Authorizations and role maintenance
Please tell me how the authorizations in a role are maintained.
Thanks
Hi,
For role and authorization maintenance, the T.code is PFCG.
1. Identify the users and what kind of role and authorization needs to be given;
you can divide the roles like PA, OM, TIME and Payroll.
2. There are 2 kinds of role - a) Single Role and b) Composite Role.
3. In the Role - give a name and click on create single role.
Then you will find different tabs - 1) Description, 2) Menu, 3) Authorization and User.
You can define it according to the requirement, or you can copy from the standard role and assign to this.
Thanks
Sethu
Similar Messages
-
MSS (non-webdynpro) Authorizations and Roles
Do you know the MSS 60.1 business package authorizations and roles that are required for the backend R/3 system? I noticed an SAP note exists for the webdynpro version (#798967) but didn't see a note for the old package.
Umair,
I know this auth object is required for webdynpros in new business package but does it apply for old traditional java MSS package too?
Thanks, John -
Regarding Authorizations and Roles
Hi All,
Can anyone explain Authorizations and Roles to me in detail?
regards,
Ali
Links for Learning about Authorizations:
http://help.sap.com/saphelp_nw70/helpdata/en/44/599b3c494d8e15e10000000a114084/frameset.htm
http://help.sap.com/saphelp_bw33/helpdata/en/be/076f3b6c980c3be10000000a11402f/content.htm
http://help.sap.com/bp_biv235/BI_EN/documentation/Authorization_BW_Proj.pdf
http://help.sap.com/saphelp_nw04/helpdata/en/e3/e60138fede083de10000009b38f8cf/frameset.htm
Links to learn about Roles:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
http://www.bwexpertonline.com/archive/Volume_04_(2006)/Issue_10_(Nov_and_Dec)/V4I10A2.cfm?session=
Assign points if helpful,
Venkat -
Hi all!!
I'm creating an authorization object to restrict some key figures of an InfoCube.
I want to restrict only four or five key figures for one cube, and the user can see all the characteristics; is it possible to do this?
I found this way, but it is not really what I want:
I created an authorization object that contains, for example, 0material and Key fig.
In transaction PFCG, in the role, I go to the authorization and include the object that I created and put the values * for material and the key figure that I want to see.
But I want the user to be able to see all the chars, not necessarily 0material, and hide some key figures.
Thanks for the answer,
Greetings,
Monica
Hi!!
Thanks for the answer
When I do this and execute the query, I can see all the key figures (they are in the columns area), and for example I don't want to see one of them.
I'm not sure if I'm doing something wrong.
I followed these steps:
1. I created in RSSM an authorization object with only 1KYFNM
2. In PFCG I added to the role the object that I have created and put in the values of ratio the ratios that I want to see.
3. I updated the roles for the user.
Then I executed the query and I see all the KF; I don't have any authorization variable in the query because I want that applied for all the chars.
Thanks again,
Mónica -
Check users authorizations and role
Hello!
How can I check the authorizations of Web Dynpro application users and also their roles?
Thanks
rgds
sas
Hi,
Please go through the following links
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/wd%20java/web%20dynpro%20security.pdf
https://help.sap.com/javadocs/index.html
use the method isMemberOfRole.
Regards
Ayyapparaj -
End User Authorizations and Roles
Hi,
What are all the authorizations I need to give to an end user who uses the device?
Is it necessary for the user ID to be the same in the MI Client, MI server and Backend systems?
Let me explain what an end user does
>logs into MI client
>performs first synchronization
>Executes Mobile Application assigned
>and performs synchronization at the end of the day
rgds,
Kiran
Hi Kiran
Probably I wasn't clear with my reply. You need to assign both the above mentioned authorizations to the same user who is performing a sync from the MI Client. S_ME_SYNC is required for the user to perform a sync from MI Client to MI server. S_RFC is required for the same user so that the data can be transferred from MI server to SAP backend and vice versa.
Hope I am clear now
Best Regards
Sivakumar -
BI 7.0 authorizations and roles
Hi,
Is it possible to use only old authorization profiles like in version 3.5 in BI 7.0?
I mean, I don't want to use the new authorizations that BI 7.0 has.
I want to use the old authorizations like in BI 3.5.
I just want to use PFCG.
I don't want to use transactions like: rsecadmin, rsu01, RSA1, rsd1
Is it possible?
Thanks a lot.
Hi,
SAP strongly recommends using the new Analysis Authorizations in SAP NetWeaver 7.0. The Authorizations will not be further developed (enhanced). Please check this link:
http://help.sap.com/saphelp_nw04s/helpdata/en/be/076f3b6c980c3be10000000a11402f/content.htm -SAP Service Marketplace /bifaq
You can use the Reporting Authorizations which are still the same in both.
S_RS_COMP and S_RS_COMP1 are the auth objects which controls the reporting parameters.
Authorizations to Work with a Query
http://help.sap.com/saphelp_nw04/helpdata/en/80/1a68b4e07211d2acb80000e829fbfe/content.htm
Example for Reporting Authorizations -
http://help.sap.com/saphelp_nw04/helpdata/en/41/05453caff4f703e10000000a114084/content.htm
Regards
CSM Reddy -
Authorization or roles assign?
Hi All,
I have installed XI 3.0 on Windows Server 2003, but my users are getting this error and are not able to create a product. It says "You are not authorized to view the requested resource 403 forbidden".
What are all the authorizations and roles I need to set for every user?
Regards,
Rohit
Error: HTTP 403 Forbidden
Description: The server understood the request, but is refusing to fulfill it
Possible Tips:
Path sap/xi/engine not active
HTTP 403 during cache refresh of the adapter framework - Refer SAP Note -751856
Because of Inactive Services in ICF Go to SICF transaction and activate the services. Refer SAP Note -517484
Error in RWB/Message Monitoring- because of J2EE roles Refer SAP Note -796726
Error in SOAP Adapter - "403 Forbidden" from the adapter's servlet. Because of the URL is incorrect or the adapter is not correctly deployed.
From
/people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
Regards,
Prateek -
Authorization Object And Roles For Functional Consultant
Dear Expert,
What kind of respective Authorization Object And Roles would be provided to Functional Consultant (FI,MM, SD, PM, PS, CO, HR )at the time of implementation ?
Thanks in advance
Pavel
Thanks Juan,
We now already have it here and in the NW IDM forum a few times as well...
Cheers,
Julius -
Authorizations in role creation
hi,
Can anybody help me? In which table is the status of maintained, changed, standard available? Suppose when we change the field values of one object, it will be maintained in one table and shows the changed and maintained status flags in the display authorizations screen of the role. Help me.
Hi Mukka
Hope it will help you.
Reward if it helps.
In general, different users will be given different authorizations based on their role in the organization.
We create ROLES and assign the authorizations and TCODES for that role, so only that user can have access to those T codes.
Use the SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK:
AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>
  ID <authority field 2> FIELD <field value 2>
  ID <authority field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
  MESSAGE E...
ENDIF.
'S_TRVL_BKS' is an auth. object.
ID 'ACTVT' FIELD '02': in place of 2 you can put 1, 2, 3 for change, create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and Tcodes to a profile, and that profile is in turn attached to a particular user.
Take the help of the basis guy and create and use.
SY-SUBRC values
4   User has no authorization in the SAP System for such an action. If necessary, change the user master record.
8   Too many parameters (fields, values). Maximum allowed is 10.
12  Specified object not maintained in the user master record.
16  No profile entered in the user master record.
24  The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28  Incorrect structure for user master record.
32  Incorrect structure for user master record.
36  Incorrect structure for user master record.
-
Authorization for Role Assignment
Dear Experts,
I have a scenario whereby a user is able to assign a set of roles to end-users but should not be allowed to do so for himself. I could only think of assigning user groups to the person's authorization which restrict him to assign roles to end-users from specific user groups. However, this is not desirable in our scenario as this means we need to maintain user groups for the entire organization (which is a huge organization). I would like to enquire if anybody has implemented similar requirements via standard/alternative means. Any suggestion and advice is appreciated. Thanks.
Louis,
I think this is a standard security and authorizations question, and not really HR specific. You are correct in that the standard way to achieve this is with user groups. However, it doesn't have to be as onerous as you are thinking. The usual way of achieving this, of having an authorizations administrator or user administrator who can manage standard end-users but not him- or herself is to assign just that user to a group, typically called SUPER, and not worry about assigning groups to all the other end-users (or at least, not for this purpose). You might also put all other high-power basis users, like the system administrator and any other security administrators, into this SUPER group, since you don't want anyone other than the super-superuser to manage them. Then, you assign the user administrator role the S_USER_GRP authorization with the usual activities for user group ranges 0-SUPEQ and SUPES-Z. This allows the role to manage users in all user groups except SUPER.
I would also only allow this role to work with authorization profiles starting with the standard T, and role names in the pattern Z. Then make sure that this role itself is not in the Z* customer namespace, but instead in the Y* customer namespace, and this way you prevent the user administrator from getting through a loophole and being able to create or modify non-SUPER users and simply assign them to the User Administrator role as a way of bypassing the above restriction.
You should also not allow the User Administrator role to directly modify roles or profiles, only to create users and assign them to existing roles in the Z namespace.
I trust that this helps.
--Matt -
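The range restriction described in the answer above, as an added example that is not part of the original thread: a simplified Python model (not SAP code) of which user groups fall inside the ranges 0-SUPEQ and SUPES-Z, combined with the Z* role-name restriction. It assumes group values are compared as upper-case strings padded to 12 characters in plain character-code order and that role patterns use only a trailing *; the group and role names in the checks are constructed.

```python
# Simplified model of value-range matching for a user-group authorization.
# Assumptions (not taken from the thread): values are upper-cased, padded
# with spaces to a fixed width and compared in character-code order.

CLASS_LEN = 12  # assumed width of the user group value

# Ranges quoted in the answer: intended to cover every group except SUPER.
GROUP_RANGES = [("0", "SUPEQ"), ("SUPES", "Z")]

# Role-name pattern the user administrator may assign (Z* namespace).
ROLE_PATTERN = "Z*"


def _pad(value):
    """Normalise a value the way this model compares it."""
    return value.upper().ljust(CLASS_LEN)


def group_in_ranges(group, ranges=GROUP_RANGES):
    """True if the group name lies inside any of the [low, high] ranges."""
    g = _pad(group)
    return any(_pad(low) <= g <= _pad(high) for low, high in ranges)


def role_matches(role, pattern=ROLE_PATTERN):
    """Match a role name against a pattern with an optional trailing *."""
    if pattern.endswith("*"):
        return role.upper().startswith(pattern[:-1])
    return role.upper() == pattern


def may_assign(target_group, role):
    """The administrator needs both the group range and the role pattern."""
    return group_in_ranges(target_group) and role_matches(role)


def uncovered_groups(groups):
    """Groups the administrator cannot manage under the modelled ranges."""
    return sorted(g for g in groups if not group_in_ranges(g))


if __name__ == "__main__":
    # Constructed group names, including some near the range boundaries.
    sample = ["SALES", "HR_EU", "SUPER", "SUPER1", "SUPEQ", "SUPES",
              "TEAM", "Z", "ZTEAM"]
    print("not manageable:", uncovered_groups(sample))
    print("SALES + Z_SALES_CLERK:", may_assign("SALES", "Z_SALES_CLERK"))
    print("SALES + Y_USER_ADMIN :", may_assign("SALES", "Y_USER_ADMIN"))
```

Under these assumptions the gap between SUPEQ and SUPES also excludes names such as SUPER1, and a group such as ZTEAM sorts above the upper bound Z, so boundary-adjacent group names are worth testing in the real system before relying on the ranges.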
Basic steps in creating an authorization group/role?
Hi,
What are the basic steps followed in creating an authorization group and role?
Hi,
http://help.sap.com/saphelp_wp/helpdata/en/52/6714b6439b11d1896f0000e8322d00/frameset.htm
Steps,
Go to PFCG
Enter a role name, say ZSALES ORDER PROCESSING, and click on single role
Enter a description and save
Then click on the MENU tab, then click on transaction and maintain t-codes like VA01, VA02, VA03, click on assign transactions and save
Then click on the AUTHORIZATION tab and click on Change authorization data; it will then ask for the org. level: maintain the org. data or click on FULL Authorization
Then you will be able to see the modules to which the transaction code belongs (SD)
Expand it to the lower level node and maintain authorization for the particular sales document, sales area
Then save and click on the GENERATE ICON (Shift+F5)
Now go to the USER tab and assign users
Click on user comparison >> Complete comparison
Now when the assigned user logs in to the system, the system will display this role for the user, and he/she will have authorization for the particular sales document and sales area depending upon the authorization provided in this role.
You can see existing roles and copy from existing one
kapil -
Background job fails for BDC profile creation and role assignment
Hi Experts,
I have created a BDC function module for Tcode 'PFCG' for profile creation and role assignment, and called this FM in my zprogram. The problem is that when I run this program in foreground it executes successfully, but if I schedule it in background it fails, throwing the error 'Role 'Z...' does not contain any active authorizations' in the job log. But I have created one more program to create authorization objects, which runs before this zprogram. I have also checked the authorization object in 'RSECADMIN'; it shows as active. I don't understand what exactly is happening when it runs in background.
Below is the process of job
1. ZMIS_AUTH_OBJECT_CREATE
Variant : auth-create
2. ZMIS_AUTH_ASSIGN_TO_ROLE
Variant : auth-assign
The problem is in second program, runs in foreground but fails in background.
Code which i have written in my second program
***BDC for Profile creation and assignment to Roles
CALL FUNCTION 'ZROLE'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
agr_name_neu_001 = wa_role-role_name
text_002 = wa_role-desc
text_003 = wa_role-desc
text_004 = wa_role-desc
value_01_005 = 'T-ML330881'
h_fval_low_01_006 = wa_role-auth
profn_007 = lv_profile
ptext_008 = lv_text1
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message.
***Generation of Profile created
CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
EXPORTING
activity_group = wa_role-role_name
* PROFILE_NAME =
* PROFILE_TEXT =
no_dialog = ' '
rebuild_auth_data = ''
org_levels_with_star = ' '
fill_empty_fields_with_star = 'X'
template = ' '
check_profgen_tables = 'X'
generate_profile = 'X'
authority_check_pfcg = 'X'
EXCEPTIONS
activity_group_does_not_exist = 1
activity_group_enqueued = 2
profile_name_exists = 3
profile_not_in_namespace = 4
no_auth_for_prof_creation = 5
no_auth_for_role_change = 6
no_auth_for_auth_maint = 7
no_auth_for_gen = 8
no_auths = 9
open_auths = 10
too_many_auths = 11
profgen_tables_not_updated = 12
error_when_generating_profile = 13
OTHERS = 14 .
Experts, please help me out, it's very urgent. Your help is appreciated and rewarded. Thanking you in advance.
Regards,
Chetan
Hi Praveen,
Yeah definitely, my requirement is that I have to access of some BI reports to certain users, so contract data will be downloaded from ECC on application server, need to read that file from application server and for each contract I should create an authorization object, role creation and assigning of role to the user and profile generation and activation.
To achieve this I have written two programs
1) ZMIS_AUTH_OBJECT_CREATE - This program will create the Authorization Object using BDC and Role creation using the BAPI
"" Creation of Authorization Object
CALL FUNCTION 'ZAUTHOBJ'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
g_authname_001 = 'ZDUMMY_MIS'
g_targetauth_002 = wa_tab-auth
g_authtxt_003 = wa_tab-short_desc
g_authtxtmd_004 = wa_tab-med_desc
marked_04_005 = 'X'
g_authtxt_006 = wa_tab-short_desc
g_authtxtmd_007 = wa_tab-med_desc
tctiobjnm_04_008 = 'ZBUS_UNIT'
g_authtxt_009 = wa_tab-short_desc
g_authtxtmd_010 = wa_tab-med_desc
marked_05_011 = ''
opt_01_012 = 'EQ'
low_01_013 = wa_tab-bu
g_authtxt_014 = wa_tab-short_desc
g_authtxtmd_015 = wa_tab-med_desc
marked_04_016 = 'X'
g_authtxt_017 = wa_tab-short_desc
g_authtxtmd_018 = wa_tab-med_desc
tctiobjnm_04_019 = 'ZCONTRCT'
g_authtxt_020 = wa_tab-short_desc
g_authtxtmd_021 = wa_tab-med_desc
marked_05_022 = ''
opt_01_023 = 'EQ'
low_01_024 = lv_contract
g_authtxt_025 = wa_tab-short_desc
g_authtxtmd_026 = wa_tab-med_desc
g_authtxt_027 = wa_tab-short_desc
g_authtxtmd_028 = wa_tab-med_desc
g_authname_029 = wa_tab-auth
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message.
"" Creation of role
LOOP AT it_role INTO wa_role.
CLEAR wa_text.
wa_text-text = wa_role-desc.
wa_text-langu = 'E'.
APPEND wa_text TO it_text.
wa_jobrole-agr_name = wa_role-role_name.
wa_parentrole-agr_name = 'ZM_CT_DUMMY_MIS'.
wa_method-usmethod = 'CHANGE'.
CALL FUNCTION 'ZBAPI_JOBROLE_CLONE'
EXPORTING
jobrole = wa_jobrole
parent = wa_parentrole
method = wa_method
TABLES
* RETURN =
shorttext = it_text
* LONGTEXT =
* MENU_NODES =
* MENU_TEXTS =
.
ENDLOOP.
2) ZMIS_AUTH_ASSIGN_TO_ROLE - This program will generate the profile created assign it to the role.
""*BDC for Profile creation and assignment to Roles
CALL FUNCTION 'ZROLE'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
agr_name_neu_001 = wa_role-role_name
text_002 = wa_role-desc
text_003 = wa_role-desc
text_004 = wa_role-desc
value_01_005 = 'T-ML330881'
h_fval_low_01_006 = wa_role-auth
profn_007 = lv_profile
ptext_008 = lv_text1
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message .
COMMIT WORK AND WAIT.
""*Generation of Profile created
LOOP AT it_role INTO wa_role.
CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
EXPORTING
activity_group = wa_role-role_name
* PROFILE_NAME =
* PROFILE_TEXT =
no_dialog = ' '
rebuild_auth_data = ''
org_levels_with_star = ' '
fill_empty_fields_with_star = 'X'
template = ' '
check_profgen_tables = 'X'
generate_profile = 'X'
authority_check_pfcg = 'X'
EXCEPTIONS
activity_group_does_not_exist = 1
activity_group_enqueued = 2
profile_name_exists = 3
profile_not_in_namespace = 4
no_auth_for_prof_creation = 5
no_auth_for_role_change = 6
no_auth_for_auth_maint = 7
no_auth_for_gen = 8
no_auths = 9
open_auths = 10
too_many_auths = 11
profgen_tables_not_updated = 12
error_when_generating_profile = 13
OTHERS = 14.
IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ENDIF.
ENDLOOP.
For creating authorization objects, role & profile I have created one dummy auth, dummy role & dummy profile respectively.
I have created dummy objects to copy the roles from the dummy object and assign the same to the new auth obj, role & profile.
Let me know what needs to be done, because both these programs run perfectly in foreground, but fail in background.
Regards,
Chetan -
How can I disable the POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level? There is a requirement from my client and I propose two methods
1- Creation of Ztcode ZVL32N and do changes at ABAP program level
2- Disablement via Authorization/Role level - but how can I find the auth object/authorization that corresponds to the POST GOODS RECEIPT button in VL32N
I think you can make use of SHD0 - Transaction variant to achieve this. You can make it grayed out while recording steps in SHD0.
-
Report to see user type and roles assigned to users in EP?
Hi,
a) Is there any reporting mechanism in EP? Any specific report which shows user types and roles assigned to the users? There is an option of 'Export' in the user management role but unfortunately it does not give information on User Type.
b) If the group is assigned a role, how can we see (in any report) the roles assigned to a group? In the 'export' option of the 'User Management' this information does not come.
By default Portal UME comes along with the installation of portal.
Sometimes we may integrate external users using LDAP. At that time users come from ABAP stack or some active directories. But you can also create users in the portal UME. The purpose of using LDAP is to maintain the users centrally rather than creating again in portal.
You can check them in user administration->identity management and search for the users.
There you can see some users will be from UME and some from LDAP.
User Admin tool is nothing but User Administration only.
Raghu