Change authorization object in a derived role

Hi Gurus,
What happens if someone has added a new authorization object in a derived role?
He has only changed some derived role, not the parent role; he manually added a new value in the authorization field. The parent role didn't change.
Note: The field was not an organizational field, it was S_DATASET.
What do you think about this ?
Thanks
Hery-zo

Do I understand this right??? Do functional teams have access to PFCG to create roles???
If so, that is your real problem, as that should never have been done that way. You are completely right, functional consultants have no clue about how roles should be built. Advice:
1 take away the access to PFCG in ALL systems for anybody other than security consultants administrators.
2 ask all functional teams to describe the roles. Points to be addressed:
   A TRX in every role
   B all wanted restrictions on every TRX (described functionally)
   C orglevels on which restrictions should be built.
   D Test process for every TRX in every role (both positive and negative)
   E check all roles against table USOBT and look for manually added objects,
     if they cannot give a good reason for adding these REMOVE them.
3 retest all roles based on point 2D, ask the functional consultants to assist where needed. Adjust roles during testing where needed, but create a good auditable record for every change.
4 Update USOBT_C (use TRX SU24) for all changes you apply during testing
5 check your roles for the corrected TRX after this change and update the other roles involved as well.
6 ONLY allow roles that have followed the above process to go to Production.
The above steps are the only way to create a secure SAP Production system for you!
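An offline check in the spirit of step 2E, applied to the situation in the question (added example, not part of the original posts): instead of comparing against USOBT, it compares each derived role's authorization values with its parent's and reports what the derived role carries on its own. The CSV layout, role names and rows are constructed; treating a set `DELETED` flag as inactive and `$`-prefixed values as org-level variables is an assumption about the AGR_DEFINE / AGR_1251 export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real system data); assumed CSV downloads of AGR_DEFINE / AGR_1251.
AGR_DEFINE_CSV = """AGR_NAME,PARENT_AGR
Z_MM_CLERK,
Z_MM_CLERK_0012,Z_MM_CLERK
Z_MM_CLERK_0013,Z_MM_CLERK
"""
AGR_1251_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_MM_CLERK,S_TCODE,TCD,MIGO,,
Z_MM_CLERK,M_MSEG_WWA,WERKS,$WERKS,,
Z_MM_CLERK_0012,S_TCODE,TCD,MIGO,,
Z_MM_CLERK_0012,M_MSEG_WWA,WERKS,$WERKS,,
Z_MM_CLERK_0012,S_DATASET,ACTVT,34,,
Z_MM_CLERK_0012,S_DATASET,FILENAME,*,,
Z_MM_CLERK_0012,S_DATASET,PROGRAM,*,,
Z_MM_CLERK_0013,S_TCODE,TCD,MIGO,,
Z_MM_CLERK_0013,M_MSEG_WWA,WERKS,$WERKS,,
Z_MM_CLERK_0013,S_TCODE,TCD,SE38,,X
"""

def load_values(agr_1251_csv):
    """Map role -> set of active (OBJECT, FIELD, LOW, HIGH) tuples."""
    values = defaultdict(set)
    for row in csv.DictReader(io.StringIO(agr_1251_csv)):
        if row["DELETED"].strip():  # assumed: flag set = inactive, grants nothing
            continue
        # Org-level fields are assumed to hold the variable ($WERKS), so they never count as drift.
        values[row["AGR_NAME"]].add((row["OBJECT"], row["FIELD"], row["LOW"], row["HIGH"]))
    return values

def derived_role_drift(agr_define_csv, agr_1251_csv):
    """Return {derived role: {"extra": [...], "missing": [...]}} where it differs from its parent."""
    values = load_values(agr_1251_csv)
    findings = {}
    for row in csv.DictReader(io.StringIO(agr_define_csv)):
        parent, child = row["PARENT_AGR"].strip(), row["AGR_NAME"]
        if not parent:
            continue  # not a derived role
        extra = sorted(values[child] - values[parent])
        missing = sorted(values[parent] - values[child])
        if extra or missing:
            findings[child] = {"extra": extra, "missing": missing}
    return findings

if __name__ == "__main__":
    print(derived_role_drift(AGR_DEFINE_CSV, AGR_1251_CSV))
```

Every "extra" entry is a change that needs a documented reason, either moved into the parent role or removed from the derived one.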

Similar Messages

  • Authorization object for a technical role

    Hi all,
    I have a technical role "SM_ORDERAPPROV_00", to which I need to find out the authorization object.  Could anybody help me in finding this.  I searched this in SUIM also, but I didn't find any.
    Thanks,
    bsv.

    Hi,
    Please check in transaction PFCG.
    Regards,
    Renjith Michael.

  • Authorization object in SAP BI Role

    Hi,
    Currently we had a Z roles in BI that will
    When a power user logs in to Query Designer, on the Info area tab/button the user can access any data target to create a query
    But my requirement is to create a role
    Created an Analysis Authorisation object (S_RS_AUTH) in RECADMIN with the list of all infoproviders that user can access
    How can I create a role so that when a user logs in to Query Designer, on the Info area tab/button the user can access only the data targets he is authorised to view (which is maintained in the analysis authorization object) to create a query
    Thanks

    Hi Maxi,
    Create a zrole and add auth objects and maintain s_rfc and s_tcode
    add s_bds_d, s_bds_ds, s_oc_send with * as auth.
    Now create a zzauth object with required infoproviders and add this in S_RS_AUTH.
    add on these and give required auth s_rs_comp, s_rs_comp1, s_rs_icube

  • Change Authorization object to add another InfoObject

    Hi All,
    We have Custom Authorization Object developed in BW system which is successfully moved to Production. Now new requirement has come up to add new InfoObject in that Existing Custom Authorization Object. Is it possible?
    If yes can you please let me know the required steps?
    Thanks,
    Samir

    You can add the new infoobject in the BW system and after doing this you can transport the request related to this change from the BW system to the production server, but for this you need help from the Basis consultant.
    I hope this answer is of some use to you... if yes, please assign some points.
    Edited by: Denella  D'souza on Jan 30, 2008 10:49 AM

  • BI Authorization Objects paste into a Role,

    Hello,
    I want a user who can work only with one hierarchy node. Which object do I need?
    Best Regards
    barish

    Hi,
    With  Node, can select nodes for a hierarchy that you created previously for the characteristic 0TCTAUTH in hierarchy maintenance. The authorizations are available as virtual master data for the characteristic 0TCTAUTH and can be grouped hierarchically in order to create thematic arrangements.
    The authorizations that were just inserted are marked. This allows you to undo incorrect entries immediately.
    GTR

  • Mass change of authorization objects in several roles

    Hello,
    we have to change an authorization object in almost 200 roles. Is there any possibility for mass change of authorization objects in several roles? We don't use the central SAP user administration.
    Best Regards
    Andreas Walter

    > at the moment all entries has the value "*". We want to change this value into "0001".
    Good!
    Here comes:
    1- download all relevant roles at once from PFCG. Make sure you use an appropriate codepage so you don't lose special characters in the role and menu texts.
    2- copy and backup the download file
    3- in the download file (it is a text file) look for all lines starting with AGR_1251 and containing M_MATE_WGR and the field you want to change
    4- take out the star and two spaces and replace by 001. This file is a set of fixed record length table exports and keeping the original length is very important.
    5- upload the edited file and generate the profiles.
    As you may see this is not SAP standard and completely at your own risk. Best try in a sandbox client first.
    Good luck!
    Jurjen

  • Manually added auth objects and Derived roles

    If there are manually added auth objects in the parent role do they come across to the derived roles?
    Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?

    Yes, any auth objects will come across to derived roles when you click 'generate derived roles' from your parent role. Basically it's copying your parent role authorizations to derived roles except org. level data (if you had maintained them through the 'org. maintenance' button and not by adding in individual objects).
    Yes. Manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles' from your parent role.
    If you just derived the role menu and didn't copy the authorizations (generate derived roles) then there will not be any interlink between the parent and derived roles for authorizations.
    http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm

  • Copying values of a singular authorization object between roles?

    Suppose I have an authorization object assigned to a role and its fields hold a large amount of data (say S_TCODE with a lot of transaction codes specified via ranges). Suppose further that I want to have this same object with this same data in another role. The other objects of the two roles are different and I'd rather not type the large amount of data into the authorization object again.
    Is there a way to copy/paste just one authorization object between two roles?
    I know how to make a copy of an authorization object and its values within the same role, but I haven't found a way to copy between roles.
    ursa

    Hi Ursa,
    I haven't come across any export object kinda thing...
    This may help you in a practical situation...
    Let us consider your particular requirement related to s_tcode.
    For that go to suim -
    transactions -> executable for role.
    Give the role name, get the list of transaction codes.
    Download into an Excel file, then copy from there and paste into your new role menu or in the s_tcode object.
    Mostly we don't get that much of a list for other objects.
    One more thing you can do.
    click on display tab beside the object in your source role, you get the list window.
    type ctrl + Y and then copy the 7-8 lines and paste it in the object of new role.
    Cheers.
    Shamish
    Message was edited by:
            Shamish Lele

  • Derived Role Z-transaction issue

    Has anyone had a problem with having custom (Z-transactions) transactions in your master role, then when the derived role is generated from this master role, these Z transactions and their authorization objects are missing in the derived role?

    Susan,
    The only way to make sure changes in SU24 are brought into existing roles is to update the role in expert mode with the "merge with new data option".
    Did you try to adjust all the derived roles from the Master role to see if this populates the custom t-code & auth objects to the derived roles? (Authorization -> Adjust Derived -> Generate Derived roles).
    Have fun.
    Lye

  • Question on org level values in derived roles

    I have a set of derived roles for a retail org.
    They have set the org level for the WERKS object to the store number, i.e. 0012, in the M_MSEG_LGO, M_MSEG_WMB, and M_MSEG_WWE but set it to "" in the M_MRES_WWA and M_MSEG_WWA. Needless to say the "" is overriding the site restriction.
    My question is, how can they allow store to store transfers and goods issues for other sites but only do POs and goods receipts for their default store?
    If the transactions in the role are using the same object, it doesn't seem like it can be done but I am told it can! I can't figure it out. Can anyone assist?
    Thanks

    If you are talking about a straight authorization object (then your design cannot go with the derived role concept)
    If your controls are only through the organizational object, only then will the derived role design help
    If it's a mix of both standard object + organizational level object, derived role will not help you.
    Please note
    the WERKS is the organization level, in your case the plan value is 0012
    do not set the values in the parent role and also do not populate this value where it's "$werks"
    what is TCODE you are using ?
    Edited by: Franklin Jayasim on Jul 21, 2010 11:45 PM

  • Altering authorization objects

    Hi all,
      I copied the existing role to a new role and need to do some modifications to authorization objects. I entered the new role in change mode but in authorizations tab, I only have 'display authorization data' mode. I can not get it to 'change' the authorizations. In the users tab, I am able to change the users though. I tried the option 'display<-->change'  but still authorization tab is in display mode only. The profile name is blank. Do I need to generate the profile first, before I can change authorization objects?? And how do I generate the profile?
    Thanks and regards,
    Kim.

    Hi,
    You can generate the profile using a round button with red and white quadrants.
    Cheers,
    Kedar

  • Generation of derived roles when transported

    Hello Everyone,
    We are on ECC6.0 and I've come across a scenario where I've created a certain number of derived roles from a parent role and generated the parent and derived ones from the parent role in PFCG and created a transport request. But,
    when I got them imported (SCC1) to a different client on the same box I can see that the authorization tab is still in yellow in all these derived roles. They do contain the same profile name in the authorization tab in PFCG as from the original client they were created in, and I would like to know the reason why these roles under the auth. tab are in YELLOW and need a regeneration of profile? I remember doing it previously where I did not regenerate the profiles for the roles when they are imported/transported to a different client.
    And the status text in SUPC says " no current profile".
    Any ideas/inputs are much appreciated.
    Regards,
    Raj

    Hi,
    There may be more than one case.
    What are the roles you included into the Transport request? You should include all the derived roles along with the parent roles ideally. Also, I hope you have checked the authorization data for the derived roles in the development before transport.
    Other option could be the system change options for appending data in the target system.
    Please provide more information and also try to search for SAP Notes if there any with this kind of issues.
    Regards,
    Dipanjan

  • [SAP-PM] Restrict authorization object

    Dear All,
    Currently, I have some queries with authorization. Below are the details:
    1. Authorization Object : I_AUART --> Order type
    2. 2 roles use same authorization object (Let's say Role 1 and Role 2)
    3. One is to change and other is only display
    4. Let's say the order type are (I_AUART) : PM01 - PM05
    5. Role 1 (change) contains PM05
    6. Role 2 (Display) contains PM01-PM04
    And the question is:
    What should I do to assign those roles to one user name, on condition that the related user name is only able to change order type PM05, and on the other side the user is still able to display all order types?
    Many thanks for your incoming advice.
    Kind Regards,
    MD

    hi
    While creating the roles itself, in the USER tab page assign this to the user id. After specifying the user id, both the roles will be seen for that user id
    for other users create a separate role for display only for all order types and assign to the respective user id
    or use T code SU10, select the user id and specify the roles created for the respective user
    regards
    thyagarajan
    Edited by: thyagarajan krishnamurthy on Jan 15, 2008 4:07 PM

  • BSP_ALL authorization object for BSP Application

    We develop a BSP Application and want to give the correct authorization object in the user roles.
    After looking on help.sap.com we see we must add the BSP_ALL object and give the name of the application.
    I add the object in the role but it is not visible in the role. In the profile I see the object but it's not possible for me to change the value ' '.
    Why can I see this object in the role? And how can I adapt the value of this object?

    The class of this Object CRM is not defined on the table TOBCT

  • Authorization Object for data downloading from application server

    Hi friends ,
       My program downloads and uploads data from the application server .
    My requirement is  ,
    Authorization checks should be performed on the Server directories to ensure that the user has access to read and write to the directory. It should check the s_dataset authorisation object for this.. If a user does not have the s_dataset authorisation object no upload or download should be allowed.
    Can you please tell me how to deal with this ? how do we check the above condition ??
    Many thanks ,
    Hemant

    hi,
    This is not a single step process.
    First of all you have to create a field for authorization for server directories from su20 and then create an authorization object from su21. Then define a role from pfcg with this authorization object and assign this role to the user profile from su01 with values defined.
    Then you have to call this authorization object in your program at selection screen.
