Authorization profiles for ISA, WebIC, & PCUI
Hi All,
Can anybody recommend a source of information for developing the authorization profiles needed to get the correct user authorization profiles for ISA, WebIC and PCUI?
Regards,
Verdere
Thanks for replying Mark.
I know only of transaction SU53 for Authorization Trace.
But since this error is coming in the webshop, I can't use SU53.
Is there an alternative way to do an authorization trace in the webshop? If so, please suggest.
Regards,
Rahul
Similar Messages
-
Create Display Authorization Profile for SAP Transaction SPRO (IMG).
Dear All,
In my current implementation project there is a requirement to create a display authorization profile for SPRO. I have tried a lot but was not able to do so.
Does anyone have experience in creating a display profile for SPRO (IMG)? If anyone has worked on this issue then please guide me.
Thanks,
Avinash
Hi
This is security related question. I am not security expert.
But you can check this, Include the following authorization objects in the profile and assign this profile to the target user.
S_IMG_ACTV
S_PROJECT
S_PROJ_AUT
S_PRO_AUTH
and assign activity = 03 (Display).
Hope it helps.
regards
Srinivas -
Authorization Profile for attributes in queries
Hi all,
I've a big problem in a Bex environment.
Some users-id cannot see the kf-type attributes of 0material, but they can see only characteristic-type attributes. In general this happens for all characteristics with kf-type attributes.
Instead with my user-id (sap_all) the query is ok.
I believe the problem depends of the authorization profile.
Every user has a lot of profiles.
How can I detect the restrictions of these users?
Do you know the specific profile that limits the display of the attributes?
Does a t-code exist to identify the auth. profile used by a query?
Thanks in advance.
Cla
Hi Claudia,
It seems that key figure authorization has been set up in your system. You need to assign the role that would give the users access to these key figures. You can run the report with any other user's auth, through transaction RSSMQ.
Hope this helps... -
Authorization profile for partner user account
Can anyone please tell me which authorization profile should be assigned to the user account that a partner of ours will use when they use basic authentication to sign on to our PI box when they consume a web service?
Regards
Philip
Edited by: Philip Koch on Mar 16, 2009 3:38 PM -
1405975 - Minimum Authorization Profile for Remote Service Delivery
In the document described in the header SAP Customers are asked to provide a logon user for SAP Remote Service Delivery.
Due to security concerns, customers wish to grant restricted authorizations only.
The minimal authorizations required have been described by SAP in a Z_BASIC_SERVICE_V1.zip file.
It's there that I noticed the requirement for the SE93 transaction code.
With SE93 you can assign transaction codes to your account and create new ones.
I really can't match this requirement with 'restricted authorizations only'.
Am I missing something?
Hi,
If you think SE93 authorization should be restricted, then you can remove this from the role. As far as I know, SE93 authorization is not necessary for remote service delivery. It is one of the 'good-to-have' authorizations, not a compulsory one.
Regards,
Vivek -
To read an authorization profile.
Hi,
I am trying to provide authorization in a HR report. An administrative person can execute the report. At this moment, a user can see the information of all employees. Instead, the users should be restricted to a group of employees whose organizational key has been assigned in his authorization profile. I am trying this with the P_ORGIN authorization object. I can use P_ORGIN with a single static organizational key. But, in this report, I have different sets of organizational keys for different administrative users. For this reason, I will need to read the user's authorization profile to get the set of organizational keys. Can anyone tell me how I can read the authorization profile for a particular user who is using the system so that the program can check the set of organizational keys? I am using R/3 version 4.6C.
Or more generally (for multiple users):
REPORT ztest NO STANDARD PAGE HEADING LINE-SIZE 255.

TABLES: usref,
        usr11.

* Users to look up (input to the function module)
DATA: BEGIN OF itab OCCURS 0.
        INCLUDE STRUCTURE usref.
DATA: END OF itab.

* User/profile pairs returned by the function module
DATA: BEGIN OF itab1 OCCURS 0.
        INCLUDE STRUCTURE usref.
DATA: END OF itab1.

* Output list: user, profile and profile description
DATA: BEGIN OF itab2 OCCURS 0,
        user    LIKE usref-user,
        profile LIKE usref-profile,
        ptext   LIKE usr11-ptext,
      END OF itab2.

DATA: old_prof  LIKE usref-profile,
      prof_desc LIKE usr11-ptext.

* Current user plus one further user (replace 'USERNAME' as needed)
itab-user = sy-uname.
APPEND itab.
itab-user = 'USERNAME'.
APPEND itab.

CALL FUNCTION 'SUSR_GET_PROFILES_OF_USER'
  TABLES
    users    = itab
    profiles = itab1.

SORT itab1 BY profile.

LOOP AT itab1.
* Read the description once per profile; the table is sorted by profile
  IF itab1-profile <> old_prof.
*   Do not carry over the previous description if no text is found
    CLEAR prof_desc.
    SELECT SINGLE ptext INTO prof_desc
      FROM usr11
      WHERE langu = sy-langu
        AND profn = itab1-profile
        AND aktps = 'A'.
    old_prof = itab1-profile.
  ENDIF.
  itab2-user    = itab1-user.
  itab2-profile = itab1-profile.
  itab2-ptext   = prof_desc.
  APPEND itab2.
ENDLOOP.

SORT itab2 BY user profile.

LOOP AT itab2.
  WRITE: /001 itab2-user, itab2-profile, itab2-ptext.
ENDLOOP.
Rob -
Training Authorization Profile
I would like to create an authorization profile for Training Authorization by adding objects P, L, D, E, and allow the user only to be able to maintain those employees in a specific cost center.
I tried to add object "K" with a specific cost center value, but it is not working.
We can achieve the same by adding a record for each "P" object with the employee number value, and it is working fine. But this is not a practical way.
Please, if you have any idea, let us know how to do this.
M. Khalid
Hi,
If you don't have authorization for the transaction 'IL01', enter this transaction and in another window open transaction SU53. This will display the details of the failed authorization check. From there you can find out the authorization object checked.
Regards,
Soumya. -
How to get all authorization objects for a certain authorization profile
Hi ABAP experts,
I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
So:
- where are these values stored (dictionary table)?
- is there already a FM or a report to read all authorization values for a certain authorization profile?
Thanks in advance.
Best regards,
Oliver
Hi,
check the following it might useful for you:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
if helpful reward points are appreciated -
Steps for creating structural authorization profile using trans. OOSP
Dears,
Could someone please guide to the steps for creating a structural authorization profile using transaction OOSP, to authorize on the HR Payroll Area.
Thanks.
Reda
Hi,
There are comprehensive guidelines on help.sap.com for creation of structural authorizations: http://help.sap.com/saphelp_erp2004/helpdata/en/34/49ba3b3bf00152e10000000a114084/content.htm
However, please bear in mind that you cannot limit access to certain payroll area with structural authorization. For that you should use standard PA authorization object (you can use field organizational key to store Payroll Area VDSK1 in IT0001):
P_ORGIN http://help.sap.com/erp2005_ehp_02/helpdata/en/3e/b8b83b5b831f3be10000000a114084/content.htm
Cheers -
Authorization Profile needed for ISR Adobe Forms
Hi,
We have a couple of Custom ISR's and PCR's that are launched in Enterprise Portal.
Well, my Development ID had the SAP_ALL and SAP_NEW profiles attached.
Now, when we started testing with the sample test IDs, which don't have the SAP_ALL or SAP_NEW profiles, we are getting an error in Enterprise Portal saying that...
"You are not authorized to use the Notification Type 99"
Can anyone help me out in knowing the exact Authorization Objects for our Adobe Forms to run in EP.
I cannot attach SAP_ALL and SAP_NEW profiles to all my users.
Regards,
Raja Sekhar
Hi,
I'm new to the ISR framework implementation.
We have a problem when we try testing a scenario using the Adobe part; we have not done this before and we are getting errors.
We get the following errors:
1. When using Administrator and Adsuser:
com.sap.tc.webdynpro.services.exceptions.WDRuntimeException: ComponentUsage(FPMConfigurationUsage): Active component must exist when getting interface controller. (Hint: Have you forgotten to create it with createComponent()? Should the lifecycle control of the component usage be "createOnDemand"?
2. When I use my profile username:
com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"https://10.142.252.157:50001/AdobeDocumentServicesSec/Config?style=document:50000/AdobeDocumentServices/Config?style=document"
Can anyone advise me on what I should configure so that this can work properly...
Is it an issue with the authorisation, because the ADS tests are all working.
Thanks
Joseph Tshwene -
Authorization profile that provides "all authorizations" for PP and LO
Hi:
I'm looking for several authorization profiles provided by SAP:
(1) Allow a user with "all authorizations" to work with PP module (Production Planning)
(2) Allow a user with "all authorizations" to work with LO module (Logistics)
For example, I found that there is the profile M_ALL that allows a user "all authorization" ("universal authorization") for the MM (Material Management) module.
If you have some idea about one of these above (1) and/or (2) profile, please help. Any help would be appreciated.
Thanks a lot,
Thuan Nguyen
Thuan,
You can build it using PFCG fairly quickly. Go to PFCG, you will see a button called "Selection Criteria"; all authorization objects are grouped by module (Object Class). You can include all PP auth objects in one shot. Logistics is separated into a few classes (General, Controlling, Warehouse Management, etc).
It will be fairly clear to you once you get there.
Hope this helps.
Thanks,
Lye -
Authorization key for the user profile
In SAP, there is a provision where we can create the authorization key and assign this key to the various user statuses in the user status profile.
The application is that when the user status is changed from one to other and if to the user status, the authorisation key is assigned then the authorised person should be only able to change the status.
But my query is that I have not come across any customization where a SAP user can be assigned to the auth. key so that only he can change the user status.
Can anybody let me know whether what I understood is correct? And if yes, let me know where to assign the user to the authorisation key?
Thanks
Hi Iyer,
Please see the below, if it solves your requirement
M/CS Authorisation Objects
SAP Standard Authorisation Objects:
I_ALM_ME: Mobile Asset Management (ACTVT)
I_AUART: Order Type (IWERK, AUFART)
I_BEGRP: Authorization Group (TCD, BEGRP)
I_BETRVORG: Business Operation (BETRVORG)
I_CCM_ACT: Configuration Control authorization object (CCACT, ACTVT)
I_CCM_STRC: Structure gap maintenance authority (ACTVT)
I_ILOA: Change location and accounting data in order (IWERK, AUFART)
I_INGRP: Maintenance Planner Group (TCD, IWERK, INGRP)
I_IWERK: Maintenance Planning Plant (TCD, IWERK)
I_KOSTL: Cost Centres (TCD, KOKRS, KOSTL)
I_QMEL: Notification Types (TCD, QMART)
I_ROUT: Task List (ACTVT)
I_ROUT1: Task Lists by PM Planning Plant, Work Sched., Status (TCD, IWERK, VAGRP, STATU)
I_SOGEN: Permit (SWERK, PMSOG)
I_SWERK: Maintenance Plant (TCD, SWERK)
I_TCODE: Transaction Code (TCD)
I_VORG_MEL: Business Operation for Notifications (QMART, BETRVORG)
I_VORG_MP: Business Operation for Maintenance Planning (MPTYP, BETRVORG)
I_VORG_ORD: Business Operation for Orders (AUFART, BETRVORG)
I_WPS_MEB: Maintenance Event Builder (DIWPSMEBAR)
I_WPS_REV: Revision authorization object (REVTY, ARBPL, WERKS, WPS_REV_AC)
S_NUMBER: Number Range Maintenance (NROBJ, ACTVT)
C_TCLA_BKA: Authorization for Class Types (KLART)
Authorisation Tables:
TOBJ: Authorisation objects
TOBJT: Authorisation object texts
AGR_1250: Authorisation object assigned to role
AGR_USERS: Users assigned to a role
AGR_TCODES: Assignment of roles to Tcodes
Authorisation Objects for System-Statuses:
Order: I_VORG_ORD (AUFART, BETRVORG)
(REL = BFRE, TECO = BTAB, delete component = RMKL)
Notification: I_VORG_MEL (QMART, BETRVORG (NOPR = PMM2, NOCO = PMM4))
Maint. plan: I_VORG_MP (MPTYP, BETRVORG)
User-Exits:
CPAU0001: Enhancement for Authorization Check in Task Lists
IMRC0005: Measure point: Exit in AUTHORITY_CHECK_IMPT
IWOC0003: PM/SM authorization check of ref. object and planner group
QQMA0026: PM/SM: Auth. check when accessing notification transaction
QQMA0030: Check validity of status change
BADIs:
DIP_SET_USERSETTINGS: Initial Object Check in DP Processor
INST_AUTHORITY_CHECK: PM/CS Enhanced Authorization Checks
IWO1_ORDER_BADI: Maintenance, Service, and Refurbishment Order
NOTIF_AUTHORITY_01: Additional Authorization Checks for the Notification
WORKORDER_GOODSMVT: PM/PP/PS/PI orders: auto. goods movement
Authorisation Groups:
These can be created via TCode SM30 and table T370B. They can then be assigned to the following objects:
a. Equipment (IE02)
b. Functional Locations (IL02)
c. Maintenance plans (IP02)
d. Entry List for Measurement Documents (IK32)
e. Object links (IN05, IN08)
f. User-statuses
Authorisation Debugging:
TCode SU53: Evaluate Authorization Check -
Difference between Reauthentication action of Common Task for Authorization Profile
Hi guys,
Would you mind helping me to choose reauthentication action for Authorization Profile?
The Cisco ISE User Guide says: "Reauthentication—To choose, select the check box and enter a value in seconds for maintaining connectivity during reauthentication. You can also choose attribute values from the Timer drop-down list. You choose to maintain connectivity during reauthentication by selecting to use either the default (a value of 0) or RADIUS-Request (a value of 1) from the drop-down list. Setting this to the RADIUS-Request value maintains connectivity during the reauthentication process."
Then, what is the "default" behaviour? What is the difference between the default action and the RADIUS-Request action?
On the other hand, could someone explain in detail the sequence and priority of IEEE 802.1X, MAC authentication bypass (MAB), and Central Web Authentication (CWA)? I read a lot of papers, but still don't get it. Is it possible to configure MAB to fail in the Authentication Policy with Wire_MAB?
Appreciate all your help!!!
Hasan Saeed Khan wrote:
Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.
I had never heard of this treble control and the added value of splitting rolebuilding and profile generation doesn't make much sense to me but that's my personal opinion.
On the technical side of things: in your first post you state "No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile."
It is also possible to change the data and save this but not generate the profile yet. I just tried this by doing the following:
Create role
Add transactions to menu
Edit profile, org levels & authorization data.
Hit 'save'.
Accept proposed profile name.
Go back to PFCG main screen and ignore message of profile not being generated. (Click 'continue')
And this leaves me with a role with a yellow traffic light on the authorization tab, and the profile status is: "Current version not generated"
So it should be possible to maintain roles and profiles separately. -
ASA and ACS 5 multiple VPN profiles for one user
Hi there
I have a question about ACS 5.3 and ASA VPN profile authorization. I am not sure if it is possible to allow one single user for a set of VPN profiles on ASA, let's make an example:
ACS 5.3 group hierarchy:
- VPN users global
-- VPN users A
-- VPN users B
ASA VPN profiles:
- VPN profile A
- VPN profile B
- VPN profile Z
VPN authorizations:
1. VPN users global should have access to VPN profiles A, B and Z (here we create an authorization profile with no class and no lock attributes, so the group is allowed for all VPN profiles)
2. VPN users A should have access to VPN profile A (here we create an authorization profile with class and lock attributes for profile A)
3. VPN users B should have access to VPN profiles B and Z (is this possible and how does the authorization profile have to look like?)
Thanks a lot in advance and best regards
Dominic
Hi Dominic,
first of all, let's clarify that on the ASA you have tunnel-groups (named connection profiles in ASDM) and group-policies. These often, but not always, have a one-to-one mapping.
The Tunnel-Group (TG) is either selected by the user (either from a drop-down list or by entering a specific group-url), or automatically selected by a certificate map (i.e. based on a certain field in the user cert, the user is mapped to one TG or another). The TG mainly specifies what kind of authentication is used.
The Group-Policy (GP) by default is the one specified in the TG, but it can be overridden by e.g. Radius.
So from the ASA's standpoint itself your possibilities are rather limited: the ASA will just apply whatever group-policy you push from Radius (in IETF attribute 25 aka "Class"), and in addition it will deny access to a user if the TG he selected does not match the value of the group-lock attribute. Group-lock can only contain one TG name, so you cannot do something like "allow both B and Z".
In other words you can not achieve your goal if the Radius server has a "static" set of attributes per user.
However, as of ASA 8.4.3 the ASA now sends 2 vendor-specific attributes in the Access-Request:
vendor ID = 3076, attribute 146 is "Tunnel Group Name" (string).
vendor ID = 3076, attribute 150 is "Client Type" (integer)
0 = No Client specified
1 = Cisco VPN Client (IKEv1)
2 = AnyConnect Client SSL VPN
3 = Clientless SSL VPN
4 = Cut-Through-Proxy
5 = L2TP/IPsec SSL VPN
6 = AnyConnect Client IPsec VPN (IKEv2)
So if you can configure the Radius server to "dynamically" permit/deny access based on the TG attribute I suppose you could achieve what you want.
If/how ACS can do this, I personally don't know; I suggest you ask in the AAA forum if you need help with that part.
hth
Herbert -
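The dynamic permit/deny decision described in the reply above, as an added example that is not part of the original posts and not ACS or ASA code: a RADIUS-side policy function that reads the Tunnel Group Name sub-attribute (vendor 3076, type 146) from the attribute section of an Access-Request and returns the group-policy in Class (25) only when the user's group is allowed on that tunnel-group. The tunnel-group names A/B/Z, the GP-* group-policy names, the user name and the sample request bytes are constructed; the user's group is assumed to be known from authentication.

```python
import struct

VENDOR_SPECIFIC, CLASS = 26, 25            # RADIUS attribute types (RFC 2865)
VENDOR_ID = 3076                           # vendor ID quoted in the post
TUNNEL_GROUP_NAME, CLIENT_TYPE = 146, 150  # sub-attributes quoted in the post

# Constructed policy: user group -> {tunnel-group selected: group-policy to push}
POLICY = {
    "VPN users global": {"A": "GP-A", "B": "GP-B", "Z": "GP-Z"},
    "VPN users A": {"A": "GP-A"},
    "VPN users B": {"B": "GP-B", "Z": "GP-Z"},
}

def tlv(attr_type, value):
    """Encode one type/length/value attribute (length includes the 2-byte header)."""
    return bytes([attr_type, len(value) + 2]) + value

def vsa(sub_type, value, vendor_id=VENDOR_ID):
    """Encode a Vendor-Specific attribute holding one sub-attribute."""
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + tlv(sub_type, value))

def walk(buf):
    """Yield (type, value) pairs; raise ValueError on a bad length octet."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def vendor_attrs(attr_bytes):
    """Collect the sub-attributes of every VSA that carries VENDOR_ID."""
    found = {}
    for attr_type, value in walk(attr_bytes):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] == VENDOR_ID:
            found.update(walk(value[4:]))
    return found

def authorize(user_group, attr_bytes):
    """Return (decision, reply attributes) for an already authenticated user."""
    try:
        subs = vendor_attrs(attr_bytes)
    except ValueError:
        return "Access-Reject", {}         # fail closed on a malformed request
    tunnel_group = subs.get(TUNNEL_GROUP_NAME, b"").decode("utf-8", "replace")
    group_policy = POLICY.get(user_group, {}).get(tunnel_group)
    if group_policy is None:               # unknown group, unlisted or missing TG
        return "Access-Reject", {}
    return "Access-Accept", {CLASS: group_policy.encode()}

def sample_request(tunnel_group):
    """Constructed attribute section: User-Name plus the two VSAs from the post."""
    return (tlv(1, b"user1") + vsa(TUNNEL_GROUP_NAME, tunnel_group.encode())
            + vsa(CLIENT_TYPE, struct.pack("!I", 2)))  # 2 = AnyConnect Client SSL VPN

if __name__ == "__main__":
    for tg in ("A", "B", "Z"):
        print(tg, authorize("VPN users B", sample_request(tg)))
```

A request without attribute 146 (for instance from an ASA older than 8.4.3) is rejected here rather than falling back to a static attribute set.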
HR Authorization issue for specific User
Dear all,
One of the HR users can run payroll on a particular site.
I have assigned the Org key of the site to master data on the particular role.
The user tried to run payroll using PA30 with a personnel no. (one of the store users),
but the system does not take any value and it is not showing any error either.
For example, please check the details below: I have tried with my user ID and the system shows the details below of the user (the details below are of one of the store users).
Personnel no. 2941
Name A Mohammed Younus
Personnel ar ZOSO EE group A
Subarea STCH EE subgrp 3E
Kindly suggest to resolve the issue
Note: 1. I have deleted the user and I have recreated the role.
2. I have copied another user's role (he can run payroll) to the affected user; even so, he is not able to run payroll.
Edited by: satheesh0812 on Dec 17, 2010 9:29 AM
Dear all,
I don't think so there is no issue with Role, only issue with Structure Auth.
Because, please check the Authorization Object below.
Changed HR: Master Data
Authorization level E, M, R, W
Infotype *
Personnel Area *
Employee Group *
Employee Subgroup *
Subtype *
Organizational Key 20000156, 20000157, 20000201
In OOSP for particular Org key .
Auth profile   Auth.Profile name
CTHR_CHENNAI   CTHR_Chen

Auth profile   No  Plan Vers  Obj Type  Object I  Maint  Eval.path  Status vec
CTHR_CHENNAI   1   01         O         20000156         O-S-P      12
CTHR_CHENNAI   2   01         O         20000157         O-S-P      12
CTHR_CHENNAI   3   01         O         20000201         O-S-P      12
In OOSB details
IN OOSB I have assigned Authorization profile to UserXXX, user can see all employee details in PA30 except one employee details , can
User name  Autho.profile  Start date  End date    Exclusion  Display Objects
XXXX       CTHR_CHENNAI   01.01.2005  31.12.9999
If I give Autho.profile --> all instead of CTHR_CHENNAI,
the HR executive is able to see all employee details in PA30 ...
Let me know where exactly issue is there ...
Kindly suggest...