Authorization objects for EA-PS after upgrade
Hi,
We are upgrading from ERP 4.6c to ECC 6.0 (IS-PS 462 to EA-PS 6.00).
On preliminary tests we have found that we need to add a few authorization objects to the users, but we want to minimize that.
We opted to deactivate BAdi implementation "FMBS_ADDON_AUTH_FI" and to mark the two checks inside IMG "Activate Old Authorization Check"
Although we have found authorization issues with objects:
F_FICA_FTR and
F_FICA_FCD
Is there a list of Objects that we need to add to the roles that I can review? or maybe an OSS Note or SDN article about this?
Best regards,
Nelson
Hi, I have been studying this, and I have found that the error message I saw yesterday definitely speaks to the problem I have been having.
I created a test role with one transaction, then went into SU24 for that transaction and made a new auth check with display 03. After I updated that role in PFCG (maintaining the new authorization), I went back to SU24, changed that new auth check by removing 03.
When I went back into the role in expert mode, the maintained authorization was gone and replaced with a new standard authorization with no values.
My concern is that wherever the authorization checks are coming from, their construction is corrupt! I'm not even sure that the original auth checks are OK -- if they had values that were later taken out, I am concerned that they will cause this error I am seeing.
I'm getting ready to upload the auth check tables from QA back to the Sandbox, but I'm not sure that will solve the problem if there is another cause for this. Is there some other setting/selection that someone must have clicked on that is now causing this problem? I still don't have a clear answer on that, and I would love to know.
Thanks,
Ed
Similar Messages
-
Authorization Object for Z Tcodes
Dear SAP Guru's
how to find authorization object for Z tcodes
e.g. in our orgnisation we have created report ZSR( Sales Register) and we want to restrict user for Plant & sales office
so where i can get authorization object.
kindly help
Thanks
ParamanandHi,
Goto T.Code "SUIM".
Click on "Roles".
Click on "By Transaction Assignment".
Enter your T.Code here i.e. "ZSR".
Click on Execute or Press F8.
You will identify the role assigned to it.
Copy that role.
Goto T.Code "PFCG".
Paste that role here.
Click on Display.
Goto "Authorisations" tab.
click on "Display Authorization data".
Goto Utilities-->Technical names on in menu bar.
Here you can see the authorization object assigned for this T.Code.
But in general all the Z transactions will be in S_TCODE authorization object.
Also,goto that T.Code.
Immediately after this enter,"/nSU53" T.Code.
Regards,
Krishna. -
Authorization object for Object services
Hello together,
I want to know if there is an authorization object for Generic object services functionilty especially the WF options like WF overview, start WF, Archieve WF..............................
My understanding is any user who has access to a particular Business object, can user GOS to view WF stuff..................Is my understanding correct or should we have extra functions.....................
RegardsCheck authorization objects S_OC_ROLE and, for recent releases, S_GOS_ATT.
Regards,
Raymond -
Authorization object for plant on selection-screen
Hi All,
I need to cehck the authorization object for plant on sleection screen..the palnt is select-options.
I have written the code
Declaration of local constants.
CONSTANTS : lc_i(1) TYPE c VALUE 'I',
lc_eq(2) TYPE c VALUE 'EQ'.
REFRESH : r_werks.
LOOP AT s_werks.
IF s_werks-low IS NOT INITIAL.
AUTHORITY-CHECK OBJECT 'M_MATE_WRK' "Check if the user has autorization for the plant.
ID 'ACTVT' FIELD '03'
ID 'WERKS' FIELD s_werks-low.
IF sy-subrc NE 0.
r_werks-sign = lc_i.
r_werks-option = lc_eq.
r_werks-low = s_werks-low.
APPEND r_werks.
ENDIF.
ENDIF.
ENDLOOP.
LOOP AT s_werks.
IF s_werks-high IS NOT INITIAL.
AUTHORITY-CHECK OBJECT 'M_MATE_WRK' "Check if the user has autorization for the plant.
ID 'ACTVT' FIELD '03'
ID 'WERKS' FIELD s_werks-high.
IF sy-subrc NE 0.
r_werks-sign = lc_i.
r_werks-option = lc_eq.
r_werks-low = s_werks-high.
APPEND r_werks.
ENDIF.
ENDIF.
ENDLOOP.
My doubt is will the authorization will check the plants in between 1001 and 2001..suppose i have pplants 1001,1002,1003,1004,2001..Now will the above code will check for all the plants or only 1001 and 2001 if i specify in the select-options.
Regards,
rajHi Raj
First no need to LOOP AT s_werks and check s_werks-high as it will always be present only once in the table s_werks.
Do this
SELECT werks FROM t001w INTO li_werks
WHERE werks IN s_werks.
LOOP AT li_werks.
*check your authority thing here and fill the range
ENDLOOP.
Pushpraj -
Authorization Object for Marketing Attributes
Hi Experts,
We are working with CRM 2007 and use in BP Marketing Attributes. Does someone know if there are any authorization objects for Marketing Attributes? We would like to restrict some of users to see some Attribute sets!
Thank you in advance,
RoulaHi Roula,
Thank you so much for awarding points.
Please note that in Transaction PFCG you have to assign the appropriate three digit attribute set key under the authorization group BGKRL to the authorization object C_KLAH_BKL for assigning attribute sets and to the authorization object C_KLAH_BKP for editing attribute sets.
Please have a look at the Note in the bottom of the page at the following link for further information.
http://help.sap.com/saphelp_crm60/helpdata/en/46/3517cc86e01421e10000000a1553f6/frameset.htm
Regards,
Deepak -
Authorization object for PLANNING PLANT
Hi all,
My client has different Planning plant & Production plant.
If I need to give access to GR for order (MB31), how do I know the authorization object for the Planning plant.
User should be given access to MB31 to the Planning plant & NOT to the Production plannt.
Any idea where we could find the authoriz. objects for a particular field?
Pls advise.Goods Receipt for Production Order: Movement Type M_MSEG_BWF
Goods Receipt for Production Order: Plant M_MSEG_WWF
these are the authorisation objects with activities as ACTVT and WERKS
Maintaine the values for ACTVT as
01 Create or generate,
02 Change
03 Display
04 Print, edit messages
and maintaine the values WERKS (ur plants 4 which u want to give authorisations)
and BWAR ( movement types 4 which u want to give authorisations) -
Kindly tell me authorization object for MRP type
Hi friends,
Kind tell me what is the authorization object for MRP type in material master.
Your help is considered more important.
thanks in advance
willaimsHi Willaim,
There is no standard authorization object for MRP type.
Regards,
Alexander -
Kindly give authorization object for mrp type in material master
Hi friends,
Kind tell me what is the authorization object for MRP type in material master.
Your help is considered more important.
thanks in advance
willaimshi,
check your authorisation objects here:
Go to PFCG --> Environment (at menu bar) --> authorization objects --> Display...
Here see for MRP and MM for material managament in the tree structure...
Regards
Priyanka.P -
Mandatory Authorization object for the BO user
Dear All
I am facing some problem for the BO user.
can you let me know what are mandatory Authorization object for BO user to run the dashboard without error.
Fast reply appreciate.
Thanks
HajiDear All
i am working for Analysis Authorization.
i included Analysis Authorisation object to the user.
S_RS_AUTH BI Analysis Authorizations in Role.
when i checked in the BW side its working fine.
when i checked the user in the BO side.
filter values are coming correct, but the values in the column are not showing.
its throwing an error.
kindly help me to solve this issue.
Thanks
Haji -
Authorization object for delivery block
Hi ,
How do I check the authorization object for any field? I specifically need one for delivery block.
Please help.
Thanks,
ShailajaHi,
If your looking to put a delivery level block or its removal then i guess you explore it through userexit mv45afzz
Regards,
Saurabh -
Authorization objects for transaction, one to view, and one to maintain
Hi all,
My requrement is to create two authorization objects for transaction, one to view, and one to maintain.
I know how to create objetcs vai sm21, but i donot know how to crate objects with activity codes.
Please suggest how to create object where i can asign activity codes.
regards
manishThe Authorization Concept
R/3 uses authorization objects to assign authorizations to users. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (eg. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (eg. Z_SCC20001).
Authorizations may be classified as general authorizations, organizational authorizations or functional authorizations. General authorizations specify the functions a user may perform. Authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. The system checks for the useru2019s authorization to create general ledger accounts (Activity 1) in at least one company code. The system then checks whether the user is permitted to create accounts for the specified organizational unit (company code) and has the required functional authorizations. Authorizations in this case may restrict the user to certain Charts of Accounts. In addition, an authorization group may be defined in certain authorization objects to protect individual master records.
Profiles relating to an organizational role (eg. General Ledger Supervisor) are defined consisting of a list of authorizations and other profiles. Such profiles are then assigned to users with that role and stored in their user master record along with other data (eg. password).
Do check this link as well.
http://articles.techrepublic.com.com/5100-10878_11-5110893.html -
Maintain assignments of authorization objects for Z Webdynpros in SU24
Hello experts,
When we display the assignments of authorization objects for External Services - Webdynpros in transaction SU24, Z_webdynpros are not shown in the screen.
We need to add more webdynpros in that table.
I suposse that there must exist a way for updating that table with the Z webdynpros developed or some configuration is needed.
Thanks in advance...
Hector LongarteThe Zwebdynpros I am talking about are Java Webdynpros in the SAP Portals, and the SAP ERP is onlyan ABAP stack.
Is this configuration posible?? -
Custom Authorization Object for HR
Hi,
As per our Company's internal needs I have created a Custom Authorization Object for HR named ZP_ORGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction & do a trace on it, the object ZP_ORGIN is never checked (for a user having this object in his/her User Master). Only P_ORGIN object is checked instead.
I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked.
Your help will be appreciated.
Thanks,
Mandeep VirkHi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've ran the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
but still it is taking the P_ORGIN object. -
HR Authorization : Custom Authorization Object for P_ORGIN
Hi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've ran the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
but still it is taking the P_ORGIN objectOnline Help
<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm">P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context)</a> -
Adding authorization object for "Function Group"s ?
Is it possible to add any authorization object for any function group ?
We have an issue i.e. whenever user "XYZ" is getting some Windows Excel related error whenever trying call an excel report from BW server. System log related to "XYZ" user shows that -> User "XYZ" has no RFC authorization for the function group "ABCD". The RFC authorization object is S_RFC.
Function Group you can check through SE37->GoTO->Display Function Group
Now is it possible to add authorization for any "Function Group" ?You give authorisation for all function groups by giving auth object S_RFC a * value in field RFC_NAME
However I do not recommend this as giving wide access to RFC's can bypass a lot of the security you have implemented for the users.
In this case, add only the function group that the user requires in this instance into S_RFC
Maybe you are looking for
-
Gmail standard will not load in Firefox 3.6.15
Gmail standard view no longer loads in Firefox3.6.15. It worked until about three weeks ago, but now will only load in HTML
-
Help ! ITunes crashes everytime on gapless playback information
Please, i don't know what to to. Everytime I open Itunes it says gapless playback information and goes on forever, it won't let me import a cd . It just crashes. It's version 7 the latest one. It didn't happen before until the upgrade how can i stop
-
Can't electronically sign?
Hi I am trying to electronically sign a pdf file that says it allows signing in the permission details. The pen icon is there but the options to use it are grey. It's a long document and I'd really rather not print it all out just to sign it and then
-
ALV doesn't expand/collapse subtotals
Hi everyone, I have an old ALV program in wich i made some changes. For example, added form USER_COMMAND so that when you double-click on a row, it makes a CALL TRANSACTION to the referenced document. But a problem emerged, and it didn't happended be
-
Service Requests and Collection Plans
I'm experimenting here just a bit... and I wondered. Is it possible to map a Service Request Type to a Collection Plan. Seems logical functionality to me, but I couldn't find it anywhere...