Authorization view at user level

Similar Messages

• PM Organization Units Authorization on User Level

  Hello experts,
  Is there a way to add authorization for an organization unit (i.e. Planning Plant) on a user (SU01) level and not on a authorization objects (PFCG) level?
  For example,
  I would like to create the following Role (profile):
  ZPM_AUT_EQM_EQUIPMENT_DISPLAY
  This role should be able to display equipment from the Plant Maintenance module.
  However our problem is, we would like to create authorization levels with organizational units for each user:
  For example:
  User jsmith has ZPM_AUT_EQM_EQUIPMENT_DISPLAY assigned but can only display equipment from Planning Plant SL01.
  We know we can create this authorization creating several roles, like:
  ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SL01
  ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SJ01
  ZPM_AUT_EQM_EQUIPMENT_DISPLAY_AG01
  but our idea is not create several roles, but to assign the Planning Plant authorization on a user level and leave just one role so we would only need ZPM_AUT_EQM_EQUIPMENT_DISPLAY.
  Is there a way to do this?
  Thank you in advanced for your replies.
  Best regards,
  Fernando Montenegro

  Hi ,
  Could you share about your solution ? I think I have face the same problem as yours.

• Organization Units Authorization on user level

  Hello experts,
  Is there a way to add authorization for an organization unit (i.e. Company Code) on a user (SU01) level and not on a authorization objects (PFCG) level?
  For example,
  I would like to create the following Role (profile):
  ZFI_AP_REPORT_DISPLAY
  This role should be able to display AP report from the Financial module.
  However our problem is, we would like to create authorization levels with organizational units for each user:
  For example:
  User Anson has ZFI_AP_REPORT_DISPLAY assigned but can only display Report from Company Code 3202.
  We know we can create this authorization creating several roles, like:
  ZFI_AP_REPORT_DISPLAY_3201
  ZFI_AP_REPORT_DISPLAY _3202
  ZFI_AP_REPORT_DISPLAY_3203
  but our idea is not create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.
  Is there a way to do this?
  Thank you in advanced for your replies.
  Christine Tseng

  I agree with Jurjen.  There is no point creating a "new" authorisation concept for a few transactions.  If you use standard authorisation objects for the check in your custom tcodes then you will likely have very little work to do if you assign those tcodes to existing roles.
  Even using a custom auth object & creating the variants will take up no more time than doing something like repeating the variable functionality in BI or messing about with PIDs in the UMR (which I definitely do not recommend).  By sticking with the standard concept you ensure consistency, making it much easier to support and/or handover if you move on from the role.

• Restricting Authorizations to Variants at User level

  Hi SAPians,
  Can you help me to know how can I restrict variants to be displayed for particular users.?
  Example: I am creating 5 variants in EMMACL transaction and give authorizations for the users only to particular Variants as below:
  1. Variant1 --> Can be access by only users ERP-EHK, ERP-SAP & ERP-EJS
  2. Variant2 --> Can be access by only users ERP-EAS & ERP-HJG.
  3. Variant3 --> Can be access by only user ERP-EMM
  4. Variant4 --> Can be access by only users ERP-EHK & ERP-UJY
  5. Variant5 --> Can be access by only user ERP-EAS
  Let me know how I can achieve the above requirement?

  Hi,
  i have assigned it at user level then why iam i
  getting the currency code of site level ?Did you user to logout and login again after setting the profile option at the user level?
  What if you set this profile option at the site/application/responsibility level, can you reproduce the issue then?
  Thanks,
  Hussein

• Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

  I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data  in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG.I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users.GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please  consider it urgent.

  Hi,
  Assign ECC connector to SAP_ECCS_LG group.
  Run the programs GRAC_PFCG_AUTHORIZATION_SYNCand GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode(this might take time so better do this in background). Better do it sequentially.Check the logs of the jobs in SLG1 just to ensure everythings fine.
  Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks.Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
  Then run ARA and while doing so please ensure the selection screen doesnt have any unwanted default inputs. If followed correctly , this should be of help.  I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
  Regards,
  Vivek

• Issue with Total Number of SODs at user level.

  Friends,
  Quick question -
  We are using GRC 5.3 Production on NT 20003 server. and back end systems are ECC 6.0
  1.We added the Additional Role to one of the business users in ECC 6.0
  2.We ran the FULL synch after adding this role in backend.
  Issue : The total number of SODs did not change for users, even though the SODs for this business users did increase about 300.
  Locations of Screen
  Informer Tab ->> Risk Violoations.
  Analysis Type -> Users
  Does anyone has any idea how this numbers get interpreted?
  The Total number of Violations for permission should increase, if user level SOD gets increased, as per our understanding.
  PT

  It should be in below sequence -
  1. Full or incremental sync for user/role/profile
  2. Full or incremental batch risk analysis for role/user/profile
  3. Management report
  The view you see is management report, which is based upon above jobs. FIrst jobs does high level sync like user/role/profile addition/deletion etc. Second job actually does risk analysis. Third one fills up the management view. If your batch risk analysis was run on  Aug 30 aug 10 and management report after completion of the same, the report will show the same data till you run these jobs again even there are many changes in backend authorization.
  Hope it clarifies your query.
  Regards,
  Sabita

• Authorization at Folder Tab level

  Hello Experts
                               I have design a form which has lots of folder tabs , but now i want authorization at folder tab level, so that only authorized user has access to those tab, while unauthorize user is not able to see content inside the tab
  ex
  user1 - Full authorization
  user2 - No authorization on tab level
  Is it possible
  Plz suggest

  Hi,
  Yes u can write a small logic like that, for a specific user some folders will not be avaliable, for that i suggest u create a new UDT with some cols like user name, and folder item UID to restrict, so that the end user admin can update this table with the required folder item ID and user code as the users can change in the future,
  So u can have a logic like
  If loggedInUser = restrictedUser Then
  msgbox("Not authorized to view this information")
  bubbleevent = false
  End If
  U need to execute this logic in the item click event.
  Hope this helps,
  Vasu Natari.

• Error on load: System.IO.IOException: The process cannot access the file : error in event viewer when users want to view documents from this third party deployed scan solution

  Error on load: System.IO.IOException: The process cannot access the file
  '\\server1\SCANSHARED\.pdf' because it is being used by another process.
     at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
     at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)
     at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
     at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
     at System.IO.File.WriteAllBytes(String path, Byte[] bytes)
     at abc.Scan.Layouts.ICC.Scan.View.Page_Load(Object sender, EventArgs e)
  I faced this  error in event viewer  when users want to view documents from this third party deployed scan solution
  here I have two WFS servers  and they configured with load balancing in F5 .
  when I enable both servers in F5 I receive this error messages in 2nd server,
  when users want to view documents
  adil

  Do you have antiVirus installed on the sharepoint servers?
  These folders may have to be excluded from antivirus scanning when you use file-level antivirus software in SharePoint. If these folders are not excluded, you may see unexpected behavior. For example, you may receive "access denied" error messages when files
  are uploaded.
  Please follow this KB and exclude the folders from Scanning.
  http://support.microsoft.com/kb/952167
  Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

• Issue in User Level Simulation in GRC 10.0

  Hello Every one,
  Before i Jump into the question, please find below the screen shot which tells about the B.P(Business process),Functions created in test system(GRC 10.0), where as the roles and corresponding users which have been created in back end system connecting to GRC 10.0.
  Now when i am trying to run a risk analysis on user TEST_RISK(TEST_ROLE_RISK role is assigned and pfa the authorizations in the role), i will be shown the Risk R001.
  Now i am trying to run user Level Simulation on the above user TEST_RISK and i am trying to simulate by adding a new role TEST_ROLE_RISK3 as shown in the below screenshot at Action level,Permission Level,Critical Action level ,Critical permission level.
  Even though i select the option, Risk from Simulation only, when i try to execute at action level , it is also showing me the risk which coming from the actual role assigned but not from the simulating one.
  Thanks and Regards,
  Naga.

  Hi Naga,
  there are some notes which might help to fix the problem. Especially the first might fix your problem.
  http://service.sap.com/sap/support/notes/1895502
  http://service.sap.com/sap/support/notes/1953347
  Please let us know if it helped.
  Regards,
  Alessandro

• Can we create wallet at User Level to implement TDE in Oracle 10g

  Hi
  I am going to use a Oracle 10g TDE security feature for data security.I have gone through with lots document.Everywhere there is mention to open or close a Wallet at system level.I mean ALTER SYSTEM..that means except DBA no one can see the encrypted column.
  But my requirement is bit different,I want to encrypt the column based on user.
  lets take example- Suppose we have one table TEST with C1,C2,C3,C4,C5,C6 column and there is U1,U2,U3 user.I want to encrypt C1 and C3 for U1 , C2 and C5 for U2 , C4 and C6 for U3 and U1,U2 and U3 can see only all columns except encrypted column.
  My question is Can we apply TDE at User level rather than system level.
  Any ideas or thought would be appreciable.
  Thanks in advance.
  ANwar

  The idea of TDE is to provide data protection on storage media, so when your backup tapes drop from the truck or the hard disk of a stolen laptop is sold online, encrypted data remains encrypted and can't be read by anyone.
  It seems to me as if you try to achieve access control by encryption, which you don't need: If users have sufficient privileges or the business need to see data, then they should be granted access and see the data de-crypted. Otherwise, access control mechanisms (roles, views, VPD, OLS) should kick in and hide the rows from them.
  So, for day-to-day business of your database, the wallet needs to be open, so that the database can de-crypt data for users who have been granted to see credit card numbers etc., but then limit access to credit card numbers they are not allowed to see with other measures. There is a little hands-on for TDE and VPD here:
  http://www.oracle.com/technology/obe/10gr2_db_vmware/security/tde/tde.htm
  Hope this helps,
  Peter

• User level settengs for Report Painter GR55

  HI All,
  When user is trying to extract a cost center report from Report Painter GR55. User is not getting the values for few line items for last FI year (2010) and he is able to see the values for current year (2011).
  Tried with parameters, authorizations and settings with other user (able to see the report) who is having same roles authorizations.
  Please suggest if there are any user level setting related to above.
  Regards,
  Hamed

  did you check in transaction RPC0?
  Maybe you have some value at user settings level.
  br, Guido

• Converting user level personalizations to site level personalizations

  Hi All,
  My Requirement is as follows:
  In one search page i have created one view to save my search by providing view name.
  Now if i login from different user i am not able to see that view name in the drop down which i have created from different login.
  i intend to see that view for all users even if create from single login.
  i know that save search is user level personalization, but i want to get the same at site level.
  but while creating there is option like site level or responsibility level.
  Any help would be greatly appreciated.
  Thanks in Advance.
  Regards,
  Naren.

  Hi Reetesh,
  find the below steps.
  let me know if you need any clarity.
  Create, Duplicate, Update or Delete an "admin-seeded user-level" personalization :-
  ==================================================
  Select the Personalize pen icon to launch a focused version of the Page Hierarchy Personalization page for a selected boxed region.
  Use the Hierarchy Page HGrid to identify the query region for which you wish to create an "admin-seeded user-level" personalization. (You can create seeded user-level personalizations only for a table or a HGrid in a query region.)
  Select the Seeded User Views icon to launch the Personalize Views page where you can create, update, duplicate or delete "Admin-seeded user level" personalizations.
  When you create, duplicate or update a seeded view, you navigate to the respective Create/Duplicate/Update Views page. Select Apply to save your changes when you are done.
  Regards,
  Naren.

• User Level SOD Report - Batch

  Hi GRC Experts,
  Every day my company runs a User Level SOD analysis against every user in ERP or HRP.  Here is the criteria for ERP (there is a connector):
  System:  Our defined ERP connector
  Risk Level:  All
  Rule Set:  Global
  User is not DDIC
  User Type:  Dialog
  Format: Detail      Technival View
  Access Risk Analysis at the Permission Level
  Show All Object
  This job is run in Background, and the report output is downloaded from Background Jobs.
  Is there a way to schedule this job using SE38 and a variant?  We would like to start using a automated scheduling tool.
  The program run is GRFN_BP_SCHEDULER with variant &0000000001569
  I looked at the variant, and it looks for I_PLANID and I_UPDTSK.
  Is all the criteria I selected stored in a table as a PLANID?
  Thanks in advance.
  Donna Wiley

  Hello Plaban,
  Thank you for the info!  How do you set up the variant for the "Report" options?  We need two reports for "User Level".  In the Report Options section, we need one report with a Format = Detail and one with a Format = Management Summary. Both reports should be in the Format = Technical View.
  Thank you and kind regards,
  Janice

• Remove Personalization at User Level - Saved Searches

  All,
  There is a problem in the Saved Searches. We are on 11.5.10. The page immeditely throws error when a custom view is created using "Save Search" button.
  It says,
  ## Detail 0 ##
  java.lang.NullPointerException
  at oracle.apps.fnd.framework.webui.OADataBoundValueCustomization.getValue (OADataBoundValueCustomization.java:191)
  I am not able to revert this view created through save search. I tried by setting the Disable Self-Service Personal to Yes at that user level where i created the view and bounced apache. But the error still exists.
  Is there any means like by "Functional Administrator" responsibility where these views can be removed?
  Thanks,
  Padmaja

  Pl see if a similar issue reported in MOS Doc 859190.1 (Personal Worklist Returns NullPointerException When 'Disable Self - Service Personal' Is Set To Yes) can help
  HTH
  Srini

• Authorization at profit center level

  Dear All,
  In FI Module we have a requirement of Authorization at Profit Center
  Level.
  For Example : in FB50 transaction we want to allow some users to enter
  only for "1001" profit center.
  We have tried the following :
  We have create authorization object for PRCTR - Profit Center field and
  assing that object manualy to role. But it is not working. After assigning this authoization object, profit center also comes in "Organization Level". But at transaction level no effect.
  Thanks  in adanace,
  Nirav

  Hi Nirav,
  You will only invoke additional authorisation checks if the code for the transaction is changed to include the relevant AUTHORITY-CHECK code + subsequent logic.
  From memory for FB50 you will need to look into an appropriate user exit or enhancement point to code this additional check.  Alternatively you could use an alternative control such as random sampling for those users.