Characteristic base authorization in DMS
Hi Friends,
I need a characteristic base authorization in DMS.
User should be able to maintain/change a value of char for which he is authorized.
I tried a auth object in classification C_CABN_GRP but that is not working in DMS.It only works in tcode CT04.
Note:- Mr Saikrishna had such a problem and he solved it tru authorization group.If Saikrishna is watching this thread kindly provide the solution.
Regards
Abhijit A. Pachgade
Our request is that all the users can display all the characteriscs values, but some users can modify certain characterics values.
The authorisation object C_TCLS_MNT may be a solution.
*in class master date, define the organisatioal area (SICHT)
*for the characteristics assigned to a class, assigne the organisational area defined for the class
*user autorisation object C_TCLS_MNT in one autorisation role.
But the "stupid" point is that there is only 23-Maintain in the "Actvitiy" area of object C_TCLS_MNT. In this case, an user who has the "23" in autorisation for a certain organisational area can display and modify characteristics valeur, an user who does not have "23" for a organisation area can not even display the characterics value.
So in my point of view, object C_TCLS_MNT is not a good solution to limit characterics valuation.
Similar Messages
-
Mass change in ACL Authorizations in DMS
Hi guru
I'm working with ACL authorizations in DMS. I don't know how delete (one shot) the authorizations of the user that is resigned. For example I have many documents where I set the write access for the user : Jack.
If Jack is resigned is there a transaction or report to:
mass delete this data or
sostituite the user JAck with new employee ?
Thanks in advance
CiaoHi,
I create the report as written in the note. The report doesn' solve my problem because:
select only for a document not for a range of documents
I know the user resigned not the document so I should have a report for a user , the report should show me all the document where the user has been assigned a acl authorizations.
According to you, is there a standard solution or is possibile to realize a custom solution?
thanks in advance
Vanessa -
Hi Experts,
would just like to ask how would i configure the planning in APO such that if I am using characteristic base planning for make to order and the sales order item provides multiple values for a single characteristic. Say, paper color is red, yellow, or purple. and the planned order will be created with the color that has the available stock?
Kindy advise.
Thanks a lot for your help.
RiaHi Ria,
I have given below the SAP notes containing detailed configuration of classes and characteristics in APO.
1038904 - Changes to characteristics not transferred to APO
714929 - Integration of characteristics and class
832393 - Release restrictions of SCM 5.0
449565 - Integration with CDP in APO
949246 - Error message during CIf of characteristics and class
For the error of characteristics not seen in APO, you refer to note 1038904. For detailed settings for ciffing class and characteristics to APO, use notes 714929.
Please get back to me with your observations.
Regards
R. Senthil Mareeswaran. -
Logical Data Base- Authorization Check
Hi,
Please tellme when is the authorization checked if the LDB is used in the program. If I am not using 'GET PERNR' statement in the START-OF-SELECTION then will this authorization check will be performed for the data being extracted from the Data base using select statement.
Waiting for reply,
Shwetambari.HI,
No it won't perform if you write the select statment, when you write the code GET PERNR, then internally it will get the data based on the Auth check and a SET PERNR will be triggers. so better to use the GET statment
Regards
Sudheer -
Basis - Authorization for Customise Program
Hi,
In Customise Program they give the Tcode, Ex: ZMMR001
how to control the Oranization Level & Plant in Authorization.
Pls explain.
ThanksHi,
You should check with your basis. Every company create there own objects as per there need.
Regards,
Atish -
Installed Base - Authorization Management
Dear Experts
We're looking for any way to limit authorizations for Installed Base and iObject maintenance. So far we were able to identify COM_PRD as the only relevant authorization object (for iObjects) - I strongly assume there are more sophisticated capabilities than this one? I see authorization groups are available, we're looking for some more flexibility however.
E.g.
- differentiate between product and object maintenance
- limit visibility based on e.g. country
- limit maintainability of the installed base itself
Best
ChristianHi Joost, All,
during our investigation we found that the object you are referring to is not checked any more (SU24 does not return any hits neither in transactions nor in web services). A trace comfirmed this assumption so far.
We are currently assuming that this object is not used anymore in CRM 2007 and later versions.
Any comments from anyone here?
Thanks
Alex -
Basis authorization object class
Hi All,
Few roles contain ABAP & BASIS objects but 1 user should NOT get access to these. How can I restrict ABAP & BASIS objects only for 1 user id without disturbing access for other users.
I tried creating Z roles for this user id and deactivating BASIS objects but still some other roles containing ABAP objects are accessible which I dont want to give.
Is there any shorter way out?
thx
BhushanHi Bhushan,
As i am not next to you, i cannot say on how the user gets to SU01. But if i were you, i would do the following
1. Go to table AGR_1251 and list all the roles used and check on the object S_TCODE
2. check for any presence of ranges
3. If the table result shows SU01, then you i am sure you know what to do - if the table shows SU01 in the output but you see that it is not in any of the role menus, then spend some time to understand about calling transactions and called transactions (Ex: PFUD internally calls for SU01). you can search the forum for more details
If you dont find desired results from the above try controlling / restricting the authorizations for SU01 for the related objects like: S_USER_AGR, S_USER_GRP, S_USER_SAS............
But I would never remove ALL basis objects (or) ABAP objects from my authorizations based on the object groupings in SAP.
S_DEVELOP is a ABAP object grouped in the BC class, but i wouldnt remove it entirely because my user is a functional consultant, there are ways of controlling the access of the object. As an example, sending customers from R/3 to an external systems using the BD* transaction would need authorizations on S_DEVELOP. Doing this is a functional job and S_DEVELOP is a ABAP object
so try controlling the access on the objects rather than removing the objects from the authorizations. -
Object vs Class base authorization concepts with J2EE/JAAS
Hello,
I'm evaluating J2EE and JAAS and I'm wondering how I can implement my business model using these techniques:
As far as I understand JAAS, it's a class based authorization architecture. What I need is an object based architecture, specially when using CMP entity beans.
Is it possible to design an object based access control based on JAAS and (perhaps) CMP entity beans?
More detailed:
Let's look at a simple (web-) application: A database contains only a table with documents, a document consists of an ID (primary key) and some plain text.
I've got two EJB, one for editing documents and one for reading documents.
Now I can easily design my application with J2EE and JAAS:
An "editor" role with access on the edit bean and a "reader" role with access on the reader bean.
The document class could be easily implemented as a CMP entity.
BUT: What happens if I need a restriction on WHAT documents a user/role can edit/read, in other words, if authorization is not controlled by the EJB (code/class based) but by the ID (primary key/object based).
E.g.
User1 should have read access on Doc1, but not on Doc2.
User2 should have read and write access on Doc2, but not on Doc1...
As far as I understand JAAS, it's not possible to solve this problem using JAAS. If this is right, then I have to implement my own authorization system, JAAS could only be used for authentication. In this case, JAAS is just a tier in the security concept, just like different database users with restricted access to different tables and fields.
If I'm right, then it's not possible (or possible but it makes no sense) to use CMP entity beans, because I can't use the "automatic" authorization pattern (I have to call my own access control system before invoking the entity bean, and so my clients loose some of their "leightweight").
Regards,
JensHi,
I have study JAAS with J2EE for the last two months, don't know whether my ideas can help you. I believed JAAS was designed for java programmer who wanted to have security implement in there application but do not want to write the security themself. JAAS provided a robust system so that someone else can come alone to plug in the security module and security would be implemented.
Base on your problems, I think what you should do is to have what know as a security access level implement in your object. When you uses JAAS to verify username & password, you can get user's access level as well maybe from LDAP server attribute, store in your principal. So whenever you want to check whethere you're a editor or author.
You have to identify what is business logic and security logic access level is a business logic, therefore you will have to implement in your application tier. There is no perfect solution, but having these module will save you lots of coding and flexibility.
Cheers,
ps: Please correct me if my view are wrong. -
Plant level authorization in DMS
Hi Gurus,
My client needs to control the document access by plant level.
In CV01N, 02N, 03N & 04N.
Is there any way to control the same document type aginst different plant.Hi,
I would say that the best way would be to implement the BADI DOCUMENT_AUTH01 to create a special authorization check on the desired field values.
So this check should work to restrict specific users on entering document info records.
Best regards,
Christoph
P.S.: Please reward points for useful information. -
How to base authorization on worksets
Hi All,
I see different postings about this topic, but I'm not sure where it stands.
We have different users that access PCA reports, CCA reports and a combination of both.
We have a PCA workset and a CCA workset that has the BW iView reports assigned to them.
We would like to have one role where the worksets are "dynamic". So for the users that have authorization for both PCA and CCA reports do not need to have 2 different tabs labeled "PCA Reports" and "CCA Reports". It would be one role that has both worksets assigned.
Then for users that only have PCA authorization, they do not see the CCA workset in this one role.
Is this possible?
Thanks.For this u need to have two roles and u have to merge ur roles.
Create a role and name it as PCA Role and assign PCA reports to it and go to property editor of the role and in MERGE ID filed give a name and save it
Create a another role and assign CCA reports to it and go to property editor of the workset and in MERGE ID filed give a name(give the same name which u have given in for first workset) and save it.
Now assign roles to users as u like.
if u assign Role1 to user1 he can see only content 1.
if u assign both roles he can see both content1 and content2.
If u assign both roles also user can see PCA and CCA reports under one role .
Regards
Krishna. -
DMS - view authorization control
when users have view authorization in DMS, can i control print and save / "save as" options. Do not want users to print the originals or save the originals.
Hi,
In SPRO Define workstation application
When you display an original application file that is stored in a secure storage area, this indicator determines whether the file can be renamed.
Use
To display an original application file that is stored in the SAP database, a vault, or an archive, the system creates a copy.
u2022 In the standard SAP System, the copy is assigned a name according to the naming convention defined in the program.
u2022 Some viewing programs can only find an original application file if the copy of the file has the name that the file had when it was saved to a secure storage area. In this case, the naming convention links the redline file to the viewer file.
If you set this indicator, the copy is assigned the name that the original application file had when it was saved to the secure storage area.
Procedure
Only set this indicator if your viewer application does not allow renaming of the file.
1. Define workstation application in networking, donu2019t set u2018PRINTu2019 option for you aplication.
2. Set up office interation u2013Appl type- donu2019t select u201Cprintu2019 option for your aplication
Also check this url, it is very help full all.
http://www.valleybusinesswv.com/docs/solutionreference.pdf
Also ,
u coluld use Filter options, in Define prfile.
Benakaraj
??P -
New Data Basis using infocbe 0BCS_C11
Hi,
I am creating new data basis using Infocube 0BCS_C11 in SEM BCS 4.0. Data Stream has been generated properly. Company and Consolidation Profit Center has been assigned Role ''Consolidation Unit'.
However, I am not getting Company as characteristic in 'Authorization/Validity check' tab. I can see:
Consolidation Group
Consolidation Profir Center Group
Consolidation Profit Center
We are using Infocube 0BCS_C11 as we think that in future we might use Matrix Consolidation, though there is no current requirement. At present we are going to use Legal Consolidation only.
Can you please advise?
Best Regards,
URSolved. It was just saving and going out of the screen. Thanks
-
Analysis Authorization Problem
Hy, i have create a Analysis Authorization object ZCOMPCODE with 0COMPCODE as characteristic.
So i assign this object to a users and i create a variable to filter 0COMPCODE with processing type "authorization".
The problem is that when execute the BEx query i receive the message : No authorization.
When assign 0BI_ALL to user the ZCOMPCODE has not effect but the query run correctly.
How can i resolve this serious problem?
Regards,
Andrea MaravigliaDear Andrea,
When you have a problem with authorization data access, may be you need check the following stuff:
1 All InfoObjects are relevant authorization (see Business Explorer the check box authorization relevant for each InfoObject Tcode RSD1) which these are part of InfoProvider where query request data. It is very important, because you have to include all of this InfoObject (Characteristic) in your analysis authorization.
2. Remember add the standard characteristic. 0TCAACTVT (3 value), 0TCAIPROV (InfoProvider Tech Name), 0TCAVALID (* value).
3. In each characteristic relevant authorization, I suggest that add the colon : value to avoid problem with variable authorization in the query.
4. Furthermore, the user need one role for standard object authorization:
. S_RS_COMP (Activities 03, 16)
. S_RS_COMP1 (Query owner)
. S_RFC (BEx Analyzer or BEx Browser only)
. S_TCODE (RRMX for BEx Analyzer)
I hope that can help you!
Luis -
Authorization Error while executing Workbooks,
Dear ALL
We have authorization in place where users are restricted to execute Workbooks PLANT wise.
For this 0PLANT is kept authorization relevant.
0PLANT__0COMP_CODE is Navigational Attribute of 0PLANT also marked as authorization relevant.
Till now all user were assigned the Analysis authorization A_PLNT_XX as 0PLANT = XX
But suddenly now the users are getting authorization error of NOT BEING AUTHORIZED .,
The error log is as shown below.
Relevant Characteristics for Detailed Authorization Check
(Characteristics with Full Authorization Are Not Listed!)
List of Effective Authorization-Relevant Characteristics for InfoProvider ZMMIMMP05:
0PLANT
0PLANT__0COMP_CODE
0TCAACTVT
Subselection (Technical SUBNR) 1
Supplementation of Selection for Aggregated Characteristics
Check Added for Aggregation Authorization: 0PLANT__0COMP_CODE
Authorizations missing for aggregation (":")
Characteristic 1
0PLANT__0COMP_CODE Empty
Entries marked with red do not have aggregation authorization
You can find more information about this here 1140831
The authorization check stops here as this selection is no longer needed
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
51 ( 0PLANT )
Authorization Check Complete
Please let me know the reason for the same.
Also How can i track these changes to avoid such errors
Regards,
AjitHi Ajit,
The authorization log has been improved constantly and try to make it easy to understand.
It says:
Authorizations missing for aggregation (":")
Characteristic 1
0PLANT__0COMP_CODE Empty
Entries marked with red do not have aggregation authorization
You can find more information about this here 1140831
So please click the "1140831" which is a hyperlink bringing you to OSS note 1140831.
The note says:
1140831 Colon authorization during query execution
Part 1: Description of the authorization check
You require aggregation authorization ("colon authorization") to view
the values of an authorization-relevant characteristic in aggregated
form. What does this mean exactly?
Example:
The calendar year (0CALYEAR) characteristic is authorization-relevant
and is contained in the InfoProvider that is in use. You defined a query
as follows:
1. 0CALYEAR is in the free characteristics (not in the drilldown)
without any selections
- or -
2. 0CALYEAR does not exist in the query at all.
In both cases, no 0CALYEAR values are displayed in the query. Also, the
query is not restricted to any 0CALYEAR values. A colon is required for
the authorization check in this situation.
The note contains some more detailed explanation. You could read through it to understand the concept.
Regards,
Patricia -
Authorization Required in satellite system to create RFC
Dears,
In Solman 7.0 tcode SMSY i am adding satellite system(ECC6).As while creating RFCs
SM_<SID>CLNT<client>_READ
SM_<SID>CLNT<client>_TRUSTED
SM_<SID>CLNT<client>_TMW
in SMSY it askes for three times satellite system user name and password.
Now Issue is that with what authorization i should enter in satellite system so that RFCs can be created successfully as SAP_ALL can be assigned due to policy.I gave almost all basis tcodes to my user in satellite system but still RFC are generating error.
Please suggest.
DeepakHi,
You need to have these authorization objects. Along with your BASIS authorization add the following objects.
S_RFC
S_RFCACL
This should solve your problem.
Feel free to revert back.
--Ragu
Maybe you are looking for
-
How to call pl sql stored procedure or function in OAF 10 plus versions
Hello All, I am using J-dev 10.1.3.3.0.3 version.I want to call stored procedure from package in one of my controller. I tried using "txn.createCallableStatement" but it is saying that createcallablemethod is not available.Does any one knows about th
-
Can I have a slider impact a timeline just at one point?
I am using AE CS6, on an HP 820z, Win 7. I would like to have a series of layer objects follow different paths to an end point where they line up horizontally curving back in space on the sides. Here is a small example: But at the end point, I'd like
-
HT1222 what is the problem with my pc
my computer is always having a problem when i on face book...malware virus
-
Hello All The attached vi shows an extract from an XML file. I can successfully extract the values of interest to me, such as Mean (the syntax I am using is shown on the left) I now want to associate the value such as Mean with its key e.g. SENS0710:
-
Why can't Adobe do something as simple as giving us a desktop shortcut? Or even better allow us to access direct from print option as we could do if we had the software installed?