Authorization on Lists

Similar Messages

• Authorization Object List

  Does anybody know of a document that lists each SAP authorization object and what functions you can restrict with each authorization object?
  I'm looking for something that says (for example) "If you want to restrict access to roles, use this"

  Hi Jim,
  See if the following help you:
  http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6873e07211d2acb80000e829fbfe/content.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/content.htm

• Authorization in List Entries appears to be failing

  In my application I have a number of Authorization Schemes defined in Shared Components which work fine everywhere but in List Entries in a Region. They appear to be being ignored as I expected the list entry not to appear if the Authorization Scheme returned false which would mirror the functionality when they are used in other components.
  Is this a bug, or have I a too simplistic understanding of them?

  rjh,
  I think this is not a bug. It is probably because your authorization function is run only once per session and not once per page view. See this example in my demo application:
  http://htmldb.oracle.com/pls/otn/f?p=31517:173
  Denes Kubicek
  http://deneskubicek.blogspot.com/
  http://www.opal-consulting.de/training
  http://htmldb.oracle.com/pls/otn/f?p=31517:1
  -------------------------------------------------------------------

• Error in  Authorization even after giving Colon authoriztion to users

  Dear Experts
  We have built a query which is having Sum GT function used and also Constant for some characterstics.
  But when we execute the query the user is getting not authorized message. If i run the query without  the SUM GT and Constant RKF and CKF its running fine.
  We have checked the rsec log for the error it says Colon authorization is required for the some chars which are authorizaiton relavant but we have given all the other chars : authorization but still i am getting the below message.
  Authorization Check Log
  For a general description see the Note 1234567
  Date and Execution Time (Local Server)
  Execution Date: 01.12.2011
  Execution Time: 15:33:23
  Executed Query: ZM_SD_M22/ZM_SD_M22_Q_00010
  Transaction RSRT ( BW - output test )
  Executed by User P00010784
  Executed with Analysis Authorizations of Another User P00007960
  Software Component  Release  Level  Support Package 
  SAP_ABA  700  0021  SAPKA70021 
  SAP_BASIS  700  0021  SAPKB70021 
  SAP_BW  700  0023  SAPKW70023 
    InfoProvider Check  
  Building the Buffer...
  ...Buffer Built
  Are there authorizations for accessing InfoProvider ZM_SD_M22 with activity 03?
  Authorization exists for general access to InfoProvider ZM_SD_M22 with activity 03 
    Relevant Characteristics for Detailed Authorization Check  
  (Characteristics with Full Authorization Are Not Listed!)
    List of Effective Authorization-Relevant Characteristics for InfoProvider ZM_SD_M22:  
  0DF_HRPOSTN 
  ZCUS_MAT__ZSD_HEQT 
  ZC_CUST__ZSD_HEQT 
  ZSD_HEQT 
    Authorization Check  
    Detail Check for InfoProvider ZM_SD_M22  
    Preprocessing:  
  Selection Checked for Consistency, Preprocessed and Supplemented As Needed
  Subselection (Technical SUBNR) 1
  Check Node Definitions and Value Authorizations...
  Node- and Value Authorizations Are OK
  Subselection (Technical SUBNR) 2
  Check Node Definitions and Value Authorizations...
  Node- and Value Authorizations Are OK
  End of Preprocessing
  Filling the Buffer...
  ...Buffer Filled
    Main Check:  
    Subselection (Technical SUBNR) 1  
  Supplementation of Selection for Aggregated Characteristics
    Check Added for Aggregation Authorization:     0DF_HRPOSTN  
    Check Added for Aggregation Authorization:     ZCUS_MAT__ZSD_HEQT  
    Check Added for Aggregation Authorization:     ZC_CUST__ZSD_HEQT  
    Check Added for Aggregation Authorization:     ZSD_HEQT  
    Authorizations missing for aggregation (":")  
  Characteristic  1        2       3 
  0DF_HRPOSTN    Node      I EQ :      I EQ :   
  ZCUS_MAT__ZSD_HEQT    I EQ :      I EQ :      Node   
  ZC_CUST__ZSD_HEQT    I EQ :      I EQ :      I EQ :   
  ZSD_HEQT    I EQ :      Node      I EQ :   
  Entries marked with red do not have aggregation authorization
  You can find more information about this here 1140831
    The authorization check stops here as this selection is no longer needed  
    Message EYE007: You do not have sufficient authorization  
    No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
    Subselection (Technical SUBNR) 2  
  Supplementation of Selection for Aggregated Characteristics
    Check Added for Aggregation Authorization:     0DF_HRPOSTN  
    Check Added for Aggregation Authorization:     ZC_CUST__ZSD_HEQT  
    Check Added for Aggregation Authorization:     ZSD_HEQT  
  List of authorizations that provide authorization for selection on ":" (aggregation):
  Characteristic  3 
  0DF_HRPOSTN    I EQ :   
  ZC_CUST__ZSD_HEQT    I EQ :   
  ZSD_HEQT    I EQ :   
  Please guide me what else is required to get the report running.
  Thanks and Regards
  Sree
  Edited by: CRMKNW on Dec 4, 2011 9:43 AM

  Shivraj,
  I have done the way to display the authorization but still its giving the error no authorization  and for change  i have removed the Auth relavant Char from the filter which is having the variable (authorization type ) now its showing the report but four Key figure columns are not shown.
  These key figure columns are SUM GT function  which will bring the total value of a characterstic. So where am i going wrong because as i have given the : authorizaiton it should give the aggregated value for these columns and give full details for his authorized zone.
  if i don't add the variable its giving all the data without these four key figures what i am expecting is it should give data for the authorized zone but also show the aggregated value in the SUM GT key figures as they are authorized with : authoriztion.
  Thanks and Regards
  Sree

• Problem with setting Authorization

  Hi,
  I created a sample survey using the downloadable Survey app on the hosted apex site. The Survey is meant to be public, but I want the Admin, reports pages to require login.
  At first it looked very straightforward since when I click on security for the page attributes, there already seems to be an Authorization Scheme listed in the drop down list "Must Not Be Public User" and an Authentication item "Page Requires Authentication". Looked perfect for what I needed. But when I apply the changes, the public user still can access the pages! What am I missing? Or am I too naive to think such functionality was actually built into this version of Apex and applicable to this particular application.
  PM

  PM -
  Something I've done is to create custom Authorization schemes for the types of users that access my applications through Single Sign On. I grab their ID and then do a select based on a table where I identify the level of security they have. And then I set the Authorization to "Page requires authentication".
  In my authorization scheme I use a PL/SQL function that returns a boolean to determine what the user may or may not be able to see.
  My code is something like:
  CASE
  WHEN my_pkg.authenticate_user(&APP_USER.) = 'SURVEY_ADMIN' THEN
  RETURN true;
  END CASE;
  Hope this helps.

• Which table could i find 'Authorization Group'  used for Material master?

  Hi experts,
  Is there any table available could i find all 'Authorization Group' list as used by material master data.
  OR in SPRO, anywhere could i find 'Define authorization group' for material master data specific??
  Thanks.

  Hi
  Authorization group in the material master are maintained at the material type level.
  SPRO->IMG-> Logistics - General-> Material Master-> Basic Settings-> Material Types-> Define Attributes of Material Types
  List of authorization roups can be found in table T134-Material Types
  this filed is a free defined 4 charcter field.
  Thanks & Regards
  Kishore

• Authorization requirement

  hi,
    this is my requirement
  how to provide authorization to be primarily based on
  plant code
  purchasing group
  material group
  incoterm
  vendor account group.
  please provide me the procedure and if there is any code for it please provide.
  thanks in advance

  PARAMETERS carr TYPE spfli-carrid.
  AT SELECTION-SCREEN.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'CARRID' FIELD carr
      ID 'ACTVT'  FIELD '03'.
    IF sy-subrc <> 0.
      MESSAGE 'No authorization' TYPE 'E'.
    ENDIF.
  AUTHORITY-CHECK OBJECT auth_obj [FOR USER user]
                          ID id1 {FIELD val1}|DUMMY
                         [ID id2 {FIELD val2}|DUMMY]
                         [ID id10 {FIELD val10}|DUMMY].
  Addition:
  ... FOR USER user
  Effect
  This statement checks whether authorization is entered in the user master record of the current user or the user specified in user for the authorization object entered in the field auth_obj, and whether this authorization is sufficient for the request specified in the statement. A flat character-type field that contains the name of an authorization object is expected for auth_obj. Without the addition FOR USER, the authorization of the current user is checked.
  With id1 ... id10, you must have at least one and can have a maximum of 10 authorization fields listed for the authorization object specified. With id1 ... id10, "flat", character-type fields are expected that contain the name of the authorization fields in uppercase letters. If an authorization field is specified that does not appear in the authorization object, no check can be executed and sy-subrc is set to 4. For each specified authorization field, you must specify with FIELD either a value to be checked in a flat, character-type field val1 ... val10 or the addition DUMMY.
  The authority check is carried out if the check indicator for the specified authorization object for the current context is set to check with any proposal status. If the check indicator is set to no check, no authority check is carried out and sy-subrc is set to 0, as with a successful check.
  The authorization check is successful if one or several authorizations are created for the authorization object in the user master record and if - for at least one of the authorizations - each of the value sets defined there for the authorization fields specified using FIELD includes the value val1 ... val10 to be checked. Authorization fields that are not included in the statement or that have DUMMY specified for them are not checked. If the check is successful, sy-subrc is set to 0. Otherwise, it is set to a value not equal to 0 (see below).
  System Fields
  sy-subrc Meaning
  0 Authorization successful or no check was carried out. An authorization for the authorization object was found in the user master record. It's value sets include the specified values.
  4 Authorization check not successful. One or several authorizations were indeed found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect or too many authorization fields were specified.
  12 No authorization was found for the authorization object in the user master record.
  24 Incorrect authorization fields or an incorrect number of authorization fields was found. This return value is no longer set since Release 6.20. Up to Release 4.6 it is set only if the profile parameter "auth/new_buffering" has a value less than 3.
  40 An invalid user ID has been entered in user.
  Notes
  The authorization fields of an authorization object are fields for data and a field with the name ACTVT for activities. Activities are represented by abbreviations with two characters that are defined in the ACTVT column of the database table TACT or have a customer-specific definition in TACTZ. Possible activities are assigned to the authorization field ACTVT in the authorization object. In the user master record, you have authorizations for data and activities in the form of operands for logical expressions stored as value sets. Here, masking characters can be used for generic authorizations.
  When checking the authorization of the current user without the addition FOR USER, the content of the system field sy-uname is not evaluated, but the actual user name is used instead.
  The most important contexts for which check indicators can be set are transactions. The execution of a statement AUTHORITY-CHECK can have different results depending on how the current program flow was started. In general, a check indicator should always been set to check.
  For authorization objects of the areas SAP NW AS ABAP (BC) and human resources management (HR), a check indicator cannot be set to no check.
  Addition
  ... FOR USER user
  Example
  Check as to whether the current user has the authorization required for displaying the airline that he specifies on the selection screen. The used authorization object is called S_CARRID and includes the authorization fields CARRID for the name of an airline and ACTVT for the activity. The abbreviation "03" stands for the "Display" activity and is one of the activities that are assigned to the authorization object S_CARRID.
  PARAMETERS carr TYPE spfli-carrid.
  AT SELECTION-SCREEN.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'CARRID' FIELD carr
      ID 'ACTVT'  FIELD '03'.
    IF sy-subrc <> 0.
      MESSAGE 'No authorization' TYPE 'E'.
    ENDIF.

• ISE Selecting wrong authorization profile

  Hi,
  We are testing ISE in a wired environment.
  We have set up two authorization profiles called AD_Machine and AD_User as recommned in Trustsec 2.0 doc.  The AD_Machine policy has a condition set on it to look at the AD External Group AD Machines, likewise the AD_User has a condition to look at AD External Group AD Users.  At the end of the authorization policy list we have the default policy, this is set to WEBAUTH authorization profile.
  What we see is machine auth is granted by the WEBAUTH policy as this is catch all.  If I disable WEBAUTH it picks AD_Machine, also if I enable WEBAUTH and remove the AD External Group AD Machines condition it also selects the correct policy.
  There seems to be some kind of timing issue when authorizing against an external DB.
  Any ideas?
  Thanks.
  Gary

• Authorization Object for Account Assignment field

  HI all,
  We wanted to restrict the users from creation of PO (in ME21N) against the specific Internal Orders (Account assignment KNTTP='F'). So that user can use Internal orders assigned to his Business Area only.
  Which authorization object i can use to restrict the user to use specific Internal order during PO creation and change. ??? I tried to check authorization object listed under t code ME21n but none of them restrict Internal order.
  Is there any std. object available, if not then what I need to do while creation of customized authorization object (in SU21), how system will call this authorization object in ME21N while using Acc. Assignment u201CFu201D. more detailed answers will be more useful.
  Thanks...

  Hi frnd...
  i think you want to allow all users to use acct. ***. "F",
  but you want to stop the user from using ir-relevant internal orders.
  For this, i think you can create a "Z" table having fields:
  1)User ID - (key field)
  2)Internal Orders - (key field)
  3)Access.
  Make the entries of the users against the internal orders. (if you  want any user to access all the internal orders, then make entry (*) in the field access. 
  While creating GRN check these entries, if the entry exist, let user use that internal order, if not give the error as you are not authorized.
  To do all these, you have to use user - exit. which one i dont  know...
  kindly let me know, if you use any.
  njoy SAP...
  njoy Lyf...
  Regards,
  Amit P Hiran

• User cannot access

  hi,
  i  am new to this forum,i have one doubt,
  user cannot access one authorization field , how can i analysis this issue, i know su 53 for find the authorization field...but user have 100 roles... how can i find the which role and object...plz help me..

  Hi Hassan,
  This is not the correct category. This message should be opened under security item. However, you can find the whole required authorization objects list, by using ST01 trace.
  Best regards,
  Orkun Gedik

• VPN remote site tunnel-all with web and email filtering at core

  I'm helping a client setup a 'tunnel-all' VPN from remotes to the core.  That's not difficult - there's enough commentary in the community and I can set it up in the lab.  The rub comes with the location of the web filter box in particular - it's currently in-line with the inside interface of the ASA.
  What does the topology for a typical tunnel-all VPN with web filtering at the core look like?  Can't put my hands on any quickly.
  We only have one ISP conn at this time.  I have a layer-3 switch at the core too.
  Thx

  Hi,
  Thats a good question.
  I haven't thought about this part of VPN filtering much as I've usually had to open only a few ports. But if you really need to open all traffic from local to remote, you will also be doing the same for the other direction in the same ACL ACE rule.
  The only thing I can come up with right now is to stop using VPN Filter list and change the "sysopt" setting so that ASA wont let VPN traffic past the outside interface without checing the outside interface ACL
  The Configuration command (8.2) is the following:
  sysopt connection permit-vpn
  For traffic that enters the adaptive security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command  in global configuration mode to allow the traffic to bypass interface  access lists. Group policy and per-user authorization access lists still  apply to the traffic. To disable this feature, use the no form of this command. sysopt connection permit-vpn no sysopt connection permit-vpn
  Though if you change this setting, you will have to take this into account with every VPN Client or L2L VPN you have configured so far.
  After this you can create rules on your outside interface access-list to limit remote user access to your local network. From local to remote networks you can use the access-lists assigned to each interface in question.
  Hope this helps
  - Jouni

• Problem with L2TP with Cisco 3845

  Dear all
  I have the following scenario for my dailup network.
  MaxTNT(LAC) ---Ethernet--- Cisco3845 (LNS)
  I have configuered MaxTNT Dailup server to act as LAC and launch a L2TP Tunnel after authenticating with Radius Server. Cisco 3845 acting as LNS estblishes L2TP tunnel with LAC and Dailup Users get connected on it as VPDNpppOE users.
  However problem i am facing is that i don't receieve any authentication request on Cisco LNS. As soon as user gets connect it sents Accouting Request only.
  I need authorization request in order to Push various different AVP from radius. But its not happening.
  Anyone have any idea what could be wrong here?? is thre any specific parameter i need to set up Cisoc.. or on MaxTNT????
  Waiting for reply

  To enable the Layer 2 Tunnel Protocol (L2TP) tunnel server or network access server (NAS) to perform remote authentication, authorization, and accounting (AAA) tunnel authentication and authorization, use the vpdn tunnel authorization network command in global configuration mode. To disable remote tunnel authentication and authorization and return to the default of local tunnel authentication and authorization, use the no form of this command.
  vpdn tunnel authorization network {list-name | default}
  no vpdn tunnel authorization network {list-name | default}

• Exit in SM30?

  Hi All.
  We want to restrict some users from going into some tables in SM30 transaction. I know we can assign authority at table level, but problem is those are standard SAP tables and the same profile is given to some other tables which the users can access.
  Is there any user exit in SM30 whereby we can achieve it?
  Thanks.

  Look at [Authorization Object S_TABU_DIS (Table Maintenance)|http://help.sap.com/saphelp_nw04/helpdata/en/1e/e867408cd59b0ae10000000a155106/frameset.htm]
  Objects to check
  - [TDDAT|https://www.sdn.sap.com/irj/scn/advancedsearch?query=tddat&cat=sdn_all] Maintenance Areas for Tables - attach a database/view to an authorization group (SM30 on view V_DDAT)
  - [TBRG|https://www.sdn.sap.com/irj/scn/advancedsearch?cat=sdn_all&query=tbrg&adv=false&sortby=cm_rnd_rankvalue] Authorization groups - list of (SM30 on view V_BRG)
  -  [S_TABU_DIS |https://www.sdn.sap.com/irj/scn/advancedsearch?cat=sdn_all&query=s_tabu_dis&adv=false&sortby=cm_rnd_rankvalue] Table Maintenance (via standard tools such as SM30) Maintain system tables
  -  [S_TABU_CLI|https://www.sdn.sap.com/irj/scn/advancedsearch?cat=sdn_all&query=s_tabu_cli&adv=false&sortby=cm_rnd_rankvalue] Maintain cross-client tables
  -  [S_TABU_LIN|https://www.sdn.sap.com/irj/scn/advancedsearch?cat=sdn_all&query=s_tabu_lin&adv=false&sortby=cm_rnd_rankvalue] Line-oriented Authorizations
  If you are not satisfied with this, you may enhance the check, look at OSS [Note 1030838 - SM30: View Maintenance Authorization Enhancement|https://service.sap.com/sap/support/notes/1030838]
  Regards

• ISG does not send Access-Request to download service definition

  Hi guys, 
  I got these configs on my ISG and when I see the packets between AAA and ISG router, there's no access-request for downloading the service definition! 
  policy-map type control PPPoE_MAIN_POLICY
   class type control always event session-start
    10 authenticate aaa list PPPoE_AUTHE 
    15 authorize aaa list PPPoE_AUTHO password cisco identifier source-ip-address
    20 service local
   class type control always event service-start
    5 collect identifier source-ip-address
    10 service permit
    20 service-policy type service identifier service-name
    30 log-session-state 
   class type control always event account-logon
   service-policy type control PPPoE_MAIN_POLICY
  And here's the picture of Access-Accept with bunch of specified not-cached services 
  Any idea I appreciate it in advance. 

  Hi,
  Could you share your full config? It would be good to check your AAA config since that will influence how service profiles are downloaded.
  Also, could you briefly explain the goal of your config? Do you simply want to apply services "SRV_INTERNET_PRIMARY" and "SR_INTERNET_128K_5G" via autosevice?
  Regards

• GRC AC 5.3 - RAR Parameters

  Hello,
  I have the following 8 queries related to GRC AC 5.3 RAR parameters
  When I go into RAR -> Configuration -> Miscellaneous, I see the following entries.
  Maximum Display Lines For Print Preview 
  This parameter specifies the maximum number of lines to be displayed in print preview mode; the default value is 500
  1- What is the Print Preview of the lines for? Can I make it 10000 instead of 500. Is there a performance impact?
  Background Job Spool File Location 
  This parameter specifies the location where the background job spool files are stored Note: You need to restart the server
  2- Why do I need the Background Job Spool File location? Is it when I use Default Logger parameter as SAP Logger? Currently we are using the Default Logger parameter as Java Logger
  Alert Log File Name and Location 
  This parameter specifies the location where the action usage purged data files are stored
  3- Whey do I need this Alert Log file parameter for? I mean how is the Alert Log file generated in RAR 5.3
  SAP Application Server Location 
  Enter SAP application server location here
  4- Why do I need SAP Application Server Location, when I have installed SAP GRC 5.3 on standalone SAP JAVA Stack?
  FTP Site Location 
  Enter FTP site location here
  5- What should the FTP site location be given as? Should I give a fully qualified domain for a particular host for the FTP of above RAR background job log files and RAR Alert log files?
  6- Do we have the background job log files FTP into another host, if Default Logger parameter is chosen as SAP Logger?
  FTP Site User Name 
  Enter FTP site User Name here
  7- What is the best practice for specifying a FTP User? I mean what is the username normally given in RAR environment?
  8- Is there any OSS Note, SAP Help URL which  describes about RAR parameters in detail?
  Thanks,
  Haleem

  Hi,
  > Maximum Display Lines For Print Preview 
  >  This parameter specifies the maximum number of lines to be displayed in print preview mode; the default value is 500
  >
  > 1- What is the Print Preview of the lines for? Can I make it 10000 instead of 500. Is there a performance impact?
  > 
  You should used 500 only.
  > Background Job Spool File Location 
  > This parameter specifies the location where the background job spool files are stored Note: You need to restart the server
  >
  > 2- Why do I need the Background Job Spool File location? Is it when I use Default Logger parameter as SAP Logger? >Currently we are using the Default Logger parameter as Java Logger
  > 
  No, background job spool file location is something different from logger. Background spool file location is the location where
  spool file of your background job will be generated.
  Diferent between Java Logger and SAP Logger is that if you choose SAP Logger then log file of your RAR will be generated in NWA. But if you will choose as Java Logger then log file will be generated as separate file as ccappcomp.<n>.log which you will see in CC debugger.
  > Alert Log File Name and Location 
  > This parameter specifies the location where the action usage purged data files are stored
  > 
  > 3- Whey do I need this Alert Log file parameter for? I mean how is the Alert Log file generated in RAR 5.3
  >
  check below link:
  Compliance Calibrator Alert Generation Issue
  > SAP Application Server Location 
  >  Enter SAP application server location here
  > 
  > 4- Why do I need SAP Application Server Location, when I have installed SAP GRC 5.3 on standalone SAP JAVA Stack?
  >
  > FTP Site Location 
  >  Enter FTP site location here
  >
  > 5- What should the FTP site location be given as? Should I give a fully qualified domain for a particular host for the FTP of above RAR background job log files and RAR Alert log files?
  > 6- Do we have the background job log files FTP into another host, if Default Logger parameter is chosen as SAP Logger?
  >
  > FTP Site User Name 
  >  Enter FTP site User Name here
  >
  > 7- What is the best practice for specifying a FTP User? I mean what is the username normally given in RAR environment?
  The following new reports can have long runtimes:
  - User Authorization Count
  - Role Authorization Count
  - List Expired and Expiring Roles for Users
  - For that reason These jobs run on ABAP side and produce a spool file. An icon is displayed on the front-end for the jobs that complete. (If you run jobs on all systems and it finishes on one system before another the icon will display for the finished system first)
  - The report directory on the SAP Enterprise Resource Planning (ERP) application servers. This is the temporary storage location for spool files generated by these background jobs.
  - The same directory name is used for all SAP backend systems.
  - The location, user name, and password for FTP of security reports generated by backend SAP ERP systems.
  > 8- Is there any OSS Note, SAP Help URL which  describes about RAR parameters in detail?
  Note 1121978 - Recommended settings to improve peformance risk analysis
  Check below link for performance optimization of RAR:
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/90aa3190-8386-2b10-c4ba-ced67322ea6d?quicklink=index&overridelayout=true
  Thanks
  Sunny