Authorization Profile for attributes into qeries

Similar Messages

• Create Display Authorization Profile for SAP Transaction SPRO (IMG).

  Dear All,
  In my current implementation project there is an requirement to create display authorization profile for SPRO. I have tried a lot but was not able to do so.
  Any one is having an experience in creating display profile for SPRO (IMG) ? If any one has worked on this issue then please guide me.
  Thanks,
  Avinash

  Hi
  This is security related question. I am not security expert.
  But you can check this, Include the following authorization objects in the profile and assign this profile to the target user.
  S_IMG_ACTV
  S_PROJECT
  S_PROJ_AUT
  S_PRO_AUTH
  and assign activity = 03 (Display).
  Hoipe it helps.
  regards
  Srinivas

• Authorization profiles for ISA, WebIC, & PCUI

  Hi All,
  Can anybody recommend a source of information for developing the authorization profiles needed to get the correct user authorization profiles for ISA, WebIC and PCUI ?
  Regards,
  Verdere

  Thanks for replying Mark.
  I know only of transaction SU53 for Authorization Trace.
  But since this error is coming in webshop, i cant use SU53.
  Is there an alternative way to do authorization Trace in Webshop, then please suggest.
  Regards,
  Rahul

• Authorization profile for partner user account

  Can anyone please tell me which authorization profile should be assigned to the user account that a partner of ours will use when they use basic authentication to sign on to our PI box when they consume a web service?
  Regards
  Philip
  Edited by: Philip Koch on Mar 16, 2009 3:38 PM

  Can anyone please tell me which authorization profile should be assigned to the user account that a partner of ours will use when they use basic authentication to sign on to our PI box when they consume a web service?
  Regards
  Philip
  Edited by: Philip Koch on Mar 16, 2009 3:38 PM

• 1405975 - Minimum Authorization Profile for Remote Service Delivery

  In the document described in the header SAP Customers are asked to provide a logon user for SAP Remote Service Delivery.
  Due to security concerns, customers wish to grant restricted authorizations only.
  The minimal autorizations required have been described by SAP in a Z_BASIC_SERVICE_V1.zip file.
  Its there that I noticed the requirement for the SE93 transactioncode.
  With SE93 you can assign transactioncodes to your account and create new ones.
  I realy can't match this requirement with 'restricted autorizations only'.
  Am I missing something?

  Hi,
  If you think SE93 authorization should be restricted, then you can remove this from the role. As far I know, SE93 authorization is not necessary for remote service delivery. It is one of the 'good-to-have' authorization not the compulsory one.
  Regards,
  Vivek

• To read an authorization profile.

  Hi,
  I am trying to provide authorization in a HR report. An administrative person can execute the report. At this momet, a user can see the information of all employees. Instead, the users should be restricted for a group of employees who’s organizational key has been assigned in his authorization profile.  I am trying this with P_ORGIN authorization object.  I can use P_orgin with single static organizational key. But, in this report, I have different sets of organization key for different administrative users. Fot this reason, I will need to read the user’s authorization profile to get the set of organizational key. Can anyone tell me how can I read the authorization profile for a particular user who is using the sytem so that the program can check the set of organizational key.   I am using R/3 version 4.6C.

  Or more generally (for multiple users:
  REPORT ztest NO STANDARD PAGE HEADING LINE-SIZE 255.
  TABLES: usref,
          usr11.
  DATA: BEGIN OF itab OCCURS 0.
          INCLUDE STRUCTURE usref.
  DATA: END OF   itab.
  DATA: BEGIN OF itab1 OCCURS 0.
          INCLUDE STRUCTURE usref.
  DATA: END OF   itab1.
  DATA: BEGIN OF itab2 OCCURS 0,
          user    LIKE usref-user,
          profile LIKE usref-profile,
          ptext   LIKE usr11-ptext,
        END   OF itab2.
  DATA: old_prof  LIKE usref-profile,
        prof_desc LIKE usr11-ptext.
  itab-user = sy-uname.
  APPEND itab.
  itab-user = 'USERNAME'.
  APPEND itab.
  CALL FUNCTION 'SUSR_GET_PROFILES_OF_USER'
       TABLES
            users    = itab
            profiles = itab1.
  SORT itab1 BY profile.
  LOOP AT itab1.
    IF itab1-profile <> old_prof.
      SELECT SINGLE ptext INTO prof_desc
        FROM usr11
        WHERE langu = sy-langu
        AND   profn = itab1-profile
        AND   aktps = 'A'.
      old_prof = itab1-profile.
    ENDIF.
    itab2-user    = itab1-user.
    itab2-profile = itab1-profile.
    itab2-ptext   = prof_desc.
    APPEND itab2.
  ENDLOOP.
  SORT itab2 BY user profile.
  LOOP AT itab2.
    WRITE: /001 itab2-user, itab2-profile, itab2-ptext.
  ENDLOOP.
  Rob

• Training Authorization Profile

  I would like to create Authorization profile for Training Authorization by adding object P, L, D, E. and allow user only to be able to maintain those employees in specific cost center.
  I tried to add object "K" with specific cost center value, but it is not working.
  we can achieved the same by addiing a record for each "P" object with employee number value and it is working fine. But this is not a practical way.
  Please if you have any idea let us know how to d this. 
  M. Khalid

  Hi,
  If you don't have authorization for the transaction 'IL01', enter this transaction and in another window open transaction SU53. This will display the authorization check failed details. From there you can find out the the authorization object checked.
  Regards,
  Soumya.

• Authorization profile that provides "all authorizations" for PP and LO

  Hi:
  I'm looking for several authorization profiles provided by SAP:
  (1) Allow a user with "all authorizations" to work with PP module (Production Planning)
  (2) Allow a user with "all authoirzations" to work with LO module (Logistics)
  For examples, I found that there is the profile M_ALL that allows a user "all authorization" (universal authorization" for MM (Material Management) module.
  If you have some idea about one of these above (1) and/or (2) profile, please help. Any help would be appreciated.
  Thanks a lot,
  Thuan Nguyen

  Thuan,
  You can build it using PFCG fairly quickly. Go to PFCG, you will see a button called "Selection Criteria", all authorization objects are group by module (Object Class). You can include all PP auth objects in one shot. Logistic will separate into few class (General, Controlling, Warehouse Management, etc).
  It will be fairly clear to you once you get there.
  Hope this help.
  Thanks,
  Lye

• Difference between Reauthentication action of Common Task for Authorization Profile

  Hi guys,
  Would you mind helping me to choose reauthentication action for Authorization Profile?
  At Cisco ISE User Guide got "Reauthentication—To choose, select the check box and enter a value in seconds for maintaining connectivity during reauthentication. You can also choose attribute values from the Timer drop-down list. You choose to maintain connectivity during reauthentication by selecting to use either the default (a value of 0) or RADIUS-Request (a value of 1) from the drop-down list. Setting this to the RADIUS-Request value maintains connectivity during the reauthentication process."
  Then, what is "default" behaviour? What is different between default action and Radius-Request action ?
  On the other hands, could someone explain in detail the sequence and priority of IEEE 802.1X, MAC authentication bypass (MAB), and Central Web Authentication (CWA). I read a lot of paper, but still don't get it. It is possible to configure MAB will be fail in Authentication Policy with Wire_MAB ?
  Appreciate all your help!!!

  Hasan Saeed Khan wrote:
  Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.
  I had never heard of this treble control and the added value of splitting rolebuilding and profile generation doesn't make much sense to me but that's my personal opinion.
  On the technical side of things: in your first post you state "No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile."
  It is also possible to change the data and save this but not generate the profile yet. I just tried this by doing the following:
  Create role
  Add transactions to menu
  Edit profile, org levels & authroization data.
  Hit 'save'.
  Accept proposed profile name.
  Go back to PFCG main screen and ignore message of profile not being generated. (Click 'continue')
  And this leaves me with a role with yellow traffic light on the authorization tab an the profile status is: "Current version not generated"
  So it should be possible to maintain roles and profiles separately.

• How to get all authorization objects for a certain authorization profile

  Hi ABAP experts,
  I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
  So:
  - where are these values stored (dictionary table)?
  - is there already a FM or a report to read all authoriation values for a certain authorization profile?
  Thanks in advance.
  Best regards,
  Oliver

  Hi,
  check the following it might useful for you:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
  if helpful reward points are appreciated

• Need to Pass Active Directory Attributes into OBIEE for use in Report Query

  Hi,
  We're using OBIEE 11.1.1.5 and have integrated it with AD security. Users successfully log into OBIEE and BIP (which is integrated with OBIEE) using their network/AD accounts.
  Next step for us is to be able to pass some AD attributes that are on the user accounts into OBIEE and BIP so we can restrict data queries for the person logged in.
  I've searched the web and so far have only come up with specific steps for setting this up in BIP. Since BIP is integrated with OBIEE, we have not set any of the MSAD/LDAP security up there - it is all in OBIEE. I have been unable to find the equivalent for adding the attribute names for data query bind variables.
  With our current setup, we are unable to filter the report data automatically based on who has logged into the application (analytics and BIP). We have security setup within the catalog so only certain AD groups can access objects, but beyond that we need to be able to secure the data using AD attribute information. For example, all of our users should be able to access an Open Purchase Order report, but they should only be able to see their own purchase orders - not everyone in the company.
  Anyway, we're looking to be able to pass AD attributes into OBIEE so that we can use this data in our Analytics and BIP queries.
  How can we get this setup?
  Thank you in advance!
  Suzanne

  A fairly common problem, see:
  http://www.williamrobertson.net/documents/comma-separated.html
  http://www.oracle-base.com/articles/misc/DynamicInLists.php
  http://tkyte.blogspot.com/2006/06/varying-in-lists.html

• Authorization Object for Marketing Attributes

  Hi Experts,
  We are working with CRM 2007 and use in BP Marketing Attributes. Does someone know if there are any authorization objects for Marketing Attributes? We would like to restrict some of users to see some Attribute sets!
  Thank you in advance,
  Roula

  Hi Roula,
  Thank you so much for awarding points.
  Please note that in Transaction PFCG you have to assign the appropriate three digit attribute set key under the authorization group BGKRL to the authorization object C_KLAH_BKL for assigning attribute sets and to the authorization object C_KLAH_BKP for editing attribute sets.
  Please have a look at the Note in the bottom of the page at the following link for further information.
  http://help.sap.com/saphelp_crm60/helpdata/en/46/3517cc86e01421e10000000a1553f6/frameset.htm
  Regards,
  Deepak

• Steps for creating structural authorization profile using trans. OOSP

  Dears,
  Could someone please guide to the steps for creating a structural authorization profile using transaction OOSP, to authorize on the HR Payroll Area.
  Thanks.
  Reda

  Hi,
  There are comprehensive guidelines on help.sap.com for creation of structural authorizations: http://help.sap.com/saphelp_erp2004/helpdata/en/34/49ba3b3bf00152e10000000a114084/content.htm
  However, please bear in mind that you cannot limit access to certain payroll area with structural authorization. For that you should use standard PA authorization object (you can use field organizational key to store Payroll Area VDSK1 in IT0001):
  P_ORGIN  http://help.sap.com/erp2005_ehp_02/helpdata/en/3e/b8b83b5b831f3be10000000a114084/content.htm
  Cheers

• Authorization Profile needed for ISR Adobe Forms

  Hi,
  We have a couple of Custom ISR's and PCR's that are launched in Enterprise Portal.
  Well my Development ID had <b>SAP_ALL</b> and <b>SAP_NEW</b> Profiles attached.
  Now, when we started testing with the sample Test id's which doesnt have SAP_ALL or SAP_NEW profiles, we are getting error in ENTERPRISE PORTAL saying that... 
  "<i>You are not authorized to use the Notification Type 99</i>"
  Can anyone help me out in knowing the exact Authorization Objects for our Adobe Forms to run in EP.
  I cannot attach SAP_ALL and SAP_NEW profiles to all my users.
  Regards,
  <i><b>Raja Sekhar</b></i>

  Hi,
  Im new to the ISR framework implementation.
  We have a problem when we try testing a scenario using the adobe part, we have not done this before and we getting errors.
  We get the following errors:
  1. When using Administrator and Adsuser:
  com.sap.tc.webdynpro.services.exceptions.WDRuntimeException: ComponentUsage(FPMConfigurationUsage): Active component must exist when getting interface controller. (Hint: Have you forgotten to create it with createComponent()? Should the lifecycle control of the component usage be "createOnDemand"?
  2. When i use my profile username:
  com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"https://10.142.252.157:50001/AdobeDocumentServicesSec/Config?style=document:50000/AdobeDocumentServices/Config?style=document"
  Can anyone advise me on what i should configure so that this can work properly...
  Is it an issue with the authorisation, because the ADS tests are all working.
  Thanks
  Joseph Tshwene

• Set Up Authorization Check for G/L Accounts  into PO creation

  Dear friends !
  How could I activate check to the access to certain accounts into PO creation ?
  I know that is possible to activate this into Purchasing customizing under path
  SPRO > Materials management > Purchasing > Purchase order > Set Up Authorization Check for G/L Accounts
  But could I use it to give access only to certain GL Accounts by user ? Is this the purpose of this customizing ?
  If yes what´s the object should I use to link with user account !?
  best regards,
  Ale

  Hi ,
  After you setup the configuration in transaction OMRP, please setup up
  the authorisation group in the account code (FS02, the field is on the
  "Control", technical name is BEGRU).
  When a account assigned purchase order is created, the system checks for
  object F_BKPF_BES with values from the BEGRU and activity 01.