Check performed on an Auth Object?

Similar Messages

• Job role design - transaction role and auth object role

  Hi all, please kindly comment following job role design:
  (1) transaction role:
  Keep transactions in single job role to represent business processes in different application areas, e.g.MM: maintain PR, PO, OA.   CO: maintain cost center, internal order   HR: maintain org structure, personnel management.
  The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
  (2) authorization role
  Keep application component related authorzation objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role.  Objects of HR in HR role.
  Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role.;....
  User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
  with MM transaction role + company A MM role + company A CO role.
  Please let me know the pros and cons of above design.  Thanks.
  Regards,
  Donald
  * I can see the disadvantage of this design is during SAP upgrade (SU25), revised of authorization object will not reflect in authorization role

  Brent Van Dyck wrote:
  Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
  That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
  In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
  But splitting cube / characteristics / key figures  or infotype / personel group / auth code into different roles can only go wrong.
  Another mistake some "value role experts" sometimes make is that they don't want Su24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side affect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
  Cheers,
  Julius

• Same Auth Objects CM in su24

  Hi All –
  In SU24 for a Tcode SU01 in “S_TCODE” the following auth objects are CM.
  S_USER_AGR
  S_USER_AUT
  S_USER_GRP
  S_USER_PRO
  S_USER_SAS
  & for Tcode PFCG
  S_USER_AGR
  S_USER_AUT
  S_USER_GRP
  S_USER_PRO
  S_USER_SAS
  I am developing a role initially with SU01 Tcode. For the auth object S_USER_AGR, I am giving 01,02,03,06 field values.
  Later I add PFCG Tcode for same role “P_TCODE”. For the auth object S_USER_AGR , I am giving 22,21 field values.
  My question is if the role is assigned to a user
  1.     will he be able to create, change, display, & delete roles using PFCG ????
  2.     What is the best way to restrict the user’s in create, change, display, & delete???
  3.     For PFCG Tcode none of the Auth. Obj’s (the objects that are added by adding SU01 or PFCG Tcode VIA MENU)are maintained in the role what would be the implication??
  Thanks,
  VJ

  Hi,
  1.What is the purpose behind the calling of multiple Tcodes thru a single T.code .I mean to say, suppose, i require a C.Code object to be associated with a T.code for doing that, why i am connecting it to C.Code object of some other T.codes.
  Many tcodes are customized to limit the access / risk. The best example is with SM30. If an user want to maintain a table, you can create a custom transaction which skips the intial screen (user don't need to enter the table name) and allows the user to edit the right or only one table rather than many.
  You can connect your custom authorization object to F-67, it will not affect FBV1. the settings from FBV1 can be overwritten with the entries in F-67. use transaction SE93 to see more details and customization in transaction F-67.
  2.If i assign a C.Code (let say 1000)thru object F_BKPF_BUKRS to a user,does it mean that,i don't need to assign that C.code to user again for access related to C.code 1000 in the accounting document area.Or is there anything like that, the C.Code access will be coded globally for that user for all C.code related access for FI, MM and SD.
  Once you assign the authorization to a company code 1000 it means user has access to this company code across modules. This is subject to the transactions and thier authorization objects attached to them in other modules. Note that all the transactions doesn't perform authorization check for Company code.
  3.Is there any T.code,from where i can associate a authorization object with a T.code.
  You can use SU24 itself.
  Hope it clarifies your queries.
  Regards,
  Gowrinadh

• Do 2 same auth objects with different values bleed together?

  If I had a user who had Auth object F_BKPF_BUK with Activity 01 and Company Code 1200 and also Auth Object F_BKPF_BUK with Activity 03 and Company Code 1300, would the user have 01 and 03 for both Company Code 1200 and 1300 or would the user be restricted to 01 for 1200 and 03 for 1300?

  It depends on the object and how the result of the authority-check is "built".
  For the result of a single authority-check Sanju is correct.
  It would not make sense to attempt to display something (retrieving the value from the record) which has not been created yet (checking the value in the entry screen).
  However the opposite can be true for authority-checks within arguments:
  -  IF weak_check_failed    "user is not authorized...
  -  THEN perform strong_check    "permit everything if passes...
  -  ELSE return_to_...     "Go back to list...
  However, in many cases this weaker : stronger check is against different objects.
  Other transactions will completely bypass the one object and only use a stronger one.
  F_BKPF_BUK should be okay for transactions FB01 and FB03, for example.
  Cheers,
  Julius

• BW Authorizations/Report. Auth Object/KF's vs. Calc. KF's

  We implemented a custom/reporting auth. object to protect key figures (1KYFNM) and it works well. The issue is that our user community never ceases to come up with new and even more creative requirements.
  Let me illustrate the latest requirement:
  I have locked-down access to certain key figures (let's call them 'KF A' and 'KF B') and therefore subsequently secure all combinations involving either one of the two meaning calc. KF D (KF A plus KF C) is locked down as well. I also need to mention that users are supposed to be able to create their own ad-hoc queries, which eliminates the option of limiting them to a query or set of queries that accomplish the following requirement.
  There are certain totals, which are calc. KF's that the users are allowed/required to see even though they are not supposed to see what makes up these numbers (they should see calc. KF K which is made up of KF A, KF B, and KF H, etc. but not KF A and KF B).
  Without the option of providing the users with rather static queries, I see another option as calculating 'KF K' (from the previous example) at the time of the load and just making it another key figure in the cube which then can be excluded from the auth. check previously mentioned based on the naming convention. The problem with that is that this will make reporting rather inflexible, increase load times as this calculation is rather complicated, and it will also create redundant information in an environment that is already experiencing substantial growth and volume.
  Does anyone see any other solution?
  Thanks,
  Joerg

  Jeorg,
  I'm afraid that there's no special authorization handling for calculated key figures. To my best knowledge, the approach to create another key figure at data load time via transfer rules or update rules would be the only one can work. While this approach may not be flexible, but the load time should not increase significantly if you just add two key figure values into a new one.
  If you find this is approach is unacceptable or it is a common requirement among BW community, you might consider submit such requirement through ASUG BI Group or via OSS development request.
  Thank you for your question and patience.
  Regards,
  Amelia Lo
  SAP NetWeaver RIG, US
  SAP Labs, LLC

• How can I limit/control the addition of auth. objects to security roles?

  Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certaing type of auth. objects and didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
  Edited by: Armando Salas on Nov 29, 2011 7:41 PM

  Hi Armando,
  Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
  I hope this helps you
  Regards
  Eduardo

• Can we control Work center group links using auth object UIU_COMP

  Hello All,
  We are running into an issue while doing our PFCG role configuration.
  I need to know if we can control Work center group links in a business role through auth object UIU_COMP.
  We can control Workcenter's but not 'Work Center Group Links'.
  Here is what we did:
  - We have a business role Z_RA_DEFAULT.
  - The Nav Bar Profile SRV-PRO for this business role has some work center group links that are checked in menu and visible.
  - I'm trying to find the values in the auth object UIU_COMP to restrict Work center group links.
  - Even though the values Work center group links are in menu and visible,
  I want to remove these Work center group links from the screen using the auth object.
  - If we remove the check from in menu and visible in the business role the Work center group links disapper from the screen.
  Right now this is only way we are able to controle Work center group links.
  Question:
  - Can I use UIU_COMP to restrict Work center group links?
  - any another auth object that controle Work center group links?
  - any document/ website / info  available which tells us what can we restrict with auth object UIU_COMP?
  - or any other way of doing this... like code change, user exit, ....?
  Really appreciate your help.
  Thanks,
  Nasir

  I am not sure if I have understood the issue correctly, but still what stops you from actually creating a clone business role to your existing business role and deactivating the in menu visible work center group links. Use this new business role for users who need to be prevented from viewing the work center groups links in question.
  If you are going to use authorization objects to control the visibility wont it impact all users (still defeating your original purpose?)
  Again apologies in case I have got the question wrong.

• Where we check the authorization group & authorization object?

  Hi all,
  i have a  std program & tcode  like fb03 . now i want to know the authorization group & authorization object. so where we will check..?
  help me.
  thanks.
  Vipin

  Hi,
  Use transaction SU21 & SU22 for Auth Objects & Class

• Auth Objects in ABAP Programs

  Dear All,
  how could I find the auth object being validated in programs?
  Using SU24 I am able to find transactions checking auth object...but I am not quit sure sure if there are some other programs using/checking those auth objects.
  In general I want to check one specific auth object where is used/checked.
  I will appreciate your help.
  Regards
  FedeX

  Please use the standard report RSABAPSC to check the authority check statements used in the program for any TCode. Also you can look into ABAP codes in more details by using the program RSANAL00.
  Regards,
  Dipanjan

• ORA-38301: can not perform DDL/DML over objects in Recycle Bin

  Oracle 10.2.0.4:
  When performing DDL on a table I get the error "ORA-38301: can not perform DDL/DML over objects in Recycle Bin". I ran purge recyclebin but didn't help. I then ran following sql (below) and it returned whole bunch of rows for that user. Does it mean that purfe recyclebin didn't work? What should I do?
  select r.obj#, r.original_name, u.username from recyclebin$ r, dba_users u where r.owner#=u.user_id

  I ran purge recyclebin but didn't helpis this a rac env?
  check the metalink note performing DML/DDL operation over object in bin ORA-38301 - 578075.1
  Bug 4760728 - ORA-38301 during DROP TABLE when already dropped from a different node 4760728.8

• CC5.2: Auth objects database table for legacy systems

  Hi,
  Where are the auth objects for legacy systems stored?
  I mean, for SAP systems the auth objects ar stored in the tables SAPOBJ and SYSSAPOBJ.
  Can anybody help me?
  Thanks in advance

  correct formatting...I wish you could edit your posts instead of reposting!
  Just a performance tip--> since it looks as though you are looping through and performing the same statement many times, you should consider using a prepared statement:
  PreparedStatement ps = con.prepareStatement("insert into Table1 (Col1,COl2,Col3) " +
  "values ( ? , ? , ? )");
  for (int k=0; j<array1.length; k++) {
  if (array1[k] !=null)
  tt = array1[k].getArray2();
  for (int j=0; j<50; j++) {
  if (array2[k] !=null)
  ps.setString(1, tt[j].getString1);
  ps.setString(2, tt[j].getString2);
  ps.setString(3, tt[j].getString3);
  ps.executeUpdate();You will notice a significant performance gain if you are looping many times.
  Advanced--> huge performance gain if you use batch statement in this loop!
  PreparedStatement ps = con.prepareStatement("insert into Table1 (Col1,COl2,Col3) " +
  "values ( ? , ? , ? )");
  for (int k=0; j<array1.length; k++) {
  if (array1[k] !=null)
  tt = array1[k].getArray2();
  for (int j=0; j<50; j++) {
  if (array2[k] !=null)
  ps.setString(1, tt[j].getString1);
  ps.setString(2, tt[j].getString2);
  ps.setString(3, tt[j].getString3);
  ps.addBatch();
  //when completed all looping
  int[] insertCount = ps.executeBatch();Jamie

• Error "Inconsistancy in the auth object P_ORGIN"

  Hello Gurus,
  I have to add a tcode which involves auth object P_ORGIN. When I add the tcode and go to authorization tab then it gives the error as "Inconsistancy in the auth object P_Orgin"
  Please let me know how should I add the tcode now. Thank you !
  Regards,
  MA

  PLease provide tcode
  The reason why the profile generator cannot correctly insert the
  default values of these transactions is due to a data inconsistency in
  table USOBT_C (default values for customers). The table does not
  contain an entry for field BTRTL of authorization object P_Orgin.
  You can immediately correct the incomplete data in your customer table
  USOBT_C using the following steps:
  Step 1 Execute transaction SU24
  Step 2 Enter the transaction affected by this error ie XXXX
  Step 3 "Change check indicator" (F6) in the application toolbar.
  Step 4 With "Display field values" (F7) you check the default values of
  P_Orgin. Please document the values.
  Step 5 Go back to the previous screen and set the check indicator from
  "Check/maintain" to "Check" for P_Orgin.
  Step 6 Set the indicator for P_Orgin back to "Check/maintain".
  Step 7 Choose the function "Change field values" (F6) and insert the
  formerly documented values for AUTHC in object P_Orgin.
  Now you see also the field BTRTL being presented.
  Save the changes.
  Repeat steps 3-7 for each of the transactions affected.
  Hope you are clear with the steps.
  Thanks,
  Prasant
  Edited by: Prasant K Paichha on Mar 3, 2010 3:01 PM

• Custom TCODE-Auth Object Assignment

  Hello All- I see a very weird thing with custom TCODE assignment, here is what I see:
  1)We have Display role which has all functions tcodes in it, which goes to every one on PRD.
  2)Usually we assign custom tcodes which are not critical to this role, and this custom tcode would have no auth objects assigned or checked during access.
  3)When I assign custom tcode to test role, I see its not pulling auth objects in PFCG which is what I expected.
  ***4)However when I assign this custom tcode to 'Display role' which have many standard tcodes in it, I see many of the auth objects "lights turning in to Yellow" (as you know its asking me to maintain value)
  5)I checked in SU24/SU22, to see if its pulling any auth objects...no objects are tied to this tcode.
  I dont know why this is happening?
  Again if I assign to test role, no objects is showing up in PFCG which is what I want!
  Any suggestions of to handle this issue, I will really appreciate your thoughts.
  Thanks,
  AJ

  AJ wrote:>
  > Hello All- I see a very weird thing with custom TCODE assignment, here is what I see:
  > ***4)However when I assign this custom tcode to 'Display role' which have many standard tcodes in it, I see many of the auth objects "lights turning in to Yellow" (as you know its asking me to maintain value)
  > 5)I checked in SU24/SU22, to see if its pulling any auth objects...no objects are tied to this tcode.
  >
  > I dont know why this is happening?
  >
  > Again if I assign to test role, no objects is showing up in PFCG which is what I want!
  >
  This is happening not because of the Custom TCodes you have added. The reason are either of the following:
  1. In previous cases when some other TCodes (SAP Standard) were added, the the profile regeneration was not carried out by entering Authorization data through "Expert Mode for Profile Generation" (or used with option "Edit Old Status" only). Instead, "Change Authorization Data" was used. And thus the Object proposals for New entries in Menu were not pulled into Profile Generator at that time. Now it's coming. Surely you entered with Expert Mode for Profile Generation --> Read Old status and Merge with New data.
  2. Other option can be: Earlier some Objects were changed which were present there only with "Standard" status. It should have been done by copying the Object and change the copied one. Then make the standard one "Inactive".
  3. The Inactive Object described in the 2nd point has been Deleted and the object with status "Changed" is left only. Now when you are entering with "Expert Mode for Profile Generation" it's pulling those standard proposals again.
  Let me know if the probable reason of Yellow traffic lights are clear to you or need more details.
  Regards,
  Dipanjan

• BI Role with Analysis Auth Object

  Hi
  How can i use Authorisation Object created in RECADMIN with all the list of Infoproviders in S_RS_COMP and S_RS_COMP1
  So that user can perform mentioned action on the data providers mentioned in analysis authorization object.
  As i need one place to list all the data targets user can access insted of maintaining in S_RS_COMP and S_RS_COMP1 and in Analysis Authorization object
  Thanks in advance

  Thanks Everybody for giving suggestions; I really appreciate alll your efforts.
  I followed step by step book of kamaljeet and findout that , I was missing to add related info objects of the inforprovider .added those info objects to auth analysis object.
  Now query is working fine without errors;
  problem is i am not able to restict the query since it showing all the data ; i am trying to put only few values in "0wbs_elemt "  .
  I added 0wbs_elemt in my analysis auth object;
  Clicked on 0wbs_elemt and kept values in value authorizations and also kept wbsh in hierarchy name , selected type 1, HI 0.
  still i am unable to restrict the data;
  Functinal consultants build WBSE  set up on a hierarchy. like
  18ICT-07/2011
        18ICT-07/2011-1
              18ICT-07/2011-1-AUDTM
                    18ICT-07/2011-1-AUDTM-01
              18ICT-07/2011-1-CETX_
                    18ICT-07/2011-1-CETX_-01
  they want to restrict like if we are giving 181ct-07 then they want to access every thing under it;
  same way like 181ct-08  etc etc..
  looks like they want to restrict the date very granuler level like  restriction on " Attribute Navigation   "
  Can anybody please do let me know how can we achieve  Navigation Restriction.
  Thanks.

• Auth Objects & Programs

  Sorry wrong forum...
  Hi,
  checking with suim I found out in wich program is used one specific auth. object.
  Is there some table where I can find this information Programs->Auth. Objects?
  Thanks.
  FedeX
  Edited by: FedeX on Nov 4, 2008 4:35 PM

  Hello FedEx,
  Table TSCTA is what you are looking for --- I have also included a very helpful link to the SAP Help Page to help you with a few other questions you might have regarding authorization.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm
  Cheers,
  Nate