Authorizations in role creation
Hi,
Can anybody help me? In which table is the status of maintained, changed, standard available? Suppose when we change the field values of one object, it will be maintained in one table and shows the changed and maintained status flags in the display authorizations screen of the role. Help me.
Hi Mukka,
Hope it will help you.
Reward if it helps.
In general, different users will be given different authorizations based on their role in the organization.
We create ROLES and assign the authorization and TCODES for that role, so only that user can have access to those T-codes.
Use SUIM and SU21 T-codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example, program an AUTHORITY-CHECK:
AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>
  ID <authority field 2> FIELD <field value 2>
  ID <authority field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization: An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT'    FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
  MESSAGE E...
ENDIF.
'S_TRVL_BKS' is an auth. object.
ID 'ACTVT' FIELD '02': in place of 2 you can put 1, 2, 3 for change, create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes to a profile, and that profile in turn is attached to a particular user.
Take the help of the basis guy and create and use.
SY-SUBRC values
 4  User has no authorization in the SAP System for such an action. If necessary, change the user master record.
 8  Too many parameters (fields, values). Maximum allowed is 10.
12  Specified object not maintained in the user master record.
16  No profile entered in the user master record.
24  The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28  Incorrect structure for user master record.
32  Incorrect structure for user master record.
36  Incorrect structure for user master record.
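One way to act on these return codes, as an added example that is not part of the original reply. The report name, selection parameter and message texts are hypothetical; the object and field names are the ones used in the reply.

```abap
REPORT z_authcheck_demo.

" Added example, not from the post: report name, parameter and message
" texts are hypothetical. S_TRVL_BKS / ACTVT / CUSTTYPE come from the post.
PARAMETERS p_ctype TYPE c LENGTH 1 DEFAULT 'B'.

DATA: gv_rc     TYPE sy-subrc,
      gv_reason TYPE string.

START-OF-SELECTION.

  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT'    FIELD '02'
    ID 'CUSTTYPE' FIELD p_ctype.

  " Save sy-subrc at once: many following statements overwrite it.
  gv_rc = sy-subrc.

  " Map the return codes listed in the post to a reason text.
  CASE gv_rc.
    WHEN 0.
      CLEAR gv_reason.
    WHEN 4.
      gv_reason = 'No authorization for this action'.
    WHEN 12.
      gv_reason = 'Object not maintained in the user master record'.
    WHEN 16.
      gv_reason = 'No profile entered in the user master record'.
    WHEN 24.
      gv_reason = 'Check fields do not match the authorization object'.
    WHEN OTHERS.
      " 8, 28, 32, 36 and anything unexpected: treat as a failed check.
      gv_reason = 'Authorization check could not be evaluated'.
  ENDCASE.

  IF gv_rc <> 0.
    " Deny by default: every non-zero code stops processing here.
    MESSAGE gv_reason TYPE 'E'.
  ENDIF.

  " Only reached when the check returned 0.
  WRITE: / 'Authorized for customer type', p_ctype.
```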
Similar Messages
-
Authorization Object for role creation for query display?
Hi,
Can Anybody here tell me what is the Authorization object that we use for role creation for query display?
I want to assign a role to the newly designed query! that query does not have any role so far!
Pls suggest me
Thanks,
Ravi
Hi,
I could make the authorization tab green by entering the authorization object!
But user tab still remains red as it is not allowing me to enter my username in the user tab!
in the user tab i am unable to enter my user name?
Any suggestions?
Thanks,
Ravi -
How can I disable the POST GOODS RECEIPT button in transactions VL31N/VL32N via authorization or role level? There is a requirement from my client and I propose two methods:
1- Creation of Ztcode ZVL32N and do changes at ABAP program level
2- Disablement via authorization/role level - but how can I find the auth object/authorization corresponding to the POST GOODS RECEIPT button in VL32N?
I think you can make use of SHD0 - Transaction variant to achieve this. You can make it grayed out while recording steps in SHD0.
-
Role Creation using CAT Scripts
Hi,
Step by step procedure needed.
I need role creation using scripts (SECATT); the org values that need to be maintained are full authorization.
Pls help me.
ram
Hi Ram,
There is a SECATT tutorial here: http://www.*********************/tutorials/secatt_user_create.html
If you learn that & the principles associated with SECATT then you can apply that to creating and populating roles.
In my opinion SCAT is much easier to use, though less flexible, -
Request Number is not generated for BRM "new" role creation
Hello Gurus,
I have configured BRM in SAP GRC AC 10, along with the workflow .
I have selected the following methodology
Define Role --> Maintain Auth --> Analyze & Access Risk --> Request Approval --> Generate Roles --> Maintain Test Cases
Role name : Y_TEST_BRM_FUNCTIONALITY
So i do the following steps and assign
1) Role approver as Mr. ABC & Alternate approver as Mr. QRS
2) Assign the Required transactions and do the RAR i.e i am done till step 3 of methodology
When i click "Initiate Approval request"
The approval triggers , and goes to the 1st stage as configured in MSMP
1) Power User Approval .
Here the Power User : EFG , open his workflow and see the request as
Role approval required for role Y_TEST_BRM_FUNCTIONALITY
The approver approves the request and then the request all together vanishes.
Unfortunately i am not able to search the request for that role from NWBC -->Search request by
Process Id : Role Approver Workflow
It gives blank !!
Hence I am neither able to find the request nor able to do any debugging of it using
GRFNMW_DBGMONITOR_WD
Please note that the Request Id is created for any request in CUP.
Is it that I have to create a number range for BRM requests?
If so, will you please let me know the object
Hello All,
I was wrong in posting the cause of problem.
Please note no "Request number" is generated for Role creation Request.
The problem was i was unable to search the Role Request approval status from "Search Request" via Process Id
It got resolved via SAP note 1643539 : UAM: Search Request not returning result for some Process Id.
My issue is resolved.
Thank You.
Regards,
Victor -
Hi gurus,
I have just upgraded my GRC 10.0 to SP18 and when I access to create a new role in the NWBC, the button is in grey, I mean, I can not start the creation of it. However, I can modify the roles without problems.
Any idea of what can be happening?
Thanks,
Regards, -
No authorization for the creation of resource WG10 00_1000_001
Dear All,
While checking SMQ1(Outbound queue), we found 2 displayed , pls check below details.
Queue Informationen
Number of Entries Displayed: 11
Number of Queues Displayed: 2
Cl.  Queue Name           Destination  Entries
100  CFLDZ31CLNT100_0034  E06CLNT100   4
100  MCEX03               NONE         7
While double clicking the queue (CFLDZ31CLNT100_0034), it shows status SYSFAIL.
Please check the detailed log.
Cl.  Queue Name           Destination  Entries  Status   Date 1      Time 1    NxtDate     NxtTim    Wait for queue
100  CFLDZ31CLNT100_0034  E06CLNT100   4        SYSFAIL  22.09.2011  12:57:11  22.09.2011  13:16:32
Note: E06CLNT100 (SCM System).
While double clicking SYSFAIL, it shows: No authorization for the creation of resource 00_1000_001.
Kindly suggest.
And also the user is not able to activate the Integration Model using transaction CFM2; it is giving the error below.
System: E06CLNT100 User: KAPGATEG 22.09.2011 12:57:11
Function/Q/SAPAPO/CIF_RES_INBOUND4
Text: No authorization for the creation of resource WG10
Kindly advise. -
Role Creation in CUP 5.3
Hello,
I'm trying to understand the concept of what is called "role creation" in Compliant User Provisioning.
My understanding is that the "create role" option in CUP (configuration>Roles>Create Role) means simply adding the "attributes" such as a business process, functional area, system, or company, to the SAP roles that you imported into CUP.
It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
Please tell me if I'm wrong.
HM
HM,
The create role option in CUP is mainly for legacy/non-cup supported systems. This way you can follow the standard workflow process for LDAP/Windows/legacy system. In this user provisioning and role assignment will not be done through CUP and will be manual. This is very important for some companies as they want user to go through same process if they want to get access to any system and not only ERP system.
The below statement is wrong.
It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
If you don't have ERM then you will have to use PFCG. Once you have CUP, you don't have to use SU01.
Regards,
Alpesh -
MSS (non-webdynpro) Authorizations and Roles
Do you know the MSS 60.1 business package authorizations and roles that are required for the backend R/3 system? I noticed an SAP note exists for the webdynpro version (#798967) but didn't see a note for the old package.
Umair,
I know this auth object is required for webdynpros in new business package but does it apply for old traditional java MSS package too?
Thanks, John -
Regarding Authorizations and Roles
Hi All,
Can anyone explain me about Authorizations and Roles ,in detail.
regards,
Ali
Links for learning about authorizations:
http://help.sap.com/saphelp_nw70/helpdata/en/44/599b3c494d8e15e10000000a114084/frameset.htm
http://help.sap.com/saphelp_bw33/helpdata/en/be/076f3b6c980c3be10000000a11402f/content.htm
http://help.sap.com/bp_biv235/BI_EN/documentation/Authorization_BW_Proj.pdf
http://help.sap.com/saphelp_nw04/helpdata/en/e3/e60138fede083de10000009b38f8cf/frameset.htm
Links to learn about Roles:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
http://www.bwexpertonline.com/archive/Volume_04_(2006)/Issue_10_(Nov_and_Dec)/V4I10A2.cfm?session=
Assign points if helpful,
Venkat -
How to raise role creation/modification request in AC 10
We are implementing AC10. I have issue more related to the process followed than technical. Please suggest from your experience.
We found that we can raise the request for a new user account, role assignment to user, etc. in Access Request (formerly CUP), but we cannot raise the request for role creation or role modification. This is directly done in Role Management. My question is, how will the security admin receive the requests for creating or maintaining the roles? Is it necessary to use a ticketing tool for users to raise the request for role creation and modification?
Thanks everyone for your valuable solutions.
Dear Ashish,
Whatever you have mentioned is correct, to have the common platform for every request, either for user creation or role creation.
But what we decided earlier was that the end users can raise the request in CUP directly, rather than involving the security admin. But after realizing that there is no request type for role creation, I think we have to use our ticketing tool as a common platform.
The request will come to the security admin from the ticketing tool and then he will create the request in CUP; thereafter it will follow the approval workflow. The only problem I see in this is that it goes to the manager twice, once in the ticketing tool and then through the CUP workflow. I think we need to take out the manager stage from the workflow. -
Idm-Vaau Rbac role creations and mapping
Hi All,
I'm working on the integration between Idm and Vaau's Rbacx (role based access control) tool for role creation and provisioning...I've imported the spml.xml and SPMLGetObjectsform.xml into Idm for the SPML calls between Rbacx and Idm.
The challenge I'm facing is mapping the attributes of Rbacx roles to enable the attributes to be populated in Idm...I'm able to export roles into Idm, but they are not populating with any attributes eg. resource type, resource attribute etc. I'm uncertain as to where I have to map these properties and do any customization for this to work. I would appreciate if anyone who has worked on this or know how to do this, to pls give me some pointers/share your experience. I don't have any documentation to refer to and am doing everything on trial and error basis.
Any help is greatly appreciated!
Thank you.
Hi newbie,
Were you able to solve this issue? I am facing the same problem while assigning resource attributes for a created role using a custom workflow.
This is where I set the resource attributes in my workflow:
<Action id='1'>
  <expression>
    <block trace='true'>
      <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].valueType</s><ref>ADGroupsValueType</ref></set>
      <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].requirement</s><ref>ADGroupsRequirement</ref></set>
      <append><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].value</s><ref>ADGroupsValue</ref></append>
    </block>
  </expression>
</Action>
where <ref>ADGroupsValue</ref> contains the attribute value.
thanks,
Lokesh -
Hi All
I need to create a WET for role creation, this is simple But I need to incorporate approval of the creation of the new MX_ROLE entry. I can only find documentation/guides on how to implement approval of role and privilege assignment. Does anyone know if it is possible to setup approval on creation on a new entry?
Kind regards,
Heidi
I have tried to implement the MX_INACTIVE solution. Now it is not possible to see the role on the "Adminstrate"-tab, and there is an approval task on the "To do"-tab. When I click this task, details on the role are displayed properly, but when I try to process the request by clicking the "Show request"-button (button name translated from Danish, it might be translated differently...) I get an error: "Access denied".
I have set correct approver on the approval task, and I was able to process approval requests, before I set the role to inactive.
On the approval task, I have checked the "Use inactive entries" checkbox.
Does anyone have an idea what could be wrong?
Kind regards,
Heidi Kronvold -
Authorization or roles assign?
Hi All,
I have installed XI 3.0 on Windows Server 2003, but my users are getting this error and are not able to create a product. It says "You are not authorized to view the requested resource 403 forbidden".
What are all the authorizations and roles I need to set for every user?
Regards,
Rohit
Error: HTTP 403 Forbidden
Description: The server understood the request, but is refusing to fulfill it
Possible Tips:
Path sap/xi/engine not active
HTTP 403 during cache refresh of the adapter framework - Refer SAP Note -751856
Because of Inactive Services in ICF Go to SICF transaction and activate the services. Refer SAP Note -517484
Error in RWB/Message Monitoring- because of J2EE roles Refer SAP Note -796726
Error in SOAP Adapter - "403 Forbidden" from the adapter's servlet. Because of the URL is incorrect or the adapter is not correctly deployed.
From
/people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
Regards,
Prateek -
Customizing Role creation form??
Hi,
We have a requirement to customize the Role creation form. We have to store extra information in the role object. I know that we can store extra information by using the properties attribute of the Role. But the question is how to expose this to administrators through the UI?
I don't find any form mapping for role creation in the "Forms and Process Mappings" section. Anybody know how to achieve this requirement? What is the default form used for role creation?
Thanks in advance.
There's a userForm configuration object called "Role Form" that is used when you create a new Role.
You can add a new field to this form like so;
<Field name='properties.Department'>
  <Display class='Text'>
    <Property name='title' value='Department'/>
    <Property name='disabled'>
      <Boolean>true</Boolean>
    </Property>
  </Display>
</Field>
Then the Department attribute will be saved against the Role attribute.
Is this what you're looking for?
Cheers,
Paul