Authorization object with no authorization field

Similar Messages

• Authorization object to display table field names in english text in SE17

  Hi,
  One of users have issues with the filed name getting displayed in technical format instead of english text while browsing table information in SE17. Normally we can set this in through Settings->User Parameters. But here for this user, user parameter option is greyed out and he doesn't have access to SE16.
  Is there any other way to change user specific parameters, instead of granting him accesss to SE16 or enabling user parameters in SE17?
  Thanks,
  Mano

  Hi,
  I made him run SU53 on SE17 transaction the log is showing that authorization check failed for S_ALV_LAYO with value 23.
  Actually i have access SE16 and for me also, user parameter option is greyed out in SE17. I ran SU53 on SE17 in my session i also got same log.
  One more observation is, the user's colleague also doesn't have access to SE16 and user parameter option is greyed out in SE17 but he can view the table field names in english. So we are wondering if some authorization object is missing here.
  We do not want user to make any changes through GUI.
  Thanks,
  Mano.

• List of Authorization Object with Transaction Code

  Dear All ,
      Does SAP provide  any report to list all the Authorization Object ? and which object is belong to which transaction code ?
  Thanks .

  hi olrang ,
  STEP BY STEP TO CREATE AUTHORIZATION OBJECT:
  STEP1:  goto  SU21 transaction and create a new Authorization Object
  Object Name:  Z.....
  Text:  ...........
  ClassL  SD (YOUR MODULE)
  AUTHOR:  YOUR ID
  STEP2:  Give authorizatin fields as
  ACTION - Action of the Authorization
  Activity -  Document Destribution.
  STEP3:  Basis will create a role using transaction  PFCG and assign this authorization object to that role.
  STEP4:  Call the AUTHORITY-CHECK Object in your code.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  IF sy-subrc 0.
  MESSAGE e000(zzpp) WITH 'No Authorization'.
  ENDIF.
  and it belongs to  SU24 transaction code
  Saurabh Goel

• Authorization Object for 0TCTBISBOBJ - restriction field too short in PFCG

  Dear all,
  I created an authorization object (TA: RSSM) with the InfoObject 0TCTBISBOBJ and 1KYFNM. When I restrict my authorization object in TA: PFCG, I can only type in 11 letters for InfoObject 0TCTBISBOBJ but I need 12 because of a bad naming convention. Working with more than one asterisk (*) in this field is not working!
  Does anyone know how to manage this problem?
  Thanks in advance
  F. L.

  Martin,
  It is not possible to restrict this in CRM.  The person, organization, and group influences the type of address for the business partner.  There are no user exits available in CRM 4.0 that are at the point to perform an authorization check on this value.
  I had to unfortuantely debug and read much of BUPA_DIALOG_JOEL before reaching this conclusion.  The only way to achieve this would be to write a custom front-end to the BP transaction or PCUI screens for business partners.
  Hope this answers your question,
  Stephen

• Two authorizations objects with OR function instead of AND

  Hi,
  We have created two authorization (RSECADMIN) objects for a CRM InfoProvider:
  Organizational responsible
  Delivery unit.
  Both the two authorized relevant InfoObjects are used in the query.
  In the query we have used a two authorization variables.
  Now only values in the authorizations are checked where Organizational responsible are true AND Delivery unit are true.
  Is it possible to check the authorization where:
  Organizational responsible is true OR Delivery unit is true??
  Please help!
  Regards,
  Jos.

  Hi,
  hmmm Andreas, I must comment on that:
  what is required is to show any record having Object1 = True OR Object2 = TRUE.
  Logically it is the same than asking:
  Don't show records having (Object1 NOT True) AND (Object2 NOT True), correct me if I am wrong there (this is pure Boolean math...)
  Because BW doesn't support this it doesn't mean that ANY system cannot do it.
  Simply put with SQL
  SELECT * FROM TABLE
  WHERE OBJ1 = TRUE OR OBJ2 = TRUE works perfectly in ANY RDBMS.
  also
  SELECT * FROM TABLE
  WHERE NOT OBJ1 <> TRUE AND OBJ2 <> TRUE would work as well.
  It is just that BW always perform an AND when you filter two different objects.
  Jos could achieve what he wants by setting up some restricted key figures and work it out with conditions but definitively not with standard authorizations.
  Alternatively, as I already mentioned, compounding objects would work but not without modeling effort. Finally I believe that with user exits it would also be possible... I don't have time but I would as well investigate bringing both objects along with the provider in a multi and verify if that couldn't be done by semi/standard means finally...
  hope this shed some lights on the issue....
  regards,
  Olivier.

• Setting Authorization Object to User defined field

  Hi
  What authorization object to be used to give user only display access in CJ20N tcode under "User Fields" tab. Any suggestion would be appreciated.
  Rgds
  Kamran

  Hi Imran,
  The value of field TRTYP of object C_PROJ_TCD should be A for display and you can also give C for Display from archive.
  Reward points invited!!
  Cheers,
  Hiral Soni

• Authorization Object for Account Assignment field

  HI all,
  We wanted to restrict the users from creation of PO (in ME21N) against the specific Internal Orders (Account assignment KNTTP='F'). So that user can use Internal orders assigned to his Business Area only.
  Which authorization object i can use to restrict the user to use specific Internal order during PO creation and change. ??? I tried to check authorization object listed under t code ME21n but none of them restrict Internal order.
  Is there any std. object available, if not then what I need to do while creation of customized authorization object (in SU21), how system will call this authorization object in ME21N while using Acc. Assignment u201CFu201D. more detailed answers will be more useful.
  Thanks...

  Hi frnd...
  i think you want to allow all users to use acct. ***. "F",
  but you want to stop the user from using ir-relevant internal orders.
  For this, i think you can create a "Z" table having fields:
  1)User ID - (key field)
  2)Internal Orders - (key field)
  3)Access.
  Make the entries of the users against the internal orders. (if you  want any user to access all the internal orders, then make entry (*) in the field access. 
  While creating GRN check these entries, if the entry exist, let user use that internal order, if not give the error as you are not authorized.
  To do all these, you have to use user - exit. which one i dont  know...
  kindly let me know, if you use any.
  njoy SAP...
  njoy Lyf...
  Regards,
  Amit P Hiran

• Not able to assign Project to the Urgent Change Request with Developer Id with the existing Authorizations. With SAP_ALL authorization, everything works fine.

  The Urgent Change request is in created status and I am not able to assign project to it. Also I am not able to change the status of the change request to In developement with developer's Id. Everything works fine if i assign SAP_ALL authorization to the developer.
  Below are the roles assigned to Developer ID -
  SAP_CM_SMAN_DEVELOPER
  SAP_SM_CRM_UIU_FRAMEWORK
  SAP_SM_CRM_UIU_SOLMANPRO
  SAP_SM_CRM_UIU_SOLMANPRO_CHARM
  SAP_SMWORK_BASIC_CHANGE_MAN
  SAP_SMWORK_CHANGE_MAN
  SAP_SOCM_DEVELOPER
  Z_S001
  ZSAP_SOCM_DEVELOPER
  Issue screen -
  SU53 for Developer-
  Please suggest which roles/Authorization should be assign to Developer Id.
  Thanks
  Kavita

  Hi Kavita,
  Copy these roles to Z-roles
  SAP_CM_SMAN_DEVELOPER
  SAP_SM_CRM_UIU_FRAMEWORK
  SAP_SM_CRM_UIU_SOLMANPRO
  SAP_SM_CRM_UIU_SOLMANPRO_CHARM
  SAP_SMWORK_BASIC_CHANGE_MAN
  SAP_SMWORK_CHANGE_MAN
  SAP_SOCM_DEVELOPER
  Assign this to user.
  Put a stace using ST01.
  Find that object and modify/add in your custom role.
  Regards,
  Divyanshu

• Text Object with a Paramter Field in It

  think I am losing my mind.  I have a text object on my report for the 'From' and 'To' dates on a report.  So that the spacing works between the words, I add a text object to my report and type the word "From" (without quotes).  Then, I drag the start date into the field next to the word From.  Then I type "To" and insert the ending date.
  I right justify the contents of the field.  I position the object on the right side of the report (not right at the margins about 1/4" in).
  Just above this combined field, is a special field with the print date.  It is also right justified and the two fields are right aligned.
  The problem is when the report prints, the combined field isn't truly right justified.  There are what appears to be extra spaces in it.  The fields look similar to this...
                                                           02/20/2009
          Report range 01/01/2008 to 12/31/2009
  They should be perfectly aligned based on the CR layout.  I have done some testing.  If I remove the text and just leave the dates in the text object, I have the same results.  It looks like it has something to do with the brackets that get placed around the parameter field when it is placed inside the text object.
  Report range {?datdeb} to {?datfin}
  Has anyone else run across this?  I have noticed this on several of my reports and decided to try and find a solution.
  Could it be a variable font issue?  The problem goes away if I use Lucida Console (a fixed width font).  It is somewhat better but not perfect with Verdana as the font.  It is horrible when using Arial.  I can't believe this is an issue that others have not run across. I searched the forum with no luck.
  Thanks in advance.
  Gilley Estes

  With the help of one of our programmers, he suggested using a Trim function in case there were extra spaces in the field.  So this is what I ended up doing.
  Created a formula with the following:
  "Report Range " + Trim (totext({?datdeb})) + " to " + Trim (totext({?datfin}))
  ?datedeb = beginning date parameter
  ?datefin = ending date parameter
  By using the trim function, the extra spaces that were inserted into the field were removed. 
  Go figure!  Oh well... At least there is a solution.
  HTH someone in the future...
  Gilley

• Authorization object for full authorization for PP consultant

  HI Experts
       Please suggest me a suitable authorization roles and objects which provides all the transaction codes relevant to PP. Thanks
  Kind regards
  Ayaz

  Ayaz,
  That is dependent upon which company you are working for, and in which type of client (dev, qual, prod, sandbox, etc.) you are expected to work in.
  I have seen everything from 'SAP_ALL' to 'no logon' set for every consultatnt for every client, in different companies. So,  speak to the company's authorization specialist.  For a basic listing of PP Roles, look at
  http://help.sap.com/saphelp_erp60_sp/helpdata/en/c6/239038570de04be10000009b38f8cf/frameset.htm
  The bottom line is you must have enough authority to perform the required work.  There is no 'standard' set of roles for consultants.
  Best Regards,
  DB49

• When to create new authorization objects

  Hi Experts,
  I am learning SAP Security.
  I have one question , what is the necessity of creating new authroization field and object , when SAP gives a huge list of objects /fields.
  Is there any reason behind like, whenever a customised transaction is created, a new authorization object or filed has to be created?
  Regards,
  Rekharaj

  Trick is to find not only a standard authorization object with the same field you are looking for, but an object already assigned to the users with those roles with the same semantic for all it's fields - so that you can simply reuse the existing concept which is also assigned to the sets of users.
  Often you will find "base" function modules and classes you can use to do all that work for you. Just call them at the correct location in the code and dont forget to check the return code and react to it.
  If you use BAPI APIs to access or process data, then many of them make these same semantically correct checks "out of the box".
  Cheers,
  Julius

• Authorization object - dump on field type due to character

  Hi all,
  As i have created an Authorization object
  AUTHORITY-CHECK OBJECT 'YINF_BYTE'
                          ID 'Y_BYTE_CON' FIELD lv_byte_count.
  While creating the authorization field ('Y_BYTE_CON' ), the data type I defined is ABAP_MSIZE.Similarly the type of the variable('LV_BYTE_COUNT)  i am passing to the authorization object
  is of the same type (i.e.,ABAP_MSIZE).
  I am getting an syntax error 'LV_BYTE_COUNT must be a Character type field',Please help me out in resolving this.
  Thanks in advance,
  Ram
  Edited by: Julius Bussche on Feb 20, 2009 9:19 AM
  Please use meaningfull subject titles

  Hi Chinmaya,
  Which data type i need to go with ABAPTYPE..? is it the variable i am passing to the authorization object or the authorization field i need to change as ABAPTYPE..?
  Plz advice me.
  Thanks,
  Ram

• Program with authorization object

  Hi Experts,
  I have an issue regarding rules and authorization.
  I have created a program with 2 radio buttons transfer and backload. The requirement in authorization is not all users can access both; some can only access transfer and some can access backload only. (r_trans,r_back)
  The basis told me that they need an authorization object in order for them to block/separate the transaction for transfer and backload.
  Is there a way for me to modify the program and put an authorization object with my radio button? or is it possible to do this with the current program?
  Thanks!

  Hi,
  Thanks for the reply,
  Our basis is using PFCG for roles and authorization , how can they check if my authorization object was created using that code?
  Here is my code: Im getting sy-subrc = 12.
  IF r_trans EQ 'X'.
     AUTHORITY-CHECK OBJECT 'ZACTIVITY'
                  ID 'ACTVT' FIELD '01'.
     IF sy-subrc NE '0'.
       MESSAGE 'User not authorized' TYPE 'S'.
       LEAVE LIST-PROCESSING.
     ELSE.
       MESSAGE 'User is authorized' TYPE 'S'.
       LEAVE LIST-PROCESSING.
     ENDIF.
  ELSEIF r_back EQ 'X'.
     AUTHORITY-CHECK OBJECT 'ZACTIVITY'
                  ID 'ACTVT' FIELD '02'.
     IF sy-subrc NE '0'.
       MESSAGE 'User not authorized' TYPE 'S'.
     ELSE.
       MESSAGE 'User is authorized' TYPE 'S'.
     ENDIF.
  ENDIF.

• Red Light with Authorization Object in PFCG

  Hello All - I have a question with authorization objects, there are three roles with red lights 'ON' in authorization object screen in our PRD. However users who are using these roles have no auth issues, standard procedure is to make all lights green in PFCG by maintaining these auth objects.
  Big question is "what is the down fall by leaving these objects RED, I need to support my theory when I say all lights green with auth objects.
  Why best practise says maintain all lights to green?
  Please suggest, appreciate your suggestions.
  Thanks.
  Edited by: AJ on May 12, 2009 9:44 PM

  Hi,
  > "What will be the difference between leaving that red lights 'ON' vs "disabling" these red objects? (I am bit confused on this).
  Red Object: As you know that authorization Objects comprises of Authorization fields. There are certain fields, which are known as "Organization Level" fields and need to be maintained Centrally. If you miss this fields, then the traffic light icon is RED. For all other authorization fields, light will be Yellow if you miss any blank field to maintain. During check, these fields will provide missing authorization (but you may not get error if same object is present in the role with all fields maintained status).
  Disabled Object: If you make any Object Disable, then during check, this Object will not be treated for checking Authorizations. But profile generator will keep this in mind, so you don't get Standard Objects repeatedly (if already present in Deactivated status also) whenever you go to "..Merge with New Data".
  You all other questions are very nicely answered already.
  Regards,
  Dipanjan

• Association of authorization group with authorization object

  Dear Colleagues,
  We are using ECC 6.0 system. There is a transaction EMMAC2 where in the user would pick the case categories & view/make changes as required in the cases.
  However, we would like to have a user to pick only those case categories for which he/she is authorized & view/change the data.
  This EMMAC2 is controlled by authorization object B_EMMA_CAS & this authorization object has field BRGRU (Authorization Group) along with ACTVT (activity).
  We would like to control this via authorization groups
  We would like to create authorizations groups based on case categories & those authorization groups would be assigned in this BRGRU field.
  Meaning, the end result should be such that, when that new authorization group is added in BRGRU field & that role is assigned to an end user, the user should be able to see data only for those case categories for which the new authorization group has been created
  If I use SE54 to create authorization group, it automatically associates itself with authorization object S_TABU_DIS & this does not solve my purpose.
  But we would like to create a new authorization group & associate it with authorization object B_EMMA_CAS.
  Can someone please let me know the steps on how to achieve it or any other method to achieve it(for above underlined text)?
  Does a developer or functional consultant also need to be involved in this?
  PS: I tried to search in Google & our forums but could not get any answers

  Dear Aninda,
  Thanks for the help.
  I created an auth group via SE16 in table TBRG & associated to B_EMMA_CAS
  A case category was then assigned to this auth group
  We tested it - below are the results:-
  1. The user is allowed to 'change' and 'display' the case for the case category for which the user is authorized: this works as per requirement.
  2. The user is not allowed to 'change' case for the case category for which the user is not authorized: this works as per requirement.
  3. However, he is able to 'display' cases for the case category for which the user is not authorized: this we do not want.
  If I remove activty 03 (display), then the user is unable to display the case for the case category for which the user is  authorized.
  How to resolve this?