Authorization object to WRITE/ADMIN all projects in cProjects

Similar Messages

• Project Search in cProjects 4.0 - Displays all projects

  Hi Experts,
  Project Search in cProjects fetches all projects - across all users and across all project types. This includes projects of project types the user is not authorized to. Well, the user cannot open any of these projects (unless he has authorization) but he can see all projects.
  Is there a way to restrict this? We require users to get to see projects in his search list only if the user has authorization to the corresopdning Project Type. Is there a way?
  Regards...

  Thanks Ramakrishna for responding.
  But I understand that this search is also influenced by the settings that the user does at the front end. What I mean is, if he does not put any such filter, he can still view all projects.
  Is there anyway we can restrict the users from viewing? What I mean is, can we put such filters (which the user puts at front end to search) at the back end by which the front end user just cannot see/view all projects?
  Thanks again...
  Regards,
  Bittu.

• Doubt regarding Authorization Object

  Hi All,
  I am not able to creat a Buiseness Agreement in CRM. Following is the error message which is getting displayed:
  The auothirzation check for object CRM_ORD_PR has sent back the return code 12. The activity carried out was to create.
  I checked my role and this authorization object is present with * (All) access.
  Please le me know how to correct this error.
  Thanks,
  Ritesh

  Hi,
  See the output in Su53 transacton once you get this error.
  Regards,
  Nirmal.K

• How to get all authorization objects for a certain authorization profile

  Hi ABAP experts,
  I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
  So:
  - where are these values stored (dictionary table)?
  - is there already a FM or a report to read all authoriation values for a certain authorization profile?
  Thanks in advance.
  Best regards,
  Oliver

  Hi,
  check the following it might useful for you:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
  if helpful reward points are appreciated

• CJ20N Authorization Object for Project Status Changes

  Hi Gurus,
    Can any one knows the Authorization Object responsible to control the change of status for a project in the CJ20N?
    We want to control who can and who can't change the STATUS of a project independent from other changes.
  Regards
  Gustavo Balboa

  User authorization object B_USERSTAT. Before that u should define authorization key in Tcode:BS52 and assign it to User status in Tcode:OK02.
  In authorization object B_USERSTAT set ERSL=Authorization Key, so that the user can change the status of that perticular status only.
  Venkat

• My itunes keeps asking me to set my permissions.  they are set to read and write for all accounts, admin, everybody, etc.  don't know why it won't let me download

  my itunes keeps asking me to set my permissions.  they are set to read and write for all accounts, admin, everybody, etc.  don't know why it won't let me download

  Ever find a real solution to this? I just posted something similar - been having the issues ever since I started using the mac.
  I have 5 mac accounts: 2 of those are admins.
  After I installed every program I may possibly want, I redid all my user accounts (as I had been having a lot of permissions issues before that). My (admin) account downloads fine. Another admin account, set up exactly as mine, periodically gets prompted that it doesn't have the right to download.
  To avoid duplication, I have a /common/music directory for all itunes accounts music. We have to periodically do a recursive permissions deal on the 2nd admin account so it can put music there, even though that directory is read/write for everyone. Apple's never been able to help me on this...

• Mass maintenance of authorization objects

  Is there a SAP transaction available to mass maintain authorization objects?
  Let's say that I have 120 roles, in all of which I want to change the value of field Y of authorization object X.  For example, object S_TABU_DIS. I want to exclude an authorization group in all available roles. How can I do this for all roles which have this object?
  Modifying each role separately in PFCG is rather time consuming (and pretty unpleasant).

  Actually, SAP does provide a solution to promote and demote fields to org. levels. There are reports for this (use them and not the table maintenance transactions!) because they automatically adjust your roles as well - otherwise you end up with inconsistencies.
  But I agree with you, that org-levels is not a natural solution for this specific problem and although retrofitting security is the most expensive option, one cannot foresee all requirements from the start and Go-Live project pressure can be a factor as well to use * values for fields which on their own appear to be harmless...
  You could try to write an adjustment tool for PFCG, but with "only" 120 roles I think you will be faster and safer with doing it manually. I think that less than 1 day's work should fix it. However, if you are willing to invest 2 or 3 days more, you can also consider restoring the values from the SU24 proposals. Particularly if one group of transactions are in many of the roles and you can isolate the common transaction (the "guilty one...) then you can do it more centrally in future as well.
  However if you have not used the "Read old merge new" function in PFCG's expert mode, then you should be carefull with this as other objects might "correct" themselves as well. Particularly if you have been deleting standard authorizations in roles! (Why that button even exists, I don't know. No good can come of it...
  Cheers,
  Julius

• Authorization object in sales order

  Dear All,
  In our project We would like to have a new authorization object in order to allow one Sales companies to reprint other Sales companies intercompany invoice based on the Sold to party.
  First we wants to give a particular  group of user that authorization so that they can reprint that order confirmation.
        We only give the display authorization or print authorization.
  I found in standard sales order only 2 authorization object is there v_vbak_vko and v_vbak_aat. I wants to create a new authorization object and assigned it to that sales order so that system first check that the user belongs to that autho. Group or not .if it is satisfied then he can display or reprint.
  But I donu2019t know I write that code and how  can I move.
  Please advice.
  Thanks in advance.
  Regards,
  Moni

  hi,
  use these transactions.
  SU21,SU20,SUIM.

• Profile/Role to READ all projects

  I am looking for a role or profile to read ALL projects in cPro. Can somebody help me out?

  I confirm Florian's answer.
  You can create a PFCG role with authorization object ACO_SUPER with::
    - activity: ADMIN
    - object category: *
  You may also have to add wild card authorization for project type.
  BR
  Matthias

• Use of RSSM to create authorization objects

  I have a few questions on the way of using authorization objects via RSSM.
  First, i would like to know if there is a limit in the number of values used as a filter in the authorisation object.
  First, what is the quantity limit of values that we can use as filter? CC00000010, CC00000011, CC00000012, ..., n. In this case what would be the value of n. In our fonctionnal need, ranges of values would not be an option.
  My second question is in relation with the use of an authorization object composed of two characteristics. Is there a way to build a case in witch the authorization check return a positive answer to a logical OR between the two  characteristics?
  Example 2, lets say that you want to perform an authority check on the cost center OR on the profit centre. Is there a way to build the authorization object to make sure that there is no error messages when the user has the authorization for the cost center CC00000010 OR the profit center PF00000011.
  Best regards,
  Stéphane Beaudoin

  why would you use Pages when there are templates in iweb
  as for the URL question, that is determined by the host, not iweb which just writes the page. but I would not use tinyurl since it has become a favorite of phishers and other web nasties. it might be worth getting a domain name if you can find a good deal.
  i would search for some realtor sites to see the kinds of information they are giving and how they are laying it out. and make sure that all photos look really really good. nothing is more off putting on a house ad than crappy photos

• How to use authorization object P_PERNR ?

  Hi, Gurus~
  In our system, there is a user whose User ID is "00041", and she can modify her own 0008, we want to control it so that she can only display her own 0008, but process 0008 for all other employees
  So, i use the authorization object P_PERNR to do this, i set the fields value like this (totally copy from the SAP help for P_PERNR....):
  Authorization level:  W,S,D,E
  Infotype: 0008
  Interpretation of assignment personnel number: E
  Subtype: *
  and then, i maintain her master data 0105's subtype 0001-system user name as 00041
  i think she shouldn't maintain her own 0008 now ,but she still can maintain it
  i want to know why and how to solve it, did i do it in the right way?
  Thank you in advance!

  P_PERNR   HR: Master Data - Personnel Number Check
  You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.
  The following values are possible for the PSIGN field:
  I   =          Authorization for personnel number assigned, that is for own personnel number
  E  =          Authorization for all personnel numbers excluding own personnel number
  You can assign a user a personnel number using infotype 0105, subtype 0001 (in earlier releases using the V_T513A view).
  This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.
  Example of Personnel Number Check P_PERNR
  The authorization checks for P_ORGIN and P_PERNR are activated in the system. In addition, there are user assignments for some personnel numbers.
  The user in our example is assigned a personnel number and is administrator responsible for the Basic Pay infotype (0008) of a personnel area (that is, the user has the corresponding P_ORGIN authorization). The employee should also be able to display his or her own data but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. The corresponding authorizations for the P_PERNR authorization object must be set up as follows: AUTHC = R, M
  PSIGN = I
  INFTY = *
  SUBTY = * AUTHC = W, S, D, E
  PSIGN = E
  INFTY = 0008
  SUBTY = *
  In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. You need to set up the appropriate authorizations for the HR: Personnel Number Check object as shown in this example.
  The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write access to all data records of infotype 0008 for the employee's own personnel number in case the administrator is responsible at some point in the future for the personnel area to which he or she belongs.
  As the following examples illustrate, inconsistent authorizations can be granted.
  Example 1:
  AUTHC = *
  PSIGN = I
  INFTY = 0014
  SUBTY = M* AUTHC = W, S, D, E
  PSIGN = E
  INFTY = 0014
  SUBTY = *
  The first authorization grants the employee read authorization (AUTHC = R) for the Recurrent Payments/Deductions infotype (0014), subtype M120, which allows the employee to access the data stored under his or her personnel number. In this case, the second authorization is irrelevant.
  The first authorization grants the employee write authorization (AUTHC = W) for the Recurrent Payments/Deductions infotype (0014), subtype B030, which denies the employee access to the data stored under his or her personnel number. In this case, the first authorization is irrelevant.
  The first authorization grants the employee write authorization for the Recurrent Payments/Deductions infotype (0014), subtype M120, the second authorization denies the employee this authorization. The desired system response is unclear from this example. According to the documentation, the system response is undefined in such situations. In reality, the authorization check always denies authorization in unclear situations, that is E is stronger than I and therefore the authorization is not granted.
  Example 2:
  AUTHC = *
  PSIGN = *
  INFTY = *
  SUBTY = *
  This type of authorization is required by superusers with unlimited access, for example. The above authorization is appropriate if an employee wants to access an infotype. However, since PSIGN = * and * can be substituted for any value, PSIGN and E can also be interpreted as I. This can also lead to an undefined situation. In earlier releases, the authorization was denied on the basis of the rule E is stronger than I. This meant that superusers with assigned personnel numbers were not able to access their own personnel number. The programs have since been changed and now * is interpreted as I and is stronger than E. In other words, * is stronger than E and E is stronger than I, whereby * is interpreted as I.
  As already indicated in Example 1, the combination of different authorizations can produce a complicated result. We therefore recommend that you avoid combinations where P_PERNR authorizations can be interpreted differently for the same combination of AUTHC(Authorization Level), INFTY(Infotype) and SUBTY (Subtype).
  Misunderstandings arising from the complex situations described above are not the most frequent causes of customer inquiries, however. The most frequent cause is the incorrect assumption that authorizations by personnel number affect authorizations for non-assigned personnel numbers. This is not the case at all.
  If you use authorizations by personnel number, you should always first set up all non-personnel number-related authorizations. As soon as you have done this, you should create different access authorizations for the personnel numbers that are assigned to users using appropriate P_PERNR authorizations. This is always possible since the P_PERNR authorizations override all other authorizations directly (except Test Procedures).
  P_PERNR authorization checks cannot bypass test procedures directly. For instance, a test procedure is only carried out on the Recurring Payments/Deductions infotype (0014) if a corresponding P_PERNR authorization (with PSIGN = I) exists. If an appropriate authorization for the corresponding subtype of the infotype 0130 exists, it can be used effectively to carry out the test procedures.

• How to add function group to the  authorization object S_RFC ?

  Hi All,
  Can you  please tell you how to add the function group FG_DIAGLS_DATA_ENRICHMENT  to the authorization object
  S_RFC?
  In solman_setup under basis configuration when I execute the step "SetupDPC/DCC Web Service URL" its getting failed because of the
  following error which i found it in the agent log
  "java.rmi.RemoteException:RfcExecutionException; nested exception is:
  com.sap.sup.admin.abap.rfc.exception.RfcExecutionException: An
  exceptionoccured during the execution of the function
  'FM_DIAGLS_PUSH_PHYSICAL_HOST': RFC_NO_AUTHORITY >
  com.sap.sup.admin.abap.rfc.exception.RfcExecutionException:An exception
  occured during the execution of the function
  'FM_DIAGLS_PUSH_PHYSICAL_HOST': RFC_NO_AUTHORITY >
  com.sap.mw.jco.JCO$Exception:No RFC authorization for function module
  FM_DIAGLS_PUSH_PHYSICAL_HOST. <Mid"
  Thanks,
  Satheesh E

  Hi,
  Please follow below steps:
  1) Go to SE01
  2) Click on create New workbench request and give desc once popup appears, Click Ok
  3) Now open the trasport in edit mode
  4) Add
  Program ID - R3TR
  Object Type - FUGR
  Object name - Name of the Function group
  >note that if you tranport Function group all the latest Function modules in function group along
  >with screens will be included in the transport.
  Regards
  Shital
  Formatted by: Vijay Babu Dudla on Apr 25, 2009 5:08 AM

• HR custom authorization objects

  Is it possible to have more than one custom HR authorization object active at the same time? For example if I need 2 custom variations of P_ORGINCON (I  have some very complex requirements),  is that possible, or am I limited to just 1? Having more than 1 seems to present a problem when I run RPUACG00 to generate include MPAUTCON. It overlys the code generated fo the first cusom object with code for the second object, therefore only allowing cgenerated code to exist for 1 of the objects.
  And one additional question - when I create a custom HR object (one which contains infotype, subtype, persg, persk etc), am  I limitied to only using fields from PA0001 in that object?  If I include some other field that does not exist on PA0001, when I run RPUACG00 it gives me the error "Field xxx is not allowed  in authorization object Z_xxx".
  Many thanks,
      Mike

  One example of a  requiremnet I have is for a manager to have 3 different types  of authority based on when a position was in his org structure. So if a position is currently in his org structure he might have WRITE access to their infotype 2,6,8... for positions that were in his org strucure between 1 and 60 days ago (but are not in his structure as of today) he might have WRITE access to their infotype 2 and 6 and READ access to other infotypes, and for people that were in his structure 61-9999 days ago, he might have only READ  access to all the position's infotype data.
  I was thinking of using 3 disctinct HR authorization objects to cover each of these 3 scenarios, but ran into the issue mentioned above with the generation program RPUACG00.

• Issue with context specific authorization object P_ORGINCON.

  Hello Experts,
  The context specific authorization object doesn't evaluate the
  structural profile it is assigned to when more than one structural
  authorization is assigned to a user.
  Please read the below scenario for issue description as follows:
  User ZHR_ACT13 is assigned two roles namely ZHR_HRD and ZHR_DEPT_HEAD.
  He is the manager for employee ID 167 and is not the manager of employee ID 17.
  Role ZHR_HRD has no read/write authorization for Infotype 6. ZHR_HRD is also assigned to structural authorization ALL which is meant for viewing all the objects with no restriction of any relationship.
  Role ZHR_DEPT_HEAD has read authorization for infotypes 6 for only the subordinates i.e. the structural authorization ZDEPT_HEAD of viewing only the subordinates data is assigned to this role. Also this structural authorization ZDEPT_HEAD is assigned to infotype 6 using
  authorization object P_ORGINCON.
  But now the manager ZHR_ACT13 is able to read infotype 6 data for employee ID 17 who is not his subordinate even though only structural authorization ZDEPT_HEAD is assigned to infotype 6 using P_ORGINCON. We
  expect that user ZHR_ACT13 must be able to read infotype 6 data only for employee ID 167 and not for employee ID 17.
  Please kindly help resolve this issue.
  Thanks & Regards,
  Roshan.

  This has been resolved.

• Authorization Object for data downloading from application server

  Hi friends ,
     My program downloads and uploads data from the application server .
  My requirement is  ,
  Authorization checks should be performed on the Server directories to ensure that the user has access to read and write to the directory. It should check the s_dataset authorisation object for this.. If a user does not have the s_dataset authorisation object no upload or download should be allowed.
  Can you please tell me how to deal with this ? how do we check the above condition ??
  Many thanks ,
  Hemant

  hi,
  This is not a single step process.
  First of all you have to create a field for authorization for server directories from su20 and then create authorization object from su21.then define a role from pfcg with this authorization object and assign this role to user profile from su01 with values defined.
  Then you have to call this authorization object in your program at selection screen.