Authorization Object Values

Similar Messages

• Update the authorization object value for more than 1000 role

  I need to remove one of the activity value (06) from authorization object S_SCD0.
  I do a search and found out that there are more than 1000 roles which having the activity value = 06 for authorization object S_SCD0.
  However, I don't think I can create a SCAT script to update all these 1000 roles and I believe its going to be a very tedious if I am going to manually change it one-by-one. Hence, I am wondering is there any standard program/function which I can use to automate the above changes for all these 1000 over roles.
  Kindly advise.
  Thanks

  Direct update the table is the easiest way, but should be discourage for the obvious reason.
  Should take a step back, take a long term view, when you need to update 1000 roles, maybe a role redesign might be needed. For example, if you can change the role model to derive role model, once update to the parent role will take care of all the child role.
  Thanks,
  Lye

• Put a Query in an Authorization Object

  Hi everyone
  Is there any way to set a query as an authorization object value?
  Best regards,
  Luis Elizondo

  Hi,
  This is not possible for finding out authorization value from a Table for an Authorization Oject. But in case of BI Analysis Authorization we have the option to pass the information of Authorization Value Dynamically from a Z-Table or an Hierarchy as a node of that Hierarchy. If you are looking for this in a BI system then you can of course dynamically pass a value from a Z-table through a Customer exit variable.
  Please note that even in BI analysis authorization also we don't have option to pass Query technical name and also conceptually this is not convincing and useful. BI query technical name can be maintained in the authorization objects S_RS_COMP and S_RS_COMP1 (please go through the text description of these two objects to understand the difference).
  Let us know for any query you have.
  Regards,
  Dipanjan

• Authorization default values of transaction /MRSS/PLBOMGR for object /MRSS/

  Hello,
    When I add the tcode "/MRSS/PLBOORGM " throuh the menu tab and when I go the authrization tab and click  on either
      Change Authorization Data or    Expert Mode for Profile Generation the is an error message stating the following :
  ======================================================================================
  Authorization default values of transaction /MRSS/PLBOORGM for object /MRSS/PB1 inconsistent
  Message no. 5@015
  Diagnosis
  The authorization fields contained in the authorization defaults are incomplete or incorrect.
  System Response
  The process had to be terminated to avoid generating inconsistent authorization data.
  Procedure
  Use transaction SU24 to adjust the authorization defaults to the object definitions in transaction SU21 and then repeat the process.
  ============================================================================================
  SU24, the custom values maintained are same as SAP Default . Any suggestion?
  Thanks
  Osama Khalifa

  This indicates one of two things resulting from changes to the authorization object AFTER SU22 had been maintained for it:
  1) One or more of the fields were converted to org. levels using the "old" technique of maintaining the table instead of running the report for this.
  2) One of more of the fields were changed in SU20 or SU21 but the original data in SU22 was not corrected.
  Solution in both cases is to correct the proposals in SU24 (customer data) and report it to SAP to correct in SU22 (original SAP data).
  Cheers,
  Julius

• Authorization default values of transaction F-53 for object F_FAGL_LDR

  All,
  I am getting this error when I go to adjust an existing role
  "Authorization default values of transaction F-53 for object F_FAGL_LDR inconsistant"
  Can any one help me resolve this issue?  I tried to set the check indicator to "NO" but it is still giving me the error at the bottom.
  Please assist.

  > ... they had me add Profit center to F_FAGL_LDR through SU21 and then I ran into the inconsistant issue.
  This part was missing before hand... I can understand that SAP said this is not support, because you have modified as standard object by adding a field to it... that makes it yours now.
  Whoever "they" is, they gave you bad advice.
  To repair the authorization object preferably do so by transporting it from a system on the same release which still has the standard fields.
  Cheers,
  Julius
  Edited by: Julius Bussche on Aug 15, 2009 3:30 PM

• Authorization Object=S_RFC values for Integarted Planing

  Hello all,
  Does any one know specific values(Function Group Names) just to authorize and enable users to open IP-Workbooks on BEx.
  Authorization Object:  S_RFC- Authorization Check for RFC access..
  When I give full "*" authorization everyting is working fine, but I dont want to give full RFC access authorization to End users, I just want to give specific values for IP.
  Thanks, Regards,
  Ali
  Edited by: Ali on Oct 20, 2009 12:09 PM

  Hi,
  try the following objectnames. I think they are from a SAP Standard Role but include web-reporting.
  If you want to know exactly which you have to authorize, activate authorization trace in st01 and check which authorization-checks fail when you execute BEX
  RFC1
  RRMX
  RRXWS
  RRY1
  RSAH
  RSBOLAP_BICS
  RSBOLAP_BICS_CONSUMER
  RSBOLAP_BICS_PROVIDER
  RSBOLAP_BICS_PROVIDER_VAR
  RSFEC
  RSMENU
  RSOBJS_RFC_INTERFACE
  RSOD_BIRM
  RSRCI_LOCAL_VIEW
  RSR_XLS_RFC
  RSWAD
  RSWRTEMPLATE
  RS_BEX_REPORT_RFC
  RS_IGS
  RZX0
  RZX2
  SDIFRUNTIME
  SM02
  SMHB
  SRFC
  SUNI
  SUSO
  SYST
  SYSU

• Maximum number of field values for an Authorization object

  Hello Experts,
  What is the maximum number of field values can be put into the role, Is there any restriction for number of values in any authorization field?
  I have put 326 values for field OBJTYPE in authorization object S_DEVELOP but not able to generate the role it is showing error.
  I know I can split the values in two or more instance but wanted to know if there any other way out for this (without creating more instances)
  Thanks
  DK

  If the values for OBJTYPE are not uniquely the same, then the system will not merge them - so nothing will be lost.
  Here is another trick for you: Choose one of the transactions in the role (or create a "symbolic" one for it") where you want to have the OBJTYPE proposed automatically from. Now maintain one or two of them in SU24 and then download it to your PC. Now from the F4 value range of the OBJTYPE, add all of those values you want via copy&paste into the file and then upload into SU24 again. A read old / merge new in PFCG will then swing all the values in for you.
  Single values are always better, as you do not know what else is hidden in the range or might be added in future. It is however common to see FROM / TO ranging around values such as DEBUG and FUGR although all aspects of S_DEVELOP are dangerous - even in display mode.
  Cheers,
  Julius

• Authorization Object Field Values

  Hello All,
  I am trying to look for all possible values of  an authorization  object field's in change mode of a role. But when I click the pencil icon beside the specified  field, for  few auth objects field's, the list doesnt pop up.
  Any idea, what is happening?
  Thanks.
  Rajesh

  > I am trying to look for all possible values of  an authorization  object field's in change mode of a role. But when I click the pencil icon beside the specified  field, for  few auth objects field's, the list doesnt pop up.
  > Any idea, what is happening?
  For quite a lot of fields the possibilities are not forseeable because they are completely dependent on your configuration. The ones with pop-up-lists have check tables configured. Some fields also accept wildcards and ranges..... so their possibilities are endless.
  I think it is a good idea to want such a list but I doubt if you'll ever get it.

• Copying values of a singular authorization object between roles?

  Suppose I have an authorization object assigned to a role and its fields hold a large amount of data (say S_TCODE with a lot of transaction codes specified via ranges). Suppose further that I want to have this same object with this same data in another role. The other objects of the two roles are different and I'd rather not type the large amount of data into the authorization object again.
  Is there a way to copy/paste just one authorization object between two roles?
  I know how to make a copy of an authorization object and its values within the same role, but I haven't found a way to copy between roles.
  ursa

  Hi Ursa,
  I havent come across any export object kinda thing...
  This may help you in practical situation...
  Let us consider your particular requirement related to s_tcode.
  for that go to suim -
  transactions -> executable for role .
  Give the role name get the list of transaction codes.
  Download into excel file. then copy from there and paste into your new role menu or in s_tcode object.
  Mostly we dont get that much list for other objects.
  One more thing you can do.
  click on display tab beside the object in your source role, you get the list window.
  type ctrl + Y and then copy the 7-8 lines and paste it in the object of new role.
  Cheers.
  Shamish
  Message was edited by:
          Shamish Lele

• How to get all authorization objects for a certain authorization profile

  Hi ABAP experts,
  I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
  So:
  - where are these values stored (dictionary table)?
  - is there already a FM or a report to read all authoriation values for a certain authorization profile?
  Thanks in advance.
  Best regards,
  Oliver

  Hi,
  check the following it might useful for you:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
  if helpful reward points are appreciated

• Mass update to FILENAME field in S_DATASET authorization object

  We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value.  I'd like to do this programmatically if possible.
  What I've learned so far is that I need to update the value in table USR12, but the value is encoded.  When I look at the table in SE16, I do not see the encoded value field.  The value does show in UST12, but I'm told this is an unreliable table.
  So I'd like to know..
  1. How can I look at the value if not in SE16?
  2. Is there an API I can use to encode/decode the value?  If not, where is the specification on how to build it?
  If this is better addressed in a different forum, which one should I try next?
  Thanks,
  Dan

  Hi there,
  Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
  But the behaviour as you have described:
  >
  > Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
  > =============================================================
  > *                                 X         X            DUMY
  > /temp/FI/..                       X         X            DUMY
  > /temp/FI               X                                 FIFI
  >
  ... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
  > Caution:
  > - If you enter paths generically in the table SPTH, the most precise specification counts.
  > - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
  So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
  So, the only check which is effective to protect the path, is:
  Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
  =============================================================
  /temp/FI               X                                           FIFI
  ... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
  Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
  form CHECK_PERMISSION using ISPTH_HEAD type SPTH
                              MODE       type CLIKE
                              SUBRC      type SY-SUBRC.
  data: ACTIVITY like AUTHB-ACTVT.
     SUBRC = 0.
     case MODE.
       when 'R'.
            ACTIVITY = '03'.
       when 'W'.
            ACTIVITY = '02'.
       when 'D'.
            ACTIVITY = '02'.
     endcase.
     if ISPTH_HEAD-FS_BRGRU <> SPACE.  "Here it is... for BEGRU checks there must be a value...
        authority-check object 'S_PATH'
            id  'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
            id  'ACTVT'    field ACTIVITY.
         if SY-SUBRC <> 0.
            SUBRC = 3.
         endif.
     endif.
  endform.
  Cheers,
  Julius

• Creation of a user with a particular authorization object (Very Urgent)

  Hi,
  There is a requirement in my project to create a user who can only reset his password. So for this I think a authorization object should be created and assign it to a profile which displays only the tab for reseting the password which is( Logon in SU01). I want to know two things in this regard.
  1. The whole process of creating customised authorization object and assigning it to a profile and
  2. Any other way to achieve the needed scenario.
  Thanks & Regards,
  Sujith
  Edited by: Sujith K on Feb 4, 2008 1:26 PM

  In transaction pfcg ,
  give single/composite role name
  give profile name and description in authorization tab, save it
  enter into change authorization data
  select manually tab
  give authorization objects name (creating auth. objects)
  fields will automatically come inside it
  enter the field values
  save and generate profiles (Profiles created)
  go to su01,
  create users (fill address, logon data, roles )
  In pfcg,
  select the role you created and click on the user comparison for giving the authorization to access.
  award points if useful

• Authorization Objects for pricing conditions in Sales Order

  Hi All,
  In transaction VA03, we should restrict some users not to see pricing conditions tab in header and item level and net value on overview screen.
  Is there anyone who knows how to do it? I wii be very glad if you help me.
  Best Regards.

  Hi,
  i have not done this exact limitation before, but I hope this method will help.You can look up the list of all authorization objects linked to the tcode in transaction SU22.
  You can also get this by doing a user trace in ST01; and displaying the pricing condition.
  once you have a rough idea, you can do a trial and error with the values inside these objects and see which one  works.
  Regards,
  Soumya

• BP Authorization Object

  Hi,
  I have the necessary CRM authorizations to create Business Partners of type person in roles such as employee, contact person, general using the BP transaction.
  I have now activated the role 'Internet User'. While I can see this role in the 'Create in Role' dropdown on the BP creation screen, I cannot create a BP of type person in this role.
  I get the error message: "You are not authorized to maintain user data".
  Are there any additional authorizations that I require to be able to assign this role to a business partner?
  Thank you,

  But you could assign different values of B_BUPA_FDG authorization object for different authorization profiles. For example:
  Profile 1: B_BUPA_FDG
  Values:    FLDGR= FLDGR1  (Defined in IMG)
             ACTVT= Display
  Profile 2: B_BUPA_FDG
  Values:    FLDGR= FLDGR1  (Defined in IMG)
             ACTVT= Change
  User Group 1 -> Profile1
  User Group 2 -> Profile2
  However probably the best solution for your requirements will be the GuiXT Tool.
  You can find more information about this tool in <a href="http://www.synactive.com">http://www.synactive.com</a>. You will be able to assign different scripts to different user groups.
  Message was edited by: Javier Merino Vivar

• How to add custom authorization object to a SAP standard transaction

  Hi All,
  I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
  Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
  - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
  - tcode SU21 - creation of  a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
  - tcode SU24 - insert of new authorization field e check indicator (green)
  - tcode SU22 - check indicator - check (green)
  After this we have created a new role with PFCG and add transaction IW22; the new auth.ZPM was added manually.
  We have try to analyze log (ST01 trace) but it seems no check was made in the trace file.
  It seems new authorization object was not checked.
  My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
  Thanks
  Maurizio

  > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
  >
  No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
  So you need to provide a Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
  Regards,
  Dipanjan