Authorization Required for RFC user in R/3-APO system.
Could you please help regarding one authorization issue. I want to know the authorization required for one RFC user. Now this RFC user used for RFC connection of SAP R/3 - SAP APO system. user type is given dialog type and SAP_ALL profile has been given to this user id. Now I have to remove SAP_ALL from this user id in R/3 and APO system and provide the required the authorization in R/3 and APO system.
Regard
Auroshikha
The RFC authorisation depends completely on what the user is doing (ALEREMOTE?). We can't tell you what RFC auths your connection requires.
There is a guide to doing this here: https://wiki.sdn.sap.com/wiki/display/Security/BestPractice-HowtoanalyzeandsecureRFC+connections
Similar Messages
-
Hi experts,
We need to set the password for RFC User in small letters.But we are not able to do it ,because of our 'login/*' parameter values.
Is there is any other method to create the password for User ID with small letters(Ex:welcome,hello)?
Thanks in Advance,
Karthika> > Login rules are not specific to user types. It is same for all type of users.
> Sorry, this is not correct. The password validity rules are a good example which don't apply to SYSTEM and SERVICE type users. Other examples are the idle time rules and compliance to policy rules and the logon ticket rules and remote login via debugging rules and...
>
I tried to talk about is as per the ongoing discussion topic i.e. Case sensitiveness of Passwords and not other attributes. So from this point of view there is no such separate rule applies during admin imposed password or during a change (the cases where system prompts for changing password).
> > From NAS 7 there is a change in the password rules.
> There were major changes in 46B, and 6.10 and 6.40 as well, and Karthika still has not told us which release she is on.
>
Agreed totally.
> > [Note 750390 - USR02: various problems with password attributes|https://service.sap.com/sap/support/notes/750390]
> > [Note 624635 - Error messages with password change using RFC function|https://service.sap.com/sap/support/notes/624635]
> I cannot see how these notes are related to this silly requirement of setting a lower-case only password.
>
I didn't went through in details fully but seen it contains a considerable error details.... may be of any help to OP.
> I think either Karthika is playing a joke on us, or the person interviewing Karthika is playing a joke on her... These would be the only logical explanations left which I can see for for such a requirement.
>
May be.. but of course need more information and purpose of such strictness for setting such password. Also the FM PASSWORD_FORMAL_CHECK can be used with required customizations but you are the best person to tell this properly.
regards,
Dipanjan -
Authorization required for creating new Organizational units
Hi all,
How can we give authorization required for creating new Organizational units (IMG CRM Master Data Organizational Management Organizational Model Create Organizational Model) to a particular user?
Thanks and Regards,
Archanathe basis guy should be able to help.
at a higher level: you need to set authorizations to the roles assigned, the transaction code is pfcg.
you may create a new role with the required authorization and assign to the relevant users.
hope it helps..
regards
RH -
Authorization required for creating new Organizational units in CRM
Hi all,
How can we give authorization required for creating new Organizational units (IMG CRM Master Data Organizational Management Organizational Model Create Organizational Model) to a particular user?
Thanks and Regards,
ArchanaHi archana,
U can Create a role through Transaction PFCG.
Just create a role and assign the tcode PPOCA_CRM if u want to give the user just only this authorization otherwise u can select the menu list from sap menu and assign this role to that user.
Another way is if that user already exist in that system then just assign that particular transaction codr with that user.
Hope it will help u
Regards
Subhash -
Not able to use password with characters for RFC User.
hi All,
I have installed SAP SCM 5.0 with MaxDB 7.6and liveCache 7.6.
I created RFC user and RFC destination to administer liveCache globally as per SAP notes 305634 and 452745. I changed the initial passwords and tested Remote login for RFC User.
But when I try to start liveCache with startrfc following the link below
http://help.sap.com/erp2005_ehp_04/helpdata/EN/95/379f3cad1e3251e10000000a114084/frameset.htm
I got the following error
RFC Call/Exception: SYSTEM_FAILURE
Group Error group 104
Key RFC_ERROR_SYSTEM_FAILURE
Message Name or password is incorrect (repeat logon)
Then I logged into the CI with RFC user and try to start the liveCache with RSLVCSTART T-Code SE38..I got the following error.
Error DBMCLI_COMMAND_EXECUTE_ERROR when starting liveCache LCS on server saplcslc
Message no. LVC007
I tried by changing the password for RFC user to numeric [0-9] and special characters [$,:] which worked fine.
Does anyone faced this issue earlier? I searched notes, sdn and finally google ... but no luck to resolve the issue.
Your help is much appreciated.
Thanks,
VenkatYes I used LCA as liveCache connection. I resolved the issue with RSLVCSTART. Thanks for your suggestion to run connection test. I used wrong password for control user in the LCA connection. Now LCA connection shows everything is fine.
But I am still not able to use alphanumeric password RFC user to start the liveCache from command line. I get the following when run startrfc command...
bash-3.00$ /usr/sap/CAT/rfcsdk/bin/startrfc -3 -d LCSCLNT001 -h sapcatci -s 51 -c 001 -u LCSRFC -p Mach1cspsap\$ -l EN -F START_LIVECACHE_LVC -E IV_CON_NAME=LCA
RFC Call/Exception: SYSTEM_FAILURE
Group Error group 104
Key RFC_ERROR_SYSTEM_FAILURE
Message Name or password is incorrect (repeat logon)
bash-3.00$ echo $?
1
But I can start the liveCache from command line with numeric password successfully.
bash-3.00$ /usr/sap/CAT/rfcsdk/bin/startrfc -3 -d LCSCLNT001 -h sapcatci -s 51 -c 001 -u LCSRFC -p 19811983\$ -l EN -F STOP_LIVECACHE_LVC -E IV_CON_NAME=LCA
bash-3.00$ echo $?
0
Note the difference between the passwords used. Do i need to change any settings to accept alphanumeric passwords for RFC user.
Note that I am able to start liveCache server in both cases(alphanumeric password and numeric password) by logging into SAP GUI and RSLVCSTART program. The problem is only when i try to start the liveCache from the commandline.
Any help will be much appreciated.
Thanks,
Venkat -
WHY PGA IS REQUIRED FOR EVERY USER ?
Good Morning Everyone ;
I have a question about PGA.
WHY PGA IS REQUIRED FOR EVERY USER ?
What i got from google ..
Even though the parse information for SQL or PL/SQL may already be available in library cache of shared pool,
the value upon which the user want to execute the select or update statement cannot be shared.
I cant realize it Can anyone show clear example , if possible ?
DB Version is 10.2.0.4.0
OS : oracle linux 5.5
Thanks in advance ..Thanks aman and heok.
My Question :
Your explanation is clear. I think i am getting little bit confused.
Could you please clarify little more ?
>> session 1 :
user is HR
SQL>select * from tab1 ORDER BY name;
>> session 2 :
user is scott
SQL>select * from tab1 where ORDER BY name;
>> session 3 :
user is USER1
SQL>select * from TAB1 where ORDER BY name;
>> session 4 :
user is USER2
SQL>select * from TAB1 where ORDER BY name;
IS this right aman ?
Already sql statements are avail in SGA ,Even though all above users needs same information.
Oracle does sorting operation in PGA. If PGA exceeds , oracle will use temporary tablespace .
Thanks heok and aman. -
Hi experts,
How can i get the authorization key for the user.thanks for the reply
when iam creating a sales order , i need to check wheather the user creating the sales order has authorization depending on the authorization key -
Password inconsistancy issue with RFC users in ECC 6.0 System after upgrade
Hi,
We have upgraded the system from 4.7 to ECC 6.0, but facing the password inconsistancy problem for RFC users. We have set the parameters like "login/min_password_lng" as "8" and "login/password_downwards_compatibility" as "3" & RFC user Type is "system". Could you please suggest how to resolve the password inconsistancy issue.Hi Chandan,
you need to run the txn. SECSTORE and there it will shows you all the RFCs that have inconsistent passwords. Please maintain the correct passwords there.
In case the existing passwords are no longer acceptable due to new security policies as per the new SAP version, you will have to change the password from SU01.
Regards,
Shitij -
What are the authorization requirements for an EDI communication user?
I'm trying to find documentation describing the authorization objects required for an EDI communication user to have appropriate RFC access.
Take a look in the FAQ thread at the top of the (security) forum...
Is there something in addition to the standard documentation which you would like to know?
Cheers,
Julius -
Authorizations needed for MAM 2.5 for RFC user and business users
Hello all,
We are using MAM 2.5 application but we are facing authorizations issues.
It seems we have not enough authorizations on RFC user used between middleware system and back-end system located on the RFC destination MAM on the middleware.
And we don't find any SAP document related to this customizing.
Moreover is there any other or same document deals with authorizations needed on the back-end for each user using MAM on its mobile device ?
Thank in advance,
Eric GOURDOUHello,
Can you send me the errors you have?
If you have a trusted connection, then each users need the authorization S_RFCACL .
Other than that, I never had to set any authorization for the plant maintenance scenarios of MAM.
Thank you,
Julien.
msc mobile Canada
http://www.msc-mobile.com -
Authorization Policy for Modify user in OIM 11gR2
Hi Experts,
Requirement: I want the users in particular org not to modify certain user attributes and users from other org should be allowed to modify user.
I have created user1 whose organization is org1 and role is role1. I have also created user user2 under same org and same role. I assigned the Admin Role "User Administrator" role to user2.
So If user2 from same org1 tries to modify certain attributes then OIM should throw error message. I have completed till this.
But when the user from diff org say org2 with Admin Role "User Administrator" tries to modify user, OIM is not allowing to modify user which should not be the case.
I want the Auth Policy to trigger only for Org1. I have specified the below condition for my custom policy in OES admin console but it is not triggering.
The condition is
IF ( OrclOIMTargetEntity = 'true' AND OrclOIMUserOrganizations = 'true' AND STRING_AT_LEAST_ONE_MEMBER_OF(OrclOIMUserOrganizations,['25','1000000']) = true )
What am I missing?
Any help is much appreciated.Hi
Can anyone let me know the steps to restrict modify user operation for the users belonging to specific organization in OIM 11gR2. The condition which I specified under Authorization Policy in APM console is not triggering at all.
Thanks! -
Authorizations required for applying support packs
What authorizations do you require for applying support packs?
After u successfully downloaded the support pack from the service market place , the 1st authorization u need is for using the client 000.
Only with the client 000 u will be available to import the support pack (ABAP suppotr package) using transaction SPAM. To use all SPAM functions, you require the following authorizations:
S_TRANSPRT
S_CTS_ADMIN
If you log on in client 000, then your user master data contains the corresponding authorizations (inside the authorization profile) and you can use all the functions in Support Package Manager.
For Java u can use jspm tool for applying the support packages for any component and if u want to enhance or upgrade the java components( say from ESS 1.1 to ESS 1.2) then u can do it using sdm tool.
Before applying the pack u need to unpack the abap/java files using the commands in the command- prompt and copy the unpacked files into sap/sid/trans/eps/in folders of ur system.
Also before using the SPAM for abap support pack make sure that u had set ur system as the domain-controller in transaction stms with ddic user and masterpwd.
Go thru this document:-
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/7a2e4346-0a01-0010-718a-fa846ad19716
Award points if found helpful -
Authorization key for the user profile
In SAP, there is a provision where we can create the authorization key and assign this key to the various user statuses in the user status profile.
The application is that when the user status is changed from one to other and if to the user status, the authorisation key is assigned then the authorised person should be only able to change the status.
But my query is that i have not come across any customization where a SAP user can be assigned to the auth. key so that he can only change the user status.
Can anybody let me know that whatever i understood, is it correct? And if yes, let me know where to assign the user to the authorisation key?
ThanksHi Iyer ,
Please see the below,if it solves your requirement
M/CS Autorisation Objects
SAP Standard Authorisation Objects:
I_ALM_ME: Mobile Asset Management (ACTVT)
I_AUART: Order Type (IWERK, AUFART)
I_BEGRP: Authorization Group (TCD, BEGRP)
I_BETRVORG: Business Operation (BETRVORG)
I_CCM_ACT: Configuration Control authorization object (CCACT, ACTVT)
I_CCM_STRC: Structure gap maintenance authority (ACTVT)
I_ILOA: Change location and accounting data in order (IWERK, AUFART)
I_INGRP: Maintenance Planner Group (TCD, IWERK, INGRP)
I_IWERK: Maintenance Planning Plant (TCD, IWERK)
I_KOSTL: Cost Centres (TCD, KOKRS, KOSTL)
I_QMEL: Notification Types (TCD, QMART)
I_ROUT: Task List (ACTVT)
I_ROUT1: Task Lists by PM Planning Plant, Work Sched., Status (TCD, IWERK, VAGRP, STATU)
I_SOGEN: Permit (SWERK, PMSOG)
I_SWERK: Maintenance Plant (TCD, SWERK)
I_TCODE: Transaction Code (TCD)
I_VORG_MEL: Business Operation for Notifications (QMART, BETRVORG)
I_VORG_MP: Business Operation for Maintenance Planning (MPTYP, BETRVORG)
I_VORG_ORD: Business Operation for Orders (AUFART, BETRVORG)
I_WPS_MEB: Maintenance Event Builder (DIWPSMEBAR)
I_WPS_REV: Revision authorization object (REVTY, ARBPL, WERKS, WPS_REV_AC)
S_NUMBER: Number Range Maintenance (NROBJ, ACTVT)
C_TCLA_BKA: Authorization for Class Types (KLART)
*Authorisation Tables:*
TOBJ: Authorisation objects
TOBJT: Authorisation object texts
AGR_1250: Authorisation object assigned to role
AGR_USERS: Users assigned to a role
AGR_TCODES: Assignment of roles to Tcodes
Authorisation Objects for System-Statuses:
Order: I_VORG_ORD (AUFART, BETRVORG)
(REL = BFRE, TECO = BTAB, delete component = RMKL)
Notification: I_VORG_MEL (QMART, BETRVORG (NOPR = PMM2, NOCO = PMM4))
Maint. plan: I_VORG_MP (MPTYP, BETRVORG)
User-Exits:
CPAU0001: Enhancement for Authorization Check in Task Lists
IMRC0005: Measure point: Exit in AUTHORITY_CHECK_IMPT
IWOC0003: PM/SM authorization check of ref. object and planner group
QQMA0026: PM/SM: Auth. check when accessing notification transaction
QQMA0030: Check validity of status change
BADIs:
DIP_SET_USERSETTINGS: Initial Object Check in DP Processor
INST_AUTHORITY_CHECK: PM/CS Enhanced Authorization Checks
IWO1_ORDER_BADI: Maintenance, Service, and Refurbishment Order
NOTIF_AUTHORITY_01: Additional Authorization Checks for the Notification
WORKORDER_GOODSMVT: PM/PP/PS/PI orders: auto. goods movement
Authorisation Groups:
These can be created via TCode SM30 and table T370B. They can then be assigned to the following objects:
a. Equipment (IE02)
b. Functional Locations (IL02)
c. Maintenance plans (IP02)
d. Entry List for Measurement Documents (IK32)
e. Object links (IN05, IN08)
f. User-statuses
Authorisation Debugging:
TCode SU53: Evaluate Authorization Check -
Hello,
Does anyone have an exhaustive list of the authorisations that should be granted to RFC users in GTS and for those in the Feeder Systems?
Thx,
MarcHi Marc
I haven't reached this stage yet, as you know.. from the question you have answered for me.
But I believe it is authorization to the object s_rfcacl. Can you check if it works ?
(In a similar situation we tried to give the user access to additional RFC authorizations or SAP_ALL and then once we found the rfc working... reduced the authorizations given to that user)
Is there any specific error that you get when you run the RFC authorization test ? -
Authorization required for BADI
Hi All,
I have a query if someone can help.
What authorizations are required by a user in backend to execute a badi in portal?
Thanks in Advance for the help.
Regards
SrinivasHi srinivas reddy ,
BAPI should be remote enable and u need end user privilizes for accessing the predefined BAPI's. Just check it before you execute and make sure they are remote enabled.
then your problem would be solved.
thanks
suresh
Maybe you are looking for
-
I have a iMac from early 2009 and wanted to use it as an external monitor for my laptop which has Windows 8.1 as it's OS. So my question is without using any software such as Synergy, Air Display, etc is there anyway I can make the iMac an external m
-
File to Idoc Scenario using third party systems
hi, Working with a File to Idoc Scenario. Been able to successfully define everything in IR / ID. However when I go to BD87 (reciever system) and see the status of Idoc processed - getting the error code 51 "Function Module Not Allowed: <Function Nam
-
Adapter engine on a J2EE dialog instance?
Can you install an adapter engine on a J2EE dialog instance, or by nature if you add DI's to the central adapter engine they already have adapters? Thanks
-
Every time I try to use bookmarks It takes several attempts. Even if I wait till the URL appears I still get what is behind that selection( Fox news story normally) It takes as many as 5-6 attempts to get the bookmark selection to work. Its not trans
-
Adjusting queuestatistics.vbs timeout in MSMQ management pack
Hi all, I'm running SCOM 2012 R2 and my question is specific to the MSMQ 6.0.6700.88 management pack. I'm seeing a few alerts titled "Operations Manager failed to start a process", with the alert details saying "Forced to terminate the following pro