Characteristic base authorization in DMS

Similar Messages

• Mass change in ACL Authorizations in DMS

  Hi guru
  I'm working with ACL authorizations in DMS. I don't know how delete (one shot) the authorizations of the user that is resigned. For example I have many  documents where I set the write access for the user : Jack.
  If Jack is resigned is there a transaction or report to:
  mass delete this data or
  sostituite the user JAck with new employee ?
  Thanks in advance
  Ciao

  Hi,
  I create the report as written in the note. The report doesn' solve my problem because:
  select only for a document not for a range of documents
  I know the user resigned not the document so I should have a report for a user , the report should show me all the document where the user has been assigned a acl authorizations.
  According to you, is there a standard solution or is possibile to realize a custom solution?
  thanks in advance
  Vanessa

• Characteristic base planning

  Hi Experts,
  would just like to ask how would i configure the planning in APO such that if I am using characteristic base planning for make to order and the sales order item provides multiple values for a single characteristic. Say, paper color is red, yellow, or purple. and the planned order will be created with the color that has the available stock?
  Kindy advise.
  Thanks a lot for your help.
  Ria

  Hi Ria,
  I have given below the SAP notes containing detailed configuration of classes and characteristics in APO.
  1038904 - Changes to characteristics not transferred to APO
  714929 - Integration of characteristics and class
  832393 - Release restrictions of SCM 5.0
  449565 - Integration with CDP in APO
  949246 - Error message during CIf of characteristics and class
  For the error of characteristics not seen in APO, you refer to note 1038904.  For detailed settings for ciffing class and characteristics to APO, use notes 714929.
  Please get back to me with your observations.
  Regards
  R. Senthil Mareeswaran.

• Logical Data Base- Authorization Check

  Hi,
      Please tellme when is the authorization checked if the LDB is used in the program. If I am not using 'GET PERNR' statement in the START-OF-SELECTION then will this authorization check will be performed for the data being extracted from the Data base using select statement.
  Waiting for reply,
  Shwetambari.

  HI,
  No it won't perform if you write the select statment, when you write the code GET PERNR, then internally it will get the data based on the Auth check and a SET PERNR will be triggers. so better to use the GET statment
  Regards
  Sudheer

• Basis - Authorization  for Customise Program

  Hi,
  In Customise Program they give the Tcode, Ex: ZMMR001
  how to control the Oranization Level & Plant in Authorization.
  Pls explain.
  Thanks

  Hi,
  You should check with your basis. Every company create there own objects as per there need.
  Regards,
  Atish

• Installed Base - Authorization Management

  Dear Experts
  We're looking for any way to limit authorizations for Installed Base and iObject maintenance. So far we were able to identify COM_PRD as the only relevant authorization object (for iObjects) - I strongly assume there are more sophisticated capabilities than this one? I see authorization groups are available, we're looking for some more flexibility however.
  E.g.
  - differentiate between product and object maintenance
  - limit visibility based on e.g. country
  - limit maintainability of the installed base itself
  Best
  Christian

  Hi Joost, All,
  during our investigation we found that the object you are referring to is not checked any more (SU24 does not return any hits neither in transactions nor in web services). A trace comfirmed this assumption so far.
  We are currently assuming that this object is not used anymore in CRM 2007 and later versions.
  Any comments from anyone here?
  Thanks
  Alex

• Basis authorization object class

  Hi All,
  Few roles contain ABAP & BASIS objects but 1 user should NOT get access to these. How can I restrict ABAP & BASIS objects only for 1 user id without disturbing access for other users.
  I tried creating Z roles for this user id and deactivating BASIS objects but still some other roles containing ABAP objects are accessible which I dont want to give.
  Is there any shorter way out?
  thx
  Bhushan

  Hi Bhushan,
  As i am not next to you, i cannot say on how the user gets to SU01. But if i were you, i would do the following
  1. Go to table AGR_1251 and list all the roles used and check on the object S_TCODE
  2. check for any presence of ranges
  3. If the table result shows SU01, then you i am sure you know what to do - if the table shows SU01 in the output but you see that it is not in any of the role menus, then spend some time to understand about calling transactions and called transactions (Ex: PFUD internally calls for SU01). you can search the forum for more details
  If you dont find desired results from the above try controlling / restricting the authorizations for SU01 for the related objects like: S_USER_AGR, S_USER_GRP, S_USER_SAS............
  But I would never remove ALL basis objects (or) ABAP objects from my authorizations based on the object groupings in SAP.
  S_DEVELOP is a ABAP object grouped in the BC class, but i wouldnt remove it entirely because my user is a functional consultant, there are ways of controlling the access of the object. As an example, sending customers from R/3 to an external systems using the BD* transaction would need authorizations on S_DEVELOP. Doing this is a functional job and S_DEVELOP is a ABAP object
  so try controlling the access on the objects rather than removing the objects from the authorizations.

• Object vs Class base authorization concepts with J2EE/JAAS

  Hello,
  I'm evaluating J2EE and JAAS and I'm wondering how I can implement my business model using these techniques:
  As far as I understand JAAS, it's a class based authorization architecture. What I need is an object based architecture, specially when using CMP entity beans.
  Is it possible to design an object based access control based on JAAS and (perhaps) CMP entity beans?
  More detailed:
  Let's look at a simple (web-) application: A database contains only a table with documents, a document consists of an ID (primary key) and some plain text.
  I've got two EJB, one for editing documents and one for reading documents.
  Now I can easily design my application with J2EE and JAAS:
  An "editor" role with access on the edit bean and a "reader" role with access on the reader bean.
  The document class could be easily implemented as a CMP entity.
  BUT: What happens if I need a restriction on WHAT documents a user/role can edit/read, in other words, if authorization is not controlled by the EJB (code/class based) but by the ID (primary key/object based).
  E.g.
  User1 should have read access on Doc1, but not on Doc2.
  User2 should have read and write access on Doc2, but not on Doc1...
  As far as I understand JAAS, it's not possible to solve this problem using JAAS. If this is right, then I have to implement my own authorization system, JAAS could only be used for authentication. In this case, JAAS is just a tier in the security concept, just like different database users with restricted access to different tables and fields.
  If I'm right, then it's not possible (or possible but it makes no sense) to use CMP entity beans, because I can't use the "automatic" authorization pattern (I have to call my own access control system before invoking the entity bean, and so my clients loose some of their "leightweight").
  Regards,
  Jens

  Hi,
  I have study JAAS with J2EE for the last two months, don't know whether my ideas can help you. I believed JAAS was designed for java programmer who wanted to have security implement in there application but do not want to write the security themself. JAAS provided a robust system so that someone else can come alone to plug in the security module and security would be implemented.
  Base on your problems, I think what you should do is to have what know as a security access level implement in your object. When you uses JAAS to verify username & password, you can get user's access level as well maybe from LDAP server attribute, store in your principal. So whenever you want to check whethere you're a editor or author.
  You have to identify what is business logic and security logic access level is a business logic, therefore you will have to implement in your application tier. There is no perfect solution, but having these module will save you lots of coding and flexibility.
  Cheers,
  ps: Please correct me if my view are wrong.

• Plant level authorization in DMS

  Hi Gurus,
  My client needs to control the document access by plant level.
  In CV01N, 02N, 03N & 04N.
  Is there any way to control the same document type aginst different plant.

  Hi,
  I would say that the best way would be to implement the BADI DOCUMENT_AUTH01 to create a special authorization check on the desired field values.
  So this check should work to restrict specific users on entering document info records.
  Best regards,
  Christoph
  P.S.: Please reward points for useful information.

• How to base authorization on worksets

  Hi All,
  I see different postings about this topic, but I'm not sure where it stands.
  We have different users that access PCA reports, CCA reports and a combination of both.
  We have a PCA workset and a CCA workset that has the BW iView reports assigned to them.
  We would like to have one role where the worksets are "dynamic".  So for the users that have authorization for both PCA and CCA reports do not need to have 2 different tabs labeled "PCA Reports" and "CCA Reports".  It would be one role that has both worksets assigned.
  Then for users that only have PCA authorization, they do not see the CCA workset in this one role.
  Is this possible?
  Thanks.

  For this u need to have two roles and u have to merge ur roles.
  Create a role and name it as PCA Role and assign PCA reports to it and go to property editor of the role and in MERGE ID filed give a name and save it
  Create a another role and assign CCA reports to it and  go to property editor of the workset and in MERGE ID filed give a name(give the same name which u have given in for first workset) and save it.
  Now assign roles to users as u like.
  if u assign Role1 to user1 he can see only content 1.
  if u assign both roles he can see both content1 and content2.
  If u assign both roles also user can see PCA and CCA reports under one role .
  Regards
  Krishna.

• DMS - view authorization control

  when users have view authorization in DMS, can i control print and save / "save as" options. Do not want users to print the originals or save the originals.

  Hi,
  In SPRO Define workstation application
  When you display an original application file that is stored in a secure storage area, this indicator determines whether the file can be renamed.
  Use
  To display an original application file that is stored in the SAP database, a vault, or an archive, the system creates a copy.
  u2022 In the standard SAP System, the copy is assigned a name according to the naming convention defined in the program.
  u2022 Some viewing programs can only find an original application file if the copy of the file has the name that the file had when it was saved to a secure storage area. In this case, the naming convention links the redline file to the viewer file.
  If you set this indicator, the copy is assigned the name that the original application file had when it was saved to the secure storage area.
  Procedure
  Only set this indicator if your viewer application does not allow renaming of the file.
  1. Define workstation application in networking, donu2019t set u2018PRINTu2019 option for you aplication.
  2. Set up office interation u2013Appl type- donu2019t select u201Cprintu2019 option for your aplication
  Also check this url, it is very help full all.
  http://www.valleybusinesswv.com/docs/solutionreference.pdf
  Also ,
  u coluld use Filter options, in Define prfile.
  Benakaraj
  ??P

• New Data Basis using infocbe 0BCS_C11

  Hi,
  I am creating new data basis using Infocube 0BCS_C11 in SEM BCS 4.0. Data Stream has been generated properly. Company and Consolidation Profit Center has been assigned Role ''Consolidation Unit'.
  However, I am not getting Company as characteristic in 'Authorization/Validity check' tab. I can see:
  Consolidation Group
  Consolidation Profir Center Group
  Consolidation Profit Center
  We are using Infocube 0BCS_C11 as we think that in future we might use Matrix Consolidation, though there is no current requirement. At present we are going to use Legal Consolidation only.
  Can you please advise?
  Best Regards,
  UR

  Solved. It was just saving and going out of the screen. Thanks

• Analysis Authorization Problem

  Hy, i have create a Analysis Authorization object ZCOMPCODE with 0COMPCODE as characteristic.
  So i assign this object to a users and i create a variable to filter 0COMPCODE with processing type "authorization".
  The problem is that when execute the BEx query i receive the message : No authorization.
  When assign 0BI_ALL to user the ZCOMPCODE has not effect but the query run correctly.
  How can i resolve this serious problem?
  Regards,
  Andrea Maraviglia

  Dear Andrea,
  When you have a problem with authorization data access, may be you need check the following stuff:
  1 All InfoObjects are relevant authorization (see Business Explorer the check box authorization relevant for each InfoObject Tcode RSD1) which these are part of InfoProvider where query request data. It is very important, because you have to include all of this InfoObject (Characteristic) in your analysis authorization.
  2. Remember add the standard characteristic. 0TCAACTVT (3 value), 0TCAIPROV (InfoProvider Tech Name), 0TCAVALID (* value).
  3. In each characteristic relevant authorization, I suggest that add the colon “:” value to avoid problem with variable authorization in the query.
  4. Furthermore, the user need one role for standard object authorization: 
  . S_RS_COMP (Activities 03, 16)
  . S_RS_COMP1 (Query owner)
  . S_RFC (BEx Analyzer or BEx Browser only)
  . S_TCODE (RRMX for BEx Analyzer)
  I hope that can help you!
  Luis

• Authorization Error  while executing Workbooks,

  Dear ALL
  We have authorization in place where users are restricted to execute Workbooks PLANT wise.
  For this 0PLANT is kept authorization relevant.
  0PLANT__0COMP_CODE  is Navigational Attribute of 0PLANT also marked as authorization relevant.
  Till now all user were assigned the Analysis authorization A_PLNT_XX as  0PLANT = XX
  But suddenly now the users are getting authorization error of NOT BEING AUTHORIZED .,
  The error log is as shown below.
  Relevant Characteristics for Detailed Authorization Check  
  (Characteristics with Full Authorization Are Not Listed!)
    List of Effective Authorization-Relevant Characteristics for InfoProvider ZMMIMMP05:  
  0PLANT 
  0PLANT__0COMP_CODE 
  0TCAACTVT 
  Subselection (Technical SUBNR) 1  
  Supplementation of Selection for Aggregated Characteristics
    Check Added for Aggregation Authorization:     0PLANT__0COMP_CODE  
    Authorizations missing for aggregation (":")  
  Characteristic  1 
  0PLANT__0COMP_CODE    Empty   
  Entries marked with red do not have aggregation authorization
  You can find more information about this here 1140831
    The authorization check stops here as this selection is no longer needed  
    Message EYE007: You do not have sufficient authorization  
    No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
  51 ( 0PLANT )
    Authorization Check Complete  
  Please let me know the reason for the same.
  Also How can  i track these  changes to avoid such errors
  Regards,
  Ajit

  Hi Ajit,
  The authorization log has been improved constantly and try to make it easy to understand.
  It says:
  Authorizations missing for aggregation (":")
  Characteristic 1
  0PLANT__0COMP_CODE Empty
  Entries marked with red do not have aggregation authorization
  You can find more information about this here 1140831
  So please click the "1140831" which is a hyperlink bringing you to OSS note 1140831.
  The note says:
  1140831  Colon authorization during query execution
  Part 1:  Description of the authorization check
  You require aggregation authorization ("colon authorization") to view
  the values of an authorization-relevant characteristic in aggregated
  form. What does this mean exactly?
  Example:
  The calendar year (0CALYEAR) characteristic is authorization-relevant
  and is contained in the InfoProvider that is in use. You defined a query
  as follows:
  1.  0CALYEAR is in the free characteristics (not in the drilldown)
      without any selections
  - or -
  2.  0CALYEAR does not exist in the query at all.
  In both cases, no 0CALYEAR values are displayed in the query. Also, the
  query is not restricted to any 0CALYEAR values. A colon is required for
  the authorization check in this situation.
  The note contains some more detailed explanation. You could read through it to understand the concept.
  Regards,
  Patricia

• Authorization Required in satellite system to create RFC

  Dears,
  In Solman 7.0 tcode SMSY i am adding satellite system(ECC6).As while creating RFCs
  SM_<SID>CLNT<client>_READ
  SM_<SID>CLNT<client>_TRUSTED
  SM_<SID>CLNT<client>_TMW
  in SMSY it askes for three times satellite system user name and password.
  Now Issue is that with what authorization i should enter in satellite system so that RFCs can be created successfully as SAP_ALL can be assigned due to policy.I gave almost all basis tcodes to my user in satellite system but still RFC are generating error.
  Please suggest.
  Deepak

  Hi,
  You need to have these authorization objects. Along with your BASIS authorization add the following objects.
  S_RFC
  S_RFCACL
  This should solve your problem.
  Feel free to revert back.
  --Ragu