Authorization override in Kerberos EP landscape?
We are currently developing a mySAP solution including Portals, ECC and CRM. Looking to leverage single sign-on (SSO) we are considering scenarios that would look like:
- Kerberos authentication to a Windows domain via the Portal. Authentication would be automatic and invisible to the end-user.
- Portal issues SSO2 tickets as a result of the Kerberos authentication.
- Disable the use of passwords in CRM and ECC except for support accounts.
- End-users requiring SAPGUI would need to access the Portal first and use SSO2 to login to CRM or ECC with SAPGUI.
All of this appears to be standard configuration available for mySAP.
My question: In this scenario, is it possible to do a manual override at the Portal authentication stage? For support purposes, I would like my FBAs to be able to log in to SAP on an end-user workstation without requiring the user to log off the Windows domain.
Specifically:
- User A (end user) is logged onto the workstation and thus authenticated to the Windows domain.
- User B (FBA) accesses the Portal with User A's workstation and can manually login to the Portal with User B credentials, overriding the default authentication that would otherwise take place for User A.
regards,
Greg
Yes it is possible.
Try accessing the Portal directly on the Admin port, and if you clear all cookies on User A's machine, you should get a login screen which allows you to enter a userid/password.
So, once you get the login screen, User B with the needed Support roles can log in to the Portal.
We have a similar setup which works.
Regards,
Piyush
ps: Please reward points if you find this answer useful.
Similar Messages
-
We are planning to build our own BW Infocube for Authorizations.
This is required because we want to consolidate the authorization reports across our
production landscape (8 Systems) for the various interest groups - Administrators and Auditors.
I would appreciate it if anyone can share their experiences if they have done anything like this before.
Hello Mushtaq,
you can use standard functionality. There are scenarios available where you don't have to build custom InfoCubes or even develop programs.
Please have a look at the documentation.
1) Using existing authorizations
http://help.sap.com/saphelp_nw04/helpdata/en/a7/5ab43b6a596660e10000000a114084/frameset.htm
2) Generating authorizations
http://help.sap.com/saphelp_nw04/helpdata/en/56/25dc886b0611d5b2f50050da4c74dc/frameset.htm
Regards
Marc
SAP NetWeaver RIG, US BI -
How to use authorization object P_PERNR ?
Hi, Gurus~
In our system, there is a user whose User ID is "00041", and she can modify her own 0008. We want to control it so that she can only display her own 0008, but process 0008 for all other employees.
So, I use the authorization object P_PERNR to do this. I set the field values like this (totally copied from the SAP help for P_PERNR....):
Authorization level: W,S,D,E
Infotype: 0008
Interpretation of assignment personnel number: E
Subtype: *
and then, I maintain her master data 0105's subtype 0001-system user name as 00041.
I think she shouldn't be able to maintain her own 0008 now, but she still can maintain it.
I want to know why and how to solve it. Did I do it in the right way?
Thank you in advance!
P_PERNR HR: Master Data - Personnel Number Check
You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.
The following values are possible for the PSIGN field:
I = Authorization for personnel number assigned, that is for own personnel number
E = Authorization for all personnel numbers excluding own personnel number
You can assign a user a personnel number using infotype 0105, subtype 0001 (in earlier releases using the V_T513A view).
This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.
Example of Personnel Number Check P_PERNR
The authorization checks for P_ORGIN and P_PERNR are activated in the system. In addition, there are user assignments for some personnel numbers.
The user in our example is assigned a personnel number and is administrator responsible for the Basic Pay infotype (0008) of a personnel area (that is, the user has the corresponding P_ORGIN authorization). The employee should also be able to display his or her own data but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. The corresponding authorizations for the P_PERNR authorization object must be set up as follows:
First authorization:
AUTHC = R, M
PSIGN = I
INFTY = *
SUBTY = *
Second authorization:
AUTHC = W, S, D, E
PSIGN = E
INFTY = 0008
SUBTY = *
In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. You need to set up the appropriate authorizations for the HR: Personnel Number Check object as shown in this example.
The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write access to all data records of infotype 0008 for the employee's own personnel number in case the administrator is responsible at some point in the future for the personnel area to which he or she belongs.
As the following examples illustrate, inconsistent authorizations can be granted.
Example 1:
First authorization:
AUTHC = *
PSIGN = I
INFTY = 0014
SUBTY = M*
Second authorization:
AUTHC = W, S, D, E
PSIGN = E
INFTY = 0014
SUBTY = *
The first authorization grants the employee read authorization (AUTHC = R) for the Recurrent Payments/Deductions infotype (0014), subtype M120, which allows the employee to access the data stored under his or her personnel number. In this case, the second authorization is irrelevant.
The first authorization grants the employee write authorization (AUTHC = W) for the Recurrent Payments/Deductions infotype (0014), subtype B030, which denies the employee access to the data stored under his or her personnel number. In this case, the first authorization is irrelevant.
The first authorization grants the employee write authorization for the Recurrent Payments/Deductions infotype (0014), subtype M120, the second authorization denies the employee this authorization. The desired system response is unclear from this example. According to the documentation, the system response is undefined in such situations. In reality, the authorization check always denies authorization in unclear situations, that is E is stronger than I and therefore the authorization is not granted.
Example 2:
AUTHC = *
PSIGN = *
INFTY = *
SUBTY = *
This type of authorization is required by superusers with unlimited access, for example. The above authorization is appropriate if an employee wants to access an infotype. However, since PSIGN = * and * can be substituted for any value, PSIGN and E can also be interpreted as I. This can also lead to an undefined situation. In earlier releases, the authorization was denied on the basis of the rule E is stronger than I. This meant that superusers with assigned personnel numbers were not able to access their own personnel number. The programs have since been changed and now * is interpreted as I and is stronger than E. In other words, * is stronger than E and E is stronger than I, whereby * is interpreted as I.
As already indicated in Example 1, the combination of different authorizations can produce a complicated result. We therefore recommend that you avoid combinations where P_PERNR authorizations can be interpreted differently for the same combination of AUTHC(Authorization Level), INFTY(Infotype) and SUBTY (Subtype).
Misunderstandings arising from the complex situations described above are not the most frequent causes of customer inquiries, however. The most frequent cause is the incorrect assumption that authorizations by personnel number affect authorizations for non-assigned personnel numbers. This is not the case at all.
If you use authorizations by personnel number, you should always first set up all non-personnel number-related authorizations. As soon as you have done this, you should create different access authorizations for the personnel numbers that are assigned to users using appropriate P_PERNR authorizations. This is always possible since the P_PERNR authorizations override all other authorizations directly (except Test Procedures).
P_PERNR authorization checks cannot bypass test procedures directly. For instance, a test procedure is only carried out on the Recurring Payments/Deductions infotype (0014) if a corresponding P_PERNR authorization (with PSIGN = I) exists. If an appropriate authorization for the corresponding subtype of the infotype 0130 exists, it can be used effectively to carry out the test procedures. -
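The precedence rules described in this answer (the check applies only to the user's own personnel number; * is stronger than E, E is stronger than I), modelled as an added example that is not SAP code and not part of the original post. The personnel numbers are constructed, and returning NOT_APPLICABLE when the user accesses their own number without any matching P_PERNR authorization is an assumption of this model.

```python
"""Model of the P_PERNR precedence rules quoted above (added illustration, not SAP code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

GRANT, DENY, NOT_APPLICABLE = "GRANT", "DENY", "NOT_APPLICABLE"


@dataclass(frozen=True)
class PPernrAuth:
    authc: tuple  # authorization levels, e.g. ("R", "M") or ("*",)
    psign: str    # "I" (own number), "E" (excluding own number) or "*"
    infty: str    # infotype, may be "*"
    subty: str    # subtype, may be a pattern such as "M*"

    def matches(self, level, infotype, subtype):
        """True if this authorization covers the requested access."""
        return (
            any(fnmatchcase(level, a) for a in self.authc)
            and fnmatchcase(infotype, self.infty)
            and fnmatchcase(subtype, self.subty)
        )


def check_p_pernr(auths, own_pernr, target_pernr, level, infotype, subtype=""):
    """Return GRANT, DENY or NOT_APPLICABLE for one access attempt.

    own_pernr is the personnel number assigned to the user through
    infotype 0105, subtype 0001 (None if no number is assigned).
    """
    # The check does not take place for users without an assigned number
    # or for personnel numbers other than the user's own: the other
    # checks (for example P_ORGIN) decide in that case.
    if own_pernr is None or own_pernr != target_pernr:
        return NOT_APPLICABLE

    signs = {a.psign for a in auths if a.matches(level, infotype, subtype)}
    if "*" in signs:   # "*" is interpreted as I and is stronger than E
        return GRANT
    if "E" in signs:   # E is stronger than I
        return DENY
    if "I" in signs:
        return GRANT
    # Assumption of this model: with no matching P_PERNR authorization
    # the decision is left to the other checks.
    return NOT_APPLICABLE


# Constructed personnel numbers for the worked cases.
OWN, OTHER = "00001000", "00002000"

# Basic pay administrator: may display own data, may not change own 0008.
BASIC_PAY_ADMIN = [
    PPernrAuth(("R", "M"), "I", "*", "*"),
    PPernrAuth(("W", "S", "D", "E"), "E", "0008", "*"),
]

# "Example 1" from the text: overlapping I and E authorizations on 0014.
EXAMPLE_1 = [
    PPernrAuth(("*",), "I", "0014", "M*"),
    PPernrAuth(("W", "S", "D", "E"), "E", "0014", "*"),
]

# "Example 2" from the text: superuser authorization next to an E entry.
SUPERUSER = [
    PPernrAuth(("*",), "*", "*", "*"),
    PPernrAuth(("W", "S", "D", "E"), "E", "0008", "*"),
]


def worked_cases():
    """Evaluate the cases discussed in the text and return the outcomes."""
    return {
        "admin reads own 0008": check_p_pernr(BASIC_PAY_ADMIN, OWN, OWN, "R", "0008"),
        "admin writes own 0008": check_p_pernr(BASIC_PAY_ADMIN, OWN, OWN, "W", "0008"),
        "admin writes other 0008": check_p_pernr(BASIC_PAY_ADMIN, OWN, OTHER, "W", "0008"),
        "ex1 read M120": check_p_pernr(EXAMPLE_1, OWN, OWN, "R", "0014", "M120"),
        "ex1 write B030": check_p_pernr(EXAMPLE_1, OWN, OWN, "W", "0014", "B030"),
        "ex1 write M120": check_p_pernr(EXAMPLE_1, OWN, OWN, "W", "0014", "M120"),
        "superuser writes own 0008": check_p_pernr(SUPERUSER, OWN, OWN, "W", "0008"),
        "no assigned number": check_p_pernr(BASIC_PAY_ADMIN, None, OWN, "W", "0008"),
    }


if __name__ == "__main__":
    for case, outcome in worked_cases().items():
        print(f"{case:28s} {outcome}")
```

NOT_APPLICABLE means P_PERNR has no say and the remaining checks decide, which is why an E authorization alone never restricts access to other employees' records.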
JAAS, JGSS Kerberos and windows 2000 newbie question
Hi
I have set up a Kerberos server on Windows 2000, now I want to write code in Java to authenticate and authorize users using Kerberos. I know I have to use JAAS, JGSS.
Is there a how-to document to set up a client machine, like setting up the krb4.ini file and other security files so I can use Java to authorize and authenticate? I am using j2sdk1.4.2
I have the following code
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
public class TestGSS {
    static void useGSS() throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        // OID of the Kerberos V5 GSS-API mechanism
        Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
        // OID of the Kerberos V5 principal name type
        Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
        // Identify who the client wishes to be
        GSSName userName = manager.createName("test02EIM", GSSName.NT_USER_NAME);
        // Identify the name of the server. This uses a Kerberos specific
        // name format.
        GSSName serverName = manager.createName("krbsvr400/[email protected]",
                krb5PrincipalNameType);
        System.out.println("server name " + serverName.getStringNameType());
        // Acquire credentials for the user
        GSSCredential userCreds = manager.createCredential(userName,
                GSSCredential.DEFAULT_LIFETIME,
                krb5Mechanism,
                GSSCredential.INITIATE_ONLY);
        // Instantiate and initialize a security context that will be
        // established with the server
        GSSContext context = manager.createContext(serverName,
                krb5Mechanism,
                userCreds,
                GSSContext.DEFAULT_LIFETIME);
    }
    public static void main(String[] args) throws GSSException {
        useGSS();
    }
}
and krb5.ini file looks like below
[libdefaults]
default_realm = GL1AMR.PFIZER1.TEST
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
forwardable = true
proxiable = true
[realms]
GL1AMR.PFIZER1.TEST= {
kdc = gl1mopsamrdc01.gl1amr.pfizer1.test:88
admin_server = gl1mopsamrdc03.gl1amr.pfizer1.test
default_domain = gl1amr.pfizer1.test
}
[domain_realm]
.gl1amr.pfizer1.test = GL1AMR.PFIZER1.TEST
gl1amr.pfizer1.testm = GL1AMR.PFIZER1.TEST
[login]
krb4_convert = true
krb4_get_tickets = true
I get the following error
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:143)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.pfizer.maps.sso.TestGSS.useGSS(TestGSS.java:41)
at com.pfizer.maps.sso.TestGSS.main(TestGSS.java:59)
What am I missing?
My Java file has the code as follows; when I run this code I am getting the following error
Error
D:\Ramesh_Dump\KerbersTools>java GSSAPI
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at GSSAPI.main(GSSAPI.java:34)
Problem searching directory: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]]
JAVA CODE
import java.util.Hashtable;
import javax.naming.ldap.*;
import javax.naming.directory.*;
import javax.naming.*;
import java.util.*;
import java.util.Calendar.*;
import java.text.*;
public class GSSAPI {
    /**
     * @param args
     */
    public static void main(String[] args) {
        Hashtable env = new Hashtable();
        String adminName = "[email protected]";//"[email protected]";
        String adminPassword = "Password12";
        String ldapURL = "ldap://172.20.55.97:389/";
        env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
        //authenticate with SASL GSSAPI (Kerberos); the simple-bind principal
        //and password settings below are left commented out
        env.put(Context.SECURITY_AUTHENTICATION,"GSSAPI");
        //env.put(Context.SECURITY_PRINCIPAL,adminName);
        //env.put(Context.SECURITY_CREDENTIALS,adminPassword);
        //env.put("javax.security.sasl.server.authentication","true");
        //connect to my domain controller
        env.put(Context.PROVIDER_URL,ldapURL);
        try {
            //Create the initial directory context
            LdapContext ctx = new InitialLdapContext(env,null);
            //lets get the domain lockout duration policy
            Attributes attrs = ctx.getAttributes("dc=globalv,dc=com");
            //System.out.println("test arttr"+attrs.get(""));
            System.out.println("Lockout policy for " + attrs.get("distinguishedName").get());
            System.out.println("Duration: " + attrs.get("lockoutDuration").get());
            System.out.println("Threshold: " + attrs.get("lockoutThreshold").get());
            long lockoutDuration = Long.parseLong(attrs.get("lockoutDuration").get().toString());
            //Create the search controls
            SearchControls searchCtls = new SearchControls();
            //Specify the attributes to return
            String returnedAtts[]={"sn","givenName","mail","lockoutTime"};
            searchCtls.setReturningAttributes(returnedAtts);
            //Specify the search scope
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            //Create the correct LDAP search filter
            //Win32 file time is based from 1/1/1601
            //Java date/time is based from 1/1/1970
            /*GregorianCalendar Win32Epoch = new GregorianCalendar(1601,Calendar.JANUARY,1);
            GregorianCalendar Today = new GregorianCalendar();
            long Win32Date = Win32Epoch.getTimeInMillis();
            long TodaysDate = Today.getTimeInMillis();
            long TimeSinceWin32Epoch = TodaysDate - Win32Date;
            long lockoutDate = (TimeSinceWin32Epoch * 10000) + lockoutDuration;
            System.out.println("Lockout (Long): " + lockoutDate);*/
            //System.out.println("Lockout (Date): " + DisplayWin32Date(lockoutDate));
            //String searchFilter = "(&(objectClass=user)(lockoutTime>=" + lockoutDate + "))";
            String searchFilter = "(objectclass=user)";
            //Specify the Base for the search
            String searchBase = "dc=globalv,dc=com";
            //initialize counter to total the results
            int totalResults = 0;
            //Search for objects using the filter
            NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
            //Loop through the search results
            while (answer.hasMoreElements()) {
                SearchResult sr = (SearchResult)answer.next();
                totalResults++;
                System.out.println(">>>" + sr.getName());
                // Print out some of the attributes, catch the exception if the attributes have no values
                attrs = sr.getAttributes();
                if (attrs != null) {
                    try {
                        System.out.println(" name: " + attrs.get("givenName").get() + " " + attrs.get("sn").get());
                        System.out.println(" mail: " + attrs.get("mail").get());
                        System.out.println(" locked: " + attrs.get("lockoutTime").get().toString());
                        //System.out.println(" locked: " + DisplayWin32Date(attrs.get("lockoutTime").get().toString()));
                    }
                    catch (NullPointerException e) {
                        System.err.println("Problem listing attributes: " + e);
                    }
                }
            }
            // System.out.println("Total results: " + totalResults);
            ctx.close();
        }
        catch (NamingException e) {
            System.err.println("Problem searching directory: " + e);
        }
    }
}
-
Authorization Question - BW 3.5
I hope someone can answer this question or send me to somewhere that explains how authorizations work exactly :o)
We currently have a multiprovider that has 5 cubes in it....each one of the cubes has different information but all of them have plant. On the multiprovider we have set up the authorization object for plant hierarchies, but the cubes have other authorizations on them such as sales organization, company code, etc.
Do the multiprovider authorizations override the cube authorizations? Or when the authorization check happens does it check both?
We have been having a few issues with authorization and getting this question answered would really help.
Thank you!
Caroline
Hi Caroline,
Please go through these links, might be helpful:
http://help.sap.com/saphelp_nw70/helpdata/EN/55/46eb411a7f6324e10000000a1550b0/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/43/fc4c7387e1025de10000000a1553f7/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/c2/9ba23898909633e10000009b38f8cf/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/42/f0d71d75433ee9e10000000a1553f7/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/52/671617439b11d1896f0000e8322d00/frameset.htm
Rgds,
Ravi -
Hi,
While transporting the process chains, I am getting the following error: Source system does not exist
Message no. RSAR409
Diagnosis
Source system is not known.
System Response
The imported data for DataSource was deleted again because the referenced source system does not exist and no mapping is defined in table RSLOGSYSMAP on an existing productive source system.
Procedure
Create the referenced source system in the Data Warehousing Workbench or define mapping to a known source system in table RSLOGSYSMAP.
You get to maintenance using Tools -> Conversion of the logical system names.
I have already checked the table in the development system and it contains the source system and so does the table in Consolidation system.
Any ideas on how to solve this error?
Thanks and Regards,
Sahana Narahalli
Hi Sahana,
The BW system landscape needs to be maintained. It looks like the Development Acceptance and Production environments are not maintained in the System Landscape Design, which is evident from the message 'Source system is not known'.
Ask your Basis team to do this. BW team may not have authorizations for such kind of Landscape changes.
Best Regards,
Pratap Sone -
Hi experts,
I need to find the list of Authorisation objects for FI & CO.
If I go by table, how do I restrict for FI alone? Kindly suggest the best way to find the authorisation objects. I have to create an authorisation matrix; where can I find a sample or template for the authorisation matrix? Is it available in help.sap?
Many thanks.
regards
Dinesh
Hi,
Please check below mentioned authorisation objects
F_ACCL_ACT BCA Account Closure: Activity
F_ACE_DST Accrual Engine: Accrual Objects
F_ACE_PST Accrual Engine: Accrual Postings
F_ACHY_ACT BCA Account Hierarchy: Activity
F_ACHY_BKA BCA Account Hierarchy: Bank Area
F_ACT_EBPP Authorization Object for the Activities (EBPP)
F_AVIK_AVA Payment Advice: Authorization for Advice Types
F_AVIK_BUK Payment Advice: Authorization for Company Codes
F_BAF4_FXT FDB: Authorization for Exchange Rate Category
F_BAF4_MDC FDB: Market Data Area
F_BAF4_PRT FDB: Authorizations for Price Type (Securities)
F_BAF4_SCE FDB: Authorization to Edit Real Data
F_BAF4_SCN FDB: Scenario
F_BAF4_SPT FDB: Authorizations for Spread Type
F_BAF4_VOT FDB: Authorization for Volatility Type
F_BAST_ACT BCA Bank Statement: Activity
F_BAV_BUK Treasury BAV General Rights
F_BKKA_ACT BCA Account: Activity
F_BKKA_ATT BCA Account: Authorization Types
F_BKKA_BKA BCA Account: Bank Areas
F_BKKA_BPG BCA Account: Authorization Group According to BP
F_BKKA_FDG BCA Account: Field Groups
F_BKKA_GRP BCA Account: Authorization Groups
F_BKKA_GSB BCA: Activities for Each Business Area
F_BKKA_PRG BCA Account: Authorization Group According to Product
F_BKKA_RCT BCA Account: Reactivate
F_BKPF_BED Accounting Document: Account Authorization for Customers
F_BKPF_BEK Accounting Document: Account Authorization for Vendors
F_BKPF_BES Accounting Document: Account Authorization for G/L Accounts
F_BKPF_BLA Accounting Document: Authorization for Document Types
F_BKPF_BUK Accounting Document: Authorization for Company Codes
F_BKPF_BUP Accounting Document: Authorization for Posting Periods
F_BKPF_GSB Accounting Document: Authorization for Business Areas
F_BKPF_KOA Accounting Document: Authorization for Account Types
F_BKPF_VW Acc. Document: Change/Display Default Vals for Doc.Type/PKey
F_BL_BANK Authorization for House Banks and Payment Methods
F_BNKA_BUK Banks: Authorization for Company Codes
F_BNKA_MAC Can be assigned; Still no usage, deletion not possible?
F_BNKA_MAN Banks: General Maintenance Authorization
F_BNKA_MAO Banks: General Maintenance Authorization by Country
F_CASH_ACG BCA Means of Payment Management: Auth. Group Acc. to Account
F_CASH_ACT BCA Means of Payment Management: Activity
F_CASH_ATT BCA Means of Payment Management: Authorization Types
F_CASH_BKA BCA Means of Payment Management: Bank Area
F_CASH_BPG BCA Means of Payment Management: Auth. Group According to BP
F_CASH_PRG BCA Means of Payment Management: Auth. Group Acc. to Product
F_CASH_TYP BCA Means of Payment Management: Position Type
F_CHAINREV Loans: Chain Reversal
F_CHG_COND Loans: Change Conditions After Posting
F_CLOS_ACT BCA Balancing: Activity
F_COND_ACT BCA Conditions: Activity
F_COND_ATT BCA Conditions: Authorization Types
F_COND_BDC BCA Conditions: Retroactive Condition Change
F_COND_COA BCA Conditions: Condition Area
F_COND_ITP BCA Conditions: Individual Conditions Condition Category
F_COND_TYP BCA Conditions: Condition Category
F_DABS_BUK Loans: Write off Debit Position - CoCd/Partner Authorization
F_DCFL_GLO Global Authorization Object for Decoupled System Landscapes
F_DEURCONV Loans: Contract Currency Changeover to Euro
F_DSIC_ACT Loans: Collateral - Maintenance Authorization
F_DVER_BUK Loans: Waiver Debit Postion - Authorization for CoCd/Pr.Type
F_DZNB_BEA Loans: Processing Key for Payment Postprocessing
F_DZNB_SEL Loans: Selection Authorization for Payment Postprocessing
F_EDX_AUTH EDX: Authorizations for Company Code, Activity, Messages
F_EMAC_FDG BCA Employee Accounts: Field Groups on Account
F_EMAC_MTH BCA Employee Accounts: Allowed Methods
F_EMAC_TRN BCA: Employee Accounts: Transaction Types
F_EPIC_BKC Authorizations for Bank Communications
F_EPIC_BKQ Authorization to execute Bank Queries
F_EPIC_BKU Authorizations for Secure Logon User Maintenance
F_FAGL_CV Customizing: Versions
F_FAGL_DRU General Ledger:Authorization for Rule Entries for Validation
F_FAGL_LDR General Ledger: Authorization for Ledger
F_FAGL_SEG General Ledger: Authorization for Segment
F_FAGL_SKF FI: Processing of Statistical Key Figures
F_FAST_CLS Fast Close Authorizations
F_FBCJ Cash Journal: General Authorization
F_FBK_SUST Vendor: Sustainability Authorization
F_FCRD_CRD Payment Cards: Card Master Record
F_FCRD_DAT Payment Cards: Data File
F_FCRD_VOU Payment Cards: Card Document
F_FDES_BUK Cash Management and Forecast: Company Code Memo Records
F_FDES_GSB Cash Management and Forecast: Business Area Memo Records
F_FDSB_BUK Cash Position: Company Code Summary Records
F_FDSB_GSB Cash Position: Business Area Summary Records
F_FDSR_BUK Liquidity Forecast: Company Code Summary Records
F_FDSR_GSB Liquidity Forecast: Business Area Summary Records
F_FEBB_BUK Company Code Bank Statement
F_FEBC_BUK Company Code Check Deposit/Lockbox
F_FICA_CCT Funds Management, Cross-Funds Center
F_FICA_CIG Funds Management: Commitment Item Groups
F_FICA_CTR Funds Management Funds Center
F_FICA_CVE Funds Management: Cover Eligibility
F_FICA_CVP Funds Management: Cover Pool
F_FICA_EAL Funds Management: Collective Expenditure
F_FICA_FAG Funds Management: Function Groups
F_FICA_FCD Funds Management Fund
F_FICA_FCG Funds Management: Funds Center Groups
F_FICA_FMC FM - CO Account Assignment: Controlling Area
F_FICA_FNG Funds Management: Fund Groups
F_FICA_FOG Funds Management: Authorization Group of Fund
F_FICA_FPG Funds Management: Authorization Group for Commitment Item
F_FICA_FSG Funds Management: Authorization Group for Funds Center
F_FICA_FTR Funds Management FM Account Assignment
F_FICA_KDR Funds Management: Account Assignment Derivation
F_FICA_KDS Maintain Strategy of FM Account Assignment Derivation
F_FICA_POP Funds Management: authorization group posting period
F_FICA_PPL Funds Management: Chart of Commitment Items
F_FICA_SEG Funds Management: Authorization Group for All Funds Centers
F_FICA_SIG Funds Management: Authorization Group Internal Funds Centers
F_FICA_TRG Funds Management: Authorization Groups of FM Acct Assignment
F_FICA_WCT Funds Management Within One Funds Center
F_FICB_FKR Cash Budget Management/Funds Management FM Area
F_FICB_FPS Cash Budget Management/Funds Management Commitment Item
F_FICB_VER Cash Budget Management/Funds Management Version
F_FICO_AIN FICO Individual Condition BAPIs
F_FICO_AST FICO Standard Condition BAPIs
F_FICO_ATT FICO Financial Conditions: Authorization Types
F_FICO_FDG FICO Financial Conditions: Field Groups
F_FICO_IND FICO Individual Conditions
F_FICO_STD FICO Standard Conditions
F_FIGM_BUD Grants Management: Authority for Budget
F_FIGM_CLS Grants Management: Authority for Class
F_FIGM_GNG GM: Grant Groups
F_FIGM_GNT Grants Management: Authority for Grant
F_FIGM_PRG Grants Management: Authority for Programs
F_FIGM_SCG GM: Sponsored Class Groups
F_FIGM_SPG GM: Sponsored Program Groups
F_FKKCJ FI-CA Authorization Object for Cash Journal
F_FM_DRRUL Funds Management: Rules of Account Assignment Derivation
F_FM_DRSTR Funds Management: Account Assignment Derivation Strategy
F_FM_OPEN FM: Authorization for Specially Opened Processes
F_FMBU_ACC Budgeting: Account Assignment
F_FMBU_DOC Budgeting: Document Type
F_FMBU_KEY Budgeting: Keyfigure
F_FMBU_KYF Budgeting: Keyfigure
F_FMBU_LAY Budgeting:FMPEP Layout
F_FMBU_STA Budgeting: Status
F_FMBU_VER Budgeting: Version and Budget Category
F_FMCA_IPM PSCD Installment Plan: Authorization for Mass Approval
F_FMCA_SHE Clarification Worklist (FMSHERLOCK)
F_FMCA_WOF IS-PS-CA: Write Off: Approval for Write-Off Reason
F_FMCA_WOM PSCD Write-Off: Authorization for Mass Approval
F_FMFG_DUN FM-FG: CCR Vendor Master
F_FMMD_FAR Funds Management: Functional Area (Authorization Group)
F_FMMD_FPG FM: Funded Porgram Sets
F_FMMD_MES Funds Management: Funded Program (Authorization Group)
F_FMME_ATT Funded Program authorizations
F_FMRE_BLK Funds locking, company code
F_FMRE_COM Funds commitment, company code
F_FMRE_FOR Forecast of revenue, company code
F_FMRE_PRE Funds precommitment, company code
F_FMRE_RES Funds reservation, company code
F_FMRE_TRA Funds transfer, company code
F_FMSHER Clarification Worklist - FMSherlock
F_FMSPLITG Authorization for Rule-Based Distrib'n to Multiple Acct Assn
F_FMWF_RSN Reasons for Release and Rejection, FM Workflow
F_FOPCMAIN MIC: Main Authorization
F_FUNDSRES Earmarked Funds, Funds Transfer
F_GLLO_ACG GL Loss on Receivables: Authorization Group Account
F_GLLO_BKA BCA General Ledger - Loss on Receivables: Bank Area
F_GLRE_BKA BCA General Ledger Reconciliation: Bank Area
F_GLVA_ACG BCA GL Individual Value Adjustment: Authorization Group Acct
F_GLVA_BKA BCA General Ledger - Individual Value Adjustment: Bank Area
F_GLVA_BPG BCA GL Individual Value Adjustment: Authorization Group BP
F_GLVA_PRG BCA GL Individ. Value Adjustment:Authorization Group Product
F_GMBU_ACC GM Budgeting: Account Assignment
F_GMGT_ATT Grants Management: Authorization Types
F_GMGT_FDG Grants Management: Field Groups
F_GMGT_GRP Grants Management: Authorization Groups
F_GMGT_RLT Grants Management: BP Roles
F_HMAC hmac_key
F_HOLD_ACT BCA Holds: Activity
F_INFO_BUK Central: Information System - CoCd, Trans. Type, Auth. Group
F_INVPGRIR Authorization for Performing GR/IR Clearing
F_INVRPGIR Authorization for GR/IR Journal (Inventory Info System)
F_INVRPMAT Authorization for Material Journal (Inventory Info System)
F_INVRPWIP Authorization for WIP Journal (Inventory Info System)
F_ISSR_1 Transaction Authorization Check
F_ISSR_AD
F_ISSR_BV Position Management
F_ISSR_BVC
F_ISSR_CU
F_ISSR_CUC
F_ISSR_DU
F_ISSR_GPC
F_ISSR_ID
F_ISSR_LTD
F_ISSR_MIG
F_IT_ALV Line Item Display: Change and Save Layout
F_ITTC_BUK
F_KBE__RES Funds reservation, company code
F_KBE__TRA Payment Transfer Company Code
F_KK_AVIS FI-CA Payment Advice Note in Contract A/R + A/P
F_KK_CJROL Cash Journal: Maintenance of Responsibilities
F_KK_EBPP FI-CA Special Functions for FSCM Biller Direct
F_KK_FCODE FI-CA authorizations for GUI functions with master data
F_KK_KUKON Authorization Check for Short Account Assignment
F_KK_LOCK FI-CA Processing Locks
F_KK_ODBUK FI-CA Request: Company Code Authorization
F_KK_ODCLA FI-CA Request: Mass Approval of Requests
F_KK_ODCLS FI-CA Request: Authorization for Request Class
F_KK_ODTYP FI-CA Request: Authorization for Request Category
F_KK_REPT FI-CA Receipt Management
F_KK_SEC FI-CA Security Deposit
F_KK_SOND FI-CA Special Functions
F_KKCASH FI-CA Authorization Object for Payment at Cash Desk
F_KKCC Obsolete !!! FI-CA Correspondence Generation
F_KKCMK FI-CA - Manual Checks Lot
F_KKCO Obsolete !!! FI-CA Correspondence in Contract A/R and A/P
F_KKCODU Correspondence Dunning in Contract Accounting
F_KKCR FI-CA Display Creditworthiness of a BP and Change Manually
F_KKCR_BUK FI-CA Authorization for Check Management / DFKKCR
F_KKDEVREV FI-CA Deferred Revenue Postings Transfer Posting Run
F_KKDU FI-CA Dunning in Contract Accounts Receivable & Payable
F_KKDU_BUK FI-CA Dunning in Contract Accts Rec. & Payable: CoCode Auth.
F_KKDUTL FI-CA Dunning: Telephone List
F_KKINDPAY FI-CA Payment Specification
F_KKINK FI-CA Authorization Object for Collection Agency
F_KKINSTPL FI-CA Auth. for Installment Plans in a Contract Account
F_KKINTER Authorization for Interest Posting
F_KKIP FI-CA Payment Specification
F_KKKO_AEN FI-CA Document in Contract A/R + A/P: Changeable Fields
F_KKKO_BEG FI-CA Doc.in Contract Accts Rec. & Pay.: Acct Authorization
F_KKKO_BUK FI-CA Doc.in Contract Accts Rec.& Pay.: CoCode Authorization
F_KKKO_GSB FI-CA Doc.in Contract Accts Rec. & Pay.: Business Area Auth.
F_KKMA FI-CA Mass Activities in Contract Accts Receivable & Payable
F_KKMDU Master Data Lot in Contract Accounts Receivable and Payable
F_KKMIGRAT FI-CA IS Migration Workbench
F_KKNR FI-CA NOC Returns Lot in Conract Accts Rec. and Payable
F_KKPY FI-CA Automatic Payment Transactions in Contract A/R & A/P
F_KKRD_MAS FI-CA Document Reversal - Mass Processing
F_KKRK FI-CA Returns Lot in Contract A/R + A/P
F_KKRV FI-CA Transfer Posting Run Receivable Evaluation
F_KKSU FI-CA Reconciliation Key and Posting Totals
F_KKVARI FI-CA Maintain Variants for Parallel Processing
F_KKVK_BEG FI-CA Contract Account: Authorization Group
F_KKVK_BUK FI-CA Contract Account: Company Code Authorization
F_KKVK_FDG Contract Account: Authorization for Individual Field Groups
F_KKVK_VKT FI-CA Contract Acct: Contract Acct Type Authorization
F_KKWOFF FI-CA Write-Off Open Documents of a Business Partner
F_KKWOFFM FI-CA Authorization for Mass Clearing of Open Documents
F_KKZK FI-CA Payment Lot in Contract A/R & A/P
F_KKZWF FI-CA Authorization for Receivables Evaluation
F_KMT_MGMT Account Assignment Model: Auth. for Maintenance and Use
F_KNA1_AEN Customer: Change Authorization for Certain Fields
F_KNA1_APP Customer: Application Authorization
F_KNA1_BED Customer: Account Authorization
F_KNA1_BUK Customer: Authorization for Company Codes
F_KNA1_GEN Customer: Central Data
F_KNA1_GRP Customer: Account Group Authorization
F_KNA1_KGD Customer: Change Authorization for Account Groups
F_KNB1_ANA Customer: Authorization for Account Analysis
F_KNKA_AEN Credit Management: Change Authorization for Certain Fields
F_KNKA_KKB Credit Management: Authorization for Credit Control Area
F_KNKA_MAN Credit Management: General Maintenance Authorization
F_KNKK_BED Credit Management: Account Authorization
F_L_ACCRUL Leasing Accounting Authorization Object
F_LC_AUS Consolidation: Authorization for reports
F_LC_COM Consolidation: Authorization for companies
F_LC_ERH Consolidation: Authorization for data entry forms
F_LC_LDNR Consolidation: Authorization for ledgers
F_LC_SUBD Consolidation: Authorization for subgroup
F_LC_URUN Consolidation: Authorization for update
F_LC_VERS Consolidation: Authorization for versions
F_LFA1_AEN Vendor: Change Authorization for Certain Fields
F_LFA1_APP Vendor: Application Authorization
F_LFA1_BEK Vendor: Account Authorization
F_LFA1_BUK Vendor: Authorization for Company Codes
F_LFA1_GEN Vendor: Central Data
F_LFA1_GRP Vendor: Account Group Authorization
F_MAHN_BUK Automatic Dunning: Authorization for Company Codes
F_MAHN_KOA Automatic Dunning: Authorization for Account Types
F_MANDATE Authorization to Process a SEPA Mandate in FI
F_MET_BEG Loans: Authorization Group for Condition Table
F_MIE_SKO Real Estate: Rental agreement - Authorization for conditions
F_MNG_CON Real Estate: Management Contract - Authorization for CoCd
F_NFBA Authority Check for Nota Fiscal Writer Brazil
F_NTC_ACT BCA Notice: Activities for each Bank Area
F_NTC_AMT F_NTC_AMT
F_NTC_GRP Notice: Authorization for each Group
F_NTC_PER F_NTC_PER
F_PAIT_ACG BCA Payment Item: Authorization Group According to Account
F_PAIT_ACT BCA Payment Item: Activity
F_PAIT_ATT BCA Payment Item: Authorization Types
F_PAIT_BDA BCA Payment item: Backdated payment items.
F_PAIT_BKA BCA Payment Item: Bank Area
F_PAIT_BPG BCA Payment Item: Authorization Group According to BP
F_PAIT_GRP BCA Payment Item: Authorization Group
F_PAIT_PRG BCA Payment Item: Authorization Group According to Product
F_PAOR_ACG BCA Payment Order: Authorization Group According to Account
F_PAOR_ACT BCA Payment Order: Activity
F_PAOR_ATT BCA Payment Order: Authorization Types
F_PAOR_BKA BCA Payment Order: Bank Area
F_PAOR_BPG BCA Payment Order: Authorization Group According to BP
F_PAOR_GRP BCA Payment Order: Authorization Group
F_PAOR_PRG BCA Payment Order: Authorization Group According to Product
F_PAYM_ACT Additional activity checks for payment items/orders
F_PAYOH_AV Release and Rejection Reasons
F_PAYR_BUK Check Management: Action Authorization for Company Codes
F_PAYRQ Authorization Object for Payment Requests
F_PERI_ACT BCA Periodic Tasks: Activity (Simulation Update Run)
F_PMT_TRNS Real Estate: Payment Transaction - Author. CoCd/Activity
F_POD_BEG Loans: Authorization Group for Files
F_POH_BEG Loans: Authorization Group for Main Files
F_PRL_BUK Payment Release: Authority object by Com.Code and Action
F_PROD_GRP BCA/FIPR Product: Authorization Group
F_PSDO_BEG PSCD Document: Authorization Group for Contract Object
F_PSDO_VGT PSCD Beleg: Contract Object Type Authorization
F_PSFA_CAT PSCD Facts. Fact Type Parts
F_PSFA_SET PSCD Facts: Authorization for a Fact Set.
F_PSFA_TYP PSCD Facts. Fact Set Parts
F_PSM_DRUL Rules for Account Assignment Derivation
F_PSM_DSTR Strategy for Account Assignment Derivation
F_PSMEC_CR Expenditure Certification: Certification Run
F_PSMEC_FS Expenditure Certification: Financing Source
F_PSMEC_OP Expenditure Certification: Certifying Operation
F_PSOB_ATT PSCD Contract Object: Authorization Types
F_PSOB_BEG PSCD Contract Object: Authorization Group
F_PSOB_FDG PSCD Contract Object: Field Groups
F_PSOB_VGT PSCD Contract Object: Object Type Authorization
F_RE_BRGRP Real Estate: Authorization Group
F_RE_REPOR Real Estate: Reporting - Author.for CoCd/Auth.Grp/Data Type
F_RE_TRANS Real Estate: General Transaction Authorization
F_REAJ_AT Real Estate: Adjustment Measure
F_REAJ_CG Real Estate: Comparative Group
F_REAJ_PR Real Estate: Adjustment of Conditions
F_REBD_AO Real Estate: Architectural Object
F_REC_TAX Authorization Check for Tax Auditor
F_RECD_CN Real Estate: Conditions - Contract
F_RECD_RO Real Estate: Conditions - Rental Object
F_RECN Real Estate: Real Estate General Contract
F_RECN_ATT Real Estate: Authorization Types for General Contract
F_RECN_FDG Real Estate: Field Groups for General Contract
F_RECN_SKO Real Estate: Conditions for Real Estate General Contracts
F_REGU_BUK Automatic Payment: Activity Authorization for Company Codes
F_REGU_KOA Automatic Payment: Activity Authorization for Account Types
F_REIT_DS Real Estate: Input Tax Distribution
F_REIT_OR Real Estate: Option Rate Determination
F_REIT_TC Real Estate: Correction Object
F_RELM_JL Real Estate: Joint Liability
F_RELM_LR Real Estate: Land Register
F_RELM_NA Real Estate: Notice of Assessment
F_RELM_PE1 Real Estate: Public Register: Contamination/Non-Hazard.Waste
F_RELM_PE2 Real Estate: Public Register: Site Protection
F_RELM_PE3 Real Estate: Public Register: Development Plan
F_RELM_PE4 Real Estate: Public Register: Easement Register
F_RELM_PL Real Estate: Parcel of Land
F_RELM_RC Real Estate: Parcel Update
F_REMM_MN Real Estate: Mandate
F_REOR_OF Real Estate: Contract Offer
F_REOR_OO Real Estate: Offered Object
F_REOR_RR Real Estate: RE Search Request
F_REORG_PL General Ledger: Authorization for Reorganization
F_RERA_OP Real Estate: One-Time Postings
F_RESC_PG Real Estate: Participation Group
F_REXC_MS Real Estate: Main Rent Statement
F_RNT_ADJ Real Estate: Rent Adjustment - Authorization for CoCd/Method
F_RNT_OFF Real Estate: Offer - Authorization for CoCd/Bus.Entity
F_RPCODE Repetitive Code
F_RPROC Intercompany Reconciliation: Authorizations
F_RPUS_ATT Retirement plan: Authorization types
F_RPUS_FDG Retirement plan: Field groups
F_RQRSVIEW Bank Ledger: Viewer for Request Response Messages
F_RTP_ACT Retirement plan: Activity
F_RTP_AGP Retirement plan: Authorization group
F_RTP_BKA Retirement plan: Bank area
F_RTP_BPA Retirement plan: Authorization accountholder
F_RTP_BPG Retirement plan: Authorization accountholder (obsolete)
F_RTP_GRP Retirement plan: Authorization group (obsolete)
F_SEPA_MDT Authorization for Processing a Global SEPA Lock
F_SKA1_AEN G/L Account: Change Authorization for Certain Fields
F_SKA1_BES G/L Account: Account Authorization
F_SKA1_BUK G/L Account: Authorization for Company Codes
F_SKA1_KTP G/L Account: Authorization for Charts of Accounts
F_STAT_MON Bank Relationship: Status Monitor authorizations
F_STAT_USR Bank Communication: Assignment of Signature User ID
F_STO_TRAN Loans: Authorization for Reversal Transaction
F_STOR_ACG BCA Standing Order: Authorization Group According to Account
F_STOR_ACT BCA Standing Order: Activity
F_STOR_ATT BCA Standing Order: Authorization Types
F_STOR_BKA BCA Standing Order: Bank Area
F_STOR_BPG BCA Standing Order: Authorization Group According to BP
F_STOR_FDG BCA Standing Order: Field Groups
F_STOR_GRP BCA Standing Order: Authorization Group
F_STOR_PRG BCA Standing Order: Authorization Group According to Product
F_T_FBNAME Treasury: Authorization for Asynchronous Datafeed
F_T_PART_B Treasury: Business Partners: Authorization Group per Role
F_T_PART_R Treasury: Business Partners: Role Authorization
F_T_TRANSB Treasury: Transaction Authorization
F_T_VTBLL Limit Transfers
F_T_VTBLR Limit Reservations
F_T_VTBLV Limit
F_T_VTBMA Master Agreement
F_T011 Financial Statements: General Maintenance Authorization
F_T011_BUK Planning: Authorization for Company Codes
F_T011E Authorization for Financial Calendar
F_T011XBRL F/S from XBRL Taxonomy: General Maintenance Authorization
F_T042_BUK Payment Program Customizing: Authorization for Company Codes
F_T060_ACT Info System: Account Type/Activity for Evaluation View
F_TD_CORR controls the correction of an already fixed time deposit.
F_TR_MRM_S Scenario Maintenance
F_TRAVL Travel Planning
F_TRAVL_RW Travel Expenses: Posting Run Management
F_TRAVL_S Travel Planning Status Travel Agency
F_TRAVL_TG Separation Allowance
F_TRAVL_TP Maintain Separation Allowance Periods
F_TXW_RA DART: Retrieve data from archive
F_TXW_TF DART: Data extracts
F_TXW_TFCF DART: Data extract configuration
F_TXW_TV DART: Data view queries
F_TXW_TVC2 DART: Data view configuration, with AuthGrp
F_TXW_TVCF DART: Data view configuration
F_UDM_ESCA Dispute Case: Check of Escalation Reasons
F_UDM_GRUP Authorization for Collection Group
F_UDM_PRUN Program with Parallel Processing
F_UDM_SGMT Authorization for Collection Segment
F_UDM_STGY Authorization for Strategies
F_UDM_WLIT Worklist Items
F_UHC_ACT Collection Case: Actions
F_UKM_SGMT SAP Credit Management Authorization for Credit Segment
F_UMV_BUK Real Estate: Sales-based agreement adj. - CoCd authorization
F_VGINT Change to Posting Rule in FEBAN
F_WEB_ADRS Display/Change of Address Data via Web Interface
F_WEB_BANK Display/Change of Bank Data
F_WEB_BCNF Display/Change of a Balance Confirmation
F_WEB_BLNC
F_WEB_EBPP Participation in EBPP Process via Web Interface
F_WEB_ITEM
F_WEB_MTCH
F_WIBE Real Estate: Cost Efficiency Analysis
F_WORKQ001 Authorization Object for Work Queue
F_WTMG Withholding Tax Changeover
F_XCIT_ICI Real Estate: Italian localisation - ICI
F_XCIT_IRE Real Estate: Italian localisation - IRE
F_ZTXT_ACT Word Processing: Maintenance Authorization
FAGL_INST Customer Enhancements for General Ledger
FB_SRV_DMS Financials Basis: Data Model Synchronization
FB_SRV_GC Financials Basis: Garbage Collector
FB_SRV_TR Financials Basis: Transport
FD_AKT_ACT Loans: Filed Documents - Maintenance Authorization
FD_AUS_BUK Loans: Disbursement - Company Code Authorization
FD_AUS_GSA Loans: Disbursement - Authorization for Product Types
FD_BAV_BUK Loans: Transfer BAV Data - Company Code Authorization
FD_BEL_ACT Loans: Collateral Value - Maintenance Authorization
FD_BO_BUK Activity Authorization Based on Business Operation Category
FD_BUK_LAY Loans: Changing and Saving ALV Layouts
FD_CHARAC Loans: Authorization for Processing Characteristics
FD_CLI_GRP CL CLI: Authorization Group for Changes to a CLI Policy
FD_COT_GRP Loans: Authorization Group for Condition Table
FD_COT_PRD Loans: Assignment of Product to Condition Table
FD_DAR_ACT Loans: Transaction Check for Product Category
FD_DAR_BEG Loans: Authorization Group for Loan Contracts
FD_DAR_BUK Loans: Company Code Authorization
FD_DAR_DIS Distribution Channel
FD_DAR_GSA Loans: Authorization for Product Types
FD_DAR_RBD Loans: Authorization Check for Reserve for Bad Debts
FD_DAR_SBW Loans: Flow Type
FD_DAR_STA Loans: Status Authorization
FD_IA_ZANF Loans: Investor Account - Payment upon Request
FD_MAN_BUK Loans: Manual Debit Position - Company Code Authorization
FD_MAS_BUK Loans: Automatic Debit Position - Company Code Authorization
FD_MET_BUK Loans: Rollover Methods - Company Code Authorization
FD_OBJ_ACT Loans: Collateral Objects - Maintenance Authorization
FD_POD_BUK Loans: Rollover File - Company Code Authorization
FD_POG_BUK Loans: General Rollover File - Company Code Authorization
FD_POH_BUK Loans: Main Rollover File - Company Code Authorization
FD_POK_BUK Loans: Configure/Fill Rollover File - Company Code
FD_PROD_BG Loans: Authorization Group for Products
FD_SET_STA Loans: Automatic Status Transfer
FD_STOP_CD Loans: Authorization Check for Stop Code
FD_UMB_BUK Loans: Transfers - Authorization for CoCd / Product Type
FDT_ADMN BRFplus: Administration/Monitoring
FDT_OBJECT BRFplus: Authorization Check on Object Level
FDT_PROC BRFplus: Processing (Web Service/RFC)
FDT_TRACE BRFplus: Authorization Check on Trace
FDT_WORKB BRFplus: Authorization Check for BRFplus Workbench
FI_ABR_BUK Real Estate: Settlement unit - Company code authorization
FI_BAV_BUK Real Estate: Transfer BAV data - Company code authorization
FI_BEW_ACT Real Estate: Application - Maintenance authorization
FI_BKA_BUK Real Estate: Operat.costs stt. - Company code authorization
FI_FAG_BUK Real Estate: Free rent adj. commerc.agrmnt - CoCd authoriz.
FI_FAW_BUK Real Estate: Free rent adj. resid. agrmnt - CoCd authoriz.
FI_GAR_BUK Real Estate: Rent adj. of garage rent - CoCd authorization
FI_GBU_ACT Real Estate: Land register - Maintenance authorization
FI_GEB_BUK Real Estate: Building - Auth. for CoCd/business entity
FI_GRU_BUK Real Estate: property - Author.for CoCd/business entity
FI_HEI_BUK Real Estate: Heating system - Company code authorization
FI_HKA_BUK Real Estate: Heating expenses stt. - CoCd authorization
FI_IND_BUK Real Estate: Index-linked rent - Company code authorization
FI_KUE_BUK Real Estate: Notice on lease-out - Author.for CoCd/BE
FI_ME1_BUK Real Estate: Rental unit - Authoriz.for CoCd/business entity
FI_MIE_BUK Real Estate: Rental agreement - Authoriz. for CoCd/BE
FI_MIS_ACT Real Estate: Repr.lists of rents - Maintenance authorization
FI_MIS_BUK Real Estate: Repr.list of rents adj. - CoCd authorization
FI_MOD_BUK Real Estate: Modernization adjustment - CoCd authorization
FI_RAU_BUK Real Estate: Rooms - Authorization for CoCd/business entity
FI_VBE_BUK Real Estate: Comparative group - Company code authorization
FI_VWO_BUK Real Estate: Comparative apartment - Company code authoriz.
FI_WEI_BUK Real Estate: Business entity - Authoriz. for CoCd/BE
FI_WT_VEN Authorization object for vendr data enhancement
FI_ZAH_BUK Real Estate: Debit pos.payment transactions - CoCd authoriz.
FI_ZLG_BUK Real Estate: Surcharge adjustment - Company code authoriz.
FI_ZUO_ACT Real Estate: Assign RU/applic. - Maintenance authorization
FINB_ACINS Obsolete!!! Authorization with Reference to Accounting Inst.
FOT_B2A_V Admin. Report Electronic Data Transmission to Authorities
FPIA_GROUP Evaluate user groups (Gestinaire, Comptable, Super User etc)
FPP_ALL Authorization Object for All FPP Activities
FPP_CUST Authorization Object for Maintaining ParaProcessing Objects
FPP_USE Authorization for Using FPP Service Modules
FSCM_BCCE
FW_AKS_BUK Securities: Stock Split - Company Code Authorization
FW_BAV_BUK Securities: Transfer BAV Data - Company Code Authorization
FW_BES_BUK Securities: Position Indicator - Auth. for CoCd/Prod. Type
FW_BEZ_BUK Securities: Subscription Right - Company Code Authorization
FW_DEP_BUK Securities: Securities Account - Authorization for CoCd/TTy
FW_GAT_ACT Securities: Class - Transaction Check Prod. Cat./Activity
FW_GAT_GSA Securities: Class - Authorization for Transaction Types
FW_JUA_BUK Securities: New Stock - Company Code Authorization
FW_KAB_BUK Securities: Capital Reduction - Company Code Authorization
FW_KER_BUK Securities: Capital Increase - Company Code Authorization
FW_MAS_BUK Securities: Automatic Debit Position - CoCd/Product Type
FW_ORD_BUK Securities: Order - Company Code Authorization
FW_ORD_GSA Securities: Order - Authorization for Transaction Types
FW_ORD_STA Securities: Order - Status Authorization
FW_OSA_BUK Securities: Exercise WA - Authorization for CoCd/Prod. Type
FW_OST_BUK Securities: Detach WA - Company Code Authorization
FW_SON_BUK Securities: Other Postings - Company Code Authorization
FW_UMB_BUK Securities: Balance Sheet Transfer - Co. Code Authorization
FW_UMD_BUK Securities: Securities Account Transfer - CoCd Authorization
FW_WAN_BUK Securities: Exercise Convertible Bond - Company Code Auth.
FZ_BAV_BUK
FZ_FRG_KOM Release: Authorization Check - Release Object/Authoriz. Amnt
FZ_FRG_OST Release: Authorization for Release Object/Release Status
FZ_IND_ACT Index data: Maintenance authorization
FZ_PRT_ACT Partner Management: Partner - General Maintenance Authoriz.
FZ_PRT_AUS Partner Management: Partner Role - Selection Authorization
FZ_PRT_BEG Treasury: Business Partners: Authorization Group for Partner
Thanking you
Regards
Mahesh -
Active Directory 2003 and Sun One Directory Server 5.2
I just installed Sun One Directory Server 5.2 on a Linux machine. I want to configure LDAP on that machine so that it can be authenticated on Active Directory 2003. How do I go about doing this?
Active Directory server is a "directory server" (and kerberos server.) If your linux client authenticates against Active Directory it doesn't have to involve the Sun Directory Server at all. You have several general approaches you could investigate:
1. Linux client gets accounts and authentication via LDAP from Active Directory
If you use AD to handle unix LDAP authentication (opt 1) you may need to extend schema in AD to add the unix password field. I haven't tried it yet, but hope to.
2. Linux client gets accounts from AD LDAP and authorization from AD Kerberos.
There should be docs on support.microsoft.com on enabling kerberos support for non-Win clients.
3. Linux client (with samba client installed, with winbind or pam_smb to support unix level services) gets accounts and authentication as a "Windows" client from Active directory "Windows server"
Check the samba.org docn or forums- I think this is a pretty common solution.
4. Linux client gets account information from Sun Directory server but uses kerberos (against active directory) for authentication.
There should be docs on support.microsoft.com on enabling kerberos support for non-Win clients.
5. Linux client gets account and authorization from Sun Directory server, with the Sun Directory server configured to use Active Directory as a Kerberos server.
Probably incredibly complex. -
How to Move Migrated Analysis Authorization across the landscape?
Hi,
we have migrated existing 3.x obsolete authorization concept to 7.x Analysis Authorization with the SAP delivered program RSEC_MIGRATION. Unit test is completed in the Development. What is the process to move the changes to quality.
Any help is greatly appreciated.
Thanks!

Hi Tony,
what about the roles that are updated during the migration process. How do I identify them and Do I need to collect them and transport too? Is there a way I can use the tables you mentioned in the above discussion for this.
First you should decide on whether you wish to use direct AA assignment or use S_RS_AUTH authorization object (This is referred as indirect AA assignment).
If you wish to assign AA directly, you don't need to transport the roles and just need to transport the AA, since the AA works independently.
If you wish to implement indirect AA assignment, you should identify the roles (from the tables I've provided in my last post) and find out the roles based on queries. Further, the AA that were related to the queries should be added using S_RS_AUTH, and these roles require a transport.
Hope this helps!!
@Arpan - Those tables are required to quickly find out the roles Vs queries Vs InfoAreas/InfoCubes information to work on the AA.
Regards,
Raghu -
How to override automated authorization with 'Select person'
Hi
We have many services that need the nearest manager's authorization. However, in certain situations the approver should be a person other than the nearest manager. For example, when a secretary orders a new PC for a production line, it needs to be approved by a shopfloor supervisor instead. newScale says this is possible. Has anyone else tried it and can help instruct us on the setup? Please provide instructions in dummy-proof & non-technical language.
Thanks.

You would have two authorization tasks. One for nearest manager and one for the manager that is selected by the user. On the form have a radio button field that asks the question: "Does this service require approval by someone other than your line manager?" or similar with yes and no radio buttons.
On the authorization task for line manager/nearest manager approval have a condition which requires the question to be "No"; if no is selected in the form the nearest manager task will trigger. On the "other" manager have the opposite condition, thus it requires the question to be "yes". If the user selects "Yes" that task will trigger instead. Set up the task to go to whomever the user has selected on the form as their "other manager". This selection field could be set up only to be shown if they select Yes to the question.
hope that helps. -
Is S_RFCACL a critical Authorization Object ?
Hi All,
As we know that S_RFCACL (Authorization Check for RFC User (e.g. Trusted System)) is required for having access to the trusted systems.
In most of our roles for this authorization Object we have maintained the * value for the following fields:-
RFC_SYSID
RFC_TCODE
This has been made as an observation by the auditors as having this critical access with the users.
But my question is how can it be the critical access when the user should have id's in both the systems(trusted and trusting) to login to the called system.
Also even if the user logs into the called system he will only be able to execute the list activities/t-codes that he is authorized to in that system, it will override the * value maintained in RFC_TCODE.
What possibly could be the risk from this authorization object ?
Regards,
Parichay

Parichay Jain wrote:
In most of our roles for this authorization Object we have maintained the * value for the following fields:-
RFC_SYSID
RFC_TCODE
This has been made as an observation by the auditors as having this critical access with the users.
The object itself is certainly critical, but as you stated the trust itself has to have been setup at the system level for the authorization to be going anywhere.
These two fields are in all honesty only irritating and you can successfully defend putting a * into them.
RFC_SYSID values for a role means you unit test a role in DEV, integration test it in QAS and then use it live in PROD. Additionally the field RFC_INFO is actually the installation number and you can be fairly sure that will be the same in the landscape. So only adding the pairs of production system IDs means you cannot test the same roles, which is a bit silly.
RFC_TCODE is even sillier. The generic RFCs for starting transactions (eg. ABAP4_CALL_TRANSACTION) check the transaction code themselves again and that is then user specific roles relating to their job functions. Restricting S_RFCACL additionally in a system role (eg. common role for all users) means that you must double-discriminate against all possible transactions which can be called via RFC and list them all there and maintain the list. But the check happens later again and the application authorizations in the transaction are generally checked as well. Waste of time.
@ Alex: The RFC_EQUSER = Y field only means that if the calling and called user ID names are the same, then the field RFC_USER is not checked and therefore does not have to be maintained. But it is often misunderstood and the field RFC_USER gets a * value as well (which is where the real music is..) and the EQUSER setting has no further effect. Technically, it actually weakens the authority-check on the user field - which is correct because otherwise you have to maintain it and end up with personalized roles, which is most silly of all.
So you can quite safely tell your auditor that Julius agrees with you and they are barking up the wrong tree.. :-)
Cheers,
Julius -
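An added example, not part of the thread and not SAP tooling: a Python audit over role data in the column layout of table AGR_1251 that applies the distinction made in the reply above, rating RFC_USER = * as the real finding and only noting * in RFC_SYSID and RFC_TCODE. The sample rows, role names, the system ID "PRD" and the severity labels are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of role table AGR_1251
# (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH). Role names, authorization
# names and the system ID "PRD" are made up for this example.
SAMPLE_EXPORT = """\
AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_COMMON_USER,S_RFCACL,T_A1,RFC_SYSID,*,
Z_COMMON_USER,S_RFCACL,T_A1,RFC_TCODE,*,
Z_COMMON_USER,S_RFCACL,T_A1,RFC_EQUSER,Y,
Z_COMMON_USER,S_RFCACL,T_A1,RFC_USER,,
Z_LEGACY_IF,S_RFCACL,T_B1,RFC_SYSID,PRD,
Z_LEGACY_IF,S_RFCACL,T_B1,RFC_TCODE,*,
Z_LEGACY_IF,S_RFCACL,T_B1,RFC_EQUSER,Y,
Z_LEGACY_IF,S_RFCACL,T_B1,RFC_USER,*,
Z_BATCH_CALL,S_RFCACL,T_C1,RFC_SYSID,PRD,
Z_BATCH_CALL,S_RFCACL,T_C1,RFC_TCODE,*,
Z_BATCH_CALL,S_RFCACL,T_C1,RFC_EQUSER,N,
Z_BATCH_CALL,S_RFCACL,T_C1,RFC_USER,BATCH_*,
Z_FI_CLERK,F_BKPF_BES,T_D1,BRGRU,BANK,
"""


def load_s_rfcacl(text):
    """Group S_RFCACL field values by (role, authorization instance)."""
    auths = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        if row["OBJECT"].strip() != "S_RFCACL":
            continue
        value = row["LOW"].strip()
        if value in ("", "''"):  # field maintained as empty: nothing to record
            continue
        auths[(row["AGR_NAME"], row["AUTH"])][row["FIELD"]].add(value)
    return auths


def rate(fields):
    """Rate one authorization instance by its RFC_USER / RFC_EQUSER values."""
    users = fields.get("RFC_USER", set())
    same_user = "Y" in fields.get("RFC_EQUSER", set())
    if "*" in users:
        # The case the reply singles out: any calling user ID is accepted.
        return "HIGH", "RFC_USER=* accepts any calling user ID"
    if any("*" in u for u in users):
        return "MEDIUM", "RFC_USER pattern %s matches a range of callers" % sorted(users)
    if users:
        return "INFO", "RFC_USER lists explicit callers (personalized role)"
    if same_user:
        return "OK", "RFC_EQUSER=Y only: caller must have the same user ID"
    return "INFO", "no RFC_USER and no RFC_EQUSER=Y: no caller is matched"


def audit(text):
    """Return one finding per S_RFCACL authorization, sorted by role."""
    findings = []
    for (role, auth), fields in sorted(load_s_rfcacl(text).items()):
        severity, reason = rate(fields)
        # '*' here is recorded but does not raise the severity.
        star_fields = [f for f in ("RFC_SYSID", "RFC_TCODE")
                       if "*" in fields.get(f, set())]
        findings.append({"role": role, "auth": auth, "severity": severity,
                         "reason": reason, "star_fields": star_fields})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print("%-6s %-14s %-5s %s (also *: %s)" % (
            f["severity"], f["role"], f["auth"], f["reason"],
            ", ".join(f["star_fields"]) or "none"))
```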
Authorization Group for G/L Account
Hi,
What?
- I wish to restrict the 'posting' of a G/L account to be done by certain users only
How?
- What I have done was...
a) From FS00, I have added a free-text (BANK) into the Authorization Group for a G/L account
b) From PFCG, a new role was created to allow these 2 Authorization Objects, F_BKPF_BES and F_SKA1_BES
c) 'BANK' was entered for the Authorization Group for both these 2 Authorization Objects
d) From there, I have assigned this new role to the user that I wish to allow Posting of the G/L account
Problem?
- Other users still can do Posting for this G/L account
- Any steps which I have missed out here or done wrongly?
Thanks,
Brandon

Hi,
Some other roles of the users may override and cause the users to post against this GL account.
Check all the roles relevant for the restricted users.
Use SUIM t-code to find if the auth object mentioned above is included in any other role.
If it be, restrict that again.
Generally if one role has no restriction against this auth and not all, this issue tends to happen.
Regards,
Sridevi -
Mass update to FILENAME field in S_DATASET authorization object
We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value. I'd like to do this programmatically if possible.
What I've learned so far is that I need to update the value in table USR12, but the value is encoded. When I look at the table in SE16, I do not see the encoded value field. The value does show in UST12, but I'm told this is an unreliable table.
So I'd like to know..
1. How can I look at the value if not in SE16?
2. Is there an API I can use to encode/decode the value? If not, where is the specification on how to build it?
If this is better addressed in a different forum, which one should I try next?
Thanks,
Dan

Hi there,
Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
But the behaviour as you have described:
>
> Path Saveflag Fs_noread Fs_nowrite Fs_Brgru
> =============================================================
> * X X DUMY
> /temp/FI/.. X X DUMY
> /temp/FI X FIFI
>
... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
> Caution:
> - If you enter paths generically in the table SPTH, the most precise specification counts.
> - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
So, the only check which is effective to protect the path, is:
Path Saveflag Fs_noread Fs_nowrite Fs_Brgru
=============================================================
/temp/FI X FIFI
... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
form CHECK_PERMISSION using ISPTH_HEAD type SPTH
                            MODE type CLIKE
                            SUBRC type SY-SUBRC.
  data: ACTIVITY like AUTHB-ACTVT.
  SUBRC = 0.
  case MODE.
    when 'R'.
      ACTIVITY = '03'.
    when 'W'.
      ACTIVITY = '02'.
    when 'D'.
      ACTIVITY = '02'.
  endcase.
  if ISPTH_HEAD-FS_BRGRU <> SPACE. "Here it is... for BEGRU checks there must be a value...
    authority-check object 'S_PATH'
      id 'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
      id 'ACTVT' field ACTIVITY.
    if SY-SUBRC <> 0.
      SUBRC = 3.
    endif.
  endif.
endform.
Cheers,
Julius -
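The SPTH evaluation discussed in the post above, modelled in Python as an added example (not SAP's code and not part of the original post). It assumes generic paths are matched as prefixes with the longest match counting as "most precise", and that a set no-read or no-write flag denies the access without consulting the authorization group; the table rows and the user's authorizations are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SpthEntry:
    path: str               # generic path, "*" matches everything
    fs_noread: bool = False
    fs_nowrite: bool = False
    fs_brgru: str = ""      # authorization group checked against S_PATH

# Activity per access mode, as in the CHECK_PERMISSION form above.
ACTVT = {"R": "03", "W": "02", "D": "02"}

def most_precise(table, filename):
    """Pick the matching entry with the longest prefix (assumed prefix match)."""
    def prefix(e):
        return e.path.rstrip("*")
    hits = [e for e in table if filename.startswith(prefix(e))]
    return max(hits, key=lambda e: len(prefix(e)), default=None)

def check_access(table, user_auths, filename, mode):
    """Return (allowed, reason). user_auths holds (FS_BRGRU, ACTVT) pairs."""
    entry = most_precise(table, filename)
    if entry is None:
        return True, "no SPTH entry"
    # Assumption: a set flag denies outright and the group is not consulted.
    if entry.fs_noread:
        return False, "fs_noread on " + entry.path
    if entry.fs_nowrite and mode in ("W", "D"):
        return False, "fs_nowrite on " + entry.path
    if not entry.fs_brgru:
        return True, "no authorization group, S_PATH not checked"
    allowed = (entry.fs_brgru, ACTVT[mode]) in user_auths
    return allowed, "S_PATH " + entry.fs_brgru + " ACTVT " + ACTVT[mode]

# Constructed sample table and user, not taken from a real system.
SAMPLE_SPTH = [
    SpthEntry("*", fs_noread=True, fs_brgru="DUMY"),
    SpthEntry("/temp/FI", fs_brgru="FIFI"),
    SpthEntry("/temp/log", fs_nowrite=True),
]
DISPLAY_USER = {("FIFI", "03"), ("DUMY", "03")}

if __name__ == "__main__":
    for name, mode in [("/temp/FI/a.txt", "R"), ("/temp/FI/a.txt", "W"),
                       ("/etc/hosts", "R"), ("/temp/log/x", "D")]:
        print(name, mode, check_access(SAMPLE_SPTH, DISPLAY_USER, name, mode))
```

In this model the user's DUMY authorization never helps, because the flagged "*" entry decides before the group is looked at, and the entry without a group is only as protective as its flags.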
Analysis Authorization for nav Attr Issue
Hello:
I have 0COMP_CODE as an attribute of 0SALESORG and it is marked as authorization relevant, i.e. 0SALESORG_0COMP_CODE is authorization relevant.
I created an analysis authorization Object ZCOMPCODE_1000 by adding following in it.
InfoObject Value
0COMP_CODE = 1000
0SALESORG = *
0SALESORG_0COMP_CODE = 1000
0TCAACTVT = *
0TCAIPROV = *
0TCAKYFNM = *
0TCAVALID = *
Now I have a report on a cube which has 0SALESORG as char and also 0SALESORG as a variable on selection.
When I run a query for sales org = 1000, I can see results, as sales org 1000 is assigned to company code 1000.
If I run the report for sales org 2000, I should get a not-authorized message, as 2000 is not assigned to company code 1000 and I only have a role assigned to me which has analysis authorization object ZCOMPCODE_1000. But still I am getting report results.
Please explain Why and How can I overcome this issue.
Thanks
First of all it is strange that we see two appearances of sales org.
0SALESORG = *
0SALESORG_0COMP_CODE = 1000
Probably the star value overrides the setting in the second one.
Besides, did you create the variable in the query as authorization relevant? Otherwise you will have problems there.
-
How can I set up ssh via kerberos on MacOS 10.5 (Leopard)?
I am the de facto mac sysadmin for a few mac labs on a campus that is primarily Windows-using, and we have the Macs configured to do single sign-on via Kerberos and get their directory info via LDAP and home directories via NFS. This works fine for someone physically sitting at the machine, but I am running into a brick wall when it comes to sshing into these machines. ssh itself definitely works: I can ssh into the machine with a local user and password. And as I said, the kerberized login works fine from console. It's just getting the two to talk to each other.... Furthermore, there is a Linux box that we can successfully log into via kerberos/sso, so it's unlikely to be anything on the client side.
Things I've tried:
* Editing /etc/authorization and changing "authinternal" under system.login.tty to "builtin:krb5authnoverify,privileged" (I think this used to work; the same change to system.login.console is definitely what makes the console logins work)
* Editing /etc/sshd_config and setting "GSSAPIAuthentication yes" (this makes it match the sshd_config on the linux box we can log in to)
* In the same file, turning on "KerberosAuthentication" and friends (just because it looked promising)
Any ideas?
It's not completely obvious. What you have to do in Spaces is to position your cursor to the upper right of the screen, after which a faint + (plus) sign appears in that area. Click that, upon which another Desktop will appear.
The + may be difficult or impossible to see with some desktop backgrounds (black, for instance):