Basis authorization object class

Hi All,
A few roles contain ABAP & BASIS objects but 1 user should NOT get access to these. How can I restrict ABAP & BASIS objects only for 1 user id without disturbing access for other users?
I tried creating Z roles for this user id and deactivating BASIS objects but still some other roles containing ABAP objects are accessible which I don't want to give.
Is there any shorter way out?
thx
Bhushan

Hi Bhushan,
As I am not next to you, I cannot say how the user gets to SU01. But if I were you, I would do the following:
1. Go to table AGR_1251 and list all the roles used and check on the object S_TCODE
2. Check for any presence of ranges
3. If the table result shows SU01, then I am sure you know what to do - if the table shows SU01 in the output but you see that it is not in any of the role menus, then spend some time to understand about calling transactions and called transactions (Ex: PFUD internally calls for SU01). You can search the forum for more details
If you don't find desired results from the above, try controlling / restricting the authorizations for SU01 for the related objects like: S_USER_AGR, S_USER_GRP, S_USER_SAS............
But I would never remove ALL basis objects (or) ABAP objects from my authorizations based on the object groupings in SAP.
S_DEVELOP is an ABAP object grouped in the BC class, but I wouldn't remove it entirely because my user is a functional consultant; there are ways of controlling the access of the object. As an example, sending customers from R/3 to an external system using the BD* transaction would need authorizations on S_DEVELOP. Doing this is a functional job and S_DEVELOP is an ABAP object,
so try controlling the access on the objects rather than removing the objects from the authorizations.
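
The table check in steps 1 to 3, as an added example (not part of the original reply): it runs over rows exported from AGR_1251 and reports which roles let a transaction start through S_TCODE by an exact value, a generic value or a range. The sample rows, role names and user names are constructed; treating DELETED = 'X' as an inactive authorization and comparing range bounds as plain strings are assumptions of this sketch.

```python
"""Which roles let a user start a transaction through S_TCODE, ranges included."""

# Constructed rows shaped like an AGR_1251 export:
# (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED). Role names are made up.
AGR_1251 = [
    ("Z_FUNC_SD",    "S_TCODE",    "TCD",   "VA01", "",     ""),
    ("Z_FUNC_SD",    "S_TCODE",    "TCD",   "SM00", "SZ99", ""),   # range covers SU01
    ("Z_BASIS_DISP", "S_TCODE",    "TCD",   "SU*",  "",     ""),   # generic value
    ("Z_USER_ADMIN", "S_TCODE",    "TCD",   "SU01", "",     ""),   # exact value
    ("Z_OLD_ADMIN",  "S_TCODE",    "TCD",   "SU01", "",     "X"),  # inactive
    ("Z_REPORTING",  "S_TCODE",    "TCD",   "SA38", "SE16", ""),   # range without SU01
    ("Z_USER_ADMIN", "S_USER_GRP", "ACTVT", "03",   "",     ""),   # not S_TCODE
]
# Constructed role assignments shaped like AGR_USERS: (AGR_NAME, UNAME).
AGR_USERS = [
    ("Z_FUNC_SD", "TESTUSER1"),
    ("Z_REPORTING", "TESTUSER1"),
    ("Z_USER_ADMIN", "ADMIN1"),
]


def value_matches(low, high, value):
    """True if value falls under LOW (exact or generic) or inside LOW..HIGH."""
    low, high = low.strip(), high.strip()
    low_prefix = low.split("*")[0]          # text after '*' is ignored (assumption)
    if not high:
        if "*" in low:
            return value.startswith(low_prefix)
        return value == low
    high_prefix = high.split("*")[0]
    # A generic upper bound is compared on its prefix length only.
    upper = value[:len(high_prefix)] if "*" in high else value
    return low_prefix <= value and upper <= high_prefix


def kind(low, high):
    """Label how the value is granted, so ranges and generics stand out."""
    if high.strip():
        return "range"
    return "generic" if "*" in low else "exact"


def roles_granting(rows, obj, field, value):
    """Map role -> list of (LOW, HIGH, kind) for active rows that cover value."""
    hits = {}
    for role, row_obj, row_field, low, high, deleted in rows:
        if row_obj != obj or row_field != field or deleted == "X":
            continue
        if value_matches(low, high, value):
            hits.setdefault(role, []).append((low, high, kind(low, high)))
    return hits


def user_exposure(user, assignments, rows, tcode):
    """Restrict the role hits to the roles assigned to one user."""
    user_roles = {role for role, uname in assignments if uname == user}
    hits = roles_granting(rows, "S_TCODE", "TCD", tcode)
    return {role: found for role, found in hits.items() if role in user_roles}


if __name__ == "__main__":
    for role, found in roles_granting(AGR_1251, "S_TCODE", "TCD", "SU01").items():
        print(role, found)
    print(user_exposure("TESTUSER1", AGR_USERS, AGR_1251, "SU01"))
```

A hit here only shows that the transaction can be started directly; the called-transaction case from step 3 and the S_USER_* objects still have to be reviewed separately.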

Similar Messages

  • Copy object from one authorization object class to another one

    Hello experts,
    due to our revision we have the demand to copy our custom context sensitive authorization object from the old authorization class to a new one.
    Is this generally possible? What are the impacts?
    Any ideas?
    Many Thanks!
    Marco

    > due to our revision we have the demand to copy our custom context sensitive authorization object from the old authorization class to a new one.
    That is a strange revision (audit) demand... Did you challenge them whether they have ever done this before and survived a release upgrade?
    Is SAP_ALL otherwise okay for them? For example that people can write their own programs or maintain PRGN_CUST to include Z-classes again...
    Have you tried to simply remove all profile assignments to SAP_ALL and replace them with proper roles and restrict SAP*'s HR profiles to that which applies to all users which are not employees?
    You are definitely barking up the wrong tree here by moving SAP objects to Z object classes and expecting it to be secure...
    Cheers,
    Julius

  • How to check and maintain authorization objects

    Hi All
    Let me know how to check and maintain authorization objects in SU24 ECC 6.0.
    Thanks
    sathies

    Hi Sathies,
    the old check flags
    · U (Unmaintained): No indicator set. The check for corresponding authorization object is always executed. Field values are not displayed in the Profile Generator.
    · N (No check): Check disabled. Field values are not displayed in the Profile Generator. This indicator cannot be set for HR and Basis authorization objects.
    · C (Check): Check always executed. Field values are not displayed in the Profile Generator. For example: Printer authorizations.
    · CM (Check/maintain): Check always executed. Field values are displayed for changing in the Profile Generator (yellow light).
    have been divided now in
    · Check indicator: Check/No check
    and
    · Proposal: Yes/No.
    If defaults=yes, then you can modify them after clicking on the appropriate button.
    Please refer to the online help for SU24 too.
    Although the look of su24 has been changed significantly, the technique behind it is still the same.
    Once you have pressed the 'edit'-button on the top left corner, additional editing options will appear in the right-top-frame.
    b.rgds,
    Bernhard

  • Authorization Object and Authorization...!!!

    Hi BW Experts,
    Could anyone plz tell me what is the difference between Authorization Object and Authorization..!!!
    Thanks in Advance.
    Regards,
    Giftedbrain.

    Giftedbrain,
    Authorization Object:
    An authorization object groups up to ten fields that are related by AND.
    An authorization object allows complex tests of an authorization for multiple conditions. Authorizations allow users to execute actions within the system. For an authorization check to be successful, all field values of the authorization object must be appropriately maintained in the user master.
    Authorization objects are divided into classes for comprehensibility. An object class is a logical combination of authorization objects and corresponds, for example, to an application (financial accounting, human resources, and so on). The line of the authorization object class is colored orange in the profile generator.
    For information about maintaining the authorization values, double click an authorization object.
    The line of the authorization object is colored green in the profile generator.
    Authorization:
    Definition of an authorization object, that is, a combination of permissible values in each authorization field of an authorization object.
    An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    Authorizations allow you to specify any number of single values or value ranges for a field of an authorization object. You can also allow all values, or allow an empty field as a permissible value.
    If you change authorizations, all users whose authorization profile contains these authorizations are affected.
    As a system administrator, you can change authorizations in the following ways:
    · You can extend and change the SAP defaults with role maintenance.
    · You can change authorizations manually. These changes take effect for the relevant users as soon as you activate the authorization.
    The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user has sufficient authorization for a particular activity. To do this, it compares the field values specified in the program with the values contained in the authorizations of the user master record.
    The line of the authorization is colored yellow in the profile generator.
    -Doodle

  • Authorization Object inactive in PFCG

    Hi,
    We created an authorization object for a Z BSP application that is used in htm page.
    When I try to create a role allowing that authorization object in PFCG, the auth. object remains inactive and there is no possibility to activate it.
    Does anyone know how I can activate this object?
    Many thanks.

    I was having the same problem. I was adding an auth object S_ASAPIA of class BC_Z to role (both manually or via Selection Criteria, the authorization is in the selection criteria list) but for some reason I could not make it active, the authorization is brought into the role as inactive. After some digging I realized the problem by looking up the authorization object in SU03. When I tried to check for authorizations associated with the authorization object in SU03 I got an error message:
    No fields have been maintained for this object
    Message no. 01231
    Checking table TOBJ I realized that this is not the only such problem:
    Here are 4 objects in my ECC system that have the same problem. ([ObjectID] [Object Class ID])
    K_ORGUNIT     CO
    S_ASAPIA     BC_Z
    S_RS_PPMAD     RS
    ZSTAT     BC_A
    I found these auth objects by searching for blanks in the field FIEL1 in table TOBJ.
    By the way I also found a number of objects that were not assigned to a valid Authorization Object Class. PFCG will not allow you to add these objects at all, even though they do exist in table TOBJ. ([ObjectID] [Object Class ID])
    CRMCONFMOD     CRM
    CRM_WSC     CRM
    CRM_WST     CRM
    PLM_LAYOUT     PLMB
    RSCRMBUPA     RSAN
    RSCRMEXTR     RSAN
    RSCRM_TG     RSAN
    RSDMEENGIN     RSAN
    RSDMEMBW     RSAN
    RSDMEMODEL     RSAN
    S_ESH_T_BG     TST
    S_ESH_T_MT     TST
    S_ESH_T_PR     TST
    I found these objects by copying all the classes in table TOBC and filtering out all the records in table TOBJ using exclude values in the field OCLSS. The resulting list is those objects not assigned to a valid object class.
    Note that most of this data was SAP delivered.
    Hope this helps to answer this Q.

  • Translate Object class (for authorization objects)

    I wonder where I can translate the object class (SU21 - auth objects). I managed to find where I can translate the authorization objects in SE63.
    What is the object type for the object class in order to translate it?

    SAP itself told me there is no way to do so. They recommend to directly edit the corresponding text table.

  • Creation of a new Authorization object

    Hi ,
    I need to create a new Authorization group and add three existing tables to it.
    Kindly suggest a way.
    Regards.

    Authorization Field
    Smallest unit in an authorization object. An authorization field either represents data, such as a key field in a database table, or activities, such as Read or Create. Activities are specified as identifiers, which are stored in the database table TACT and the customer-specific table TACTZ.
    Maintenance using transaction SU20.
    Authorization Object
    Repository object that forms the basis for authorizations. An authorization object comprises up to 10 authorization fields. The combination of authorization fields, which represent data and activities, is used for authorization assignment and to check authorizations. Authorization objects are grouped together in authorization classes.
    Maintenance using transaction SU21.
    Authorization
    Entry in the user master record or part of an authorization profile. An authorization comprises complete or generic values for the authorization fields in an authorization object. The combination determines the activities with which a user can access certain data.
    Maintenance in transaction SU03 or generation from transaction PFCG (profile generator for role maintenance).
    Authorization Profile
    Grouping of several individual authorizations or further authorization profiles. Can be entered in the user master record instead of individual authorizations. An authorization can be assigned to authorization profiles as often as you wish.
    Maintenance in transaction SU02 or generation from transaction PFCG (profile generator for role maintenance).

  • Characteristic base authorization in DMS

    Hi Friends,
    I need a characteristic base authorization in DMS.
    User should be able to maintain/change a value of char for which he is authorized.
    I tried an auth object in classification, C_CABN_GRP, but that is not working in DMS. It only works in tcode CT04.
    Note: Mr Saikrishna had such a problem and he solved it through authorization group. If Saikrishna is watching this thread, kindly provide the solution.
    Regards
    Abhijit A. Pachgade

    Our request is that all the users can display all the characteristics values, but some users can modify certain characteristics values.
    The authorisation object C_TCLS_MNT may be a solution.
    * in class master data, define the organisational area (SICHT)
    * for the characteristics assigned to a class, assign the organisational area defined for the class
    * use authorisation object C_TCLS_MNT in one authorisation role.
    But the "stupid" point is that there is only 23-Maintain in the "Activity" area of object C_TCLS_MNT. In this case, a user who has the "23" in authorisation for a certain organisational area can display and modify characteristics values; a user who does not have "23" for an organisational area cannot even display the characteristics value.
    So in my point of view, object C_TCLS_MNT is not a good solution to limit characteristics valuation.

  • Query on  authorization object

    Hi,
    I need to create one authorization object which contains only one field as sy-uname.
    I carried out the following steps:
    1. I went to SU21
    2. Create a class
    3. Create an authorization object
    4. Add a field sy-uname in the field
    Now, my query is that,
    1. Is it allowed to add sy-uname in there in the field or do I have to put just 'uname' there, or what??
    2. Are there any other steps required after adding the field in the authorization object?
    3. Does anyone have some document on how these authorization objects work except the F1 help on the 'AUTHORITY-CHECK' in the editor???

    Hi
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    Use SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    " One statement: only the last ID ... FIELD pair ends with a period.
    AUTHORITY-CHECK OBJECT <authorization object>
      ID <authority field 1> FIELD <field value 1>
      ID <authority field 2> FIELD <field value 2>
      ID <authority field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is an auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to the SU21 transaction where you have to define authorizations, objects and for that object you assign fields and values. Another Tcode is PFCG where you can assign these authorization objects and TCodes for a profile and that profile is in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Reward points if useful
    Regards
    Anji

  • Authorization object in zee report

    Dear experts,
    How to restrict a user from viewing other sales office.
    What are the steps to be followed.
    Who will create authorization object or authorization group abaper or functional person.
    I am using AUTHORITY-CHECK in my report for a authorization object which is already created but
    it is not giving the correct results.
    Do I have to make a new authorization object and class for this.
    How should I control my zee transaction which is attached to this report.

    Hi,
    > How to restrict a user from viewing other sales office.
    > What are the steps to be followed.
    > Who will create authorization object or authorization group abaper or functional person.
    You need to identify the correct authorization object. BASIS team can help you in this.
    Usually all security related activities are taken care of by the BASIS team. It depends on project to project.
    > I am using AUTHORITY-CHECK in my report for a authorization object which is already created but
    > it is not giving the correct results.
    What do you mean by not giving correct results? You might be having access to the sales areas you are trying to execute. That is why the check is successful.
    > Do I have to make a new authorization object and class for this.
    Not required I hope, as you already got the reply for this.
    > How should I control my zee transaction which is attached to this report.
    Give the right authorization group in T-code as well (SE93). Even if you don't give, since you already have the check in the program, no issues I hope. But it is always advised to control this through BASIS at user role level rather than at ABAP level.
    Please note that authorization check statement won't give any error. You need to throw the error if sy-subrc NE 0 after the AUTHORITY-CHECK statement.
    Hope you are clear now:)
    Thanks,
    Vinod.

  • When to create new authorization objects

    Hi Experts,
    I am learning SAP Security.
    I have one question: what is the necessity of creating a new authorization field and object, when SAP gives a huge list of objects/fields?
    Is there any reason behind it like, whenever a customised transaction is created, a new authorization object or field has to be created?
    Regards,
    Rekharaj

    Trick is to find not only a standard authorization object with the same field you are looking for, but an object already assigned to the users with those roles with the same semantic for all its fields - so that you can simply reuse the existing concept which is also assigned to the sets of users.
    Often you will find "base" function modules and classes you can use to do all that work for you. Just call them at the correct location in the code and don't forget to check the return code and react to it.
    If you use BAPI APIs to access or process data, then many of them make these same semantically correct checks "out of the box".
    Cheers,
    Julius

  • Authorization object per systems

    HI,
    1. Are there different authorization objects in different systems (like R3 BW CRM)?
    2. When we get an R3 system, do we get out of the box authorization objects and roles like for admin ...
    or do we have to build them?
    Regards

    The Netweaver "Basis" AS ABAP for example has its objects, regardless of which components are installed. E.g. S_DEVELOP, S_DATASET, S_RFC, etc etc etc. See the BC* classes.
    The application components also have their own objects (assigned to the packages of those components).
    SAP does provide some roles as templates and profiles to get you started if you have nothing else (E.g. the SAP* roles and SAP_ALL profile), as well as portal roles for which you need to build the backend authorization, as well as nothing other than the SU24 check proposals from which you need to build your own role from scratch depending on your business process design (choice of transaction).
    In some cases, absolutely nothing is delivered except the coding. Those are the real buggers.
    Cheers,
    Julius

  • HR-Authorization Objects (Personal Area)

    Dear All,
    Can anyone please tell me how to find out the Authorization objects for Personal Areas.
    My requirement is for some Z-Screens and Reports; I have to provide Authorization objects on
    Personal Areas.
    If found, then how to proceed to provide Authorizations..
    Fruitful answer is definitely rewarded.
    Thanks in Advance,
    Regards,
    Satya.

    Hi
    Generally Authorization objects are created by BASIS consultants.
    To create/find Authorization object for Personnel Area,
    Go to SU03 -> access Class HR -> Object P-ORIGIN -> then check/create the values for the field PERSA (Personnel Area).
    For checking authorization Reports, we use command 'AUTHORITY-CHECK OBJECT'.
    Below is the link for documentation on the above command [http://help.sap.com/erp2005_ehp_03/helpdata/EN/fc/eb3ba5358411d1829f0000e829fbfe/frameset.htm] 
    Regards,
    Shrinivas

  • Report to check authorization object used in customized programs

    Hi Guys,
    An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
    Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

    Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
    To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
    Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
    Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on its own is however not a sufficient auth check to rely on.
    Code review is an art form!
    Cheers,
    Julius

  • Issue on authorization object

    hi all,
    In ME52N transaction, in account assignment tab there is a field called costcenter. Its field name is kostl and structure is cobl. Now I have a requirement to create an authorization object on this costcenter. That is, for example, if I try to make any changes in the cost center field it should allow me to do it, but if some others are using it, it should not allow them to make any changes. Please let me know the solution how to do it step by step. Points will be awarded. This is an urgent requirement. Please reply fast.
    Thanking you in advance,
    a.srinivas

    Hi deniz,
    Use this to set up the authorisation object
          " Check the current user against the authorization object
          AUTHORITY-CHECK OBJECT '<objectname>'
                          ID 'ID' FIELD SY-UNAME.
          IF SY-SUBRC NE 0.
            " Check failed: report it and leave the processing block
            MESSAGE S999 WITH 'You are not Authorised to change entries'.
            EXIT.
          ENDIF.
    Inform the Basis team to assign the role only to your id...so that no other person will be authorized
    Award points if useful
    Regards
    Gowri
