Authorization restriction for Transaction PK13N

Similar Messages

• Authorization objects for  transaction, one to view, and one to maintain

  Hi all,
  My requrement is to create two authorization objects for  transaction, one to view, and one to maintain.
  I know how to create objetcs vai sm21, but i donot know how to crate objects with activity codes.
  Please suggest how to create object where i can asign activity codes.
  regards
  manish

  The Authorization Concept
  R/3 uses authorization objects to assign authorizations to users. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (eg. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (eg. Z_SCC20001).
  Authorizations may be classified as general authorizations, organizational authorizations or functional authorizations. General authorizations specify the functions a user may perform. Authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. The system checks for the useru2019s authorization to create general ledger accounts (Activity 1) in at least one company code. The system then checks whether the user is permitted to create accounts for the specified organizational unit (company code) and has the required functional authorizations. Authorizations in this case may restrict the user to certain Charts of Accounts. In addition, an authorization group may be defined in certain authorization objects to protect individual master records.
  Profiles relating to an organizational role (eg. General Ledger Supervisor) are defined consisting of a list of authorizations and other profiles. Such profiles are then assigned to users with that role and stored in their user master record along with other data (eg. password).
  Do check this link as well.
  http://articles.techrepublic.com.com/5100-10878_11-5110893.html

• Authorization Object   for  Transaction code XSLT_TOOL

  Hi Friends
  When i try to use transaction xslt_tool the following error appears "You are not authorized to use transaction xslt_tool".
  Can anyone give  the Authorization object  for  transaction  xslt_tool,
  Regards.
  Wishva

  Give access to the transaction in PFCG. 
  Then use SU53 to highlight any additional access required.

• Disabling authorizations checks for transactions SU53 and/or SU56.

  Greetings.
  I seem to remember reading that there was either a system profile parameter or a table entry that can be used to disable all authorizations checks for transactions SU53 and/or SU56.
  Any truth in this or is my mind playing tricks on me?

  Hi,
  I guess theres is profile param auth/tcodes_not_checked(I guess thats right), this will exclude SU53/SU56 from checks on transaction code.
  This can be done using RZ10 and need to restart the system.
  Rakesh

• Authorization restriction for BP transaction

  Hi,
  We need to restrict the BP transaction access to user in the below mentioned way in our SRM system.
  1. Restricting BP access to all the users with display access.
  2. Restricting BP access to security users with create, change and display access.
  What is the main object for BP transaction for restricting access in the above mentioned scenarios?
  Here, we have observed one more issue like....
  Let say object-B_BUPR_BZT(not sure) is a main object for transaction-BP. If we restrict activity to 03 in that object, it will give display access when we are executing transaction-BP.
  Some of other transactions(like PPOMA_BBP) are there in SRM, those are also maintaining same object with all activities(create,change,Display).
  In this scenarios, how the above mentioned restriction is going to help the user.
  Please check and advice in this.
  Thanks & Regards,
  KKRao.

  > Let say object-B_BUPR_BZT(not sure) is a main object for transaction-BP.
  It may be a "main object" for BP, but that doesn't tell you much at all about the security aspects or where in the logic of the transaction it is used. This object is for example not a part of the business logic of transaction SE80, or that I am sure.
  If you have no clue, then start in SU21 and read the application help documentation on the transaction (to understand it's context) and the use-cases of the object - also to find the other transactions. Then you will become more sure.
  You also need to understand that in the same way the transactions, reports and the "real checks" are layers in the security, objects themselves can also be selective and layered in a conceptually consistent way, or (to make it more interesting...) transaction dependently.
  There are lots of shortcuts (even out-of-the-box roles which someone might try to sell you...) but ultimately if you use a SAP system to "build" your business processes, then you need a concept to secure your build. SAP owns the authority-checks in standard programs to enable the process to comply with legal requirements and some common sense.
  => So, you need to choose your transaction (or other entry point) carefully and understand the objects which they use.
  Cheers,
  Julius

• Authorization restriction for Goods issue against an Order

  Hello All,
  We have a situation wherein the user is able to issue goods using tcode MIGO by choosing Goods issue --> Others and mentioning an order number that belongs to another plant in the account assignment tab and issues a material which belongs another plant.
  For eg we have material A that has been created for plant 1. The user issues the material (movement type 261)and the account is assigned to an order which has been created for plant 2.
  I could not find any authorization object that restricts this.
  I checked the objects M_MSEG_BWA and M_MSEG_WWA and he has authorizations only for plant 1 and all movement types.
  Any pointers to restrict this access will be appreciated.
  Thanks & Regards,
  Subramaniam Iyer

  Hi,
  MIGO transaction by default restricted with Plant.  If you say that the user A is having access to only Plant 1 & 3, but not for 2, please check the below authorization objects does not have any manual objects inserted into the Role and restricted with the value only in organization field.
  M_MSEG_LGO
  M_MSEG_WMB
  M_MSEG_WWA
  M_MSEG_WWE
  This issue may occur because if the objects are maintained manually in the role.  If so, when you check in the organization field, it may not be showing the value which are manually added into the manual object.
  Also, please check the other roles are assigned to the user.  If any of the other roles assigned to the user having any of the above objects with * value, this may provide the user to do the Goods movement for any plant.
  To check the issue, please go to SUIM and check the user under "Roles by Complex Selection Criteria" and make sure that you are checking the objects for the particular user.  This should be able to identify whether the user is getting access from any other roles assigned to the user.
  Regards
  Anandm

• Authorization Object for Transaction Code

  Hi,
  Is there a report I can execute to give me the list of authorization object for this transaction code?
  Thanks.

  Check Transaction SU24
  Alternatively you can go to SE16-- enter the table name TSTCA, then enter the T CODE, you will get the object related to that T Code.
  Reward points..

• Authorizations: restrictions for InfoObjects and InfoProvider

  Hi Gurus,
  I am trying to define authorizations via RSECADMIN in 7.0 for a specific InfoObject and specific InfoProviders. The situation is: I want user USER1 to see only Company 4360 on Cube 'XXXXX', but he must be able to see all the Companies in all the other Cubes.
  I have used in RSECADMIN the icon "InfoCube Authorizations" to introduce the single Cube and corresponding single values for my Company, but it seems that the system use this restriction for all the Cubes.
  Please help me.
  Ciao.
  Riccardo.

  Problem solved.

• Authorization restriction for CRM 2007

  Dear Experts,
  We are in process of defining the authorization matrix for CRM 2007 for end users who will be using Web UI.
  Here my requirement is the service orders created by USER1 should not be displayed by USER2 and vice-versa when they do a search in both Web UI and GUI in Tx CRMD_ORDER for service orders.
  Please let me know how can I acheive this and what is the auth. object for the same.
  Thanks & Regards,
  Sharath

  Dear babu,
  If I understood your request, you want that, only one user will be able to access the document. If you want to do that, this is the answer:
  At tcode PFCG you shoud set:
  First you must set what type of document will be avaible to the user, in this case Z020.
  CRM_ORD_PR: PR_TYPE 'Z020',ACTVT '*'
  Next you must set which activities they will be able to do (notice, you must set the same field in the previsou object(
  CRM_ACT: ACTVT u2018*u2019
  And then you set which partner function or partner category are able to access the document, here is the main point !
  In this example I set that only users who has Partner Category (not partner function) Employee Responsible (std partner category 0008) are able to access the document
  CRM_ORD_OP: ACTVT '', PARTN_FCT '', PARTN_FCTT '0008'
  Here you can notice again field ACTVT, here you will set what user are able to do, "*" means everything, "1" = create, "2" = modify, etc. (I can see the list at PFCG, adding the auth. object to the PFCG profile).
  I notice only std partner function or partner category works with this object. I sent a message to sap support, and they confirm that, so if your user has Z partner funcition or category it is not possible to do that.
  Summary, your user must be present in the partner list of the document, and they must have a partner function or partner category std. It is possible to set together both values PARTN_FCT  and PARTN_FCTT, but I think it is not necessary.
  The easy way to do that is, user who will be able to access the document, must be the employee responsible.
  This help is very usefull
  http://help.sap.com/saphelp_crm60/helpdata/en/4a/b9f63a8ab2c745e10000000a114084/frameset.htm
  Regards,
  Lalas
  ps.: As you should know, only one partner function must have partner category Employee Responsible, in the partner det. procedure, otherwise, you will get error message in your application.

• Authorization restriction for bank details in FK03

  Hi,
  Please help me in restricting display of Bank details (payment transactions) in vendor master when we use transaction FK03 or XK03.
  Thanks,
  Nitish

  Hello Nitish,
  You can protect all general data (i.e. address data, payment transaction
  data, ...) with the authorization object F_LFA1_GEN. However, it is not
  possible to protect only bank data using authorization objects.
  As a workaround(!) for your requirement, you can do the following:
    1) Use the IMG Customizing tool (transaction SPRO) or transaction OB23
       directly to define Payment transactions data as "Suppress" within
       transaction FK03 and as "Display" within transaction XK03.
    2) The use of transaction XK03 should only be allowed to the managers,
       but not to the normal users who should use transaction FK03.
  Hope that helps,
  Jon

• Authorization restriction for material group field in MM02 for user role

  Dear All,
               My client wants to restrict 'material group' field usage in MM02 for certain users.
               How to achieve this task?
               Kindly advice
  Thanks &Regards
  Thangavel Ganesh

  Hi all ,
  You can use authorization object advised by AKPT MM. For related transactions , you can benefit from MM Related Authorization Objects - How to Find out & Assign , thanks to Sudeep A
  Regards.
  M.Ozgur Unal

• Invoking HR Master Data (P_ORGIN) authorization check for transaction PCP0

  Hello,
  We have to limit access to executives (managers) sensitive posting data in transaction PCP0 (display posting runs).
  Since executives belong to a personnel area other than all other employees, I thought we can achieve this by personnel area distinction.
  In order to have this done, P_ORGIN authorization check should be performed.
  It looks that by standard, such check is not performed.
  Does anyone have any experience of dealing with this issue?
  Thanks,
  Isaac

  Hi,
  I have a vague idea.
  I remember while creating an ESS user, we did something in P_ORGIN so as to to restrict access to personnel master data.
  Check the composite role : SAP_EMPLOYEE_ERP.
  A Z role was created for SAP_EMPLOYEE_ERP=>the corresponding roles in it had to be copied to a z role.
  Check the z-role created ; zSAP_ESSUSER_ERP.
  In Authorizations tab=>Display authorization data option => ;
  Expand Human Resources;
  In HR : Master data, you can find the various authorization assignments to P_ORIGIN;  where
  Authorization level (AUTHC)
  Infotype (INFTY)          
  Personnel Area (PERSA)
  Employee Group   (PERSG)
  Employee Subgroup  (PERSK)
  Subtype (SUBTY)
  Organizational Key (VDSK1)
  Authorization level (AUTHC) takes the values :
  • R (Read) for read access
  • M (Matchcode) for read access to input helps (F4)
  • W (Write) for write access
  • E and D (Enqueue and Dequeue) for write access using the Asymmetrical Double Verification Principle. E allows the user to create and change locked data records and D allows the user to change lock indicators.
  • S (Symmetric) for write access using the Symmetric Double Verification Principle
  • * always includes all other authorization levels simultaneously
  In your case if some has to make changes through PPCO.. it's equivalent to making changes to infotype 0001 (Organizational Assignment)
  So, probably, you need the Authorization level to R for Infotype 0001.
  I have no personal hands-on experience on this...since we are not allowed to anything Basis
  I have seen this being done and have noted what was done... !! May or may not be correct....!!
  I hope this is what you want.
  Cheers and Good Luck!!
  Remi

• Authorization restriction for Goods issue . others radio button in migo tcode

  Hello All,
  We have a situation wherein the user is able to issue goods using tcode MIGO by choosing Goods issue --> Others and  the movement type 201
  the above mentioning details i need to block the others tab only for specific user ids i have checked the MIGO objects But its not worked
  please give me solution for block the others button on the drop down box
  please find the attachment of screen shot its helpful to sort out the issue
  Best Regards
  suresh

  Dear Anandan,
  Please use trace t.code ST01 to fix the issue.
  You can restrict the movement type using the authorization object M_MSEG_BWA.
  If you can provide the step by step screens where you want to exactly restrict we can fix it.
  Regards,
  Venkatesh

• Authorization Issue for Transaction Codes PA10,PA20,PA30 &PA40

  Hi Experts,
  I have created Custom role for accessing ALL HR Transaction codes in IDES System and added to the user & Tested.
  All transactions codes are working except PA10,PA20,PA30 &PA40
  Please help me regading this.
  Advance Thanks,
  BBC

  Hi,
  I had check with basis Team, they told that I have all authorizations.
  This is New Installation for R/3 HR IDES System. even basis Team  also created role for above transaction code but not getting access.
  We can accesss all transaction codes except these.
  All are new for HR. here anything needs to  be configure for access PA10 to PA40 Transaction codes.
  Please advice me.
  Thanks & Regards,
  BBC

• Remove Authorization check for transactions VF03, FB03 and MIR4

  HI,
  We r using call transaction in BADI. When we r calling through BADI authorisation checks should not happen and allow any user to view the documents for the T-codes VF03, FB03 and MIR4 depending on document type.
  Early response is appreciated.
  Thanks,
  Raju

  hi,,
  Confimr with Basis team reg the Profile in which partculare authorization  object used.
  Either inactive that one or make a auth.Obj as per your requirment and assign to role and then user profile.
  Check out se54,24,pfcg.
  Regrads
  ricky