Controlling Specific Posting Key Access by Security Roles
I am currently implementing Z-Option GLSU which is an excel based general ledger posting tool. The way it operates is that it runs FB01 and FBV1 as an SM35 batch job but basically allows a user to post to SAP without having to directly go into the SAP client.
There are security concerns now because users can change the posting keys to allow postings to areas other than the general ledger (vendor, customer, etc) though it may not have been intended for that user's security profile. Can someone tell me if the user's security authorization will automatically prevent them from posting to a vendor for example (if they don't have FB60 access) or if that is not possible if there is some user exit that can specifically restrict access for those t-codes to posting keys 40 and 50? Any suggestions would be greatly appreciated, thanks.
FYI...
We were able to resolve this dilemma. Here is how....
We created two types of access: application and content. We applied the "user type" access to the application, web intelligence, in the CMC. Then, applied the Content security to the folders.
Thanks
Similar Messages
-
Document types need restricted to specific posting keys
Hi,
When posting a KR document type with transaction F-43 we are able to post GL posting key (40) and posting key(50) without ever entering a vendor posting key(31).
The question is how do we prevent this situation and make sure that a vendor posting key is used. We can use a validation rule but can this be done with standard configuration.
Thx,
-JohnUse a Validation OB28. You can use document type or transaccion code(f-43) in order to make mandatory the posting key 31. Keep in mind that you would need to use the accounting key 40 in order to post the expense.
Regards -
Can I set Posting key 39 A as optional and 39 F as mandatory?
Hi,
Previously we set PO number as mandatory when user perform transaction F-47. The posting key is 39 F.
I change the config via OB41, posting key 39 PO is mandatory
Now Account use F-48 to post down payment. The posting key is 29 A.
After that they want knock off by F-44, posting key is 39A.
Then we hit error to key in PO number, but we don't have PO to key in.
May I know, is it possible to set specifically:
posting key 39 special GL indicator A, the purchasing document is optional?
posting key 39 special GL indicator F, the purchasing document is mandatory?
ThanksHello
At posting key level you control the field status of the document. Now in your case since the posting key 39/29 or for that matter any sgl posting key would be tagged to quite a few indicators so when you make changes for field status at posting key level it would result in central change for all these indicators.
So what i told you was to check the field status group which is in the alternate g/l account for the relevant special g/l indicator, when you created them. Then in the field status group of this g/l account you can make the choice as suppressed / Display/ Required / Optional as the priority is in that order.
Hope this clarifies -
Unable to assign all security roles to a user with a new custom security role
Dear All,
Happy New Year.!
I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
any desired security role to the new user.
However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
to assign some other security roles, including 'Support User Role', to new user 'y'.
I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
Appreciate any help that you can provide on the above issue.
Thanks in anticipation.Hi,
Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
Refer:-
http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
Hope this helps!!!
Thanks,
Prasad
Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question -
How can I limit/control the addition of auth. objects to security roles?
Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certaing type of auth. objects and didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
Edited by: Armando Salas on Nov 29, 2011 7:41 PMHi Armando,
Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
I hope this helps you
Regards
Eduardo -
Hi, I keep getting this message: Creative Cloud attempted to access a secure website, Parental Controls restricts access to secure websites. To add this website to your approved list, click Add Website. To do this, you need an administrator password.
what is this? what password do i need?
I am trying to download Creative Cloud but it not working?Tamaro34896425 the error message you have posted appears to be related to the settings of your security software. You can find guidance on how to configure software firewalls at Sign in, activation, or connection errors | CC, CS6, CS5.5 - http://helpx.adobe.com/x-productkb/policy-pricing/activation-network-issues.html. You can find a link to the list of secure servers that the computer will need access to.
-
I see that you can control which form is used based on security roles, but can you control it based on other field values? I'd like a new record to use a different form until a given status is updated. I have a status of draft and active. So
it would be nice if I could use form1 for those in draft, form2 for those that are active. But I only see where you can control that via the security roles.
I can code all of this via JavaScript, but having the ability to use two separate forms would be nice. Is that even possible.
Best regards,
Jon Gregory RothlanderHello,
Recheck following article - http://gonzaloruizcrm.blogspot.com/2014/11/avoiding-form-reload-when-switching-crm.html
Dynamics CRM MVP/ Technical Evangelist at SlickData LLC
My blog -
Background FI Posting with clearing, posting key control, etc - How?
I have the requirement to post FI documents with clearing, with defined posting keys, where some of the fields come from file, some of them defaulted. It should happen in the background.
I used BAPI BAPI_ACC_DOCUMENT_POST. I had the posting key problem, however with Badi ACC_DOCUMENT using EXTENSION2 I managed to generate the FI docs with the right posting keys.
Now I have problem with clearing. It seems with this BAPI it's not possible to trigger clearing.
I found some threads about FM 'POSTING_INTERFACE_CLEARING', however I don't think I can have any influence on the posting key and generated line items. So it doesn't help to me.
FM BAPI_PAYM_ITEM_POST_CLEARING is for payments.
Using program RFBIBL00 would be difficult, as far as I can see it can only use file in the specific format as an input.
I should read my file and generate another file and call this program. This wouldn't be really the best approach.
In this moment the only solution I can think of is transaction recorder/call transaction approach. Unfortunately this solution would be really release-customizing dependent and not performance-optimized.
Any other idea?
Thanks in advance,
PeterHi Rob,
Thanks for your answer.
In one of the sap standard batch program I found FM FI_PSO_DOC_DIRECT_INPUT. I'll give a try, it might help also.
Best regards,
Peter -
Posting key 12 does not permit specification of a special G/L indicator Urg
hi all
i want to riverse the cross company code transaction showing follwing messages
Posting key 12 does not permit specification of a special G/L indicator
Posting key 22 does not permit specification of a special G/L indicator
regards
JK RaoHi
Please go to transaction code OB41 and for the posting keys 12 and 22 please ensure that there is a tick mark for the special G/L indicator. Then your entry can be completed.
Let me know if it helped and do assign points if found useful.
Check the posts in the thread tittled - "re:Cross Company Code Code Transaction Riversal urgent"
Karthik
Message was edited by:
Karthik Coneru -
Reverse posting key specification is missing for posting key 80
A FI document was wrongly posted with posting key "80" instead of 40. And now we are not able to reverse it. System is giving following error --
"Reverse posting key specification is missing for posting key 80"
Document posted as
50 207200 CASH - MAIN-O.H. 762.00-
40 410120 CONVEYANCE EXPENSES 702.00
<b>80 402440 STAFF WELFARE EXPENS 60.00</b>
Please suggest
Thanks & RegardsHi,
Go to OB41, select the posting key 80 and in the third tab "Other attributes" mention Reversal Posting key. Like you can observe for posting key 40, reversal key 50 would have been assigned.
Pl assign points, if helpful. -
Hi,
I am migrating a web application from Websphere to Weblogic. The web application has a security role defined in web.xml (Use LDAP for authentication).
security-role>
<description>Authenticated</description>
<role-name>Authenticated</role-name>
</security-role>
This role is mapped to a special subject "All authenticated user in appliation realm" in WAS.
In weblogic, I have the following setting in weblogic.xml
<wls:security-role-assignment>
<wls:role-name>Authenticated</wls:role-name>
<wls:externally-defined />
</wls:security-role-assignment>
And after deploy the application, have to manually add a security role and add the security policy "Allow access to everyone" to this role.
I am wondering if this setting can be specified in for example weblogic.xml so just deploy web applicaiton using deployment descriptor, and I don't need write script to do that .
ThanksHi,
You need to have Back End support to achieve this. In Back End you need to create two groups . You need to know what joins has to be made for which group (which is more important) and also make session variable for the userrole (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
And make a common report. User loggin in with the respective userid will have userrole and joins assigned in the Back end. And they will be viewing the report according to their access.
Hope this will solve your problem.
Regards
MuRam -
F-32 - Posting Key 07 does not permit specification of a spl G/L Indicator
Hi Expert
Pl help on following -
Customer has following
Advance Rs. 10000 - Entered via T.code F-28 (Note We have different type of advnces collected from a customer and therefore we entre special G/L Indicator here, .i.e. "A")
Outstanding Invoice Rs. 6000 - From Sales Module
In F-32, partical payment we want to clear the Advance, so that System should knock off Invoice and keep 4000 as credit balance for further adjustment.
However after we simutlate, we are getting error -
"Posting Key 07 does not permit specification of Spl G/L Indicator (Message No. F5761) which suggest to make following configruation changes.
To correct above issue, I tried to correct the accounting configuration (OB41) for posting key 07 and selected "Speical G/L' Check box in 'Other attribute. Here I have also provided the allowed Spl G/L Indicator i.e. "A".
However after above changes done, system is now reporting message F5311 "Incorrect automatic posting are cancelled" and coming out from F-32 Tcode itself.
One last oberservation, In OB41, for posting key 07 "Payment Transction' tick is NOT selected. Actually posting key 07 is "Other Clearing". In posting key 08 which is "Payment Clearing" , I can see 'Payment Transction" is Selected. Is this making the difference.
So I am in complete mess. Please help.
- SunilThanks for your answer.
I have following questiong
1. Why system is suggesting posting key 07, as it is automatically coming during simutatlion.
2. If using 07 is not correct, which one should be use and how to correct the configuration so that in simulation by defualt correct posting key will appear.
Thanks in advance.
- Sunil -
Can't access some secure sites through proxy?
can't access some secure sites through proxy server on osx it just keeps going local authority couldn't be contacted, i had the same problem with parental controls, but now that is off and its still doing it, is there a setting or something i need to enable?
In my original post, not today's, I had said I was having the issues on the Mini, running OSX 10.6.8 and Safari v.5.1.5 for my bank's pill pay. I should have been more specific as to which machine and OSX Safari browser I'm having the T-Mobile problem with. My mistake.
It is on both the MacMini and now the Air too. A moment ago, I was able to log in to my.t-mobile.com on the Air, but after putting into my Bookmarks folder, I can't do it anymore. The Log in button comes up greyed out instead of green.
I'm also still having trouble with my bank's bill pay section on both computers too.
I wonder if it's related to the saving of the log in info or putting in the Bookmark Folder? -
Does Azure SQL support AD and Security Roles
I would like to create Reporting Service reports using Azure SQL Database.
It is possible to attach Azure SQL to Active Directly and use its Security Roles so that I can filter reports based on AD groups of report user?
Kenny_IHi Kenny,
Thanks for posting here.
I suggest you to check this link for details.
http://www.infoq.com/news/2015/02/azure-sql-ad-media
http://www.developerfusion.com/article/121561/integrating-active-directory-into-azure/
http://www.codeproject.com/Articles/749588/Role-Based-Access-Control-with-Azure-Active-Direct
http://azure.microsoft.com/en-us/documentation/articles/best-practices-security/
Hope this helps you.
Girish Prajwal -
How reusable is a security role
Can I copy one from one org to another? More specifically, since the set of custom entities don't match, am I creating a problem or opportunity for collision by copying a security role from one org to another? Are custom entities managed by
guid or entityTypeCode within the security role?I've just done a test and managed to import a role that was controlling access to an entity present on the origin CRM but not present on the destination CRM. the import went though without errors. the role was created on the destination, but the role's
settings for the custom entity disappear. So, even if that may not break the system, it Can cause confusion. Specially if you are moving across DEV, TEAST and PROD systems. Not a good practice.
I Hope I could help. If I have answered please mark as 'Answer'. If was just helpful, please vote. Thanks and happy coding! Bruno Lucas, http://dynamicday.wordpress.com/
Maybe you are looking for
-
Conditions for PO approvals in R/3 system
Hi We are on SRM 4.0 classic scenario and backend as ECC5.0 We have a requirement where PO approval is to be done in backend R/3 system, only for POs which are created from SRM sourcing cockpit and R/3 manual POs. POs that are created from catalog ba
-
Mounting USB drives in general
Hello, I am having trouble trying to figure out how to mount a usb jumpdrive or similar product in Solaris 10. I have a good understanding of the mount command, it is just trying to figure out what I am supposed to mount. I can't seem to find what wa
-
Hi, after making an instance of FileWriter, a simple file to go along with it e.g., : FileWriter writer = new FileWriter("AFile.txt"); and then returning the encoding via: String aStringHere = writer.getEncoding(); When I display this string it is "C
-
Lenovo C255 - USB Drive and USB HDD is not recognized
Hi I am trying to attach SSD (Kingston SSDnow 300 - 60gb) drive to PC via bridge SATA-USB to USB 3 port, so i have "USB to ATA/ATAPI Bridge" stuff at installed devices and no HDD disks appeared at MyComputer . Still i have 2 disks at Device manager
-
Guest Snapshot/Disconnected Network Continues. NOT FIXED.
After about a gazillion patches, disable TCP chimney, change backup schedules, updated drivers, updated hotfixes... I STILL have VM's whose nework cards become disconnected see KB2263829 (this does not fix the issue btw) Clearly it is related to DP