Authorization Restriction for Object Changeability :

Similar Messages

• Authorization restriction for Goods issue against an Order

  Hello All,
  We have a situation wherein the user is able to issue goods using tcode MIGO by choosing Goods issue --> Others and mentioning an order number that belongs to another plant in the account assignment tab and issues a material which belongs another plant.
  For eg we have material A that has been created for plant 1. The user issues the material (movement type 261)and the account is assigned to an order which has been created for plant 2.
  I could not find any authorization object that restricts this.
  I checked the objects M_MSEG_BWA and M_MSEG_WWA and he has authorizations only for plant 1 and all movement types.
  Any pointers to restrict this access will be appreciated.
  Thanks & Regards,
  Subramaniam Iyer

  Hi,
  MIGO transaction by default restricted with Plant.  If you say that the user A is having access to only Plant 1 & 3, but not for 2, please check the below authorization objects does not have any manual objects inserted into the Role and restricted with the value only in organization field.
  M_MSEG_LGO
  M_MSEG_WMB
  M_MSEG_WWA
  M_MSEG_WWE
  This issue may occur because if the objects are maintained manually in the role.  If so, when you check in the organization field, it may not be showing the value which are manually added into the manual object.
  Also, please check the other roles are assigned to the user.  If any of the other roles assigned to the user having any of the above objects with * value, this may provide the user to do the Goods movement for any plant.
  To check the issue, please go to SUIM and check the user under "Roles by Complex Selection Criteria" and make sure that you are checking the objects for the particular user.  This should be able to identify whether the user is getting access from any other roles assigned to the user.
  Regards
  Anandm

• Authorization restriction for CRM 2007

  Dear Experts,
  We are in process of defining the authorization matrix for CRM 2007 for end users who will be using Web UI.
  Here my requirement is the service orders created by USER1 should not be displayed by USER2 and vice-versa when they do a search in both Web UI and GUI in Tx CRMD_ORDER for service orders.
  Please let me know how can I acheive this and what is the auth. object for the same.
  Thanks & Regards,
  Sharath

  Dear babu,
  If I understood your request, you want that, only one user will be able to access the document. If you want to do that, this is the answer:
  At tcode PFCG you shoud set:
  First you must set what type of document will be avaible to the user, in this case Z020.
  CRM_ORD_PR: PR_TYPE 'Z020',ACTVT '*'
  Next you must set which activities they will be able to do (notice, you must set the same field in the previsou object(
  CRM_ACT: ACTVT u2018*u2019
  And then you set which partner function or partner category are able to access the document, here is the main point !
  In this example I set that only users who has Partner Category (not partner function) Employee Responsible (std partner category 0008) are able to access the document
  CRM_ORD_OP: ACTVT '', PARTN_FCT '', PARTN_FCTT '0008'
  Here you can notice again field ACTVT, here you will set what user are able to do, "*" means everything, "1" = create, "2" = modify, etc. (I can see the list at PFCG, adding the auth. object to the PFCG profile).
  I notice only std partner function or partner category works with this object. I sent a message to sap support, and they confirm that, so if your user has Z partner funcition or category it is not possible to do that.
  Summary, your user must be present in the partner list of the document, and they must have a partner function or partner category std. It is possible to set together both values PARTN_FCT  and PARTN_FCTT, but I think it is not necessary.
  The easy way to do that is, user who will be able to access the document, must be the employee responsible.
  This help is very usefull
  http://help.sap.com/saphelp_crm60/helpdata/en/4a/b9f63a8ab2c745e10000000a114084/frameset.htm
  Regards,
  Lalas
  ps.: As you should know, only one partner function must have partner category Employee Responsible, in the partner det. procedure, otherwise, you will get error message in your application.

• Authorizations: restrictions for InfoObjects and InfoProvider

  Hi Gurus,
  I am trying to define authorizations via RSECADMIN in 7.0 for a specific InfoObject and specific InfoProviders. The situation is: I want user USER1 to see only Company 4360 on Cube 'XXXXX', but he must be able to see all the Companies in all the other Cubes.
  I have used in RSECADMIN the icon "InfoCube Authorizations" to introduce the single Cube and corresponding single values for my Company, but it seems that the system use this restriction for all the Cubes.
  Please help me.
  Ciao.
  Riccardo.

  Problem solved.

• Authorization restriction for Goods issue . others radio button in migo tcode

  Hello All,
  We have a situation wherein the user is able to issue goods using tcode MIGO by choosing Goods issue --> Others and  the movement type 201
  the above mentioning details i need to block the others tab only for specific user ids i have checked the MIGO objects But its not worked
  please give me solution for block the others button on the drop down box
  please find the attachment of screen shot its helpful to sort out the issue
  Best Regards
  suresh

  Dear Anandan,
  Please use trace t.code ST01 to fix the issue.
  You can restrict the movement type using the authorization object M_MSEG_BWA.
  If you can provide the step by step screens where you want to exactly restrict we can fix it.
  Regards,
  Venkatesh

• Authorization restriction for bank details in FK03

  Hi,
  Please help me in restricting display of Bank details (payment transactions) in vendor master when we use transaction FK03 or XK03.
  Thanks,
  Nitish

  Hello Nitish,
  You can protect all general data (i.e. address data, payment transaction
  data, ...) with the authorization object F_LFA1_GEN. However, it is not
  possible to protect only bank data using authorization objects.
  As a workaround(!) for your requirement, you can do the following:
    1) Use the IMG Customizing tool (transaction SPRO) or transaction OB23
       directly to define Payment transactions data as "Suppress" within
       transaction FK03 and as "Display" within transaction XK03.
    2) The use of transaction XK03 should only be allowed to the managers,
       but not to the normal users who should use transaction FK03.
  Hope that helps,
  Jon

• Authorization restriction for executing the ABAP queries

  Hi
  In ABAP queiries how the restriction can be done for where users should not execute /authorized
  of other plant or company code - Projects/ WBS/NWA and its related components. I tried the following methods but not working - seems something is missing .
  method 1) restricting based on the profit center ( free coding )
  AUTHORITY-CHECK OBJECT 'C_PRPS_PRC'
           ID 'PRCTR' FIELD PROJ-PRCTR
           ID 'PS_ACTVT' FIELD '02'.
  (or)
  method 2 -(free coding)
  *---Authorization for Company code entered by the users.
  *---This code will restrict users to see data for company
  *---codes which they are not authorized to.
  *---Select all the company codes based upon selection entered by the
  *---user
  SELECT bukrs
     FROM t001
     INTO TABLE li_bukrs
    WHERE bukrs IN z_bukrs.
  IF sy-subrc EQ 0.
  *---Clear Screen variable for Company code
     CLEAR z_bukrs.
     REFRESH z_bukrs.
  *---Filter and prepare Select options for Company code table to be
  *---passed to query. Table will only have values of company codes he is
  *---authorized to for display.
     LOOP AT li_bukrs INTO lwa_bukrs.
       AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
                         ID 'BUKRS' FIELD lwa_bukrs
                         ID 'ACTVT' FIELD '03'.
       IF sy-subrc = 0.
         z_bukrs-sign = 'I'.
         z_bukrs-option = 'EQ'.
         z_bukrs-low = lwa_bukrs.
         z_bukrs-high = space.
         APPEND z_bukrs.
       ELSE.
         lv_flag = 'X'.
       ENDIF.
     ENDLOOP.
  *---Give warning message to the user in case he is not authorized to see
  *---data for all the company codes that he has entered.
     IF lv_flag = 'X'.
       MESSAGE ID 'ZF_MSS_FNG' TYPE 'W' NUMBER '015'.
     ENDIF.
  ENDIF.
  Just make sure that Z_BUKRS field is available in selection tab.
  Also, declare below mentioned variables in INITIALIZATION.
  DATA: li_bukrs TYPE TABLE OF bukrs,
         lwa_bukrs TYPE bukrs,
         lv_flag TYPE c.
  Kindly help if there is missing anything on the above or is there any other alternative.
  Regards
  PP

  Hi,
  Kindly help if there is missing anything on the above or is there any other alternative.
  Carlos is right about the Authorization check.
  If you further wants to explore something extra, just visit these links:
  1. http://help.sap.com/saphelp_NW70EHP1core/helpdata/en/52/671449439b11d1896f0000e8322d00/frameset.htm
  2. http://help.sap.com/saphelp_wp/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm
  3. http://help.sap.com/crmcg_en/5c/deaa74d3d411d3970a0000e82de14a/content.htm
  4. http://www.sap-img.com/bc042.htm
  May this information helps you.
  Regards.
  Deepak Sharma.

• Authorization restriction for Transaction PK13N

  Hi @ all
  My colleagues and I are responsible for the authorizations in our system.
  Since few days we test the Kanban functions in SAP.
  In abovementioned transaction are two buttons "To Empty" and "To Full".
  Does anybody know if there is a possibility to restrict some users for these buttons?
  Thanks @ all!!
  Greets Kristin

  Hi Kristin,
  The "Save to Empty" and "Save to Full" buttons are screen elements and can't be restricted with the authorization objects.
  Further, below are the authorization object that are checked with PK13N transaction code:
  C_KANBAN     PP KANBAN Processing
  C_TCLA_BKA     Authorization for Class Types
  CPE_SETTIN     Commodity Pricing Engine: General Settings
  You can imply restriction on any of these.
  If you with to show/remove one of these buttons, you can achieve this with screen variants using SHD0 transaction code.
  Hope this helps.
  Regards,
  Raghu

• Authorization restriction for material group field in MM02 for user role

  Dear All,
               My client wants to restrict 'material group' field usage in MM02 for certain users.
               How to achieve this task?
               Kindly advice
  Thanks &Regards
  Thangavel Ganesh

  Hi all ,
  You can use authorization object advised by AKPT MM. For related transactions , you can benefit from MM Related Authorization Objects - How to Find out & Assign , thanks to Sudeep A
  Regards.
  M.Ozgur Unal

• Restriction for objects Products, BPs and Activities

  How experts,
  I have the following objects Products, BPs and Activities which I have to restrict the access to  be visualize. For example, a user that belongs to another Org.Unit can not see the BPs, Produtct,Activities from the other Org.Unit.
  1. How can I structure the solution to restrict group of users to visualize those objects ?
  2. Each of these objects should I have to assign the Org.Unit allowed to be displayed ?
  3. For BP, territory management is the best solution ?
  Best regards,

  Hi
  U can restrict and make display etc in creating/modifying the roles and authorizations
  go to Tcode PFCG, select ur role and do necessary settings there according to ur requirement.
  Rewardif helps
  Regards
  Manohar

• Authorization restriction for PM Order via PM activity Type.

  Dear PM Experts....
  There is a requirement to restrict order creation (Eg: PM07) for selected user group if they select particular PM Activity Type(ILART).
  Is it possible to restrict authorization in such a way and What are the Authorization Objects that i have to change?
  Thanks in advance..

  Hi,
  Use the authorization object I_INGRP for restricting at the Planner Group level along with the I_AUART.
  At activity level might not be possible.
  Thanks
  Sunil

• Authorization restriction for purchase order release

  How to restrict the authorization for particular authorization object with respect to roles.
  Example:  I am having below three release roles for purchase order.
  1.     Regional Commercial Head
  Below objects are assigned to it.
  M_BEST_WRK u2013 Plant 1000 with value 02
  M_EINK_FRG u2013 with release code A1
  2.     Regional Commercial Head
  Below objects are assigned to it.
  M_BEST_WRK u2013 Plant 2000 with value 02
  M_EINK_FRG u2013 with release code A1
  3.     National Commercial Head
  Below objects are assigned to it.
  M_BEST_WRK u2013 All plants with value 02
  M_EINK_FRG u2013 with release code B1
  All the roles are for releasing a purchase order.  My requirement is I had assigned 1st and 3rd roles to a user.  That user should not be able to release a purchase order with release code A1 for plant 2000.
  How to make it possible?
  Pls help

  u have 2 aothorisation M_BEST_WRK and M_EINK_FRG
  while giving authorisation condsider both
  say for ex user 1  give authro for M_BEST_WRK all paants and M_EINK_FRG B1
  user 2  give authro for M_BEST_WRK 1000 and M_EINK_FRG A1
  user 3  give authro for M_BEST_WRK 2000 and M_EINK_FRG A1
  so the user authorised to particular authorisation will be able to release correct po only
  hope this helps

• Authorization Issue for Object CRM_ORD_PR

  Dear All,
  When user search sales orders in PCUI by sales org, Distributional Channel and Division criteria it shows the result list. But it is also throwing the error as "You are not authorized to Display this transaction"
  I am not sure why system is showing this message.
  I have checked the auth objects for this user.Authorization Objects CRM_ORD_PR and Object CRM_ORD_OE are inactive for the Role.
  When I searched the sales order in SAP GUI and when I click on the sales order from Locator it is giving the message as "You are not authorized to Display this transaction". When I checked the SU53 dump it is giving the message "Authorization check failed
  Authorization Obj CRM_ORD_PR Authorization Object CRM Order -Business transaction Type.
  So my question is though we have made the CRM_ORD_PR object inactive why system is showing the message in SU53.
  Also when I checked the trace system is also checking this object.
  Please help.
  Pankaj

  Rika,
  Thanks for taking the time to reply, it's really appreciated.
  I will pass the details of this note over to our Basis team to see if this helps us resolve our issue also (we are trying to prevent unauthorised objects showing in user search result lists).
  We are on CRM 2007 though, so I am not sure whether it will still be relevant.
  Many thanks again,
  Andrew G.

• Authorization restriction for BP transaction

  Hi,
  We need to restrict the BP transaction access to user in the below mentioned way in our SRM system.
  1. Restricting BP access to all the users with display access.
  2. Restricting BP access to security users with create, change and display access.
  What is the main object for BP transaction for restricting access in the above mentioned scenarios?
  Here, we have observed one more issue like....
  Let say object-B_BUPR_BZT(not sure) is a main object for transaction-BP. If we restrict activity to 03 in that object, it will give display access when we are executing transaction-BP.
  Some of other transactions(like PPOMA_BBP) are there in SRM, those are also maintaining same object with all activities(create,change,Display).
  In this scenarios, how the above mentioned restriction is going to help the user.
  Please check and advice in this.
  Thanks & Regards,
  KKRao.

  > Let say object-B_BUPR_BZT(not sure) is a main object for transaction-BP.
  It may be a "main object" for BP, but that doesn't tell you much at all about the security aspects or where in the logic of the transaction it is used. This object is for example not a part of the business logic of transaction SE80, or that I am sure.
  If you have no clue, then start in SU21 and read the application help documentation on the transaction (to understand it's context) and the use-cases of the object - also to find the other transactions. Then you will become more sure.
  You also need to understand that in the same way the transactions, reports and the "real checks" are layers in the security, objects themselves can also be selective and layered in a conceptually consistent way, or (to make it more interesting...) transaction dependently.
  There are lots of shortcuts (even out-of-the-box roles which someone might try to sell you...) but ultimately if you use a SAP system to "build" your business processes, then you need a concept to secure your build. SAP owns the authority-checks in standard programs to enable the process to comply with legal requirements and some common sense.
  => So, you need to choose your transaction (or other entry point) carefully and understand the objects which they use.
  Cheers,
  Julius

• Authorization restriction for IK34

  Dear Experts,
  We want to restrict user from entering one plant reading from another in t-code ik34. Currently user can enter measurement document of all plant. We want to restrict the user plant wise. Our basis consultant is trying with authorization group(i_begrp). But not getting the desired result. Please suggest how to restrict it.
  Regards,
  Shivang

  When I had this issue a while back, we found that you cannot restrict on plant for measurement documents.
  One way to restrict it is to tie the measuring pionts to an authorization group. You can classify each authorization group into each plant. Then maintain these authorization groups in the measuring point in IK01 or IK02. These measuring points would be tied to the measurement documents and should show up in the trace.
  I would also ask if the restriction is really required. Would it do that much damage if a person is able to touch other measurement documents. Some may say yes, others no.
  Hope this helps.