Authorization objects details

Similar Messages

• TOBJ Authorization Object Details

  Hi All,
  I am trying to see the logic of a Z-Authorization object. I can see an entry in the table TOBJ but am wandering about where to see the details for that Z-authorizations.
  Where can i get the details for any authorization objects?
  Please help.
  Thanks!

  Hi ,
  At run time/Debugging  Create a BreakPoint using key word 'authority-check'.
  The Debugger will stop at all those place where Authority check is done.
  See attached screen shot for reference.
  Regards,
  Vikas

• Authorization object to import mb51 detail list to excel

  Dear all,
  What is authorization object to import mb51 detail list to excel ?
  Able to see report material document list,but export to local file is greyed out ?
  Jeyakanthan

  Hi,
  you can export ALV using menu option List -> Export -> Local file. Icon with green arrow which is usually used for download functionality in ALV has a different meaning in MB51. I know it's confusing. It's used to get full MM documents from archive. It's active only if you set option Short Documents in the section Data Source.
  Cheers

• MB51 Detail list import to excel - Authorization object

  Dear all,
  What is authorization object to import mb51 detail list to excel ?
  Jeyakanthan

  HI,
  Try this link
  Problem with authorization object belongs to MB51
  Regards
  KK

• Details about authorization Object

  Please help ,i had two fields ex sales org & distribution chanel and i have to write a code for authorization , is the authorization object which i wrote is right or not.
  I know that we can use at max of 10 fields , but say vkorg / vtweg is used 5 times  with different variable name in same prog how to make sure that this code will work for authorization check on VKORG/ VTWEG can anybody please explain me in step's
  AUTHORITY-CHECK
            OBJECT 'Z_zzlau'
            ID  'VKORG' FIELD  'S_VKORG'
            ID  'VTWEG' FIELD  'S_VTWEG'
            ID  'ACTVT' FIELD '02'
            ID  'ACTVT' FIELD '03'
            ID  'ACTVT' FIELD '70'.
  Thanks

  Hi,
  ACTVT field is used for checking the create /display / change authorizations.
  after creation of the activity group , add it to the user profiles which need authorizations.
  01-create 02-change 03-display
  AUTHORITY-CHECK
  OBJECT 'Z_zzlau'
  ID 'VKORG' FIELD 'S_VKORG'
  ID 'VTWEG' FIELD 'S_VTWEG'
  ID 'ACTVT' FIELD '02'
  ID 'ACTVT' FIELD '03'
  ID 'ACTVT' FIELD '70'.
  if you are checking authorizations with the selection screen parameters then change your code like below:(if change is required)
  AUTHORITY-CHECK
  OBJECT 'Z_ZZLAU'
  ID 'VKORG' FIELD S_VKORG
  ID 'VTWEG' FIELD S_VTWEG
  ID 'ACTVT' FIELD '02'.
  and also check SAP help on this :
  AUTHORITY-CHECK
  Basic form
  AUTHORITY-CHECK OBJECT object
      ID name1  FIELD f1
      ID name2  FIELD f2
      ID name10 FIELD f10.
  Effect
  Explanation of IDs:
  object
  Field which contains the name of the object for which the authorization is to be checked.
  name1 ...
  Fields which contain the names of the
  name10
  authorization fields defined in the object.
  f1 ...
  Fields which contain the values for which the
  f10
  authorization is to be checked.
  AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
  You must specify all authorizations for an object and a also a value for each ID (or DUMMY).
  The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
  If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
  If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
  The return code value changes according to the different error scenarios. The return code values have the following meaning:
  4
  User has no authorization in the SAP System for such an action. If necessary, change the user master record.
  8
  Too many parameters (fields, values). Maximum allowed is 10.
  12
  Specified object not maintained in the user master record.
  16
  No profile entered in the user master record.
  24
  The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
  28
  Incorrect structure for user master record.
  32
  Incorrect structure for user master record.
  36
  Incorrect structure for user master record.
  If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
  Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
  Note
  Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
  The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
  Example
  Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
  Table OBJ: Definition of authorization object
  M_EINF_WRK
     ACTVT
     WERKS
  Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
  M_EINF_WRK_BERECH1
     ACTVT 01-03
     WERKS 0001-0003 .
  can display and change plants within the Purchasing and Materials Management areas.
  Such a user would thus pass the checks
  AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
      ID 'WERKS' FIELD '0002'
      ID 'ACTVT' FIELD '02'.
  AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
      ID 'WERKS' DUMMY
      ID 'ACTVT' FIELD '01':
  but would fail the check
  AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
      ID 'WERKS' FIELD '0005'
      ID 'ACTVT' FIELD '04'.
  To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.
  Regards
  Appana

• Analysis Authorization Object not working

  Hi Gurus,
  I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
  For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
  I have followed the below steps but still the report shows all data instead of restricted one.
  1)RSECADMIN -> Maintenance ->zz_div ->Create
  2) Add 0DIVISION in Auth structure , and in details 
  I     EQ     32
  I     EQ     33
  3) Add 0TCAIPROV with I     EQ     0SD_C03
  4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID,  this having details as
  I     CP     *
  5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
  6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
  Following are the authorization object in that user's Role (Reporting Only)
  S_RFC 
  S_TCODE
  S_GUI
  S_BDS_D  
  S_BDS_DS 
  S_OC_SEND
  S_RS_AUTH - only having zz_div
  S_RS_COMP
  S_RS_COMP1
  S_RS_ICUBE
  S_RS_RSTT
  S_RS_TOOLS
  S_RS_PARAM
  I have surfed lots of thread for this issue but not getting a solution
  Tell me what i m missing in above or any additional setting need before creating analysis authorization
  Edited by: Sonal Patel on Apr 18, 2009 8:10 AM

  Hi
  Thanks a Ton for ur reply
  I have checked in SPRO : Analysis Authorization
  where the authorization mode is " OLD obsolete Concept With RSR  Authorization Objects "
  We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
  Thanks
  Sonal....

• BI authorization objects not appearing in RAR, error while generating role

  Hi
  I am facing certain problems relating to integration of BI module version 7 with GRC Access Controls version 5.3 and support package 06. I am describing the problems in details below:
  (a)  In Risk Analysis and Remediation (RAR) component, I am creating Functions and
        Risks for Business Intelligence (BI) module. For that I have downloaded the
        descriptive text and authorization object data from BI development system and
        uploaded the same in RAR. Then I have created 2 Function Ids DBI1 (having action
        RSA1) and DBI2 (having actions RSA11, RSA12, RSA13, RSA14, RSA15) and 1
        Risk Id for BI (having Function Ids DBI1 and DBI2) in RAR. But when I checked
        the permission tabs of the Function Ids DBI1 and DBI2, I could not find any
        authorization objects for the actions in them.
  (b)  In Enterprise Role Management (ERM), when I am trying to create a Role TEST-BI
         in DBI 100 and I put the  BI transaction codes in authorization data , I get the
         authorization objects . Risk analysis is also being done successfully. But at the time
         of Role generation in background mode , it is giving an error message :
         Error generating role TEST-BI for system DBI 100: Unable to interpret * as a number.
         I am thus unable to generate any role in DBI 100.
  (c)  In Compliance User Provisioning (CUP), I have imported a standard role from DBI
        100. Then I have added Functional Area, Business Process, Subprocess  and
        Criticality Level to this role in CUP. But when I try to assign this Role to an user, it
         gives an error Error creating request. But requests are getting created and roles are
         being assigned to users in ECC development  systems using the same Initiator, CAD, stage
         and path.
  Can anyone please help me ?

  -

• Role creation and authorization objects in sap

  Hi
  i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
  Please explain the process in detail the use of PFCG and all its options and how to create Z roles

  Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
  - Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.
  - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
  For e.g. If a user wants to create a PO we can restrict him on:
  u2022     Activity : Create/Change/Display
  u2022     Org elements like Company Code, Plant, Purchase Organization etc
  u2022     Document type etc.
  - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
  - Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
  - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
  - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
  - Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.
  Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

• Authorization object coding in ABAP report

  Hi,
  I am working on a report. The output of the report is details regarding vendor based on purchasing organization. When user executes the reports, they should be only able to see details if they are authorized to (create, change and display) for the purchasing org of vendor.
  The authrorization object by SAP security team is 'M_LFM1_EKO' for standard access to vendors (via MK01, MK02 AND MK03).
  How can I use same authorization object to do check in my program for the user in ABAP so that if user is not authroized he will not be able to see details during output for those vendor.
  Regards,
  Tgshah.

  Hi ,
  Basically you need to call Authority-check using the pattern option and then pass the object name and field name .If the user has been assigned that object in his profile sy-subrc will succed otherwise fail .
  AUTHORITY-CHECK OBJECT 'M_LFM1_EKO'
           ID 'ACTVT' FIELD '1/2/3'
           ID 'EKORG' FIELD 'value of purchase organization'.
  IF sy-subrc eq 0 .
  WRITE :'authorization' .
  ELSE .
    WRITE 'no authorization' .
  ENDIF.
  The below lonk explains it more ...
  [http://help.sap.com/saphelp_40b/helpdata/fr/d4/e02c7dd435d1118b3f0060b03ca329/content.htm]
  Thank you .
  Anjaneya .

• BW 3.5 which authorization objects available rssm (checks for infoprovider)

  Hi all,
  How does SAP generates the list of authorization objects in RSSM when you enter a specific infoprovider (checks for infoprovider)? Are only the authorization object related to this infoprovider listed?
  Is there any documentation about the purpose in RSSM for the button 'update check status (Authorization objects, infoprovider).
  thanks for your help.

  Based on which criteria?
  Is there somwhere detailed documentation available about the RSSM part in BW authorizations? It seems hard to find any...
  Thanks,

• Authorization objects which contain company code field

  Hi,
  We are looking for list of Authorization objects which contain company code field for Audit. The listing should have Role, Authorization obj and the <b>company code and values</b>.
  Is there any we can query this info.
  Thanks,
  Sam
  Message was edited by: Sam

  Hi,
  You can use the follwing
  in USR12 table
  in USOBT table (but you get the details for the Auth Obj in the Tcodes and their field values.
  But as far as my knowledge goes you will get all the Auth Obj with Company code field
  Caution: If there are some objects in not check or are which are not in any tcodes then they will not be captured.
  But they are very less I guess and so i think you can capture most of the Auth Obj I guess
  Message was edited by: Manohar Kappala

• Upload Document Authorization Object

  I try to set the authorization for uploading a document onto the report via the Portal website.
  However, I can't find any proper authorization object for this purpose. (I tried the authorization object 'S_RS_ADMWB', but it is not workable)
  May you all help me in this issue? It will be highly appreciated if you also give me details of authorization object parameters?

  Hello,
  Mash recently reported a similar error here :
  when i try to upload oracle authorization objects getting errors
  obviously, we can't see the attached file
  Cheers,
  Diego.

• Authorization object CRM_ORD_OP

  Hello ,
  We are using authorization object CRM_ORD_OP to restrict display/change/create transactions according to Sales group/office/area.
  As for now user can not display/edit transaction those not belong to his sales area, but once user enter, for example,  to "search for opportunity" in the result screen all opportunities are shown. Once he clicks on "not his" opportunity u2013"no authorization" message appears.
  Can object "CRM_ord_op" be checked before display search result?
  Any another idea to restrict search results?
  Thank you,
  Rika

  Rika,
  Thanks for taking the time to reply, it's really appreciated.
  I will pass the details of this note over to our Basis team to see if this helps us resolve our issue also (we are trying to prevent unauthorised objects showing in user search result lists).
  We are on CRM 2007 though, so I am not sure whether it will still be relevant.
  Many thanks again,
  Andrew G.

• Barcodes and authorization objects

  PLS TELL ME ABOUT THE AUTHORIZATION OBJECTS WHILE WE R CREATING THE
  TRANSACTION FOR ANY  USER DEFINED REPORT .
  22. WHAT IS THE use OF BAR CODES IN ANY WINDOW OF SCRIPT . AND HOW TO INSERT BARCODE IN WINDOW.PLS TELL IN DETAIL?

  Ideally, if in a role autorization is not provided for STMS, then the user id will not allow to use transaction code STMS.
  However, if SAP_All is provided, in that case, user will have access to all Transaction Codes.
  Regards,
  Rajesh Banka

• Authorization Objects in Transaction codes

  Dear Experts
  we are trying to make Authorization Matrix for users authorizations , so what i need to know if is there any way i can get template list includes Tcodes and the Authorization objects corresponding to each Tcode , it will be a lot easier to make the roles .
  please if anyone can advice how i can get the tcode list with its objects it will be great.
  thanks
  Sameh Essa

  Authorization Matrix - Not any table / programme will work for you in this case, you better maintain below checklist :
  1) Gather company data : Organization Structure HR will help you in this. (you need to get all details on Organization values such as Company Code, Plant, Purchasing / Sales Organization etc.,
  2) Prepare a sheet for every module (PP,MM,SD,FI,CO,HR etc.,)
  3) Study the Organization structure & Identify the Job responsibility of the person in current organization & what function he / she will do in SAP.
  4) A sheet contains T-codes & description (you can get list of tcodes from respective functional consultant), Role Name, Activity - create/change/display et.,
  5) Don't add all t-codes Ex- PP : Add only those tcodes access by you users : End or Core users. Sometime it doesn;t make sense to give create / change / delete t-codes to a user who's only responsible for doing data entry job or a user who is responsible only for creating materials not approving / sending.
  6) Make a sheet that maps you users to role
  7) Always review / approve your Matirx from respective Functional Head, as a BASIS we can't take decision on Functional side.
  8) Always test you roles in DEV / QAS (training client) assigned to a test user by your functional cunsultant.
  9) Always remember of cross functionality authorizations (like some time they may
  10) Always make sure that none of the user gets any BASIS activity authorization.
  I gather above points from my experience where I was involved in designing Matrix, It can be defferent depends upon the organization.
  Regards;