Authorization Objects in Transaction codes
Dear Experts
we are trying to make Authorization Matrix for users authorizations , so what i need to know if is there any way i can get template list includes Tcodes and the Authorization objects corresponding to each Tcode , it will be a lot easier to make the roles .
please if anyone can advice how i can get the tcode list with its objects it will be great.
thanks
Sameh Essa
Authorization Matrix - Not any table / programme will work for you in this case, you better maintain below checklist :
1) Gather company data : Organization Structure HR will help you in this. (you need to get all details on Organization values such as Company Code, Plant, Purchasing / Sales Organization etc.,
2) Prepare a sheet for every module (PP,MM,SD,FI,CO,HR etc.,)
3) Study the Organization structure & Identify the Job responsibility of the person in current organization & what function he / she will do in SAP.
4) A sheet contains T-codes & description (you can get list of tcodes from respective functional consultant), Role Name, Activity - create/change/display et.,
5) Don't add all t-codes Ex- PP : Add only those tcodes access by you users : End or Core users. Sometime it doesn;t make sense to give create / change / delete t-codes to a user who's only responsible for doing data entry job or a user who is responsible only for creating materials not approving / sending.
6) Make a sheet that maps you users to role
7) Always review / approve your Matirx from respective Functional Head, as a BASIS we can't take decision on Functional side.
8) Always test you roles in DEV / QAS (training client) assigned to a test user by your functional cunsultant.
9) Always remember of cross functionality authorizations (like some time they may
10) Always make sure that none of the user gets any BASIS activity authorization.
I gather above points from my experience where I was involved in designing Matrix, It can be defferent depends upon the organization.
Regards;
Similar Messages
-
Link authorization object to transaction code
Hi to all
how to link authorization object to transaction code?
i think we can do by using SU24, i am not getting how to do ?
can any one help me on this Immediately
Regards
raadhaIn SU24
In the Application tab
Type of Application: 'Transaction'
Transaction Code: 'Tcode'
In the Authorization Object tab
Authorization Object: 'Authorisation object name'
Type of Application: 'Transaction'
Then Execute or Press F8... -
Authorization Object for Transaction code XSLT_TOOL
Hi Friends
When i try to use transaction xslt_tool the following error appears "You are not authorized to use transaction xslt_tool".
Can anyone give the Authorization object for transaction xslt_tool,
Regards.
WishvaGive access to the transaction in PFCG.
Then use SU53 to highlight any additional access required. -
Report to view user nm, authorization objects, activity, transaction code.
Hi All,
I want to view a user-wise report that displays the transaction code, authorization objects and activities for which the user has authorization.
Is there any standard report to view all this at a glance?
Can anybody help me on this?
Thanks.u can try SUIM tcode
its really helps u
regards,
Abhilash -
Authorization Object for Transaction Code
Hi,
Is there a report I can execute to give me the list of authorization object for this transaction code?
Thanks.Check Transaction SU24
Alternatively you can go to SE16-- enter the table name TSTCA, then enter the T CODE, you will get the object related to that T Code.
Reward points.. -
List of Authorization Object with Transaction Code
Dear All ,
Does SAP provide any report to list all the Authorization Object ? and which object is belong to which transaction code ?
Thanks .hi olrang ,
STEP BY STEP TO CREATE AUTHORIZATION OBJECT:
STEP1: goto SU21 transaction and create a new Authorization Object
Object Name: Z.....
Text: ...........
ClassL SD (YOUR MODULE)
AUTHOR: YOUR ID
STEP2: Give authorizatin fields as
ACTION - Action of the Authorization
Activity - Document Destribution.
STEP3: Basis will create a role using transaction PFCG and assign this authorization object to that role.
STEP4: Call the AUTHORITY-CHECK Object in your code.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
IF sy-subrc 0.
MESSAGE e000(zzpp) WITH 'No Authorization'.
ENDIF.
and it belongs to SU24 transaction code
Saurabh Goel -
Authorization objects for transaction, one to view, and one to maintain
Hi all,
My requrement is to create two authorization objects for transaction, one to view, and one to maintain.
I know how to create objetcs vai sm21, but i donot know how to crate objects with activity codes.
Please suggest how to create object where i can asign activity codes.
regards
manishThe Authorization Concept
R/3 uses authorization objects to assign authorizations to users. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (eg. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (eg. Z_SCC20001).
Authorizations may be classified as general authorizations, organizational authorizations or functional authorizations. General authorizations specify the functions a user may perform. Authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. The system checks for the useru2019s authorization to create general ledger accounts (Activity 1) in at least one company code. The system then checks whether the user is permitted to create accounts for the specified organizational unit (company code) and has the required functional authorizations. Authorizations in this case may restrict the user to certain Charts of Accounts. In addition, an authorization group may be defined in certain authorization objects to protect individual master records.
Profiles relating to an organizational role (eg. General Ledger Supervisor) are defined consisting of a list of authorizations and other profiles. Such profiles are then assigned to users with that role and stored in their user master record along with other data (eg. password).
Do check this link as well.
http://articles.techrepublic.com.com/5100-10878_11-5110893.html -
Authorization for a Transaction code
Hi,
In ECC 5.0, how can we get an authorization for a transaction code by debugging the code?
Actually in 4.6C, we used to debug the code & change SY-SUBRC code to '0' & get the authorization for a perticular transaction code.
Similarly how can we do this in ECC 5.0?
I tried, but I am not getting where to change the sy-subrc code to '0'.
Any help or clue is greatly appreciated.
Thanks,
Sarika.Hi Sarika,
You can try out this workaround. In function module 'RS_TRANSACTION_TEST' put a breakpoint at statement ' call function 'AUTHORITY_CHECK_TCODE''. Execute the required transaction using tcode SE93.If you don't have the authorization then sy-subrc will be 4 after the above statement. In debugging mode change it to 0. Hope this helps.
Thanks,
Roshan Gujaran. -
Adding new authorization objects to transactions
Hi experts,
i would like to add new authorization objects to specific transactions, for example the object K_CCA for checking the cost element in the transaction KB15N.
What do we have to maintain, except the transaction code with (SU22). What do we have to do with the program behind the transaction?
Is it "just" adding two line of code into the auth object check in the program, similar or like described for client specific ABAP-programs???
Any experiences on that?
Regards
FlorianHi,
First add the objects in DSO then in Info Cube.
Map the same with transformation.
Move the objects to production then DSO.
Load the DSO first. then delete the data from cube in production.
Now move the modified cube and transformation to production.
Now load the Cube from DSO.
No need to change any thing in existing query.
I hope this will help.
Thanks,
S -
Hi Gurus,
Using SU24 i am able to get objects available in a specific Transaction Code.
Is there any TC which will help me in getting all Transaction Code in which a specific Object Exists.
For example object F_BKPF_BEK exists at authorization level for TC FB60. I would like to know it exists in which all other TC.Hi,
Please try
The where-used list for authorization objects in programs and transactions can be called using the Repository Information System (transaction SE84 -> Workbench -> Edit Object -> 'More...' tab page ) or the administration of authorization objects (transaction SU21).
Check transaction SUIM also.
Regards
Ben -
Forcing Authorization for a transaction code without authorization check in
Transaction code 'PP02' has an authorization object P_TCODE. So when a user who does not have authorization to transaction 'PP02' tries to execute it from command prompt, the SAP system appropriately restricts user saying "You have no authorization".
However, If Ia program has "Call transaction" verb calling this transaction and if the restricted user runs this report or module program, it does not restrict the user to access the transaction.
Is there any way to restrict user to access the transaction from program without explicitly doing authorization check from within the program?
Jitendra MehtaHi Florin:
S_TCODE restricts the user only at command prompt level, not if you run the transaction for program using "CALL TRANSACTION" verb.
If we assign auth.object P_TCODE with some other transaction values (not one for which we want to restrict), then the authority check works for the above.
But say, if I have no other transaction code values to be assigned to auth. object P_TCODE for the restricted user ( therefore, obviously I don't assign auth. object P_TCODE to any auth. profile for the restricted user) then again, I am out of luck.
The only way, I have seen this working is to assign value space ( ' ' ) to auth. object P_TCODE and then assign this auth.object to one of the auth. profiles of the restricted user, BINGO!, then it works.
But our Authorization team has an objection saying "We assign the transactions ( to auth. object ) which the user should have access. It is not proper to assign a no value to auth. object ( assigning space value ) "
I do not know how much merit their argument has, however, I was wondering if there is another way I could achieve it without relying on tens of hundred of programs doing auth. checks whenever they call the restricted transaction.
Please let me know your thoughts.
Thanks.
Jitendra Mehta -
Authorization Issue for Transaction Codes PA10,PA20,PA30 &PA40
Hi Experts,
I have created Custom role for accessing ALL HR Transaction codes in IDES System and added to the user & Tested.
All transactions codes are working except PA10,PA20,PA30 &PA40
Please help me regading this.
Advance Thanks,
BBCHi,
I had check with basis Team, they told that I have all authorizations.
This is New Installation for R/3 HR IDES System. even basis Team also created role for above transaction code but not getting access.
We can accesss all transaction codes except these.
All are new for HR. here anything needs to be configure for access PA10 to PA40 Transaction codes.
Please advice me.
Thanks & Regards,
BBC -
Assigning authorization objects to transaction
Hi All,
While creating a new role using transaction PFCG, If i enter transaction SE38, i will get lot of authorization objects, fields where i can decide whether i should allow only display or change or create etc. But if i create my own transaction, then i will not get these authorization objects. Where should i assign there objects for my transactions.
I tried to assign this in transaction se93, but that did not work.
Thanks in advance.
Best Regards,
Surendra<b></b><b></b>TRY with SE97.
and check the check box change mode and try running there you can change the authorizations..
vijay -
Is there any table for see Authorization object for Function code?
Hi,
I am facing problem in finding autho. object for function code.
My problem is, in tcode cor2 there is function Approval (in Menubar->process order->function->approval), I want to restrict this to some users.
So is there any way or table to see function code's authorization object..
Thanks...Hi ,
I such scenario the best way is to run trace (ST01) and analyse to find used/missing authorization objects.
Regards, -
Relate authorization object to transaction
Hi experts,
I am currently working on authorization on AS ABAP, creating roles containing different SAP standard transactions
Actually I wonder if it is possible to relate an auth. object to a certain transaction. This could be necessary for my authorization concept because there are several SAP standard transactions checking the same auth. object.
As an example take transactions SE16 and SM30. Both check auth. object S_TABU_DIS.
If I now want to create a role which gives a user the permission to edit customizing tables in SM30 but not in SE16 there is no way (until now I do not know one) to define an instance of S_TABU_DIS with read/write permission for SM30 and another instance with only read permission for SE16.
I tried to use two roles putting one transaction into each. When I give the user the "SE16 role" he has no write permission in SE16. But when I give him the "SM 30 role" too he has write permissions in both, SM30 and SE16.
Therefore I guess that the authorization of the SM 30 role "overwrites" the read-only permission of the SE16 role.
Now my question to you: Is there any way to bind an auth. object to a transaction, so that an authorization defined from an auth. object is only valid for a certain transaction?
Thanks in advance for all answers!
Best regards,
TorbenHi Bernard,
With transaction se93 you can add an authorization object to a transaction as far as I know. I never used it but it is possible. If you call transaction PFCG you see that object S_USER_AGR is used. I understood that this is a static authorization and the dynamic authorization is in the abap.
Have fun
Bye
Jan van Roest
Edited by: J. van Roest on Feb 18, 2011 12:15 PM
Edited by: J. van Roest on Feb 18, 2011 12:16 PM
Maybe you are looking for
-
Can I import my playlist from my ipod to my iTunes? My playlists in iTunes has disappeared....
I recently upgraded my old mac with a new mac. I transferred everything over and it worked (including the itunes xml file that contained my playlists). I erased my old mac and gave it to a friend. I synced my iphone to my new mac and all my playli
-
How to pass a table of data to transaction.
Hi, I need to pass several rows of data to an internal table of a bapi from a page . I know how to create a table in xMII transaction within itself. But I couldn't figure how to pass several rows from a HTML page to an input parameter of a Xacute que
-
How much storage do I need on a MacBook Air?
Hi, I am about ready to convert from a PC to a 13 inch MacBook Air for work purposes. I have been a Mac user personally since the beginning. I will use this computer for email, word docs, some music and some photos. My PC says I have only used 40gb o
-
Hello , I have a Problem with the Web-Version of Oracle-Discoverer. I make an Export in Web-Discoverer 11g. My Result has 700 000 records and if I export this into for example a Text file then I get 177 000 records in this file. Not enough. The same
-
I am currently deployed over seas.. I recently purchased a book that im pretty stoked about. but when i open it in ibooks i get ( incorrectly formatted or not formatted for ibooks to recognize) the file is an .epub so i dont see how it could be a for