Budget Authorization Checking

Similar Messages

• Missing authorization check on the IM Reports

  Hi,
  We use RAIMINFO reports (S_ALR_87012805, S_ALR_87012806 u2026 ) to display
  structure and values in Ferrero Spa investment program
  On the initial screen, the value types which have to be output, are
  determined by the authorization checks to be carried out .
  For example in case that an user decides to display the plan or budget
  references to program position, the user has to have the authorizations
  on the Persons responsible (A_IMPR_VER). For us this is OK because we
  define responsibilities through A_IMPR_VER. But if user decides to
  display the appropriation request or measures and he doesnu2019t indicates
  the program position it seems that anything on the A_IMPR_VER will be
  performed. We need that the check on A_IMPR_VER will be performed always(for all objects: measures, appropriation request ).
  We think this is a function missing in RAIMINFO and in all the IM
  reports.
  Could you help us to solve this problem?
  Thanks and best regards,

  Hi,
  If you want use check box in crystal., then you can do this by writing piece of code.
  please try for
  If {Table.Field} = True Then
  'Display the checkbox of your choice here
  Formula = Chr(254).
  thanks.
  Bala

• Kanban authorization checks (SU24, PK13N, PK*)

  Hi,
  Does anyone know why the Kanban transactions (PK*) have mostly disabled authorization check indicators in SU24?
  In PK13N, for example, there is functionality to do a goods receipt (MIGO GR) and also functionality to create POs (and maybe more that I have not looked into yet).
  However, the related auth objects in SU24 are not enabled (check indicator = do not check).  This seems strange for these authorization objects.
  Especially in light of SoD.  Users could create POs or do Goods Receipt via PK13 without proper auth check and these 2 functions conflict already (using default GRC ruleset).
  But that's beside the point.  The question is: Is there a good reason why these are disabled and how is this NOT a secuty risk?
  Now, there is one object that is enabled: C_KANBAN
  But, I feel that this is insufficient to really secure the goods receipt action and the PO creation action.
  For reference, a list of disabled auth objects:
  C_STUE_WRK CS BOM Plant (Plant Assignments)
  C_TCLS_MNT Authorization for Characteristics of Org. Area
  F_BKPF_KOA Accounting Document: Authorization for Account Types
  F_FICA_CTR Funds Management Funds Center
  F_FICA_FTR Funds Management FM Account Assignment
  F_FICB_FKR Cash Budget Management/Funds Management FM Area
  F_FICB_FPS Cash Budget Management/Funds Management Commitment Item
  F_LFA1_APP Vendor: Application Authorization
  F_SKA1_BUK G/L Account: Authorization for Company Codes
  L_BWLVS Movement Type in the Warehouse Management System
  L_LGNUM Warehouse Number / Storage Type
  M_BANF_BSA Document Type in Purchase Requisition
  M_BANF_EKG Purchasing Group in Purchase Requisition
  M_BANF_EKO Purchasing Organization in Purchase Requisition
  M_BANF_WRK Plant in Purchase Requisition
  M_BEST_BSA Document Type in Purchase Order
  M_BEST_EKG Purchasing Group in Purchase Order
  M_BEST_EKO Purchasing Organization in Purchase Order
  M_BEST_WRK Plant in Purchase Order
  M_LPET_EKO Purchasing Org. in Scheduling Agreement Delivery Schedule
  M_MRES_BWA Reservations: Movement Type
  M_MRES_WWA Reservations: Plant
  M_MSEG_BWA Goods Movements: Movement Type
  M_MSEG_BWE Goods Receipt for Purchase Order: Movement Type
  M_MSEG_BWF Goods Receipt for Production Order: Movement Type
  M_MSEG_LGO Goods Movements: Storage Location
  M_MSEG_WMB Material Documents: Plant
  M_MSEG_WWA Goods Movements: Plant
  M_MSEG_WWE Goods Receipt for Purchase Order: Plant
  M_MSEG_WWF Goods Receipt for Production Order: Plant
  M_RAHM_BSA Document Type in Outline Agreement
  M_RAHM_EKG Purchasing Group in Outline Agreement
  M_RAHM_EKO Purchasing Organization in Outline Agreement

  Hi Steven
  Normally, when I submit OSS messages about security gaps the response is "working as designed", so I thought I'd try SCN first... perhaps it REALLY IS working as designed and there is a good reason why no auth checks should happen in this case.
  Unfortunately this is all too common. However, I have found a lot of the times it is a Level 1 Support person in SMP advising you of this. With perseverance and escalation to a the next level the chance of a fix is greater (still not a guarantee)
  It's a pity if working as per design they could explain why.
  MIGO can be used in display mode only. If PK13 and PK13N are meant to be display transaction and the SU24 allows you to perform change (i.e. none of the underlying auths are checked for change) then I would refuse to close the customer incident until SAP responds further. At the end of the day, if a display transaction allows modification then it isn't a display transaction
  I get the impression SU24 and some other security (e.g. authority check on '' instead of dummy) has been allowed to exist as customers give up and change the values themselves instead of getting SAP to fix their solution.
  You could also look at SE97 if call transaction can be switched to yes so users cannot jump from PK13N to MIGO (assuming the code was a CALL TRANSACTION)
  Regards
  Colleen
  P.s. - understand the comment with stale thread but take note of timezone and if you raise it on a Friday people may not see it until the following week. Although you did consider this, a lot of people on SCN put urgent in their question and then within the same day respond to their thread to "bump it" on the list

• Issues with Analysis Authorization checks in APO

  Hi Friends,
  I am facing an issue with Analysis authorization checks in APO.
  We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
  Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
  This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
  In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
  However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
  Resultant trace results are as below: This should not happen..
  I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
  Will it be possible for you to advise on what could I be missing.

  Hi All,
  If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
  while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
  Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
  Please advise.. Thanks..
  Regards,
  Prakash

• HR ABAP Custom Authorization Check

  Hi all,
  We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
  GET PERNR.
      I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
  Thanks in Advance.

  There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
  Some special differences are:
  - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
  - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
  - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
  This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
  Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

• Authorization check in LDB PNP

  Hi All,
  I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
  I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
  Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
  Any information provided will be really helpful.
  Thanks,
  Pavan

  Hi,
  A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
  Thanks,
  Pavan

• Authorization checks for PNP LDB

  question    : how to validate authorization checks for pnp logical database?
  2 nd question: hr report
  this report is basically for salary survey. in this i had so many fields can any body let me know how
  can i form the internal tables. and i have to display overall 150 fields in csv file for that
  how can i take in to the final internal table.
  what is the logic behind this:
  T71JPR09-JOBCODE
  PA0000-PERNR
  HRP1000-STEXT
  P0006-PSTLZ
  PA0008-ANSAL * 100 / PA0008-BSGRD
  PA0015-BETRG
  PA0761-LTEXT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-GRADT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
  like that i had.
  please give me the steps how can i proceed.

  Hi,
  The PNP database will take care of authorization check. It will not execute if used does not have authorizations.
  Hope this helps.

• CRM - Process Flow of Authorization Check in Business Transactions

  Hello Folks:
  I have implemented CRM security using Process Flow of Authorization Check in Business Transactions.
  What I have in place:
  CRM_ORD_OP (inactive, don't want access to own documents)
  CRM_ORD_LP (inactive, not using standard org level values Distribution Channel, Sales Group, Sales Office, Sales Organization, and Service Organization.)
  CRM_ACT (active)
  CRM_CMP (active)
  CRM_ORD_OE (active, restricted to display with dummy value ' ' for Distribution Channel
  Sales Group, Sales Office, Sales Organization and Service Organization, as we are not restricting on them)
  CRM_ORD_PR (active and restricted to display)
  Issue:
  Restrictions to display for documents works fine when using CRM backend system and the system throws out a message that you are not authorized to change. But, when i come in through Portals (PCUI), i dont get the display at all and it throws out a message insufficient access authorizations.
  Traces on backend CRM reveal failing on change access for CRM_ORD_LP and CRM_ORD_PR, which we dont want to give out b/c we dont want to provide change for documents.
  OSS notes to SAP have resulted in no results....please advise what is wrong here.
  Thanks
  KT

  Thanks for the Priyanka for the reply, but what you mention is not correct.
  BSP errors are different from what I am refering to.
  The issue is still open...and looks like a SAP bug, which even they havent been able to fix so far.
  Regards,
  KT

• Document search error in webshop(Error in authorization check: user unknow)

  Hi All
  actually we have implemented the document search functionality in webshop to access all the documents in webshop who have created order in the webshop.
  actually when i am logging into the portal with userid "skumar" after that there was role called "Document Search" when i click that document search role then the document search will be opened, based on the selections in the selection criteria then the documents will be displayed generally.
  actually come to my error when i select in the selection criteria "order acknowledgement" and i select the one more column called "period" after that i click the search button then i am getting the error as follows.
  <b>Error in authorization check: user unknown.</b>
  Can you please help me where to check the authorizations in the system for accessing the documents.
  Regards
  Sunil

  Hi Sunil generally this kind of error will occur when you choose acknoledgement
  for Future Periods,eventhough input is past date if the same problem occurs you should check for Su05 Internet USer authoriasations
  Reward if helpful
  Venkat

• Create authorization check for a report

  Hi,
  I need to create an authorization check for a report. It means that I need to restrict the usage of the report to couple of users ( 'USER1' and 'USER2' ). How can I do that? I did read through a lot of threads regarding this piece got a bit confused and stuck while creating the authorization object.
  Say the report name is ZHR_TIMEABC.
  Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
  Thanks in advance,
  VG

  Hi,
  Thanks. Here is my understanding, S_C_FUNCT calls a system generated function module to make an authority check. So, if different users say USER1 and USER2 have different authroization levels, defined in their user profile, just adding this piece code will take care of authroization check for the program OR do I need to take care of something else?
  If so, when do we need to create the authorization objects using SU20 and assign the group and follo this process? When do we use this approach ( lot of threads on authority check have mentioned this procedure)?
  Your inputs will be helpful to understand this concept.
  Thanks,
  VG

• Add authorization check in Infopackage Scheduler for option 6-ABAP Routine

  We want to add an authorization check in routine rssm_routines_maintain.    This is in the Infopackage scheduler in the Data Selection tab  under the column Type after selecting type=6(ABAP Routine).    This is a core modification.   We have checked with our Security team with traces and found nothing available to help us.
  Two questions:
  1) Is there any other way we can control who can create/change ABAP code by this method ?
  2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
  Your help would be appreciated.
  Robert Begin,
  450-677-9411 or
  514-924-4311
  or email at [email protected]

  Hi Chandran,  we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
  The concern is that if having access to write abap code, a person can practically do as heéshe pleases with ABAP code and it is a concern.
  Do you have any solution/suggestions to lock this down?
  Much appreciated,
  Regards,
  Robert.

• ESS: Who's Who Authorization Checks

  Hi,
  I am testing the ESS iView (tcode PZ01) in the Portal and it seems to be restricting the search results by my authorizations.  I am not getting a full list of people in the system.  Anyone know how to turn-off this authorization check?
  I noticed this only happens when I changed the ESS Who's Who customizing in the IMG for PZ01.  If I uncheck the checkbox 'Output fields list', then it checks authorzations.  I'm thinking this has something to do with using the BAPI vs. using the query infoset, as the documentation states.
  Message was edited by:
          Kenneth Moore

  Old post but I have had a similar issue and it was caused by P_ORGIN
  Infortype 0105 subtype?????
  Seem if the subtype is restricted then they are not displayed if subtype populated in the HR record.

• Authorization Check for Special Stock Indicator in IE02

  Dear Gurus,
  Would like to check with you if there is an authorization check for change in Special Stock Indicator in IE02-SerData Tab?
  For example, the User will only be allowed to change the Special Stock Indicator only to "E" - Sales Order.
  Would appreciate your help.
  Thanks.

  Hi,
  This cannot be done by using standard auth object. Standard SAP doesnt support control via this field.
  Take help of your ABAP team and create an customized authorization object "Z_OBJECT" with field SOBKZ and which check these field value in table EQBS. Assign this auth object to role and profile you want.
  Use the user exit IEQM0003 Additional checks before equipment update. Give a logic to check auth object when while using equipment change tcode.

• Authorization check

  Hi ,
  i new to authorization so i need help ,
  i go to transaction SU21 and i choose some object for example:
  Object R_CPM_BSC
  Text Authorization Object SEM: BSC Elements
  Class SEM Strategic Enterprise Management*
  Author STASTNY
  Field name Heading
  SEMSCARD Scorecard
  SEMOBJTYPE Scorecard Elements: Object Type
  SEMOBJKEY Scorecard Elements: Object Key
  ACTVT Activity
  And when i push on permitted activities i get:
  R_CPM_BSC Authorization Object SE
  ACTVT Activity
  activists
  01 Create or generate
  02 Change
  03 Display
  04 Print, edit messages
  1. i have always just permitted activities for ACTVT ?
  if i wont that user just have display Authorization how i have to write it like below?
  AUTHORITY-CHECK OBJECT R_CPM_BSC
  ID ACTVT FIELD '03'
  thats it i don't use the other fields?
  Regards

  Hi,
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Thanks
  Vikranth

• How to do authorization check

  Hi, I am new for EP and study it using EP200. I installed EP and connected it to my IDES ECC 6.0
  Now, I configured self registration When I click Register Now... , I got the error message "You are not authorized to perform this action. Contact your system administrator."
  I want to know if htere's way to do authorization check like /nsu53?
  Thanks
  Fuyi

  Check the below option
  System Administration --> System Configuration --> UME Configuration --> User Admin UI
  --> Self Registration
  Enable Self Registration For Guest Users.
  Hope this may work for u.
  Mr.Chowdary