Authorization object Z_PRPS_ANR missing
Hi All,
One user tried running CJIC and the error msg thrown" No costs, revenues or Finances were selected" The SU53 screen shot gives the following details:
Missing Auth Obj:Z_PRPS_ANR.
There are two roles found which links with this object
1. maintain WBS
2. Person Responsible (restricting to certain values in the range 00003*)
Notified certain things like the project for which he tries to run CJIC has no person responsible i.e. zero so understood he cannot execute it. We confirmed he can run CJIC for those projects in which Person Responsible is in the range mentioned above.
But then another user with the same roles and restricted values can run CJIC for the same project. Compared all the roles and authorization for both these users and could not find any difference. Can anybody help me out why it behaves so?
Hi,
One thing that is clear from your query is that if the person responsible is specified for the WBS you wont get any authorization issue. But then you also say that some other user is able to execute the transaction without getting any authorization issue. I find this to be a purely technical case and has to be sorted out with the help of the technical guys only.
You need to take the help of the technical team in your company or raise this issue in the appropriate forum to get relevant pointers on how to get this resolved.
Regards,
Gokul
Similar Messages
-
hi Guys,
The Variable screen doesnot popup when i run teh query. We are upgrading from BW 3.5 to BI 7.0. Which authorization Object is missing?
RegardsApplied note : Note 918598 - Error in variable screen if authorization S_BDS_D is missing
Note 923176 - Support situation authorization management BI70/NW2004s
Hope it Helps
Chetan
@CP.. -
Authorization object to display table field names in english text in SE17
Hi,
One of users have issues with the filed name getting displayed in technical format instead of english text while browsing table information in SE17. Normally we can set this in through Settings->User Parameters. But here for this user, user parameter option is greyed out and he doesn't have access to SE16.
Is there any other way to change user specific parameters, instead of granting him accesss to SE16 or enabling user parameters in SE17?
Thanks,
ManoHi,
I made him run SU53 on SE17 transaction the log is showing that authorization check failed for S_ALV_LAYO with value 23.
Actually i have access SE16 and for me also, user parameter option is greyed out in SE17. I ran SU53 on SE17 in my session i also got same log.
One more observation is, the user's colleague also doesn't have access to SE16 and user parameter option is greyed out in SE17 but he can view the table field names in english. So we are wondering if some authorization object is missing here.
We do not want user to make any changes through GUI.
Thanks,
Mano. -
PFCG authorization objects vs SU53 checks
Hi all,
I was thinking I have understood for a long time authorization checks. But no.
So Here's my question.
When I ahd a transaction in PFCG menu, PFCG gets the authorization objects to maintain automatically (from SU24 checks). OK.
When testing the role in ECC : : error. SU53 qays that authorization objects are missing. How the tests are working regarding SU53 and PFCG ?
i.e tcode_de = MDBT in PFCG, PFCG gets M_MTDI_ORG object to maintain => OK
When testing my role, SU53 says that other objects is missing, i.e S_ADMI_FCD. I don't understand because this object is checked with 'NO' in ECC.
Thx.
LaurentHi
> When testing the role in ECC : : error. SU53 qays that authorization objects are missing. How the tests are working regarding SU53 and PFCG ?
The auth checks performed are dependent on lots of things: system config, functional config, master data setup, use of the transaction.
The config in SU24 can't cater for all of those options so SAP gives us the ability to make them more accurate for our particular situations.
> i.e tcode_de = MDBT in PFCG, PFCG gets M_MTDI_ORG object to maintain => OK
>
> When testing my role, SU53 says that other objects is missing, i.e S_ADMI_FCD. I don't understand because this object is checked with 'NO' in ECC.
You can't deactivate a check on an S_ or P_ auth object. These auths are fundamental methods of protecting the SAP application (S_) and personal data (P_)
As David says, the SU53 only shows the last auth failure and there is often lots of spurious stuff reported that isn't required to allow the transaction to process. In this respect ST01 is more useful as it (usually) shows you all the auth checks being evaluated so you can more easily focus on the important ones. -
Missing authorizations for authorization object UIU_COMP
I have generated the pfcg role for a business role using report CRMD_UI_ROLE_PREPARE and assigned the pfcg role to a user.
The user is apparently able to perform navigation as required. However, when a ST01 trace is run for the user, there are few missing authorizations for UIU_COMP. Could anyone please explain the reason for this? No changes have been made to object UIU_COMP i.e. only values generated by the report is present there. Should the missing authorizations be added manually to the role?I would recomend that you define for component UIU_COMP in your pfcg role full access (all set to *), because this authorization object is used for access to web ui components. Even thou if you define this object to full access users will still see just components defined in business role.
Regards. -
Authorizations in CRM 2007 - How to check missing authorization objects?
Hi,
In our project we are currently busy with the set up of authorizations.
I did create the necessary PFCG and Business roles.
For the PFCG roles, I did create all of them by copy of the standard SAP_CRM_UIU_FRAMEWORK so that the user can access to the web layout.
Now I need to give authorizations for other CRM objects, my question is: How can I see which objects are missing to displaying or creating activities in the new WEB Layout?
In the old days we used the SU53 to check the authorization objects that were missing, how can we do it now in this new release? I tried it and didn't worked out.
Thx
Regards
HugoHi,
For report CRMD_UI_ROLE_PREPARE you have to input a business role - not a PFCG role. Are you doing that?
Are you getting no results at all in ST01 or are all results just with return code 0?
You have to remember to set a filter for your user in ST01 before activating the trace. Another thing to check is if you are using several application servers. I would imagine the trace has to be activated on the same application server as the Web UI. You can change the application sever in SM51.
/Anders -
How to assign authorization objects to a cube
Hello,
My cube includes 0profit_ctr which is marked as authorization relevant. Still in RSSM my cube is not included in the list of infocubes for an authorization object (zprofit) linked to 0profit_ctr. I'm therefore not able to enable that authorization object for my cube. I have a few ODSs which are included in the list. Why is my cube missing? Is there something I must do to include it, or is it a bug?
When checking the infocube for authorization objects in RSSM this list is empty as well. I don't see any option to add authorization objects in that list.
I have read the following document:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b849e690-0201-0010-9b88-c00cca40736f
I'm using BW 3.5.
Regards,
ChristofferHi Christoffer,
In RSSM you will find a button "Update Check Status ( Authorization Objects, Info providers) ". After this update you should find your cube in the list.
Jaya -
Analysis Authorization Object not working
Hi Gurus,
I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
I have followed the below steps but still the report shows all data instead of restricted one.
1)RSECADMIN -> Maintenance ->zz_div ->Create
2) Add 0DIVISION in Auth structure , and in details
I EQ 32
I EQ 33
3) Add 0TCAIPROV with I EQ 0SD_C03
4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID, this having details as
I CP *
5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
Following are the authorization object in that user's Role (Reporting Only)
S_RFC
S_TCODE
S_GUI
S_BDS_D
S_BDS_DS
S_OC_SEND
S_RS_AUTH - only having zz_div
S_RS_COMP
S_RS_COMP1
S_RS_ICUBE
S_RS_RSTT
S_RS_TOOLS
S_RS_PARAM
I have surfed lots of thread for this issue but not getting a solution
Tell me what i m missing in above or any additional setting need before creating analysis authorization
Edited by: Sonal Patel on Apr 18, 2009 8:10 AMHi
Thanks a Ton for ur reply
I have checked in SPRO : Analysis Authorization
where the authorization mode is " OLD obsolete Concept With RSR Authorization Objects "
We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
Thanks
Sonal.... -
Authorization object for running a report in background
Good day experts,
I tried running a report in background, I choose immediately so that it doesn't have to be scheduled. But when I checked it in my own jobs, It remains at scheduled status. When I tried it on my admin account, It works and with status finished. It seems to be an authorization problem. What object could I be missing with my user account? I tried S_TCODE SMX and SP02 but still not working.
Thanks in advance!Hi karshbax,
What you're looking for is authorization object S_BTCH_JOB. You need authorization for field JOBACTION = RELE.
In future use transaction SU53. It shows last error authorization error, so if this is authorization problem then after try of manual releasing of job you'll find in SU53 precise info what went wrong.
Best Regards
Marcin Cholewczuk -
Hi basis guys........
i am not able to give print request.its showing authorization error
"no authorization for LOCAL PRINTER" and "output could not be issued"
i checked su53 screen. and i assigned that activity in authorization object.
even then its showing authorization problem.
Is there any object to add to get printing ?
and what is "s_gui" object ? is that works?
Please tell me your suggestions
Regards........nagendra.Hi
Check whether for the user a printer is assigned or not. Only the printer which is assigned to the user in SU01 can be used by the user.
What u can try is assign the Local Printer in default printer for that particular user.
Also if you have assigned the authorization object that was missing then there should not be a problem.
Regards
Sumit Jain
[reward with points if the answer is useful] -
Creation of Authorization Object
Dear All,
Can anyone of you guide me on how to create Authorization Object?
My Knowledge on this concept:-
1) Mark required object as Authorization Relevant
2) Use of T-code RSSM
3) Select marked Authorization Object
4) Assign fields to it, for authorization.
thats all i know.
There are few more additional settings we need to do for it.
Request you to provide with step by step procedure for the same.
Thanks & Rgds,
Anuphi
To create an authorization object:
1) Execute transaction SU21
2) Double-click an Object Class to select a class that should contain
your new auth object
3) Click on CREATE (F5)
4) (If creating custom field) - Click the 'Field Maintenance' button -->
Click on CREATE (Shift+F1)
5) Enter the Name for the New Authorization field and the corresponding
Data Element and SAVE
6) Confirm the Change Request data for the new Authorization Field
7) Go back two screens (F3-->F3)
8) Enter the Authorization field name and document the object:
9) SAVE and ACTIVATE the documentation
10) Save the new Authorization Object
11) Confirm the change request data for the Authorization Object and
EXIT SU21
12) Finally, the SAP_ALL profile must be re-generated
the following link will be helpful
http://209.85.175.104/search?q=cache:BigTSV4_olEJ:www.gingle.com/glenaccess%255CsdnAuthorizationObjectsimple.docHowtocreatauthorisation+object&hl=en&ct=clnk&cd=10&gl=in
http://aroundsap.blogspot.com/2008/02/sap-bw-70bi-70-new-authorization.html
Use of T-code RSSM
Through BIW Authorizations (TCode RSSM)
Authorization check log. This gives information on
missing authorizations for reading data. -
Authorization object not to allow certain user to enter sloc PO
Dear All,
i have manage to go su21 to create under mm purchasing authorization object called Y_BEST_LOC with Acty and LGORT field. other than that i have insert check item under program RM06ENHI. after that i go to su24 to assign the transaction code check for me21 and me22. under field value for me21, my new object i want to assign value (interval) = $LGORT, but don;t know how so i leave it blank.
Come to user profile i adding this object into the authorization to check, and put in only allow for 0001 and 0002 location. But the user still can save the PO when choose 0004 without error. I want to know missing step that should be done to prevent certain user to order under 0004 storage location.
Kindly suggest and guide me. thanks in advance
Regards
AishahME21/ME21N doesn't even check if the material is extended to the storage location entered in the PO. I don't think what you did is enough to restrict users per storage location, you need to find a user exit or BAdi and do the authorization check in the your custom code
AUTHORITY-CHECK OBJECT 'Y_BEST_LOC'
ID 'ACTVT' FIELD '01' "Create
ID 'LGORT' FIELD '0002'. "Storage Location 0002
IF SY-SUBRC = 0.
" User has authorization
ELSE.
message 'Not authorized for storage location' type E
ENDIF.
You may have to use the following Business Add-in (TCode SE18)
ME_CHECK_ALL_ITEMS : Run Through Items Again in the Event of Changes in EKKO -
Custom authorization object and check logic
Hi gurus,
we need to apply additional authorization check in our custom reports.
so i created a custom fields & object, and put the statement
AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
ID 'ZROLEID' FIELD '03'
ID 'ZSOBID' FIELD zzdwbm.
in a abap class method centrally, so it could be called by many reports.
but the test show that the sy-subrc always set to 0, even for users without any authorization.
what i missed for adding custom auth check?
for this case, do i need to maintain authorization check indicator in SU24?
what i am confused is that , su24, you have to maintain a transaction , but our authorization check is not for transaction , but for reports and bsp application, how should i maintain su24 for that?
thanks and best regards.
JunHi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've ran the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
but still it is taking the P_ORGIN object. -
0Orgunit(hierarchy) and authorization object display getcell error in Webi
Hello,
We are facing with GetCellData error in WebI to SAP BEx Query.
This works perfectly fine in Bex for a particular test user who has access to particular org unit value.
But in Webi we are getting this Getcelldata error.
Tried all the options and message as recommended in sdn group.
mdxtest returns no value.
looked at all below messages but no luck.
GetCellData error in WebI to SAP BEx Query
Re: SAP BO WebI Report on top of BI Bex Query with Authorization Variable
in the rsecadmin, we get the same error like mentioned in below message
Hierarchy Authorization doesn't work for MDX but works for BEx Query.
Is any authorization required for this user to execute and view the authorized values in Webi?
or we have to assign any authorization ?(0BI_ALL is not assigned).
Please find below screenshots of BEx query auth log or Webi auth log (differences)
Bex auth log:
The Following Attributes Are Authorized and Thus Are Visible
0BBPPURGRPX
0BBPPURORGX
0BBP_BUYID
0BBP_ISCOMP
0BUS_AREA
0COMP_CODE
0CO_MST_AR
0CRMSALGRPX
0CRMSALOFFX
0CRMSALORGX
0CRMSRVTGRP
0CRM_SALGRP
0CRM_SALOFF
0CRM_SALORG
0CRM_SRVORG
0LEAVERS
0LOGSYS
0MAST_CCTR
0PERS_AREA
0PERS_SAREA
0PLANT
0PURCH_ORG
0PUR_GROUP
0SALESORG
0SALES_GRP
0SALES_OFF
This above log is missing for mdxtest auth log.
Is this the issue?
Any quick reponse or help really appreciated.
Regards,
Ravi
Edited by: Ravi Gadicherla on Feb 28, 2010 5:36 PMHi,
Here is the log of MDXtest:
Buffering the Authorization Data
Buffering for InfoProvider 0PA_C01 and Users HRTEST93
InfoObject Properties Defined
Reading of Directly Assigned Authorizations
Direct Assignment Does Not Include Universal Authorization 0BI_ALL
Reading the Indirect Assignments with Authorization Object S_RS_AUTH
Does user have OBI_ALL?
No, the User Does Not Have Universal Authorizion 0BI_ALL
Negative Entry in SU53 Result of Failed Check for 0BI_ALL
Indirect assignments found; no universal authorization
Regards,
Ravikanth -
F9K3 and authorization object in su24
Hello,
We want to add authorization object F_KNA1_BUK to new role for check in F9K3 transaction.
The problem is it is not being checked. I tried to debug and stop on authority-check but it's not stopping on this object.
But the object is showned in transaction SU24 - as CHECK / NO.
So it should be checked during F9K3 transaction run, correct?
Anyone knows what we're missing here ?
Thank You in advance for help,
Best regards,
ArturHi,
What appears in SU24 is not a reliable indicator of what is actually checked. It may be that F_KNA1_BUK is checked at some point depending on either how the tx is used or what menu options are used but I wouldn't bet my house on it.
Cheers
Maybe you are looking for
-
OIM 9.1.0.2: Remove user assigned to a task in Provisioning Process
I have read Note: Ability to Have Multiple Approvers Per Resource Object in OIM [ID 429999.1], and executed each steps described in it. But when grant these resource object to some user. First the request was not sended directly to a approval process
-
Macbook to TV display help.
When I plug my 13" macbook pro retina via hdmi cable to my HD tv the picture quality on my computer screen is no longer the retina resolution. The picture quality on my tv also isn't very good. The tv is a 26" LED Samsung. Can I fix this?
-
Troubleshooting Electronic Signature in Adobe X Standard
Trying to assist a coworker in setting up an electronic signature with password. When walking her through the screens, I noticed the "Add Digital ID" popup box does not show "Key Algorith" or "Use digital ID for" sections (mine does). She does not
-
the title explains it all. I upgraded to the newest quicktime. But when i went online to look at movies and other video files, it just shows white. Everything else is fine besides that. Weird. Help?
-
Hello! I have a cluster array with 105500 clusters; in a cluster there are 3 2D array with the same size (10 rows and 8 columns). I want to merge the data to obtain a single 2D array with 10*105500 rows and 8*3 columns. I know that with large array