Color change in authorization object in maintained, partially ,unmaintained

Similar Messages

• Mass change of authorization objects in several roles

  Hello,
  we have to change a authorization object in almost 200 roles. Is there any possibility for mass change of authorization objects in several roles? We don't use the central SAP user administration.
  Best Regards
  Andreas Walter

  > at the moment all entries has the value "*". We want to change this value into "0001".
  Good!
  Here comes:
  1- download all relevant roles in once from PFCG. Make sure you use an appropriate codepage so you don't loose special characters in the role and menu texts.
  2- copy and backup the download file
  3- in the download file (is a text file)  look for all lines starting with AGR_1251 and conatining M_MATE_WGR and the field you want to change
  4- take out the star and two spaces and replace by 001. This file is a set of fixed record length table exports and keeping the original length is very important.
  5- upload the edited file and generate the profiles.
  As you may see this is not SAP standard and completely at your own risk. Best try in a sandbox client first.
  Good luck!
  Jurjen

• Sales Order Change (VA02) Authorization Object

  Hi Experts,
  Please suggest me, what is authorization object for availability check in VA02.
  From
  Ramesh Kumar

  Hi Kapil,
  Thanks for your reply.
  I have already checked it. But i am not finding this object.
  Basically, I want to restrict a user for change in delivery schedule dates. So please suggest me, how to restrict a user for that.
  From
  Ramesh Kumar

• QM Authorization object

  Dear Friends,
  may i know what are the key  Authorization object in QM module
  like  plant,company code,inspection type ,status profile
  Thanks & Regards
  Rah

  Hi Raj,
  Table maintenance authorization       S_TABU_DIS
  Transaction authorization     Q_TCODE
  Material authorization     Q_MATERIAL
  Authorization objects for maintaining the master data:
  Catalog maintenance
  - code groups     
  Q_CAT_GRP
  - selected sets Q_CAT_SSET
  Insp. method based on status     Q_STA_QMTB
  Insp. charac. based on status     Q_STA_QPMK
  Inspection plan maintenance     Q_ROUT
  Plan characteristics according to
  plan type     Q_PLN_FEAT
  Authorizations for inspection processing:
  nsp. type for insp. lot      Q_INSPTYPE
  Usage of codes from catalogs
  - group codes     
  Q_GP_CODE
  - usage decision code Q_UD_CODE
  Inventory postings     Q_STCK_CHG
  Inspection completion     Q_INSP_FIN
  Change control charts     Q_SPC
  For Plant and Company code there are different authorization obj. are used for different purposes.
  e.g.
  M_MATE_WRK will be used for material master access at plant level.
  along with the Authorization Field as 'WERKS'
  M_MATE_BUK will be used for material master access at company code level
  along with the Authorizarion Field as 'BUKRS'
  While for Inspection type the Authorization obj. is Q_INSPTYPE
  Regards,
  Shyamal

• Problem in transporting authorization object

  Hi,
  I am facing a problem in transporting the authorization object. We have an existing cube in development and production. In production the object has 3 authorization objects checked. Now I want to change the authorization object assignment in my cube. So I changed the assignment in the development, but when I tried to transport the authorization object it collected all the cubes where the authorization object is used.
  I want to transport only the authorization object associated with that cube, not all. I understand that logically if we are transporting the authorization object from RSSM, it takes all the assignments. But I don't want to do that because there may be some inconsistencies between the system.
  Can you tell me weather we have any other way, so that the authorization object is transported only for one particular cube assignment not all.
  Thanks in advance
  Prashant

  Hi,
  I tried that but not getting anything.
  Can you please tell me the steps.
  Steps I have done are as follows.
  1. Go to RSSM and select the authorization object.
  2. We have a button which says transport authorization object. I clicked on that.
  3. I got a list of all the authorization objects there. I selected my authorization objects and clicked on Transfer Object button.
  4. Then I get the hierarchy authorization objects.
  5. After that I selected a request and everything is included in that request. I didn't got your above mentioned option.
  Do you want me to go to the table RSSTOBJDIR and delete all the other entries??
  It would be great if you can tell me the steps to do that.
  Thanks in advance
  prashant

• Programmatically assigning Authorization Objects to roles

  Hi there,
  I have created an authorisation object with eight fields. The fields control which parts of my application are accessible to the user. (Each field is one category, each category has several subcategories).
  What I want to do is the following:
  There shall be a custom authorization dialog, wherein the system administrator can configure the access of the application for a specific user.
  In plain text: I want to develop an interface which makes it possible to assign authorisation objects with specific values to a user or to an already existing role.
  Is there any functionality, that allows me to perform this assignment and regenerate the users profile?
  I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just to write new values to that table has no affect to the authorization when calling "authority-check object" in an ABAP report.
  Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?
  Thank you very much,
  Gregor
  Edited by: Gregor Bender on Mar 11, 2008 8:41 AM

  >
  Gregor Bender wrote:
  > I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values.
  Nope, sorry, it's not the connection but only one of the many.... Roles and profiles are stored in quite a lot of different tables so manipulating one table directly will hardly ever get you the desired situation. It may even lead to problems due to inconsistencies.
  For mass regenerating profiles there's transaction SUPC.
  For manipulating the contents of roles/profiles have a look at scripting with SECATT or LSMW in combination with PFCG.
  If you want to write code to add objects to roles you have to look at least in tables AGR_1250, AG_1251 and AGR_1252. The UST* tables are updated when generating profiles and/or comparing users.

• Authorization objects problem , unable to delete

  hi all,
  i hv created authorization object via SU21. ZZ_program, I am trying to modify but it prompts warning:
  <b>Field assignment for object ZZ_PROGRAM cannot be changed as auth. for it exist
  Message no. 01221
  Diagnosis
  You attempted to change an object for which authorizations exist. Authorization fields for the object cannot be changed here.
  Procedure
  If you want to change the object anyway, you must first delete all authorization belonging to this object.  Consider that other systems may also be affected.</b>
  after i enter the message, it prompts the whereuse list
  <b>Where-Used List                  
  Authorization Object             
  ZZ_PROGRAM                       
  Berechtigungen                   
  AA________00                     
  Rollen                           
  ZZPROGRAM   </b>      
  after that, the  fields are all greyed off, i am unable to change the authorizatiion fields  and i do not understand the where use list result, can anybody pls help ?
  i am working on sap 4.7

  There  is one particular check with Table <b>USR12</b> (User Master Authorization Values) and also with table <b>AGR_1251</b> (Authorization data for the activity group).
    SELECT distinct AUTH FROM USR12     
         appending table list              
         WHERE OBJCT =  OBJECT             
           and AUTH  ne '&_SAP_ALL'        
           and AUTH  ne '&_SAP_APP'        
         order by auth.
    if sy-subrc = 0.                                       
      insert 'Berechtigungen' into list index 1.           
      RC = 1.                                              
    endif.                                                 
    append 'Rollen' to list.                               
    index = sy-tabix.                                      
         SELECT distinct agr_name FROM AGR_1251            
           appending table list                            
           WHERE OBJECT =  OBJECT                          
           order by agr_name.   
  If that is sucessful , you cannot change the authorization object.
  See the content of <b>AGR_1251</b> table using your authorization object name. Then you will Role name from field AGR_1251-AGR_NAME
  with this role name, go to Tcode: <b>PFCG</b>
  and give the Role name and click on change button
  In authorization tab.Chick on Change Authorization Data.
  And find and remove this authorization object from there.
  And then proceed with changing the Authorization object.
  Hope this will solve ur issue.

• Table for authorization objects

  Hi All,
  What is the table where all authorizations for a user for a particular authorization object is maintained?
  Thanks,
  Neelima.

  hi friend
  usr04 -User master authorizations alone
  usr07 - it will display all the authorisation object field name.
  if its helpful reward for the same
  regards
  vijay

• PFCG - Alteration the 'authorization objects' of a profile.

  Good Morning My Friends,
  I have a profile created in PFCG, I want to change your authorization objects, using a BADI or function.
  Does anyone know which function to use?
  I've tried a lot and found nothing.
  This is an example of what I want to do.
  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  Original profile.
  Profile Name: Profile_Deivison
  Object :.......... S_DEVELOP
  Auth :.............. T-TD55048100
  Field :.............. ACTVT
  Value :............ 01, 02, 03, 06, 07
  Modification of authorization objects of the profile (fictitious example).
  called function to change the profile.
  CALL FUNCTION 'CHANGES_OBJECT_AUTHORIZATION_PROFILE' "" "" This function does not exist
  EXPORTING
  name_profile = 'Profile_Deivison'
  object = 'S_DEVELOP'
  auth = 'T-TD55048100'
  field = 'ACTVT'
  value = '01, 06, 07 '
  Results function.
  Profile Name: Profile_Deivison
  Object :.......... S_DEVELOP
  Auth :.............. T-TD55048100
  Field :.............. ACTVT
  Value :............ 01, 06, 07
  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  I thank.
  Edited by: Deivison.Lana on Jul 7, 2011 9:55 AM

  Thanks for the help.
  but from what I saw during the discussion was not found a solution, that with reference to 'Change Authorization Objects'.
  Edited by: Deivison.Lana on Jul 7, 2011 4:33 PM

• PFCG authorization objects vs SU53 checks

  Hi all,
  I was thinking I have understood for a long time authorization checks. But no.
  So Here's my question.
  When I ahd a transaction in PFCG menu, PFCG gets the authorization objects to maintain automatically (from SU24 checks). OK.
  When testing the role in ECC : : error. SU53 qays that authorization objects are missing. How the tests are working regarding SU53 and PFCG ?
  i.e tcode_de = MDBT in PFCG, PFCG gets M_MTDI_ORG object to maintain => OK
  When testing my role, SU53 says that other objects is missing, i.e S_ADMI_FCD. I don't understand because this object is checked with 'NO' in ECC.
  Thx.
  Laurent

  Hi
  > When testing the role in ECC : : error. SU53 qays that authorization objects are missing. How the tests are working regarding SU53 and PFCG ?
  The auth checks performed are dependent on lots of things: system config, functional config, master data setup, use of the transaction.
  The config in SU24 can't cater for all of those options so SAP gives us the ability to make them more accurate for our particular situations.
  > i.e tcode_de = MDBT in PFCG, PFCG gets M_MTDI_ORG object to maintain => OK
  >
  > When testing my role, SU53 says that other objects is missing, i.e S_ADMI_FCD. I don't understand because this object is checked with 'NO' in ECC.
  You can't deactivate a check on an S_ or P_ auth object.  These auths are fundamental methods of protecting the SAP application (S_) and personal data (P_)
  As David says, the SU53 only shows the last auth failure and there is often lots of spurious stuff reported that isn't required to allow the transaction to process.  In this respect ST01 is more useful as it (usually) shows you all the auth checks being evaluated so you can more easily focus on the important ones.

• How to check and maintain authorization objects

  Hi  Alll            
  Let me knowhow to check and maintain authorization objects  in SU24 ECC 6.0.
  Thanks
  sathies

  Hi Sathies,
  the old check flags
  U
  Unmaintained
  No indicator set. The check for corresponding authorization object is always executed. Field values are not displayed in the Profile Generator.
  N
  No check
  Check disabled. Field values are not displayed in the Profile Generator. This indicator cannot be set for HR and Basis authorization objects.
  C
  Check
  Check always executed. Field values are not displayed in the Profile Generator. For example: Printer authorizations.
  CM
  Check/maintain
  Check always executed. Field values are displayed for changing in the Profile Generator (yellow light).
  Have been divided now in
  Checkindicator : Check/NoCheck
  and
  Proposal: Yes/No.
  If defaults=yes, then you can modify them after clicking on the apropriate button.
  Please refer to the online help for SU24 too.
  Although the look of su24 has been changed significantly, the technique behind it is still the same.
  Once you have pressed the 'edit'-button on the top left corner, additional editing options will appear in the right-top-frame.
  b.rgds,
  Bernhard

• Authorization object to view Maintain Performance Documents on MSS

  Hi Experts,
  Would like to know which authorization object would require to view Maintain Performance Documents on MSS. Currently, we removed SAP_ALL access from MSS user and not able to peform Maintain Performance Documents.We are on EP 7 and ECC 6.
  It gives following error :
  java.lang.NullPointerException
       at com.sap.xss.hr.mbo.blc.BMboStatusComp.resetGlobalMboR3Data(BMboStatusComp.java:260)
       at com.sap.xss.hr.mbo.blc.wdp.InternalBMboStatusComp.resetGlobalMboR3Data(InternalBMboStatusComp.java:195)
       at com.sap.xss.hr.mbo.blc.BMboStatusCompInterface.resetGlobalMboR3Data(BMboStatusCompInterface.java:150)
       at com.sap.xss.hr.mbo.blc.wdp.InternalBMboStatusCompInterface.resetGlobalMboR3Data(InternalBMboStatusCompInterface.java:168)
       at com.sap.xss.hr.mbo.blc.wdp.InternalBMboStatusCompInterface$External.resetGlobalMboR3Data(InternalBMboStatusCompInterface.java:224)
       at com.sap.xss.hr.mbo.vac.VMboStatusComp.onBeforeOutput(VMboStatusComp.java:227)
       at com.sap.xss.hr.mbo.vac.wdp.InternalVMboStatusComp.onBeforeOutput(InternalVMboStatusComp.java:185)
       at com.sap.xss.hr.mbo.vac.VMboStatusCompInterface.onBeforeOutput(VMboStatusCompInterface.java:143)
       at com.sap.xss.hr.mbo.vac.wdp.InternalVMboStatusCompInterface.onBeforeOutput(InternalVMboStatusCompInterface.java:136)
       at com.sap.xss.hr.mbo.vac.wdp.InternalVMboStatusCompInterface$External.onBeforeOutput(InternalVMboStatusCompInterface.java:212)
       at com.sap.pcuigp.xssfpm.wd.FPMComponent.callOnBeforeOutput(FPMComponent.java:603)
       at com.sap.pcuigp.xssfpm.wd.FPMComponent.doProcessEvent(FPMComponent.java:569)
       at com.sap.pcuigp.xssfpm.wd.FPMComponent.doEventLoop(FPMComponent.java:438)
       at com.sap.pcuigp.xssfpm.wd.FPMComponent.wdDoInit(FPMComponent.java:196)
       at com.sap.pcuigp.xssfpm.wd.wdp.InternalFPMComponent.wdDoInit(InternalFPMComponent.java:110)
       at com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent.doInit(DelegatingComponent.java:108)
       at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
       at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
       at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.init(ClientComponent.java:430)
       at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:362)
       at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:754)
       at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:289)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingPortal(ClientSession.java:733)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:668)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
       at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
       at com.sap.tc.webdynpro.clientserver.session.core.ApplicationHandle.doProcessing(ApplicationHandle.java:73)
       at com.sap.tc.webdynpro.portal.pb.impl.AbstractApplicationProxy.sendDataAndProcessActionInternal(AbstractApplicationProxy.java:860)
       at com.sap.tc.webdynpro.portal.pb.impl.AbstractApplicationProxy.create(AbstractApplicationProxy.java:220)
       at com.sap.portal.pb.PageBuilder.updateApplications(PageBuilder.java:1288)
       at com.sap.portal.pb.PageBuilder.createPage(PageBuilder.java:355)
       at com.sap.portal.pb.PageBuilder.init(PageBuilder.java:548)
       at com.sap.portal.pb.PageBuilder.wdDoInit(PageBuilder.java:192)
       at com.sap.portal.pb.wdp.InternalPageBuilder.wdDoInit(InternalPageBuilder.java:150)
       at com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent.doInit(DelegatingComponent.java:108)
       at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
       at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
       at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.init(ClientComponent.java:430)
       at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:362)
       at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:754)
       at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:289)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:713)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:666)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
       at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
       at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
       at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
  Would appreciate kind guidance to resolve issue.
  Thanks in advance.
  Aashish

  I am closing this thread as opened at wrong place.
  Thanks,
  Aashish

• Authorization objects for  transaction, one to view, and one to maintain

  Hi all,
  My requrement is to create two authorization objects for  transaction, one to view, and one to maintain.
  I know how to create objetcs vai sm21, but i donot know how to crate objects with activity codes.
  Please suggest how to create object where i can asign activity codes.
  regards
  manish

  The Authorization Concept
  R/3 uses authorization objects to assign authorizations to users. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (eg. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (eg. Z_SCC20001).
  Authorizations may be classified as general authorizations, organizational authorizations or functional authorizations. General authorizations specify the functions a user may perform. Authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. The system checks for the useru2019s authorization to create general ledger accounts (Activity 1) in at least one company code. The system then checks whether the user is permitted to create accounts for the specified organizational unit (company code) and has the required functional authorizations. Authorizations in this case may restrict the user to certain Charts of Accounts. In addition, an authorization group may be defined in certain authorization objects to protect individual master records.
  Profiles relating to an organizational role (eg. General Ledger Supervisor) are defined consisting of a list of authorizations and other profiles. Such profiles are then assigned to users with that role and stored in their user master record along with other data (eg. password).
  Do check this link as well.
  http://articles.techrepublic.com.com/5100-10878_11-5110893.html

• Change authorization object in a derived role

  Hi Gurus,
  What's happen if someone has added a new authorization object in a derived role?
  He has only changed some derived role, not the parent role, he added manually a new value in the authorization field. The parent role didn't changed.
  <u>Note:</u>The field was not an organizationnal field, it was S_DATASET.
  What do you think about this ?
  Thanks
  Hery-zo

  Do i understand this right??? do functional teams have access to PFCG to create roles???
  If so that is your real problem, as that shoudl never been doen that way. You are completely right functional consultants have no clue about how roles should be build. advise:
  1 take away the access to PFCG in ALL systems for anybody other than security consultants administrators.
  2 ask all functional teams to describe the roles points to be adressed:
     A TRX in every role
     B all wanted restrictions on every TRX (described functionally)
     C orglevels on which restrictions should be build.
     D Test process for every TRX in every role (both positive and negative)
     E  check all roles against table USOBT and look for manually added objects,  
         if they can not give a good reason for adding these REMOVE them.
  3 retest all roles based on point 2D, ask the funcxtional consultants to assist where needed. Adjust roels during testing where needed, but create a good auditable record for every change.
  4 Update USOBT_C (use TRX SU24) for all changes you apply during testing
  5 check your roles for the corrected TRX after this change and update the other roels involved as well.
  6 ONLY allow roles that have followed the above process to go to Production.
  The above steps are the only way to create a secure SAP Production system for you!

• Change Authorization object to add another InfoOjbect

  Hi All,
  We have Custom Authorization Object developed in BW system which is successfully moved to Production. Now new requirement has come up to add new InfoObject in that
  Existing Custom Authorization Object. Is it possible?
  If yes can you please let me know the required steps?
  Thanks,
  Samir

  you can add the new infoobject in the BW system and after doing this you can transport the request related to this change from the  BW system to the production server but for this you need help from the Basis consultant.
  i hope this answer is of some use to u...if yes pla assign some points.
  Edited by: Denella  D'souza on Jan 30, 2008 10:49 AM