Authorization of Organizational elements at user level

Similar Messages

• PM Organization Units Authorization on User Level

  Hello experts,
  Is there a way to add authorization for an organization unit (i.e. Planning Plant) on a user (SU01) level and not on a authorization objects (PFCG) level?
  For example,
  I would like to create the following Role (profile):
  ZPM_AUT_EQM_EQUIPMENT_DISPLAY
  This role should be able to display equipment from the Plant Maintenance module.
  However our problem is, we would like to create authorization levels with organizational units for each user:
  For example:
  User jsmith has ZPM_AUT_EQM_EQUIPMENT_DISPLAY assigned but can only display equipment from Planning Plant SL01.
  We know we can create this authorization creating several roles, like:
  ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SL01
  ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SJ01
  ZPM_AUT_EQM_EQUIPMENT_DISPLAY_AG01
  but our idea is not create several roles, but to assign the Planning Plant authorization on a user level and leave just one role so we would only need ZPM_AUT_EQM_EQUIPMENT_DISPLAY.
  Is there a way to do this?
  Thank you in advanced for your replies.
  Best regards,
  Fernando Montenegro

  Hi ,
  Could you share about your solution ? I think I have face the same problem as yours.

• Organization Units Authorization on user level

  Hello experts,
  Is there a way to add authorization for an organization unit (i.e. Company Code) on a user (SU01) level and not on a authorization objects (PFCG) level?
  For example,
  I would like to create the following Role (profile):
  ZFI_AP_REPORT_DISPLAY
  This role should be able to display AP report from the Financial module.
  However our problem is, we would like to create authorization levels with organizational units for each user:
  For example:
  User Anson has ZFI_AP_REPORT_DISPLAY assigned but can only display Report from Company Code 3202.
  We know we can create this authorization creating several roles, like:
  ZFI_AP_REPORT_DISPLAY_3201
  ZFI_AP_REPORT_DISPLAY _3202
  ZFI_AP_REPORT_DISPLAY_3203
  but our idea is not create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.
  Is there a way to do this?
  Thank you in advanced for your replies.
  Christine Tseng

  I agree with Jurjen.  There is no point creating a "new" authorisation concept for a few transactions.  If you use standard authorisation objects for the check in your custom tcodes then you will likely have very little work to do if you assign those tcodes to existing roles.
  Even using a custom auth object & creating the variants will take up no more time than doing something like repeating the variable functionality in BI or messing about with PIDs in the UMR (which I definitely do not recommend).  By sticking with the standard concept you ensure consistency, making it much easier to support and/or handover if you move on from the role.

• Authorization at data element level

  Hi all,
  I have a requirement where i have to put a authorization check at data element BANKN .
  In all the transactions which use BANKN data element( e.g FK01 , FK02, FK03 etc) , i need to put an auth check for Bank number .
  Only those users who are authorized will be able to see the Bank number, other wise the field will be masked by ******* .
  I tried with field exit , howerever , it gets triigerrred only at Change (that too not completely satisfying the requirement.)
  Please provide me a solutiion for the same.
  Also , how to mask a particulat field based on a condition
  Thanks
  Supriya Murudkar

  As I said, most of the time, you should do modification of the standard. In 4.7, you only have SSCR.
  I don't know FK* transactions, so I can't tell you if there is a BTE for that.
  You should have better mentioned them in the title of your post to get more chance to have an answer, and do not mention "authorization at data element" (people wouldn't read it as it makes no sense in SAP).
  By the way, another solution would be to use authorizations at transaction level: authorized people would use FK* transactions where bank field would be displayed, while some other people would use ZFK* transactions where bank field is NOT displayed, using transaction and screen variants

• DIR Authorization by Organizational Level

  Hi fellows!
  I would like to know if it is possible restrict access of DIR by organizational levels?
  Example: I need that if User A from plant 1234, creates a DIR type AAA number 0001, the User B from plant 4567 shouldn't have to access this DIR type AAA number 0001. I want that the users only can access the DIRs created by the plant which they have access.
  In the master roles of DMS I didn't find any object to help me in this scenario. I dont want to use the ACL to restrict the access of the documents. I want that this restriction has to be done by authorizations rules as in other areas.
  Can someone help me with some idea or case about this?
  Best Regards!
  Daniel
  Edited by: D Quintal on Nov 25, 2010 5:43 PM

  Hi Daniel,
  Its quite possible to achieve your requirement.
  There is a field called 'Authorization group' in a DIR if you have observed.This enables you to restrict authorization at Document level in addition to authorizations at Document Type and Status level.Suggest you create Authorization Groups like Plant1234,Plant4567 and so on with the help of your ABAPer.Now assign the required users to these Authorization groups.
  Once implemented,whenever a DIR is created and specific Authorization group is assigned, only those users part of this Authorization group will be able to process/access this DIR.Hope this addresses your requirement.
  For details on implementing Authorization group in DMS,refer link,
  http://wiki.sdn.sap.com/wiki/display/PLM/UsingAuthorizationGroupfieldin+DMS
  Regards,
  Pradeepkumar Haragoldavar

• Restricting Authorizations to Variants at User level

  Hi SAPians,
  Can you help me to know how can I restrict variants to be displayed for particular users.?
  Example: I am creating 5 variants in EMMACL transaction and give authorizations for the users only to particular Variants as below:
  1. Variant1 --> Can be access by only users ERP-EHK, ERP-SAP & ERP-EJS
  2. Variant2 --> Can be access by only users ERP-EAS & ERP-HJG.
  3. Variant3 --> Can be access by only user ERP-EMM
  4. Variant4 --> Can be access by only users ERP-EHK & ERP-UJY
  5. Variant5 --> Can be access by only user ERP-EAS
  Let me know how I can achieve the above requirement?

  Hi,
  i have assigned it at user level then why iam i
  getting the currency code of site level ?Did you user to logout and login again after setting the profile option at the user level?
  What if you set this profile option at the site/application/responsibility level, can you reproduce the issue then?
  Thanks,
  Hussein

• Defaulting organizational elements from PD to WBSE

  Hi PS Experts ,
  I would like to default some of the organizational elements like Company code /  Functional area from Project definition to WBS elements .
  In other words , a user while creating the PD he/ she enters these data and these data should be defaulted to the WBS elements automatically  .
  These data shall not be defined in project profile  and we dont want them to default from project profile as There can be many many functional areas .So, entering these at PD level shall be confusing to the users .
  Experts insights is very much appreciated.
  Regards
  Judy

  Hi Experts,
  The issue here is , although intially the org elements are being defaulted however , when there is change in the Org element at PD level , then this change is not being defaulted and the WBS elements are retaining the same old value.For exanple:If Funcational area at PD level initially is A00  , and this is being defaulted to WBS elements .When there is a change   from A00 to A01 at PD level then this A01 is not defaulted to WBS Elements and the WBS elements still possess A00 and the user has to manually change all those values....
  Any suggestions please ......
  Regards
  Judy

• Issue in User Level Simulation in GRC 10.0

  Hello Every one,
  Before i Jump into the question, please find below the screen shot which tells about the B.P(Business process),Functions created in test system(GRC 10.0), where as the roles and corresponding users which have been created in back end system connecting to GRC 10.0.
  Now when i am trying to run a risk analysis on user TEST_RISK(TEST_ROLE_RISK role is assigned and pfa the authorizations in the role), i will be shown the Risk R001.
  Now i am trying to run user Level Simulation on the above user TEST_RISK and i am trying to simulate by adding a new role TEST_ROLE_RISK3 as shown in the below screenshot at Action level,Permission Level,Critical Action level ,Critical permission level.
  Even though i select the option, Risk from Simulation only, when i try to execute at action level , it is also showing me the risk which coming from the actual role assigned but not from the simulating one.
  Thanks and Regards,
  Naga.

  Hi Naga,
  there are some notes which might help to fix the problem. Especially the first might fix your problem.
  http://service.sap.com/sap/support/notes/1895502
  http://service.sap.com/sap/support/notes/1953347
  Please let us know if it helped.
  Regards,
  Alessandro

• User level settengs for Report Painter GR55

  HI All,
  When user is trying to extract a cost center report from Report Painter GR55. User is not getting the values for few line items for last FI year (2010) and he is able to see the values for current year (2011).
  Tried with parameters, authorizations and settings with other user (able to see the report) who is having same roles authorizations.
  Please suggest if there are any user level setting related to above.
  Regards,
  Hamed

  did you check in transaction RPC0?
  Maybe you have some value at user settings level.
  br, Guido

• Issue with Total Number of SODs at user level.

  Friends,
  Quick question -
  We are using GRC 5.3 Production on NT 20003 server. and back end systems are ECC 6.0
  1.We added the Additional Role to one of the business users in ECC 6.0
  2.We ran the FULL synch after adding this role in backend.
  Issue : The total number of SODs did not change for users, even though the SODs for this business users did increase about 300.
  Locations of Screen
  Informer Tab ->> Risk Violoations.
  Analysis Type -> Users
  Does anyone has any idea how this numbers get interpreted?
  The Total number of Violations for permission should increase, if user level SOD gets increased, as per our understanding.
  PT

  It should be in below sequence -
  1. Full or incremental sync for user/role/profile
  2. Full or incremental batch risk analysis for role/user/profile
  3. Management report
  The view you see is management report, which is based upon above jobs. FIrst jobs does high level sync like user/role/profile addition/deletion etc. Second job actually does risk analysis. Third one fills up the management view. If your batch risk analysis was run on  Aug 30 aug 10 and management report after completion of the same, the report will show the same data till you run these jobs again even there are many changes in backend authorization.
  Hope it clarifies your query.
  Regards,
  Sabita

• Reg Number of elements at this level and Variables

  Hi Experts,
  What is the purpose of Number of elements at this level in the dimensional hierarchy of BMM layer on what basis default it will show 1 if we change this value into 2 what happens .
  Difference between non system session variables and dynamic repository variables in which scenarios we will use these bth variables.

  Hi Rafi,
  Sorry for delay response.
  Nonsystem Session Variables :-
  The procedure for defining nonsystem session variables is the same as for system session variables.
  A common use for nonsystem session variables is setting user filters. For example, we could define a nonsystem variable called SalesRegion that would be initialized to the name of the user’s sales region.
  We could then set a security filter for all members of a group that would allow them to view only data pertinent to their region.
  2. difference between dynamic repository variables and non-system session variables?
  Dynamic Repository Variables:-
  We initialize dynamic repository variables in the same way as static variables, but the values are refreshed by data returned from queries. When defining a dynamic repository variable, we will create an initialization block or use a pre-existing one that contains a SQL query. We will also set up a schedule that the Oracle BI Server will follow to execute the query and periodically refresh the value of the variable.
  Note: When the value of a dynamic repository variable changes, all cache entries associated with a business model that reference the value of that variable will be purged automatically. Each query can refresh several variables—one variable for each column in the query. We schedule these queries to be executed by the Oracle BI Server.
  Hope this help's
  Thanks,
  Satya

• Running Risk analysis at User Level(CC)

  Hi
  Please Clear my query, wat is the difference between running the risk analysis at userlevel Violation count by Risk and Violation count by Permission.
  violation count by Permission, the total number of violations are 377,569.
  Violation count by Risk,the total number of violations are 11,716.
  Thanks & Regards

  Hi Karuna,
  When you perform Risk Analysis at User level and choose violation count by Permission/Risk. Here are the details of each analysis:
  1. Violation Count by Risk
  This analysis will display the count of how many SOD risks associated with the users existing in each business process like FI, HR, MM, PR, SD.
  It will display as a bar graph or pie chart. If you choose each of the business processes and drill down to the particular SOD risk,P001 then you can display how many users have that risk, P001
  2. Violation Count by Permission
  This analysis will display the count of SOD violations at the action/permission level associated with the users existing in each business process.
  If you choose the conflicting functions inside each SOD risk, and then expand on the permission tab you will understand why the huge number of violations it is showing.
  In the Risk information screen, in Conflicting Functions, click the AP02 u2013 Process Vendor Invoices link to display the SAP transaction codes and the authorization objects. There are 26 different transactions in SAP to Process Vendor Invoices and another 185 authorization object values u2013 all come preconfigured out of the box.
  Choose the Permission tab. Expand Action F-42. Open an authorization object to show field values. By looking at all possible permutations of actions/permissions of one business function with all actions/permissions of the second business function, you can understand how the system arrives at the number of violations.
  Hope this will help you understand better.
  Regards,
  Kiran Kandepalli.

• LSO course authorization for Organizational Unit

  Hi,
  Is is possible to restrict courses in a course catalog according to Organizational unit. In the system we can restrict users to specific courses through structural authorization, but is it possible to maintain authorizations on Organizational units for LSO Courses or course types.
  Regards,
  Asad

  Disappering is the right behavior. On delivery method WBT participant type 'O' cannot be booked because WBT can be only accessed using Learning portal and Learning portal cannot be logged in using Org. Unit. So this is not possible for this release.
  But i have heard in EHP4 this option of Org. unit booking on WBT is possible but not directly but system will take care if you select an org unit for booking.
  Regards, kavya
  Edited by: Kavya Shree on Oct 30, 2008 10:08 AM

• User level personalization not available

  Hi All,
  I went to one of our OA pages and clicked Personalize page. I m trying to personalize an item at user level. I see only Site, Function, Organization and Responsibility and can't see user level .
  Please let me know what needs to be done to enable the user level personalization for that page/item.

  User Personalization specifies whether the user can personalize a item. This property is relevant only in the case of user-defined views. Items that have the User Personalization property set to true only can be personalized by the user in the Create/Update Views page.
  Thanks
  --Anil                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

• Make all the forms at a user level or responsibility level to be read only

  Hi,
  Please suggest me to make all the forms at a user level or responsibility level to be read only. So that when a particular user logs in, he gets all the form in read only mode or at a particular responsibility all the forms are read only so that we can attach this responsibility to the user for the same purpose.
  Any ideas will be highly appreciated.

  check this blog,
  http://www.oracleappshub.com/11i/oracleapps-responsibility-vs-sap-functions/
  Re: How to change OM responsibility as read-only in oracle applications 11i
  read only responsibility-user