'authorization' .
  ELSE .
    WRITE 'no authorization' .
  ENDIF.
  The below lonk explains it more ...
  [http://help.sap.com/saphelp_40b/helpdata/fr/d4/e02c7dd435d1118b3f0060b03ca329/content.htm]
  Thank you .
  Anjaneya .