Check for Authorization object

Hi All,
I have a report which will authorize the person running the report.
I have been given a requirement which is to not accept some users and accept some users.
Now I know this is possible with an authorization object, but as I have never worked with one I am getting confused as to how to go about it.
Could someone let me know how to go about it? I have a few questions.
1. what is the exact use of authorization object.
2. I can build in the logic but what all should one start with before going for before implementing authorization object for the report.
3. I know there is some basis work involved in this but what is that ?
Thanks,
Mahen

Hi,
In general, different users will be given different authorizations based on their role in the organization.
We create ROLES and assign the authorizations and TCODES for that role, so only that user can have access to those T Codes.
Use SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>
  ID <authority field 2> FIELD <field value 2>
  ID <authority field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT'    FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
  MESSAGE E...
ENDIF.
'S_TRVL_BKS' is an auth. object
ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes to a profile, and that profile is in turn attached to a particular user.
Take the help of the basis Guy and create and use.
Reward points if useful
Regards
Anji
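
An added example, not part of the original posts: a small report that gates execution with the AUTHORITY-CHECK described in the answer above and tells the common return codes apart. The report name, the parameter p_ctype and the message texts are assumptions; it also assumes that the object S_TRVL_BKS from the post and the flight-model table SBOOK exist in the system.

```abap
REPORT z_booking_auth_demo.
* Added example. Assumed names: Z_BOOKING_AUTH_DEMO, p_ctype, message texts.
* S_TRVL_BKS, ACTVT and CUSTTYPE come from the post; SBOOK is the
* flight-model booking table and is assumed to be installed.

PARAMETERS p_ctype TYPE sbook-custtype DEFAULT 'B' OBLIGATORY.

DATA: lt_bookings TYPE STANDARD TABLE OF sbook,
      ls_booking  TYPE sbook.

AT SELECTION-SCREEN.
* Check before any data is read: display (03) for the requested
* customer type. A type 'E' message here returns the user to the
* selection screen, so START-OF-SELECTION never runs without a pass.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT'    FIELD '03'
    ID 'CUSTTYPE' FIELD p_ctype.

  CASE sy-subrc.
    WHEN 0.
      " Authorized: continue to START-OF-SELECTION.
    WHEN 4.
      " The user has the object, but not with these field values.
      MESSAGE 'No display authorization for this customer type' TYPE 'E'.
    WHEN 12.
      " The user master holds no authorization for the object at all.
      MESSAGE 'No authorization for S_TRVL_BKS in the user master' TYPE 'E'.
    WHEN OTHERS.
      " Any other return code is treated as a failed check (deny by default).
      MESSAGE 'Authorization check could not be evaluated' TYPE 'E'.
  ENDCASE.

START-OF-SELECTION.
* Only reached when the check above returned 0.
  SELECT * FROM sbook INTO TABLE lt_bookings UP TO 20 ROWS
    WHERE custtype = p_ctype.

  LOOP AT lt_bookings INTO ls_booking.
    WRITE: / ls_booking-carrid, ls_booking-connid, ls_booking-fldate,
             ls_booking-bookid, ls_booking-custtype.
  ENDLOOP.
```

Which users pass the check is decided outside the program: the role or profile assigned to the user must carry an authorization for S_TRVL_BKS whose values cover ACTVT 03 and the requested CUSTTYPE.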

Similar Messages

  • How to turn off the authorization checks for a object in infoproviders?

    Hi - how can I turn off the authorization check for an object (ex: 0orgunit) in infoproviders?
    I have 0orgunit as an authorization-relevant object and is used in one of the cubes. When reports are run for this cube, this is causing authorization issues. The object is present in other cubes also but I have to remove or turn off the authorization check of this cube alone. How to do this? Please help.
    Thanks,
    Raj.

    Hi Raj,
    Srinivas is right; however, in BI7 the correct transaction is RSECADMIN and not RSADMIN.
    In BW3.5, use RSSM transaction to do this.
    OR
    Go to transaction RSECAUTH ---> Choose the authorization object that has been created for org unit (and has been assigned to the user). Go to change mode. Remove the cube from the dimension 0TCAIPROV.
    If you are using old authorization concept in 3.5 or in 7.0
    Go to RSSM. In the checks for infoprovider, enter your infoprovider name. Choose change. Here you will see a checkbox to switch off the authorization.
    Hope this helps you,
    Best regards,
    Sunmit.

  • Transaction AFAR doesn't check for authorization

    Hi,
    I've added transaction code AFAR in one of the roles that has Check/Maintain for authorization object A_PERI_BUK, which should restrict on company code. I've even checked the associated program RAAFAR00, which has the authority check statement.
    But, when I restrict the access to a specific company code in the role, the transaction is still allowing the users to execute it with other company codes. User doesn't have any other roles assigned and all the other tcodes such as AFAB, AFBP are giving authorization errors.
    Can someone help!!
    Regards,
    Raghu

    Hi,
    it is not throwing failed authority check error but should work just fine.
        AUTHORITY-CHECK   OBJECT  'A_PERI_BUK'
                          ID      'AM_ACT_PER'      FIELD con_31
                          ID      'BUKRS'           FIELD x093c-bukrs.
        IF sy-subrc NE 0.
    *       WRITE: / text-f08, x093c-bukrs. commented by C5053255
          CONTINUE.
        ELSE.
    *      Read back the entered fiscal year per company code
          p_gjahr = sav_gjahr.                                  "> 627533
        ENDIF.
    The CONTINUE statement executed in case of a failed authority-check causes the loop to skip processing for this item ... so only elements for which the user has proper authorizations are processed. Try debugging to confirm.
    Best regards,
    FS
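
An added example, not part of the original posts and not SAP's RAAFAR00 code: the same skip-on-failure loop as in the reply above, but with the skipped company codes collected and listed, so the filtering is visible to the user instead of silent. The report name and variable names are assumptions, and the object F_BKPF_BUK (fields ACTVT and BUKRS, display = 03) stands in for A_PERI_BUK because the value of con_31 is not given on the page.

```abap
REPORT z_bukrs_filter_demo.
* Added example. Assumed names: Z_BUKRS_FILTER_DEMO, s_bukrs, lt_skipped.
* T001 is the standard company code table (fields BUKRS, BUTXT).

TABLES t001.
SELECT-OPTIONS s_bukrs FOR t001-bukrs.

DATA: lt_t001    TYPE STANDARD TABLE OF t001,
      ls_t001    TYPE t001,
      lt_skipped TYPE STANDARD TABLE OF bukrs,
      lv_bukrs   TYPE bukrs.

START-OF-SELECTION.
  SELECT * FROM t001 INTO TABLE lt_t001 WHERE bukrs IN s_bukrs.

  LOOP AT lt_t001 INTO ls_t001.
*   Row-level check: one AUTHORITY-CHECK per company code.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'ACTVT' FIELD '03'
      ID 'BUKRS' FIELD ls_t001-bukrs.
    IF sy-subrc <> 0.
*     Remember what was filtered out, then skip the item.
      APPEND ls_t001-bukrs TO lt_skipped.
      CONTINUE.
    ENDIF.

*   Only authorized company codes reach this point.
    WRITE: / ls_t001-bukrs, ls_t001-butxt.
  ENDLOOP.

* Make the filtering visible so that a restricted run is not mistaken
* for a run in which the check was never executed.
  IF lt_skipped IS NOT INITIAL.
    SKIP.
    WRITE: / 'Skipped, no authorization for company code(s):'.
    LOOP AT lt_skipped INTO lv_bukrs.
      WRITE: / lv_bukrs.
    ENDLOOP.
  ENDIF.
```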

  • Authorizations in CRM 2007 - How to check missing authorization objects?

    Hi,
    In our project we are currently busy with the set up of authorizations.
    I did create the necessary PFCG and Business roles.
    For the PFCG roles, I did create all of them by copy of the standard SAP_CRM_UIU_FRAMEWORK so that the user can  access to the web layout.
    Now I need to give authorizations for other CRM objects, my question is: How can I see which objects are missing to displaying or creating activities in the new WEB Layout?
    In the old days we used the SU53 to check the authorization objects that were missing, how can we do it now in this new release? I tried it and it didn't work out.
    Thx
    Regards
    Hugo

    Hi,
    For report CRMD_UI_ROLE_PREPARE you have to input a business role - not a PFCG role. Are you doing that?
    Are you getting no results at all in ST01 or are all results just with return code 0?
    You have to remember to set a filter for your user in ST01 before activating the trace. Another thing to check is if you are using several application servers. I would imagine the trace has to be activated on the same application server as the Web UI. You can change the application server in SM51.
    /Anders

  • Duplicate check for Connection Objects in CRM

    Hi,
    I want to implement a duplicate check for connection objects in CRM. The duplicate check shall use the address of the connection object and perhaps additional attributes. I have found a duplicate check for business partners using the basis address service and TREX as index pool. However, I couldn't find a similar functionality for connection objects. Does somebody know:
    1) How to implement a duplicate check for connection objects which is based on the address of the connection object?
    2) Is there a way to use the TREX-based duplicate check which is integrated into the basis address service for connection objects?
    Thanks in advance!
    Best regards,
    Frank

    I also have a requirement to check for duplicate addresses at connection object level and we are using SAP data services to validate the address. Can anyone share their experience?

  • How to do the Unicode Check for Business Objects ?

    Hi all,
    How to do the Unicode Check for Business Objects ?
    Note: All business Objects are stored in BOR (Business Objects Repositary)
    Thanks in advance
    Sri..

    Hi..
    I have used the UCCHECK transaction for some business objects.
    For some business objects it is showing that no Unicode errors were found, e.g. Z00MARA,
    and for other business objects it is showing a message like: There is no program corresponding to this selection.
    Why is the system showing this?
    Thanks in advance
    Sri..

  • JS to check for Anchored Object in a textFrame

    Hi, does anyone know of JS to check for anchored objects in a textFrame?
    Thank you.

    if (myTextFrame.textFrames.length > 0)
       // then there are anchors in myTextFrame
    Peter

  • Prompt for Authorization Object

    Dear Experts,
    I would like to have control on certain authorization objects which are common among the roles while creating them.
    Is it possible that while maintaining or creating a role, if by mistake the administrator does not block the object OR add an entry which we do not authorize, the system should alert the administrator as a popup or alert message?
    I am aware about the report "RSUSR008_009_NEW" for maintaing critical authorizations, however, running a report and giving a prompt are two different things.
    Any possibility of an alert?
    Thanks and Regards,

    Hi J K
    I take the following approach with SU24:
    Complete Proposal - completely maintain an authorisation proposal when that value applies for any situation in PFCG role build. E.g. transaction FB03 for object F_BKPF_BUK has fields ACTVT and BUKRS. You can allow the value as ACTVT = 03 and BUKRS = $BUKRS (org value) for each scenario
    Partial Proposal - only maintain some of the fields where it will be consistent. E.g transaction OB52 for posting periods and S_TABU_DIS with field ACTVT and DIBERCLS. You leave ACTVT blank as sometimes you want change whilst DIBERCLS for auth group is static so you can enter a value there
    Empty Proposal - leave the proposal values completely blank as the requirement will depend on the scenario. E.g transaction SM30 you might leave S_TABU_DIS empty as it will depend on the role for both fields.
    If you take this approach, you minimise the need for deactivating object, copying/changing and manual objects in PFCG. You maximise role authorisation under status of Standard or Maintained.
    Now if we set the proposals in su24, it will be applicable for other new roles as well for which we DO want the proposals to exist.
    Yes if you change SU24 you should clean up all impacted roles but before you build roles you should review
    At the end of the day you need to have competent security administrators who know what a display activity is and have attention to detail/meticulous enough to build the role with appropriate restrictions (i.e. do not put change access in a display role).
    How can we avoid the "new authorization objects" to be added to this display role.
    To avoid this you are trying to avoid using SU24 integration. If you are trying to build a SAP display all role then you might as well copy SAP_ALL and go through and deactivate/remove any display access from the role. In this case you would not use the role menu.
    Not all solutions are technical. It's why you need to have a clearly defined process that is adhered to.
    My trick of display roles - I got the AGR_1251 role and look at the entire contents of the role and scan this list of objects and what's in the role. However, I do this as I know the objects relatively well and can identify the specific objects that are change/display  but do not use ACTVT field (e.g. PLOG/P_ORGIN/P_PERNR)
    Wonder why SAP prompts warning and errors messages doing a business/financial transaction and not security.
    Exactly what would you want the system to prompt? How would SAP know what a display role is?
    We noted that every time we add a t-code, the authorization object added is marked as "new" in the list. We just disable those and generate it
    If you take this approach you cannot guarantee the transaction code will work. The user may need the underlying values and that is why SU24 has them marked as proposal.
    My summary - define your process to include a quality check after building a role and hire security administrators who know more than how to tick and click buttons in PFCG (i.e. they understand security objects and why some are sensitive).
    Regards
    Colleen

  • Is there any way to force a Role Check for authorization from a Ztable

    Hi all,
    I have an issue that deals with Authorization check using a role. I have to know if there is any way to make a Role force to check if an entry exists in a Ztable.
    Eg. A User is assigned a role Z:Ztable_check. Can we now force this Role to somehow check for a particular entry in a Ztable which has a Username and its Corresponding Authorized Cost center. Can the role check from the Ztable and allow the user to view only those cost centers that he is allowed to.
    Don't know if this is even theoretically possible.

    hi
    see if this helps you
    The SAP Authorization Concept
    Authorization checks are a means of protecting functions or objects in the R/3 System. The programmer of the function determines where and how these checks are made, while the user administrator determines (within the framework defined by the programmer) who can execute a function or access an object.
    The terms central to the SAP authorization concept are:
    Authorization field
    This is the smallest unit against which checks can be made. The programmer can create authorization fields by selecting Tools → ABAP Workbench → Development → Other tools → Authorization objs → Fields.
    Example: ACTVT and CUSTTYPE.
    Authorization object
    An authorization object groups together 1 to 10 authorization fields which can then be checked as a combination. The programmer can create authorization fields by selecting Tools → ABAP Workbench → Development → Other tools → Authorization objs → Objects.
    Example: The authorization object S_TRVL_BKS groups together the authorization fields ACTVT and CUSTTYPE.
    Authorization
    An authorization is a combination of permitted values for each authorization field of an authorization object. The user administrator creates authorizations by selecting Tools → Administration → Maintain users → Authorization.
    Example:
    S_TRVL_CUS1 is an authorization for the authorization object S_TRVL_BKS with the values
    for customer type (CUSTTYPE) and
    02 for activity (ACTVT).
    Users who have this authorization are allowed to change the bookings of all customers.
    S_TRVL_CUS2 is an authorization for the authorization object S_TRVL_BKS with the values
    B for customer type (CUSTTYPE) and
    03 for activity (ACTVT).
    Users who have this authorization are allowed to display the postings of all customers.
    Authorization profile
    An authorization profile represents a simple workplace in the context of authorizations. An authorization profile contains authorizations for the authorization objects a user needs to operate effectively in a restricted task area. The user administrator creates authorizations by selecting Tools → Administration → Maintain users → Profiles.
    User master record
    Your user master record is checked when you logon to the R/3 system. Through the authorization profiles, this provides restricted access to the functions and objects of the R/3 System. The user administrator creates authorizations by selecting Tools → Administration → Maintain users → Users.
    Authorization check
    The programmer can perform authorization checks with the ABAP command AUTHORITY-CHECK by specifying the value to be checked for each authorization field defined. The system then scans the profiles in the user master record for the authorizations specified. If one of the authorizations found for all fields of the authorization object covers the values specified by AUTHORITY-CHECK, the check was successful.
    Example: Check whether the user is allowed to change the postings of business customers:
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
                    ID 'ACTVT'    FIELD '02'
                    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
      MESSAGE E...
    ENDIF.
    If the authorization S_TRVL_CUS1 exists in the user's master record, the authorization check is successful. However, if the authorization S_TRVL_CUS2 exists, but not the authorization S_TRVL_CUS1, the check fails.
    Authorization assignment
    The system administrator is responsible for assigning user master records with the correct authorizations. You should use the Profile Generator to maintain authorization profiles. However, you can also change them manually. Each authorization object contains authorizations. These are grouped together in authorization profiles such that each authorization profile represents a job description, for example 'flight reservations clerk'. You assign one or more authorization profiles to each user master record. You can assign an authorization to as many authorization profiles as you like, and an authorization profile to as many composite profiles and users as you like. Composite profiles are used in manual authorization maintenance, and form a further division in the authorization structure. However, they are not strictly necessary.
                      User master record
                    Auth. profile  Composite auth. profile
               Authorization              Auth. profile
                 Values              Authorization
                                   Values
    plz reward if satisfied

  • Missing authorizations for authorization object UIU_COMP

    I have generated the pfcg role for a business role using report CRMD_UI_ROLE_PREPARE and assigned the pfcg role to a user.
    The user is apparently able to perform navigation as required. However, when a ST01 trace is run for the user, there are few missing authorizations for UIU_COMP. Could anyone please explain the reason for this? No changes have been made to object UIU_COMP  i.e. only values generated by the report is present there. Should the missing authorizations be added manually to the role?

    I would recommend that you define for component UIU_COMP in your pfcg role full access (all set to *), because this authorization object is used for access to web ui components. Even though you define this object with full access, users will still see just the components defined in the business role.
    Regards.

  • Translate Object class (for authorization objects)

    I wonder where I can translate the object class (SU21 - auth objects). I managed to find where I can translate the authorization objects in SE63.
    What is the object type for the object class in order to translate it?

    SAP itself told me there is no way to do so. They recommend to directly edit the corresponding text table.

  • Table for authorization objects

    Hi All,
    What is the table where all authorizations for a user for a particular authorization object is maintained?
    Thanks,
    Neelima.

    hi friend
    usr04 -User master authorizations alone
    usr07 - it will display all the authorisation object field name.
    if its helpful reward for the same
    regards
    vijay

  • Field Validation for Authorization Object field on selection screen

    Hi Experts,
    We have included a new field 'Authorization Object' in the selection screen which should be reflected in the field Authorization Object of the spool property. Please let us know how we can provide F4 help for this field and also validate it in the code.
    The data element "RSPOAUTH" is used for the field on selection screen parameter. However, as there is no value table attached to the domain, we are unable to provide any F4 help and hence cannot validate the field in the code.
    Looking forward for your valuable reply.
    Thanks in advance.
    --Warm Regards,
      Prajakta Kanitkar.

    Hi Prajakta,
       You can refer the following code for getting F4 help.
    " Row type and internal table that hold the values offered in the F4 list
    TYPES: BEGIN OF stru_btc,
             zesgbtc TYPE zhr_del_btc,
           END OF stru_btc.
    DATA: it_btc TYPE STANDARD TABLE OF stru_btc.
    SELECT-OPTIONS: s_zzbtc FOR pa0001-zzbtc NO INTERVALS.
    " Triggered when the user presses F4 on the lower limit of the select-option
    AT SELECTION-SCREEN ON VALUE-REQUEST FOR s_zzbtc-low.
      SELECT * FROM zbtc INTO CORRESPONDING FIELDS OF TABLE it_btc.
      CALL FUNCTION 'F4IF_INT_TABLE_VALUE_REQUEST'
        EXPORTING
          retfield        = 'BTC'
          dynpprog        = sy-repid
          dynpnr          = sy-dynnr
          dynprofield     = 'S_ZZBTC-LOW'  " screen field of the lower limit
          value_org       = 'S'
        TABLES
          value_tab       = it_btc
        EXCEPTIONS
          parameter_error = 1
          no_values_found = 2
          OTHERS          = 3.
      IF sy-subrc <> 0.
        MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
      ENDIF.
    Hope this will help you.
    Thanks & Regards.
    Aniruddha

  • Checking for released objects.

    I'm trying to release some objects, but the code crashes on the release, because I suspect the object has been released already. I tried to check for nil, but this doesn't seem to work
    eg:
    - (void)f1 {
        object = [[Object alloc] init];
    }
    - (void)f2 {
        [object release];
        // object = nil; /* I shouldn't need to do this? */
    }
    - (void)f3 {
        if (object) // sometimes this still points to a memory address, though the contents of the memory is a bit funny
            [object release]; /* code crashes here sometimes because f2() was run */
    }
    Is there a better way to check if an object has been fully released?
    BTW: this is all on the iPhone 2.1, so I know the memory management is a little different.

    Deallocation does nothing but mark that space as free for subsequent allocations. Uncomment the second line of f2.

  • Role Maintenance - Automatically generated names for authorization objects

    Hello NG,
    I've got a question concerning the mentioned subject.
    Currently I am maintaining the roles/authorizations of a customers system (Rel. 3.0) which has moved to Rel. 7.0.
    When I add an authorization object to a role, the technical name is generated automatically. How can I set up the naming conventions for the authorization objects?
    Thank you very much.
    Regards ..

    Hi SUNIL L,
    I referred to 3.0 but I think that the release version has no relevance for my problem. I think I should try to explain my problem once more:
    When I add an authorization object to a role, a technical name is generated automatically and assigned to it. Is it possible to set any naming conventions for this?
    Regards..
