Authorization objects generated by a transaction

Similar Messages

• Assign authorization objects to newly created transaction

  I have just created a new transaction YMM02 as a copy of MM02. When I create a role using PFCG and enter in the new transaction there are no authorization objects proposed. Do these come from the original transaction or can I assign them through a SAP transaction or via a table entry?
  Regards,
  Brian

  Hi Brian,
  that's transaction SU24.
  See also its documentation if needed : http://help.sap.com/saphelp_nw70/helpdata/en/52/671449439b11d1896f0000e8322d00/frameset.htm
  BR
  Sandra

• List of Authorization Object with Transaction Code

  Dear All ,
      Does SAP provide  any report to list all the Authorization Object ? and which object is belong to which transaction code ?
  Thanks .

  hi olrang ,
  STEP BY STEP TO CREATE AUTHORIZATION OBJECT:
  STEP1:  goto  SU21 transaction and create a new Authorization Object
  Object Name:  Z.....
  Text:  ...........
  ClassL  SD (YOUR MODULE)
  AUTHOR:  YOUR ID
  STEP2:  Give authorizatin fields as
  ACTION - Action of the Authorization
  Activity -  Document Destribution.
  STEP3:  Basis will create a role using transaction  PFCG and assign this authorization object to that role.
  STEP4:  Call the AUTHORITY-CHECK Object in your code.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  IF sy-subrc 0.
  MESSAGE e000(zzpp) WITH 'No Authorization'.
  ENDIF.
  and it belongs to  SU24 transaction code
  Saurabh Goel

• Custom authorization object

  Hi all,
  I have created a custom authorization object to define a data security based on the Company code field.
  These are the steps I did:
  - I create a new authorization object containing the Company code field (BUKRS).
  - I create a new role with this authorization object, and I have assigned a specific value to the Company code field.
  - The role contains also the standard authorization object HR Master data which contains the field: infotype, personnel area...
  - I have assigned the new role to a user and I have executed a report, but I had not the expected result.
  - I had assigned the custom authorization object to the report transaction through SU24 and SU22, but I had not the expected result.
  As expected result I was expecting that the data are filtered based on the Company code I put in the authorization field.
  Any idea about the problem?
  thx!

  Please check that you have followed all of the steps listed here when creating your object:
  <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm">http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm</a>
  - April

• Inclusion of Authorization Object

  Hi friends,
  I want to include a standars SAP authorization object in a standard transaction type. The authorization object is originally not there in the transaction. Do we need to enhance the standard code for calling the additional authorization check or there is some other way to do this?
  Regards,
  Deb.

  Hi Manuel,
  In Opportunity transaction I want to give authorization to the Text Types. E.g. The person with manager role shall be able to edit all the text types but the person with role Sales Rep should only be able to view it.
  I added the authorization object 'CRM_TXT_ID' to the transaction but i'm still not able to achieve the functionality. Could you guide me how to go ahead regarding this?
  Regards,
  Deb

• BI authorization objects not appearing in RAR, error while generating role

  Hi
  I am facing certain problems relating to integration of BI module version 7 with GRC Access Controls version 5.3 and support package 06. I am describing the problems in details below:
  (a)  In Risk Analysis and Remediation (RAR) component, I am creating Functions and
        Risks for Business Intelligence (BI) module. For that I have downloaded the
        descriptive text and authorization object data from BI development system and
        uploaded the same in RAR. Then I have created 2 Function Ids DBI1 (having action
        RSA1) and DBI2 (having actions RSA11, RSA12, RSA13, RSA14, RSA15) and 1
        Risk Id for BI (having Function Ids DBI1 and DBI2) in RAR. But when I checked
        the permission tabs of the Function Ids DBI1 and DBI2, I could not find any
        authorization objects for the actions in them.
  (b)  In Enterprise Role Management (ERM), when I am trying to create a Role TEST-BI
         in DBI 100 and I put the  BI transaction codes in authorization data , I get the
         authorization objects . Risk analysis is also being done successfully. But at the time
         of Role generation in background mode , it is giving an error message :
         Error generating role TEST-BI for system DBI 100: Unable to interpret * as a number.
         I am thus unable to generate any role in DBI 100.
  (c)  In Compliance User Provisioning (CUP), I have imported a standard role from DBI
        100. Then I have added Functional Area, Business Process, Subprocess  and
        Criticality Level to this role in CUP. But when I try to assign this Role to an user, it
         gives an error Error creating request. But requests are getting created and roles are
         being assigned to users in ECC development  systems using the same Initiator, CAD, stage
         and path.
  Can anyone please help me ?

  -

• Authorization object for parameter transactions

  Hi all,
  I'm trying to restrict transaction VL10h for shipping point,this transaction is a parameter transaction and is not controlled by an authorization object directly.when I run a trace , transaction Vl10x shows up. The authorization object that is being checked is V_LIKP_VST.
  Note : The requirement is when the user executes transaction VL10h he/she should be able to display only those shipping points they are authorized to.
  Please advice.
  Thanks,
  Mohan.

  Hi Mohan,
  For transaction VL10H you can specify values for the following fields in authorization object V_LIKP_VST:
  -Activity:
  01     Create or generate
  02     Change
  03     Display
  04     Print, edit messages
  18     Deliveries from coll. proc.
  24     Archive
  25     Reload
  85     Reverse
  -Shipping point: Here you must set the restriction for each group of users that are allowed for the maintenance of the shipping points that are used for delivery processing.
  You can restrict the access through these fields.
  Regards,
  Leandro

• How to add custom authorization object to a SAP standard transaction

  Hi All,
  I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
  Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
  - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
  - tcode SU21 - creation of  a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
  - tcode SU24 - insert of new authorization field e check indicator (green)
  - tcode SU22 - check indicator - check (green)
  After this we have created a new role with PFCG and add transaction IW22; the new auth.ZPM was added manually.
  We have try to analyze log (ST01 trace) but it seems no check was made in the trace file.
  It seems new authorization object was not checked.
  My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
  Thanks
  Maurizio

  > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
  >
  No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
  So you need to provide a Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
  Regards,
  Dipanjan

• Adding new authorization objects to transactions

  Hi experts,
  i would like to add new authorization objects to specific transactions, for example the object K_CCA for checking the cost element in the transaction KB15N.
  What do we have to maintain, except the transaction code with (SU22). What do we have to do with the program behind the transaction?
  Is it "just" adding two line of code into the auth object check in the program, similar or like described for client specific ABAP-programs???
  Any experiences on that?
  Regards
  Florian

  Hi,
  First add the objects in DSO then in Info Cube.
  Map the same with transformation.
  Move the objects to production then DSO.
  Load the DSO first. then delete the data from cube in production.
  Now move the modified cube and transformation to production.
  Now load the Cube from DSO.
  No need to change any thing in existing query.
  I hope this will help.
  Thanks,
  S

• Report to view user nm, authorization objects, activity, transaction code.

  Hi All,
  I want to view a user-wise report that displays the transaction code, authorization objects and activities for which the user has authorization.
  Is there any standard report to view all this at a glance?
  Can anybody help me on this?
  Thanks.

  u can try SUIM tcode
  its really helps u
  regards,
  Abhilash

• Authorization objects in web dynpro ABAP and SU24 transaction

  Hi,
  I have created a new authorization object to check a storage location for certain activities. I have added the authorization object in a specific web dynpro ABAP and I have created a new role in PFCG for my web dynpro ABAP.
  The organization level for storage location is not recognized in PFCG. Someone told me I have to maintain my authorization object in SU24 as it is done for transaction.
  I wanted to maintain my web dynpro in SU24 but I found no way to do that.
  It seems that we can maintain authorization for TADIR service and in those services there is R3TR WDYA but when I use the search help for  OBJ_NAME I don't find may web dynpro ABAP. I suppose I have to create a TADIR service for my web dynpro ABAP or something like that but I don't know how to do ?
  Does anybody  know how to deal with specific authorization in web dynpro ABAP and t ohave the organizational level recognized in PFCG.
  Thanks for your help,
  Emmanuel

  Hi,
  Please RUN the function module as "AUTH_TRACE_WRITE_USOBHASH" with following parameter
  R3TR
  "custom webdynpro application"
  SERVICE TYPE and Service can be kept blank
  after this try  SU24 it will be available in SU24 list.
  Thanks & regards

• Restricting the authorization Object for B2B Transactions

  Hi All
  we are facing the problem in the ISA b2b app, actually the scenario is as below.
  we have various transaction types like b2b sales,Peoplesoft order,Request for Order change, RMA ,Request for Quotation(RFQ) and metel order.
  As per the requirement, The client wants only a few functionalities for a particular user.
  Example:
  Transaction Type Authorization
  PeopleSoft order View only View only
  B2B:Req. OrderCh x x
  B2B: Req. RMA
  B2B: Req. Quote x x
  Metel Order x
  For b2b sales transaction a lower level employee would only be able to view the order and he should be restricted to make any changes. Is there a posibility to restrict in this manner? This is Urgent. Please respond immediately. Thanking you in anticipation.
  Message was edited by:
  Sunil Kumar

  >
  Viral741 wrote:
  > Hi All
  >
  > I have a requirement in SAP Security to restrict the authorization object S_ALV_LAYO to a particular set of users.
  >
  > Background:
  >
  > We use composite roles which is shared accross all areas(Finace,marketing,work managment).Now the requirement is for from Work managment to restrict S_ALV_LAYO so that user cant change default layout and can create user specific layout,but other areas are not ready for this.So please let me know if there is any way i can restrict this auth object only for work managment area only.
  >
  > Thanks,
  >
  > Nitesh
  Nitesh,
  Remove access to S_ALV_LAYO for general users and give access to F_IT_ALV instead.  Keep S_ALV_LAYO for the users who will be maintaining the default layout.
  Good Luck!

• Transaction to check authorization objects that failed

  I am trying to test a report, but I get an authorization error when running a standard function.
  I have already used a transaction which shows what authorization object failed if you call this transaction right after you got the error. Does anybody know the code of this transaction?
  Thanks in advance,
  Carol

  Hello,
  use /nsu53 and send the print screen to your basis team....they will modify your profile role to give you the permissions.
  Bye
  Gabriel P-

• Authorization objects for  transaction, one to view, and one to maintain

  Hi all,
  My requrement is to create two authorization objects for  transaction, one to view, and one to maintain.
  I know how to create objetcs vai sm21, but i donot know how to crate objects with activity codes.
  Please suggest how to create object where i can asign activity codes.
  regards
  manish

  The Authorization Concept
  R/3 uses authorization objects to assign authorizations to users. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (eg. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (eg. Z_SCC20001).
  Authorizations may be classified as general authorizations, organizational authorizations or functional authorizations. General authorizations specify the functions a user may perform. Authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. The system checks for the useru2019s authorization to create general ledger accounts (Activity 1) in at least one company code. The system then checks whether the user is permitted to create accounts for the specified organizational unit (company code) and has the required functional authorizations. Authorizations in this case may restrict the user to certain Charts of Accounts. In addition, an authorization group may be defined in certain authorization objects to protect individual master records.
  Profiles relating to an organizational role (eg. General Ledger Supervisor) are defined consisting of a list of authorizations and other profiles. Such profiles are then assigned to users with that role and stored in their user master record along with other data (eg. password).
  Do check this link as well.
  http://articles.techrepublic.com.com/5100-10878_11-5110893.html

• Authorization Object   for  Transaction code XSLT_TOOL

  Hi Friends
  When i try to use transaction xslt_tool the following error appears "You are not authorized to use transaction xslt_tool".
  Can anyone give  the Authorization object  for  transaction  xslt_tool,
  Regards.
  Wishva

  Give access to the transaction in PFCG. 
  Then use SU53 to highlight any additional access required.