BI Authorization Objects paste into a Role,

Hello,
I want a user which can work only with one hierarchy node. Which object do I need?
Best Regards
barish

Hi,
With Node, you can select nodes for a hierarchy that you created previously for the characteristic 0TCTAUTH in hierarchy maintenance. The authorizations are available as virtual master data for the characteristic 0TCTAUTH and can be grouped hierarchically in order to create thematic arrangements.
The authorizations that were just inserted are marked. This allows you to undo incorrect entries immediately.
GTR

Similar Messages

  • Change authorization object in a derived role

    Hi Gurus,
    What happens if someone has added a new authorization object in a derived role?
    He has only changed some derived role, not the parent role; he manually added a new value in the authorization field. The parent role didn't change.
    Note: The field was not an organizational field, it was S_DATASET.
    What do you think about this ?
    Thanks
    Hery-zo

    Do I understand this right? Do functional teams have access to PFCG to create roles?
    If so, that is your real problem, as that should never have been done that way. You are completely right, functional consultants have no clue about how roles should be built. Advice:
    1 Take away the access to PFCG in ALL systems for anybody other than security consultants administrators.
    2 Ask all functional teams to describe the roles. Points to be addressed:
       A TRX in every role
       B all wanted restrictions on every TRX (described functionally)
       C orglevels on which restrictions should be built.
       D Test process for every TRX in every role (both positive and negative)
       E check all roles against table USOBT and look for manually added objects;
           if they cannot give a good reason for adding these, REMOVE them.
    3 Retest all roles based on point 2D, ask the functional consultants to assist where needed. Adjust roles during testing where needed, but create a good auditable record for every change.
    4 Update USOBT_C (use TRX SU24) for all changes you apply during testing
    5 Check your roles for the corrected TRX after this change and update the other roles involved as well.
    6 ONLY allow roles that have followed the above process to go to Production.
    The above steps are the only way to create a secure SAP Production system for you!

  • Authorization object for a technical role

    Hi all,
    I have a technical role "SM_ORDERAPPROV_00", to which I need to find out the authorization object.  Could anybody help me in finding this.  I searched this in SUIM also, but I didn't find any.
    Thanks,
    bsv.

    Hi,
    Please check in transaction PFCG.
    Regards,
    Renjith Michael.

  • Authorization object in SAP BI Role

    Hi,
    Currently we had a Z roles in BI that will
    When a power user logs in to Query Designer, on the Info area tab/button the user can access any data target to create a query
    But my requirement is to create a role
    Created an Analysis Authorisation object (S_RS_AUTH) in RSECADMIN with the list of all infoproviders that user can access
    How can I create a role so that when the user logs in to Query Designer, on the Info area tab/button the user can access only the data targets he is authorised to view (which are maintained in the analysis authorization object) to create a query?
    Thanks

    Hi Maxi,
    Create a zrole and add auth objects and maintain s_rfc and s_tcode
    add s_bds_d, s_bds_ds, s_oc_send with * as auth.
    Now create a zzauth object with required infoproviders and add this in S_RS_AUTH.
    Add on these and give required auth: s_rs_comp, s_rs_comp1, s_rs_icube

  • Copying values of a singular authorization object between roles?

    Suppose I have an authorization object assigned to a role and its fields hold a large amount of data (say S_TCODE with a lot of transaction codes specified via ranges). Suppose further that I want to have this same object with this same data in another role. The other objects of the two roles are different and I'd rather not type the large amount of data into the authorization object again.
    Is there a way to copy/paste just one authorization object between two roles?
    I know how to make a copy of an authorization object and its values within the same role, but I haven't found a way to copy between roles.
    ursa

    Hi Ursa,
    I haven't come across any export object kinda thing...
    This may help you in practical situation...
    Let us consider your particular requirement related to s_tcode.
    for that go to suim -
    transactions -> executable for role .
    Give the role name get the list of transaction codes.
    Download into excel file. then copy from there and paste into your new role menu or in s_tcode object.
    Mostly we don't get that much of a list for other objects.
    One more thing you can do.
    click on display tab beside the object in your source role, you get the list window.
    type ctrl + Y and then copy the 7-8 lines and paste it in the object of new role.
    Cheers.
    Shamish

  • Link users - positions - roles - authorization objects

    Hi guys,
    I want to write a report that would link USERS to POSITIONS to ROLES and finally to AUTHORIZATION OBJECTS. The user would enter the SAP username in the selection screen and the report should extract all the information listed above.
    I am able to link the following:
    + Users to positions via function module RH_BRANCH_GET
    + Users to roles via table AGR_USERS
    + Roles to authorization objects via function module PRGN_1251_READ_FIELD_VALUES
    Unfortunately, I don't know how to link positions to roles.
    Does anyone know how to do that?
    Also, is there a more efficient way, than the approach highlighted above, to complete this requirement?
    Thanks for your time
    -TR

    Hi,
    You can find a link between role and HR object in table HRP1001. The field SOBID contains the name of the role. You need to find a way to convert object ID into position role. Be careful about additional fields from that table.
    Cheers

  • Mass change of authorization objects in several roles

    Hello,
    we have to change an authorization object in almost 200 roles. Is there any possibility for mass change of authorization objects in several roles? We don't use the central SAP user administration.
    Best Regards
    Andreas Walter

    > at the moment all entries have the value "*". We want to change this value into "0001".
    Good!
    Here comes:
    1- download all relevant roles at once from PFCG. Make sure you use an appropriate codepage so you don't lose special characters in the role and menu texts.
    2- copy and backup the download file
    3- in the download file (it is a text file) look for all lines starting with AGR_1251 and containing M_MATE_WGR and the field you want to change
    4- take out the star and two spaces and replace by 001. This file is a set of fixed record length table exports and keeping the original length is very important.
    5- upload the edited file and generate the profiles.
    As you may see this is not SAP standard and completely at your own risk. Best try in a sandbox client first.
    Good luck!
    Jurjen

  • [SAP-PM] Restrict authorization object

    Dear All,
    Currently, I have some queries about authorization. Below are the details:
    1. Authorization Object : I_AUART --> Order type
    2. 2 roles use same authorization object (Let's say Role 1 and Role 2)
    3. One is to change and other is only display
    4. Let's say the order type are (I_AUART) : PM01 - PM05
    5. Role 1 (change) contains PM05
    6. Role 2 (Display) contains PM01-PM04
    And the question is:
    What should I do to assign those roles to one user name, on condition that the related user name is only able to change order type PM05, while the user is still able to display all order types?
    Many thanks for your incoming advice.
    Kind Regards,
    MD

    Hi,
    While creating the roles, assign them to the user ID in the USER tab page. After the user ID is specified, both roles will be seen for that user ID.
    For other users, create a separate role for display only for all order types and assign it to the respective user ID,
    or use tcode SU10, select the user ID and specify the roles created for the respective user.
    Regards,
    thyagarajan
    Edited by: thyagarajan krishnamurthy on Jan 15, 2008 4:07 PM

  • Authorization Object inactive in PFCG

    Hi,
    We created an authorization object for a Z BSP application that is used in an htm page.
    When I try to create a role allowing that authorization object in PFCG, the auth. object remains inactive and there is no possibility to activate it.
    Does anyone know how I can activate this object?
    Many thanks.

    I was having the same problem. I was adding an auth object S_ASAPIA of class BC_Z to role (both manually or via Selection Criteria, the authorization is in the selection criteria list) but for some reason I could not make it active, the authorization is brought into the role as inactive. After some digging I realized the problem by looking up the authorization object in SU03. When I tried to check for authorizations associated with the authorization object in SU03 I got an error message:
    No fields have been maintained for this object
    Message no. 01231
    Checking table TOBJ I realized that this is not the only such problem:
    Here are 4 objects in my ECC system that have the same problem. ([ObjectID] [Object Class ID])
    K_ORGUNIT     CO
    S_ASAPIA     BC_Z
    S_RS_PPMAD     RS
    ZSTAT     BC_A
    I found these auth objects by searching for blanks in the field FIEL1 in table TOBJ.
    By the way I also found a number of objects that were not assigned to a valid Authorization Object Class. PFCG will not allow you to add these objects at all, even though they do exist in table TOBJ. ([ObjectID] [Object Class ID])
    CRMCONFMOD     CRM
    CRM_WSC     CRM
    CRM_WST     CRM
    PLM_LAYOUT     PLMB
    RSCRMBUPA     RSAN
    RSCRMEXTR     RSAN
    RSCRM_TG     RSAN
    RSDMEENGIN     RSAN
    RSDMEMBW     RSAN
    RSDMEMODEL     RSAN
    S_ESH_T_BG     TST
    S_ESH_T_MT     TST
    S_ESH_T_PR     TST
    I found these objects by copying all the classes in table TOBC and filtering out all the records in table TOBJ using exclude values in the field OCLSS. The resulting list is those objects not assigned to a valid object class.
    Note that most of this data was SAP delivered.
    Hope this helps to answer this Q.
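
The two table checks described in the post above, written out as an added example (not code from the thread). It assumes TOBJ and TOBC have been exported as tab-separated text with a header row; the column name OBJCT and all sample rows are constructed for illustration.

```python
import csv
import io

# Constructed sample exports, not data from a real system. Assumed layout:
# tab-separated with a header row, values possibly space-padded.
TOBJ_EXPORT = (
    "OBJCT\tFIEL1\tOCLSS\n"
    "S_TCODE   \tTCD    \tAAAB\n"
    "S_DATASET \tPROGRAM\tBC_A\n"
    "S_ASAPIA  \t       \tBC_Z\n"
    "K_ORGUNIT \t       \tCO  \n"
    "CRM_WSC   \tACTVT  \tCRM \n"
    "PLM_LAYOUT\tACTVT  \tPLMB\n"
)
TOBC_EXPORT = "OCLSS\nAAAB\nBC_A\nBC_Z\nCO\n"


def load_rows(export_text):
    """Parse a tab-separated export into dicts with padding stripped."""
    reader = csv.DictReader(io.StringIO(export_text), delimiter="\t")
    return [{k.strip(): (v or "").strip() for k, v in row.items()} for row in reader]


def objects_without_fields(tobj_rows):
    """Objects whose FIEL1 is blank (the post's first check: no fields maintained)."""
    return sorted((r["OBJCT"], r["OCLSS"]) for r in tobj_rows if not r["FIEL1"])


def objects_with_unknown_class(tobj_rows, tobc_rows):
    """Objects whose OCLSS has no entry in TOBC (the post's second check)."""
    known = {r["OCLSS"] for r in tobc_rows}
    return sorted((r["OBJCT"], r["OCLSS"]) for r in tobj_rows if r["OCLSS"] not in known)


def audit(tobj_text, tobc_text):
    """Run both checks and return the findings keyed by check name."""
    tobj, tobc = load_rows(tobj_text), load_rows(tobc_text)
    return {
        "no_fields": objects_without_fields(tobj),
        "unknown_class": objects_with_unknown_class(tobj, tobc),
    }


if __name__ == "__main__":
    for finding, objects in audit(TOBJ_EXPORT, TOBC_EXPORT).items():
        for objct, oclss in objects:
            print(f"{finding}: {objct} (class {oclss})")
```
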

  • Authorization Object for data downloading from application server

    Hi friends ,
       My program downloads and uploads data from the application server .
    My requirement is  ,
    Authorization checks should be performed on the server directories to ensure that the user has access to read and write to the directory. It should check the S_DATASET authorisation object for this. If a user does not have the S_DATASET authorisation object, no upload or download should be allowed.
    Can you please tell me how to deal with this ? how do we check the above condition ??
    Many thanks ,
    Hemant

    hi,
    This is not a single step process.
    First of all you have to create a field for authorization for server directories from SU20 and then create an authorization object from SU21. Then define a role from PFCG with this authorization object and assign this role to the user profile from SU01 with values defined.
    Then you have to call this authorization object in your program at selection screen.

  • F9K3 and authorization object in su24

    Hello,
    We want to add authorization object F_KNA1_BUK to new role for check in F9K3 transaction.
    The problem is it is not being checked. I tried to debug and stop on authority-check but it's not stopping on this object.
    But the object is shown in transaction SU24 as CHECK / NO.
    So it should be checked during F9K3 transaction run, correct?
    Does anyone know what we're missing here?
    Thank You in advance for help,
    Best regards,
    Artur

    Hi,
    What appears in SU24 is not a reliable indicator of what is actually checked.  It may be that F_KNA1_BUK is checked at some point depending on either how the tx is used or what menu options are used but I wouldn't bet my house on it.
    Cheers

  • Red Light with Authorization Object in PFCG

    Hello All - I have a question about authorization objects. There are three roles with red lights 'ON' in the authorization object screen in our PRD. However, users who are using these roles have no auth issues; standard procedure is to make all lights green in PFCG by maintaining these auth objects.
    The big question is "what is the downfall of leaving these objects RED?" I need to support my theory when I say all lights green with auth objects.
    Why does best practice say to maintain all lights to green?
    Please suggest, appreciate your suggestions.
    Thanks.
    Edited by: AJ on May 12, 2009 9:44 PM

    Hi,
    > "What will be the difference between leaving that red lights 'ON' vs "disabling" these red objects?" (I am a bit confused on this).
    Red Object: As you know, authorization objects comprise authorization fields. There are certain fields, which are known as "Organization Level" fields and need to be maintained centrally. If you miss these fields, then the traffic light icon is RED. For all other authorization fields, the light will be yellow if you leave any field blank. During a check, these fields will provide missing authorization (but you may not get an error if the same object is present in the role with all fields in maintained status).
    Disabled Object: If you disable any object, then during a check this object will not be treated for checking authorizations. But the profile generator will keep this in mind, so you don't get standard objects repeatedly (if already present in Deactivated status also) whenever you go to "..Merge with New Data".
    All your other questions are very nicely answered already.
    Regards,
    Dipanjan

  • Assign authorization objects

    Hi,
    1. When I create a new set of WS, do I need to create an authorization object for them?
    2. If I create a new set of users from scratch in the system and I want to provide them with one role that
    I create and that contains, for instance, all the reports and transactions that I want to provide,
    do I need to add other authorization objects for them?
    3. If I create an authorization object in the system, how do I add it to a certain role? I don't see this
    option in PFCG.
    Best Regards
    Michael

    Hi,
    Yes, you can add other authorization objects to the existing role if the role needs it, because the user is unable to perform any task related to it because of the missing authorization object, after seeing it in SU53. Sometimes the tcode is assigned but the corresponding authorization is not added by the system automatically; this creates a problem for the user performing the task. As far as adding an authorization object goes, you can add it through SU24 or PFCG. In PFCG you need to click on the Manually option; you can add up to 8 authorization objects. If you want to add it through SU24, click on the add authorization object field.
    But never forget to save and generate the profile after adding the authorization object, and also do the user comparison and complete comparison so this object gets added to the role.
    Bye,
    take care

  • Error in Transport of Authorization Object

    Hi,
    I have created an authorization object in my development system and transported it to testing. In the transport log I can see that it was successfully imported, but I am not able to see the authorization object in SU21 of the testing system. I tried to see that authorization object through SUIM and was able to see it.
    I tried to create a sample role and assign this authorization object manually to that role but was not able to do that.
    Can anyone help me with this issue?

    Hi Martin,
    Thanks for the reply
    Yes I forgot to transport Authorization class. I have done that now and able to access the Authorization object.
    Can you please let me know the complete process whether we have to transport only Authorization class...
    Then the Authorization object will be transported on its own..
    Thanks in advance

  • Authorization object for Internal order

    Hi experts,
    My requirement is that while creating the PO using the internal order as reference, I need to check whether the internal order is valid for that user or not.
    Is there any standard authorization object for internal orders available with which I can validate the internal order by assigning this authorization object in the user role?

    Hello,
    When you try to create internal order and once you get the error.
    Open another session with /OSU53
    This gives you the details of authorization objects or transaction codes you are lacking.
    Provide this to security administrator of your team.
    Hope your problem will be solved.
    Regards,
    Ravi
