Authorization profiles for ISA, WebIC, & PCUI

Hi All,
Can anybody recommend a source of information for developing the authorization profiles needed to get the correct user authorization profiles for ISA, WebIC and PCUI?
Regards,
Verdere

Thanks for replying Mark.
I know only of transaction SU53 for Authorization Trace.
But since this error is coming in the webshop, I can't use SU53.
If there is an alternative way to do an authorization trace in the webshop, please suggest it.
Regards,
Rahul

Similar Messages

  • Create Display Authorization Profile for SAP Transaction SPRO (IMG).

    Dear All,
    In my current implementation project there is a requirement to create a display authorization profile for SPRO. I have tried a lot but was not able to do so.
    Does anyone have experience in creating a display profile for SPRO (IMG)? If anyone has worked on this issue, please guide me.
    Thanks,
    Avinash

    Hi
    This is a security-related question. I am not a security expert.
    But you can check this: include the following authorization objects in the profile and assign this profile to the target user.
    S_IMG_ACTV
    S_PROJECT
    S_PROJ_AUT
    S_PRO_AUTH
    and assign activity = 03 (Display).
    Hope it helps.
    regards
    Srinivas

  • Authorization Profile for attributes into queries

    Hi all,
    I've a big problem in a Bex environment.
    Some user IDs cannot see the kf-type attributes of 0material; they can see only characteristic-type attributes. In general this happens for all characteristics with kf-type attributes.
    With my user ID (sap_all), however, the query is OK.
    I believe the problem depends on the authorization profile.
    Every user has a lot of profiles.
    How can I detect the restrictions of these users?
    Do you know the specific profile that limits the display of the attributes?
    Is there a t-code to identify the auth. profile used by a query?
    Thanks in advance.
    Cla

    Hi Claudia,
    It seems that key figure authorization has been set up in your system. You need to assign the role that would give the users access to these key figures. You can run the report with any other user's authorizations through transaction RSSMQ.
    Hope this helps...

  • Authorization profile for partner user account

    Can anyone please tell me which authorization profile should be assigned to the user account that a partner of ours will use when they use basic authentication to sign on to our PI box when they consume a web service?
    Regards
    Philip
    Edited by: Philip Koch on Mar 16, 2009 3:38 PM


  • 1405975 - Minimum Authorization Profile for Remote Service Delivery

    In the document described in the header SAP Customers are asked to provide a logon user for SAP Remote Service Delivery.
    Due to security concerns, customers wish to grant restricted authorizations only.
    The minimal authorizations required have been described by SAP in a Z_BASIC_SERVICE_V1.zip file.
    It's there that I noticed the requirement for the SE93 transaction code.
    With SE93 you can assign transaction codes to your account and create new ones.
    I really can't match this requirement with 'restricted authorizations only'.
    Am I missing something?

    Hi,
    If you think SE93 authorization should be restricted, then you can remove this from the role. As far as I know, SE93 authorization is not necessary for remote service delivery. It is one of the 'good-to-have' authorizations, not a compulsory one.
    Regards,
    Vivek

  • To read an authorization profile.

    Hi,
    I am trying to provide authorization in an HR report. An administrative person can execute the report. At this moment, a user can see the information of all employees. Instead, the users should be restricted to a group of employees whose organizational key has been assigned in their authorization profile. I am trying this with the P_ORGIN authorization object. I can use P_ORGIN with a single static organizational key. But in this report, I have different sets of organizational keys for different administrative users. For this reason, I will need to read the user's authorization profile to get the set of organizational keys. Can anyone tell me how I can read the authorization profile for the particular user who is using the system, so that the program can check the set of organizational keys? I am using R/3 version 4.6C.

    Or more generally (for multiple users):
    REPORT ztest NO STANDARD PAGE HEADING LINE-SIZE 255.
    TABLES: usref,
            usr11.
    " itab: users to look up; itab1: profiles returned for those users
    DATA: BEGIN OF itab OCCURS 0.
            INCLUDE STRUCTURE usref.
    DATA: END OF   itab.
    DATA: BEGIN OF itab1 OCCURS 0.
            INCLUDE STRUCTURE usref.
    DATA: END OF   itab1.
    " itab2: output list of user, profile and profile description
    DATA: BEGIN OF itab2 OCCURS 0,
            user    LIKE usref-user,
            profile LIKE usref-profile,
            ptext   LIKE usr11-ptext,
          END   OF itab2.
    DATA: old_prof  LIKE usref-profile,
          prof_desc LIKE usr11-ptext.
    " Users to evaluate: the current user plus one named user
    itab-user = sy-uname.
    APPEND itab.
    itab-user = 'USERNAME'.
    APPEND itab.
    CALL FUNCTION 'SUSR_GET_PROFILES_OF_USER'
         TABLES
              users    = itab
              profiles = itab1.
    SORT itab1 BY profile.
    LOOP AT itab1.
      " Read the description once per profile (itab1 is sorted by profile)
      IF itab1-profile <> old_prof.
        " Reset first so a failed SELECT does not keep the previous profile's text
        CLEAR prof_desc.
        SELECT SINGLE ptext INTO prof_desc
          FROM usr11
          WHERE langu = sy-langu
          AND   profn = itab1-profile
          AND   aktps = 'A'.
        old_prof = itab1-profile.
      ENDIF.
      itab2-user    = itab1-user.
      itab2-profile = itab1-profile.
      itab2-ptext   = prof_desc.
      APPEND itab2.
    ENDLOOP.
    " Print one line per user/profile pair
    SORT itab2 BY user profile.
    LOOP AT itab2.
      WRITE: /001 itab2-user, itab2-profile, itab2-ptext.
    ENDLOOP.
    Rob

  • Training Authorization Profile

    I would like to create an authorization profile for Training Authorization by adding objects P, L, D, E, and allow the user to maintain only those employees in a specific cost center.
    I tried to add object "K" with a specific cost center value, but it is not working.
    We can achieve the same by adding a record for each "P" object with the employee number value, and it is working fine. But this is not a practical way.
    If you have any idea, please let us know how to do this.
    M. Khalid

    Hi,
    If you don't have authorization for the transaction 'IL01', enter this transaction and in another window open transaction SU53. This will display the details of the failed authorization check. From there you can find out the authorization object checked.
    Regards,
    Soumya.

  • How to get all authorization objects for a certain authorization profile

    Hi ABAP experts,
    I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
    So:
    - where are these values stored (dictionary table)?
    - is there already a FM or a report to read all authorization values for a certain authorization profile?
    Thanks in advance.
    Best regards,
    Oliver

    Hi,
    Check the following; it might be useful for you:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
    If helpful, reward points are appreciated.

  • Steps for creating structural authorization profile using trans. OOSP

    Dears,
    Could someone please guide me through the steps for creating a structural authorization profile using transaction OOSP, to authorize on the HR Payroll Area?
    Thanks.
    Reda

    Hi,
    There are comprehensive guidelines on help.sap.com for creation of structural authorizations: http://help.sap.com/saphelp_erp2004/helpdata/en/34/49ba3b3bf00152e10000000a114084/content.htm
    However, please bear in mind that you cannot limit access to certain payroll area with structural authorization. For that you should use standard PA authorization object (you can use field organizational key to store Payroll Area VDSK1 in IT0001):
    P_ORGIN  http://help.sap.com/erp2005_ehp_02/helpdata/en/3e/b8b83b5b831f3be10000000a114084/content.htm
    Cheers

  • Authorization Profile needed for ISR Adobe Forms

    Hi,
    We have a couple of Custom ISR's and PCR's that are launched in Enterprise Portal.
    Well, my Development ID had the SAP_ALL and SAP_NEW profiles attached.
    Now, when we started testing with the sample test IDs, which don't have the SAP_ALL or SAP_NEW profiles, we are getting an error in Enterprise Portal saying:
    "You are not authorized to use the Notification Type 99"
    Can anyone help me find out the exact authorization objects needed for our Adobe Forms to run in EP?
    I cannot attach the SAP_ALL and SAP_NEW profiles to all my users.
    Regards,
    Raja Sekhar

    Hi,
    I'm new to the ISR framework implementation.
    We have a problem when we try testing a scenario using the Adobe part; we have not done this before and we are getting errors.
    We get the following errors:
    1. When using Administrator and Adsuser:
    com.sap.tc.webdynpro.services.exceptions.WDRuntimeException: ComponentUsage(FPMConfigurationUsage): Active component must exist when getting interface controller. (Hint: Have you forgotten to create it with createComponent()? Should the lifecycle control of the component usage be "createOnDemand"?
    2. When I use my profile username:
    com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"https://10.142.252.157:50001/AdobeDocumentServicesSec/Config?style=document:50000/AdobeDocumentServices/Config?style=document"
    Can anyone advise me on what I should configure so that this can work properly?
    Is it an issue with the authorisation? The ADS tests are all working.
    Thanks
    Joseph Tshwene

  • Authorization profile that provides "all authorizations" for PP and LO

    Hi:
    I'm looking for several authorization profiles provided by SAP:
    (1) Allow a user with "all authorizations" to work with the PP module (Production Planning)
    (2) Allow a user with "all authorizations" to work with the LO module (Logistics)
    For example, I found that there is the profile M_ALL that allows a user "all authorization" ("universal authorization") for the MM (Material Management) module.
    If you have some idea about one of the above profiles (1) and/or (2), please help. Any help would be appreciated.
    Thanks a lot,
    Thuan Nguyen

    Thuan,
    You can build it using PFCG fairly quickly. Go to PFCG, where you will see a button called "Selection Criteria"; all authorization objects are grouped by module (Object Class). You can include all PP auth objects in one shot. Logistics is separated into a few classes (General, Controlling, Warehouse Management, etc).
    It will be fairly clear to you once you get there.
    Hope this helps.
    Thanks,
    Lye

  • Authorization key for the user profile

    In SAP, there is a provision where we can create an authorization key and assign this key to the various user statuses in the user status profile.
    The application is that when the user status is changed from one to another, and an authorisation key is assigned to that user status, only the authorised person should be able to change the status.
    But my query is that I have not come across any customization where an SAP user can be assigned to the auth. key so that only he can change the user status.
    Can anybody let me know whether what I understood is correct? And if yes, let me know where to assign the user to the authorisation key.
    Thanks

    Hi Iyer ,
    Please see the below, if it solves your requirement.
    M/CS Authorisation Objects
    SAP Standard Authorisation Objects:
    I_ALM_ME: Mobile Asset Management  (ACTVT)
    I_AUART: Order Type  (IWERK, AUFART)
    I_BEGRP: Authorization Group  (TCD, BEGRP)
    I_BETRVORG: Business Operation  (BETRVORG)
    I_CCM_ACT: Configuration Control authorization object  (CCACT, ACTVT)
    I_CCM_STRC: Structure gap maintenance authority  (ACTVT)
    I_ILOA: Change location and accounting data in order  (IWERK, AUFART)
    I_INGRP: Maintenance Planner Group  (TCD, IWERK, INGRP)
    I_IWERK: Maintenance Planning Plant  (TCD, IWERK)
    I_KOSTL: Cost Centres  (TCD, KOKRS, KOSTL)
    I_QMEL: Notification Types  (TCD, QMART)
    I_ROUT: Task List  (ACTVT)
    I_ROUT1: Task Lists by PM Planning Plant, Work Sched., Status  (TCD, IWERK, VAGRP, STATU)
    I_SOGEN: Permit  (SWERK, PMSOG)
    I_SWERK: Maintenance Plant  (TCD, SWERK)
    I_TCODE: Transaction Code  (TCD)
    I_VORG_MEL: Business Operation for Notifications  (QMART, BETRVORG)
    I_VORG_MP: Business Operation for Maintenance Planning  (MPTYP, BETRVORG)
    I_VORG_ORD: Business Operation for Orders  (AUFART, BETRVORG)
    I_WPS_MEB: Maintenance Event Builder  (DIWPSMEBAR)
    I_WPS_REV: Revision authorization object  (REVTY, ARBPL, WERKS, WPS_REV_AC)
    S_NUMBER: Number Range Maintenance  (NROBJ, ACTVT)
    C_TCLA_BKA: Authorization for Class Types  (KLART)
    Authorisation Tables:
    TOBJ: Authorisation objects
    TOBJT: Authorisation object texts
    AGR_1250: Authorisation object assigned to role
    AGR_USERS: Users assigned to a role
    AGR_TCODES: Assignment of roles to Tcodes
    Authorisation Objects for System-Statuses:
    Order: I_VORG_ORD  (AUFART, BETRVORG)
    (REL = BFRE, TECO = BTAB, delete component = RMKL)
    Notification: I_VORG_MEL  (QMART, BETRVORG (NOPR = PMM2, NOCO = PMM4))
    Maint. plan: I_VORG_MP  (MPTYP, BETRVORG)
    User-Exits:
    CPAU0001: Enhancement for Authorization Check in Task Lists
    IMRC0005: Measure point: Exit in AUTHORITY_CHECK_IMPT
    IWOC0003: PM/SM authorization check of ref. object and planner group
    QQMA0026: PM/SM: Auth. check when accessing notification transaction
    QQMA0030: Check validity of status change
    BADIs:
    DIP_SET_USERSETTINGS: Initial Object Check in DP Processor
    INST_AUTHORITY_CHECK: PM/CS Enhanced Authorization Checks
    IWO1_ORDER_BADI: Maintenance, Service, and Refurbishment Order
    NOTIF_AUTHORITY_01: Additional Authorization Checks for the Notification
    WORKORDER_GOODSMVT: PM/PP/PS/PI orders: auto. goods movement
    Authorisation Groups:
    These can be created via TCode SM30 and table T370B. They can then be assigned to the following objects:
    a.     Equipment (IE02)
    b.     Functional Locations (IL02)
    c.     Maintenance plans (IP02)
    d.     Entry List for Measurement Documents (IK32)
    e.     Object links (IN05, IN08)
    f.     User-statuses
    Authorisation Debugging:
    TCode SU53: Evaluate Authorization Check

  • Difference between Reauthentication action of Common Task for Authorization Profile

    Hi guys,
    Would you mind helping me to choose reauthentication action for Authorization Profile?
    At Cisco ISE User Guide got "Reauthentication—To choose, select the check box and enter a value in seconds for maintaining connectivity during reauthentication. You can also choose attribute values from the Timer drop-down list. You choose to maintain connectivity during reauthentication by selecting to use either the default (a value of 0) or RADIUS-Request (a value of 1) from the drop-down list. Setting this to the RADIUS-Request value maintains connectivity during the reauthentication process."
    Then, what is the "default" behaviour? What is the difference between the default action and the RADIUS-Request action?
    On the other hand, could someone explain in detail the sequence and priority of IEEE 802.1X, MAC authentication bypass (MAB), and Central Web Authentication (CWA)? I read a lot of papers, but still don't get it. Is it possible to configure MAB to fail in the Authentication Policy with Wire_MAB?
    Appreciate all your help!!!

    Hasan Saeed Khan wrote:
    Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.
    I had never heard of this treble control and the added value of splitting rolebuilding and profile generation doesn't make much sense to me but that's my personal opinion.
    On the technical side of things: in your first post you state "No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile."
    It is also possible to change the data and save this but not generate the profile yet. I just tried this by doing the following:
    Create role
    Add transactions to menu
    Edit profile, org levels & authorization data.
    Hit 'save'.
    Accept proposed profile name.
    Go back to PFCG main screen and ignore message of profile not being generated. (Click 'continue')
    And this leaves me with a role with a yellow traffic light on the authorization tab, and the profile status is: "Current version not generated"
    So it should be possible to maintain roles and profiles separately.

  • ASA and ACS 5 multiple VPN profiles for one user

    Hi there
    I have a question about ACS 5.3 and ASA VPN profile authorization. I am not sure if it is possible to allow one single user for a set of VPN profiles on ASA, let's make an example:
    ACS 5.3 group hierarchy:
    - VPN users global
    -- VPN users A
    -- VPN users B
    ASA VPN profiles:
    - VPN profile A
    - VPN profile B
    - VPN profile Z
    VPN authorizations:
    1. VPN users global should have access to VPN profiles A, B and Z (here we create an authorization profile with no class and no lock attributes, so the group is allowed for all VPN profiles)
    2. VPN users A should have access to VPN profile A (here we create an authorization profile with class and lock attributes for profile A)
    3. VPN users B should have access to VPN profiles B and Z (is this possible, and what does the authorization profile have to look like?)
    Thanks a lot in advance and best regards
    Dominic

    Hi Dominic,
    first of all, let's clarify that on the ASA you have tunnel-groups (named connection profiles in ASDM) and group-policies. These often, but not always, have a one-to-one mapping.
    The Tunnel-Group (TG) is either selected by the user (either from a drop-down list or by entering a specific group-url), or automatically selected by a certificate map (i.e. based on a certain field in the user cert, the user is mapped to one TG or another). The TG mainly specifies what kind of authentication is used.
    The Group-Policy (GP) by default is the one specified in the TG, but it can be overridden by e.g. Radius.
    So from the ASA's standpoint itself your possibilities are rather limited: the ASA will just apply whatever group-policy you push from Radius (in IETF attribute 25 aka "Class"), and in addition it will deny access to a user if the TG he selected does not match the value of the group-lock attribute. Group-lock can only contain one TG name, so you cannot do something like "allow both B and Z".
    In other words, you cannot achieve your goal if the Radius server has a "static" set of attributes per user.
    However, as of ASA 8.4.3 the ASA now sends 2 vendor-specific attributes in the Access-Request:
    vendor ID = 3076, attribute 146 is "Tunnel Group Name" (string).
    vendor ID = 3076, attribute 150 is "Client Type" (integer)
    0 = No Client specified
    1 = Cisco VPN Client (IKEv1)
    2 = AnyConnect Client SSL VPN
    3 = Clientless SSL VPN
    4 = Cut-Through-Proxy
    5 = L2TP/IPsec SSL VPN
    6 = AnyConnect Client IPsec VPN (IKEv2)
    So if you can configure the Radius server to "dynamically" permit/deny access based on the TG attribute I suppose you could achieve what you want.
    If/how ACS can do this, I personally don't know; I suggest you ask in the AAA forum if you need help with that part.
    hth
    Herbert
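
    The dynamic permit/deny decision described in the answer above, as an added Python example that is not part of the original thread and is not ACS or ASA code. It assumes the vendor 3076 attributes arrive in the standard RFC 2865 Vendor-Specific layout; the policy table, function names and sample request bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type for VSAs (RFC 2865)
ASA_VENDOR_ID = 3076      # vendor ID quoted in the answer
TUNNEL_GROUP_NAME = 146   # string, sent by ASA 8.4.3 and later
CLIENT_TYPE = 150         # integer

# Assumed policy table: group and tunnel-group names follow the question.
ALLOWED_TUNNEL_GROUPS = {
    "VPN users global": {"A", "B", "Z"},
    "VPN users A": {"A"},
    "VPN users B": {"B", "Z"},
}


def parse_asa_vsas(attrs: bytes) -> dict:
    """Return {vendor_type: raw value} for vendor 3076 sub-attributes."""
    found, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != ASA_VENDOR_ID:
            continue
        sub, i = value[4:], 0
        while i < len(sub):
            if i + 2 > len(sub) or sub[i + 1] < 2 or i + sub[i + 1] > len(sub):
                raise ValueError("bad vendor sub-attribute")
            found[sub[i]] = sub[i + 2:i + sub[i + 1]]
            i += sub[i + 1]
    return found


def authorize(user_group: str, attrs: bytes) -> str:
    """Accept only if the selected tunnel group is allowed for the group.

    Fails closed: a malformed request, or one without attribute 146
    (for example from an ASA older than 8.4.3), is rejected.
    """
    try:
        tunnel_group = parse_asa_vsas(attrs)[TUNNEL_GROUP_NAME].decode("utf-8")
    except (ValueError, KeyError):
        return "Access-Reject"
    allowed = ALLOWED_TUNNEL_GROUPS.get(user_group, set())
    return "Access-Accept" if tunnel_group in allowed else "Access-Reject"


def build_vsa(vendor_type: int, value: bytes) -> bytes:
    """Build one vendor 3076 VSA (used only for the constructed sample)."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", ASA_VENDOR_ID) + sub


# Constructed sample: User-Name "userb", tunnel group "Z", AnyConnect SSL (2).
USER_NAME = bytes([1, 7]) + b"userb"
SAMPLE_Z = USER_NAME + build_vsa(TUNNEL_GROUP_NAME, b"Z") \
    + build_vsa(CLIENT_TYPE, struct.pack("!I", 2))

if __name__ == "__main__":
    for group in ALLOWED_TUNNEL_GROUPS:
        print(group, "->", authorize(group, SAMPLE_Z))
```

    Because the decision is made per request from the tunnel group the user actually selected, "VPN users B" can be allowed for both B and Z without a group-lock value.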

  • HR Authorization issue for specfic User

    Dear all,
    One of the HR users can run payroll on a particular site.
    I have assigned the Org key of the site to master data on the particular role.
    The user tried to run payroll using PA30 with a personnel no. (one of the store users),
    but the system does not take any value and does not show any error either.
    For example, please check the details below: I tried with my user ID and the system showed the details below for the user (the details below are for one of the store users).
    Personnel no.   2941
    Name         A  Mohammed Younus
    Personnel ar ZOSO                            EE group   A
    Subarea      STCH                            EE subgrp  3E
    Kindly suggest how to resolve the issue.
    Note: 1. I have deleted the user and recreated the role.
    2. I have copied another user's role (he can run payroll) to the affected user; even so, he is not able to run payroll.
    Edited by: satheesh0812 on Dec 17, 2010 9:29 AM

    Dear all,
    I don't think there is any issue with the role; the only issue is with Structure Auth.
    Because, please check the Authorization Object below.
    Changed    HR: Master Data
      Authorization level            E, M, R, W
      Infotype                       *
      Personnel Area                 *
      Employee Group                 *
      Employee Subgroup              *
      Subtype                        *
      Organizational Key             20000156, 20000157, 20000201
    In OOSP for particular Org key .
    Auth profile              Auth.Profile name
    CTHR_CHENNAI     CTHR_Chen
    Auth profile             No  Plan Vers Obj Type   Object I         Maint Eval.path Status vec
    CTHR_CHENNAI     1     01               O                   20000156              O-S-P     12
    CTHR_CHENNAI     2     01               O                  20000157             O-S-P     12
    CTHR_CHENNAI     3     01               O                  20000201            O-S-P     12
    In OOSB details
    In OOSB I have assigned the authorization profile to UserXXX; the user can see all employee details in PA30 except one employee's details, can
    User name Autho.profile                           Start date        End date            Exclusion Display Objects
    XXXX          CTHR_CHENNAI                     01.01.2005     31.12.9999
    If I give Autho.profile --> all instead of CTHR_CHENNAI,
    the HR executive is able to see all employee details in PA30.
    Let me know where exactly the issue is.
    Kindly suggest...
