Authorization values by role table AGR_1251

Similar Messages

• Table that stores Analysis authorization values

  Hi all,
         We generated analysis authorizations for users on Profit centers. In RSECADMIN for each user we see an automatic authorization object being assigned with a name like RSR_000234  so on. We can see the values (profit centers) for this object when we double click on it. I would like to create a list of all users and the assigned profit centers. Can you please tell me if a table is available to get this list.
  Thanks,
  Ram.

  Chetan,
           We are loading authorizations values to 0PROFIT_CTR from ECC and flatfile into the Authorization DSO's and generating authorizations to assing the profit centers to users. I would like to see the profit centers assigned to a user. For example suppose if a user is assigned a particular region. I would like to see all the values of the profit centers assigned to the user from a table rather than going to the hierarchy and getting the list for each region.
          The tables that you specified give the userid and the technical name of the authorization(RSR_000234..) but I would like to see the actual values in the authorization.
        Hope I am clear. Thank you for your assistance.
  Ram.

• Data in tables AGR_1251, UST12 and USR12

  Hi there,
  I know that table AGR_1251 contains authorization data for SAP Roles. USR tables contain authorization definitions for access and UST tables contain data for SUIM reporting. The USR and UST tables that concern me are USR12 and UST12.
  I have a couple of questions about these tables (AGR_1251, UST12 and USR12):
  1) it seemed that these three tables were kept in sync when I created new roles and generated profiles for those roles. But when I checked other roles that were already there when the system was installed, the data for those role are not in sync. Is there a way to bring data for those role in sync for these three tables?
  2) In table AGR_1251, when the value for the "LOW" field starts with "$", it indicates a variable and the actual value for that field needs to be found in table AGR_1252. When I checked the same field in table UST12, it seemed that the value were already resolved. Could I depend on this?
  Thanks in advance
  GG

  Hi,
  > 1) it seemed that these three tables were kept in sync when I created new roles and generated profiles for those roles. But when I checked other roles that were already there when the system was installed, the data for those role are not in sync. Is there a way to bring data for those role in sync for these three tables?
  --> regenerate the profile shall do. If usr12 and ust12 are not in synch, run FM susr_synch_user_tables with option TABLETYPE=X
  > 2) In table AGR_1251, when the value for the "LOW" field starts with "$", it indicates a variable and the actual value for that field needs to be found in table AGR_1252. When I checked the same field in table UST12, it seemed that the value were already resolved. Could I depend on this?
  USR/UST12 are populated upon generating the profile! So the agr_12-data is put into usr/ust* tables then.
  b.rgds, Bernhard

• Extract authorization values

  Hi,
  Is there a way to extract specific authorization values for a particular user?
  In SUIM, using "Users by Complex Selection Criteria" will display all the authorization & values.  You then need to find that particular authorization, say "P_ORGIN" and go through each one of them to find the values assigned.  It is very tedious if the user have a lot of the "P_ORGIN" authorization assigned.
  I think in this case, SUIM is not the best way.
  Is there a way to quickly zoom into and look at all the values in just that particular authorization, in this case, "P_ORGIN"?
  Thanks

  If your focus is on HR authroizations one of the ways :
  SE16 - table name AGR_USERS
  The technical name will provide the assignment coming from organizational management.
  Take just those roles :
  use SE16 -  AGR_1251
  Which will give you an output export to excel filter on P_origin.
  If you are not using Organizational management:
  Then use SE16 - AGR_1251 find roles having P-origin
  get the role list and use AGR_USERS to find role to user relationship.

• Report users & authorization values in release strategy

  Hello,
  I want a report which displays the user names and their release codes from the authorizations which the users have.
  Is there any standard report?
  Thank you.

  Dear Landra,
  There is no standard report to get this data. But you can get this by combining the data of the 2 tables AGR_1251 & AGR_USERS.
  1. Goto SE16 --> table AGR_1251. Give Z* for Role, M_EINK_FRG for Object & FRGCO for Field Name and run it.
  2. Goto SE16 --> table AGR_USERS. Give Z* for Role and execute it.
  Vlookup both the reports in step 1 & 2 to get the list of users having access to a particular Release Code in the system.
  Regards,

• Programmatically assigning Authorization Objects to roles

  Hi there,
  I have created an authorisation object with eight fields. The fields control which parts of my application are accessible to the user. (Each field is one category, each category has several subcategories).
  What I want to do is the following:
  There shall be a custom authorization dialog, wherein the system administrator can configure the access of the application for a specific user.
  In plain text: I want to develop an interface which makes it possible to assign authorisation objects with specific values to a user or to an already existing role.
  Is there any functionality, that allows me to perform this assignment and regenerate the users profile?
  I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just to write new values to that table has no affect to the authorization when calling "authority-check object" in an ABAP report.
  Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?
  Thank you very much,
  Gregor
  Edited by: Gregor Bender on Mar 11, 2008 8:41 AM

  >
  Gregor Bender wrote:
  > I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values.
  Nope, sorry, it's not the connection but only one of the many.... Roles and profiles are stored in quite a lot of different tables so manipulating one table directly will hardly ever get you the desired situation. It may even lead to problems due to inconsistencies.
  For mass regenerating profiles there's transaction SUPC.
  For manipulating the contents of roles/profiles have a look at scripting with SECATT or LSMW in combination with PFCG.
  If you want to write code to add objects to roles you have to look at least in tables AGR_1250, AG_1251 and AGR_1252. The UST* tables are updated when generating profiles and/or comparing users.

• Authorization coding in custom table

  Hi frnds,
     I want to give an authorization to a custom table. I have created a new authorization group and assigned a role and user for it.
     I had done a coding to check the authorization in Maintenance generator program.
  MODULE CHECK_AUTHORIZATION OUTPUT.
  data : w_tddat like tddat,
         viewname type tabname value 'ZTSD_IB_TRMAP',
         act_level.
  select single * from tddat into w_tddat where tabname = viewname.
    if sy-subrc <> 0  or  w_tddat-cclass = space.
      w_tddat-cclass = '&NC&'.           " 'non classified table'
    endif.
    authority-check object 'S_TABU_DIS'  "check by class
        id 'ACTVT'      field '02'
        id 'DICBERCLS'  field w_tddat-cclass.
    if sy-subrc <> 0.                    "not allowed
        authority-check object 'S_TABU_DIS' "check by class
           id 'ACTVT'      field '03'
           id 'DICBERCLS'  field w_tddat-cclass.
        if sy-subrc =  0.
         fupd  = space.
         fshow = 'X'.
         act_level = '03'.
         p_action = 'S'.
          message w106(tb) with viewname."only show allowed
        else.
          message e107(tb) with viewname."no upd auth
        endif.                           "sy-subrc from  2nd auth_check
      else.                              "act_level <> 02
        message e105(tb) with viewname . "no show auth
     endif.
    endif.
  ENDMODULE.                 " CHECK_AUTHORIZATION  OUTPUT
  But the problem is on debugging even for the unauthorized user the authorization check coding:
    authority-check object 'S_TABU_DIS'  "check by class
        id 'ACTVT'      field '02'
        id 'DICBERCLS'  field w_tddat-cclass.
  gives sy-subrc = 0.
  What is the problem with the coding.
  Also can an one explain me about
         fupd  = space.
         fshow = 'X'.
         act_level = '03'.
         p_action = 'S'.
  and what are the datatypes to be given for it on data declaration.
  Thanks in Advance

  >
  neethu wrote:
  > I have created a Z table and I need to create and assign an Authorization group to the table. The requirement is like, say, if there are 10 users who belong to this particluar Authorization group, then 5 users should be given display and change authorization. And the remaining 5 users should be given only display authorization & no change authorization.
  >
  Assuming users are accessing the table content using SM30 (or SM30 parameterised transaction) you can use authority object S_TABU_DIS to control change mode. User who are suppose to change content should have authority object S_TABU_DIS with following values in their role.
  S_TABU_DIS
  ACTVT = 02
  DICBERCLS = AUTH_GRP
  for display only
  S_TABU_DIS
  ACTVT = 03
  DICBERCLS = AUTH_GRP
  Where AUTH_RP is authorization group assigned to table
  Regards,
  Pawan.
  Edited by: Pawan Kesari on Aug 9, 2010 4:17 PM

• How to get custom field value in vbkd table using "SD_SALESDOCUMENT_CREATE" bapi

  Hi Experts,
  Need your help . In one program Iam using SD_SALESDOCUMENT_CREATE bapi .
  i/p for my report is am excel.
  excel is having  below formatt.
  To create salesdoc we are using SD_SALESDOC_CREATE bapi.
  but After execution of the program we are unable to find the ZZFV_SBCNT (which is custom  field) in VBKD w.r.t salesdocument.
  Need your help what we need to do to reflect the value in vbkd table.
  Here temp will contains the data from excel
  1)
  FORM f_move_header_data .
     wg_header-doc_type            = wg_temp-auart .                   "Order type
     wg_header-sales_org           = wg_temp-vkorg .                   "Sales Organization
     wg_header-distr_chan          = wg_temp-vtweg .                   "Distribution Channel
     wg_header-division            = wg_temp-spart.                    "Division
     wg_header-sales_off           = wg_temp-vkbur .                   "Sales Office
     wg_header-sales_grp           = wg_temp-vkgrp .                   "Sales Group
     wg_header-purch_no_c          = wg_temp-bstnk .                   "Customer purchase order number
     wg_header-pymt_meth           = wg_temp-zlsch  .                  "Payment Method
     wg_header-zzychan_role        = wg_temp-zzychan_role_i.           "Channel Role
     wg_header-zzysub_role         = wg_temp-zzysub_role  .            "Submitter Role
     wg_header-zzy_inv_for_opt     = wg_temp-zzinv_format  .           "Invoice Format Optio
     wg_header-ord_reason          = wg_temp-augru  .                  "Order Reason Code
     wg_header-bill_block          = wg_temp-faksp.                    "Billing Block
     wg_headerx-doc_type            = c_set .                   "Order type
     wg_headerx-sales_org           = c_set .                   "Sales Organization
     wg_headerx-distr_chan          = c_set .                   "Distribution Channel
     wg_headerx-division            = c_set.                    "Division
     wg_headerx-sales_off           = c_set .                   "Sales Office
     wg_headerx-sales_grp           = c_set .                   "Sales Group
     wg_headerx-purch_no_c          = c_set .                   "Customer purchase order number
     wg_headerx-pymt_meth           = c_set  .                  "Payment Method
     wg_headerx-zzychan_role        = c_set.                    "Channel Role
     wg_headerx-zzysub_role         = c_set .                   "Submitter Role
     wg_headerx-zzy_inv_for_opt     = c_set .                   "Invoice Format Option
     wg_headerx-ord_reason          = c_set .                   "Order Reason Code
     wg_headerx-bill_block           = c_set.                    "Billing Block
  ENDFORM.                    " F_MOVE_HEADER_DATA
  2)
  FORM f_move_item_data .
     wg_item-itm_number          =   g_itmnumber.                              "Item number
     wg_item-material            =   wg_process-matnr .                        "Material
     wg_item-target_qty          =   wg_process-target_qty.                    "Targeted Qty
     wg_item-item_categ          =   wg_process-pstyv.                         "Sales document item category
     wg_item-zzylegal_i          =   wg_process-zzlegal.                       "Legal Contract
  **********Added this line for vbkd-ZZFV_SBCNT****************************
     wg_item-zzfv_sbcnt          = wg_process-zzfv_sbcnt.      
  APPEND wg_item TO i_item.
  wg_itemx-material            =   c_set .                        "Material
     wg_itemx-target_qty          =   c_set.                         "Targeted Qty
     wg_itemx-item_categ          =   c_set.                         "Sales document item category
     wg_itemx-zzylegal_i          =   c_set.                         "Legal Contract
     wg_itemx-zzsteady_date       =   c_set .                        "Amortization Start Date
     wg_itemx-zzsteady_end_dat    =   c_set.                         "Amortization Stop Date
  **********Added this line for vbkd-ZZFV_SBCNT****************************
     wg_itemx-ZZFV_SBCNt     =   c_set.   "
     APPEND wg_itemx TO i_itemx.
     CLEAR : wg_itemx. 
  endform. 
  3)           
  FORM f_move_head_ext
  wg_extension-structure   = c_ext_vbak.
     wg_ext_vbak-zzinv_format = wg_temp-zzinv_format.
  wg_ext_vbak-zzychan_role = wg_temp-zzychan_role_i.
     wg_ext_vbak-zzysub_role  = wg_temp-zzysub_role.
     wg_extension+30 = wg_ext_vbak.
  APPEND wg_extension to i_extension.
  CLEAR wg_extension.
     wg_extensionx-structure =  c_ext_vbakx.
     wg_ext_vbakx-zzinv_format = c_set.
    wg_ext_vbakx-zzlegal      = c_set.
     wg_ext_vbakx-zzychan_role = c_set.
     wg_ext_vbakx-zzysub_role  = c_set.
     wg_extensionx+30 = wg_ext_vbakx.
     APPEND wg_extensionx TO i_extensionx.
     CLEAR wg_extensionx.
  ENDFORM.                    " F_MOVE_HEAD_EXT
  *&      Form  F_MOVE_ITEM_EXT
  *       Item Extension
  4)
  FORM f_move_item_ext .
  * Structure for BAPI parameter Extension
     wg_extension-structure = c_ext_vbap.
     wg_ext_vbap-posnr      = g_itmnumber.
     wg_ext_vbap-zzsteady_date       =   wg_process-zzsteady_date .                 "Amortization Start Date
     wg_ext_vbap-zzsteady_end_dat    =   wg_process-zzsteady_end_dat.               "Amortization Stop Date
     wg_ext_vbap-zzlegal             =   wg_process-zzlegal.                        "Legal Contract
     wg_extension+30 = wg_ext_vbap.
  APPEND wg_extension to i_extension.
  * Structure for BAPI parameter Extension - Update Indicator Fields
     wg_extensionx-structure =  c_ext_vbapx.
     wg_ext_vbapx-posnr = g_itmnumber.
     wg_ext_vbapx-zzsteady_date       =   c_set .
     wg_ext_vbapx-zzsteady_end_dat    =   c_set.
  *  wg_ext_vbapx-zzlegal             =   c_set.
  *wg_process-zzfv_sbcnt = c_set.
     wg_extensionx+30 = wg_ext_vbapx.
     APPEND wg_extensionx TO i_extensionx.
     CLEAR wg_extensionx.
  and bapi calling is like below.
  CALL FUNCTION 'SD_SALESDOCUMENT_CREATE'
       EXPORTING
         sales_header_in       = wg_header
         sales_header_inx      = wg_headerx
         logic_switch          = wg_logic_switch
         business_object       = fp_bus_obj
         status_buffer_refresh = 'X'
       IMPORTING
         salesdocument_ex      = g_sorder
       TABLES
        return                = i_return
         sales_items_in        = i_item
         sales_items_inx       = i_itemx
         sales_partners        = i_partner
         sales_conditions_in   = i_cond
         sales_conditions_inx  = i_condx
         sales_text            = i_text
         extensionin           = i_extension
       extensionex           = i_extensionx.
  still we are not getting ZZFV_SBCNT value in VBKD table w.r.t created salesdoc(g_sorder)
  Please help me from this issue.
  Thank You..

  Hi,
  Please let me know how to add custom fields in the characteristic list, My clients wants department and profit center grouping.
  Please tell me how to solve it..
  Thanks & Regards,
  Reena..

• Authorization issue within a table in BI

  Hello All,
  Here is my authorization issue :
  We have set up an authorization on infoobject Zapplication. End user is allowed to choose "HR" only.
  In Rsecadmin, infoObject Zapplication is restricted to "HR"
  Then, this authorization object has been assigned to end user.
  This user go to a specific table to select an application and a date.
  When user display the possible value he only see "HR". Which means our authorization is correct.
  However, this user can enter another value such as "SD". This value does exist in infoObject Zapplication. So, it means that there is an issue with our authorizations settings.
  We have added a control table, it's even worse in this case, authorization are not checked at all and all available values are displayed.
  Any idea to prevent the user to entered a value within this table ?
  Why our authorization does not check the value entered directly in the table ?
  Thanks &
  Regards
  Cath

  Hello
  For info we manged to restrict acces on this table by using event table from table maintenance and we have combined it with a specific authorisation object.
  Regs
  C.

• Table AGR_1251: Search between a range of the field "LOW" and "HIGH

  Hello Experts,
  i've got a problem by searching all users who have the authority for a transaction.
  The transaction was written in a parameter, called p_trans.
  I've the Tables AGR_1251, AGR_AGRS and AGR_USERS.
  I know what I've to do.
  Here is my Join.
  SELECT agru~uname
    INTO CORRESPONDING FIELDS OF TABLE gt_users
    FROM agr_1251 as ag12
    INNER JOIN agr_agrs as agrs
      ON  ag12~agr_name = agrs~child_agr
    INNER JOIN agr_users as agru
      ON  agrs~agr_name = agru~agr_name        
    INNER JOIN usr01 as us
      ON  agru~uname = us~bname
    WHERE ag12~object = 'S_TCODE' AND
                 ag12~field  = 'TCD' AND
                 ???? parameter p_trans between ag~low and ag~high????
  SELECT agru~uname
    APPENDING TABLE gt_users
    FROM agr_1251 as ag12
    INNER JOIN agr_agrs as agrs
      ON  ag12~agr_name = agrs~child_agr
    INNER JOIN agr_users as agru
      ON  agrs~child_agr = agru~agr_name       
    INNER JOIN usr01 as us
      ON  agru~uname = us~bname
    WHERE ag12~object = 'S_TCODE' AND
                 ag12~field  = 'TCD' AND
                 ???? parameter p_trans between ag~low and ag~high????                       
    SORT gt_users BY uname ASCENDING.
    DELETE ADJACENT DUPLICATES FROM gt_users COMPARING uname.
  Here is my question:
  In my code are question marks...here i want to say, that my transaction lays between the fields LOW and HIGH.
  But how can i say, that in WHERE.
  I have to say... Search that agr_name, where object = s_tcode, field=tcd and where my transaction lies between.
  For example: low is T and high is X and i have the transaction va21.
  So i must find out, in which range lays ma transaction.
  I hope somebody understands me
  Thanks!
  Regards,
  Marcel

  Hi Marcel,
  You are mentioning it as a parameter between having low & high values. Is it a parameter or select option.
  If its a parameter, then anyway it will have only single value at any point of time.
  If its a select option, then you need to use
  select * from
  and tcode in s_tcode.
  Thanks,
  Best regards,
  Prashant

• SAP USERS ROLE TABLE

  Can some one tell me the SAP USERS ROLE TABLE
  I Will assign point to any input.
  Balance Roll forward     
  Change Vendor Line Items
  Change Parked Vendor Document
  Change/ Reverse Vendor Invoice     
  Check Processing
  Clear Accounts Payable Items
  Display A/P  Balance & Items
  Display Checks     
  Display Vendor Documents     
  Display A/P Master Data     
  Display Parked Vendor Documents     
  Account Payable Interest Calculation     
  A/P Invoice Entry     
  A/P Accounting Key Reports     
  Manual Payment     
  Payments Using Bill of Exchange     Display
  Payment Run Parameters     
  Create and Process Payment Run Proposal     
  Accounts payable period closing     
  Post Parked Vendor Document     
  Maintenance of Accounts Payable Master Data     
  Process Withholding Tax

  go to t code PFCG
  Search for roles with SAP_FI_AP*
  You could always create your own role.
  In the Menu tab add the t codes you have specified.
  You will then need to add the authorization objects in the authorization tabs.
  For the t codes you have I guess it would take an hour max.

• Add authorization checks to the table maintenance

  i have created a table maintenance and I have authorization object and the field for it which will take some values this i got from basis people . Then how to add authorization checks to the table maintenance.

  U can try to use the event, after generating table maintenance program:
  Enviroment->Modification->Events: the events 05/18 could be good for you
  Max

• Authorization on BP Role ???

  Hello Experts,
  we are running on CRM 5.0. we have created 3 roles "Prospect", "Customer", "Employe".
  In our case we want "Customer" and  "Employe" role to be in display only, user shoud not edit the details. Prospect can be created or edited.
  What we did we put authorization on role Customer and Employe "DISPLAY"
  This authorization is working in GUI but in PCUI, user still able to edit the details of Customer and Employe.
  Please guide me how i can achive this authorization check on roles ???
  Regards!!!
  Amit Saini

  Hi Amit,
  How is that done?  We tried using Authorization and Spro table but when we make address Display Only it only applies to SAP GUI and doesnt carry over to the portal.
  Is there a way to add PCUI field groups to the BP role dataset and then make it a Display only?  If you could please give me details on how you accomplish it I would really appreciate it.
  Thank you,
  Arpan

• Authorization in Basis Roles

  The scenario is; there is a single client but two different companies.
  We are planning to develop a separate Basis Administration roles for each company.
  To restrict Organizational levels (Company code, controlling area...) I use "S_USER_VAL" Authorization object. it works fine with org. levels but I have to define all possible Field Names along with their Authorization values and it seems very difficult.
  Is it possible "S_USER_VAL" works according to the values I maintained but for rest of other values it may goes to * ?. In other word it should not by pass the maintained values.

  Jurjen Heeck wrote:>
  >... something else to make a part of SAP_ALL not work?
  2 ideas:
  - If the regeneration of SAP_ALL could check that the user running it does not have any SAP_ALL authorizations? Meaning, they would need to know exactly which non-SAP role authorizations (their technical names) have that authority in it. Many folks who only work with SAP_ALL don't know how to do that
  - If there were some way to isolate the program parts which are required to change SCC4 such that they can only be run with root priveleges, then you do not need to give your SAP system (with SAP_ALL) root access...?
  Disclaimer: Just ideas! Complete overkill!!
  => Does restricting the user's access sound like a much easier idea now?
  Cheers,
  Julius

• Tcode authorization without any role or profile

  Hi Experts ,
  Can you please suggest on authorization issue , if observed that one Tcode not given in to any roles or profile but some user still using this authorization.
  When I checked role and profile for such user using the SUIM still it shows no data.
  So is there any other way to assign direct Tcode without using any role or profile.
  Thanks in advance .

  not sure how you are using SUIM to check, just to be sure, use the complex selection method or the authorization values method. the by transaction method only check for transactions that were added via the menu.
  look for object= S_TCODE, value=(the transaction code)
  SUIM will then calculate if the transaction code was added manually and as part of a wild card or a range.
  i.e. if the transaction was MM02 it will be accessible if the S_TCODE had
  wild card value M*, MM*, MM0* or
  range value A*-Z*
  Otherwise, it is possible that it was called indirectly and the BADI does not perform a S_TCODE check.