Creating an auth group

Hi,
I want to restrict access for a user in such a way that he sees only the following tables.
AGR_define
TSTC
USOBT
All these tables come under the auth group SA, SS or SC which is SAP delivered. Now if I give any of these auth groups, then the user will have access to all the tables within this authorization group. I tried to create a new auth group in SE54 and when I tried to assign the auth group to one of the SAP standard tables, it would not let me do it. It gives the following error message: 'choose the key from the allowed namespace'
Is there any way to restrict access to a few SAP standard tables? Thanks in advance.
regards,

I guess you'll give access via transaction SM30 or SE16? If restricting on auth group is not enough you can try to make a 'transaction variant'. Start transaction SHD0, then you will go through the transaction and after each screen you'll have the possibility to choose what you want to see, with or without context, ... So in transaction SM30 you can choose to skip the first screen and with the new transaction the user won't be able to change the table. You can afterwards assign a transaction to the variant, put this transaction in a role and assign the role to the user. The user will be able to start transaction SM30 but will go directly to the second screen, so he will not be able to put another table in the selection screen.
When the user is allowed to only those 3 tables you have to create 3 transaction variants. This is a quick explanation, but if this is usable you'll probably have more info on searching on transaction SHD0.

Similar Messages

  • How to Assign Event to Auth Group

    Hello All,
    Please suggest is there any way to assign Event to Auth Group.
    Scenario is:
    Add event ZHCM* to its own authorization group. These changes to SM64 are needed in order to assign the transaction (restricted to the custom program only) to Payroll for kicking off their interfaces after each payroll run. Please create custom auth group say ZPAY and assign the ZHCM* event to this new auth group.
    Thanks in Advance !!
    Best Regards,
    CB

    I hope you are assigning to the radio group, not to a radio button. I mean you could have radio group xx with buttons butt1, butt2, butt3 etc. You can't have
    xx.butt1 := 100
    Besides that it's perfectly acceptable by Oracle to assign to a radio group unless of course the variable is badly spelt
    Hope this helps
    Lewis

  • Auth group to a table

    Hi All,
    We need to assign an auth group to one of our custom tables. Can you please tell me how I can do that?
    The only way that I know is to go to se11->utilities->table maintenance generator and there we can assign the auth group. But when I tried doing this I found that the auth group can be only 4 characters long, but when we created the auth groups for our program we were able to create them up to 8 characters long. Are the auth groups for the program and the table the same? And if not, is there a way where we can see what auth groups are assigned to a table (as for a program we can go to table trdir)?
    Thanks,
    Rajeev

    Hello
    You can use se54 to create an auth group for a custom table.
    Search the forum for more details
    Regards
    Greg Kern

  • Application area for the Auth Group

    Hi All,
    I want to create an authorization group, and make sure that this should work for every program where I will put it irrespective of the application of the program, i.e. I should have an ability to assign it to the FI, HR and all other programs. So can you please tell me under which application I should create this Auth Group using table TPGP?
    Thanks,
    Rajeev

    Hi Rajeev,
    It is not required that you assign the authorization group to any application. The application has a documentary purpose only. However, if you still want to assign your authorization group to a program, just ignore the warning message when editing the attributes of the program and save your entry.
    Cheers,
    Shahram

  • Accounts being created with administrative group rights

    Hello,
    The server is a Windows 2003 R2 Enterprise fully patched used for Shared Hosting purposes.  It runs Hsphere control panel.  I am trying to identify how the following hack is happening. 
    1) There are users being created with Administrative group rights.   Below is the EventViewer log for the user creation:
    User Account Created:
         New Account Name:    username
         New Domain:    PCNAME
         New Account ID:    PCNAME\username
         Caller User Name:    PCNAME$
         Caller Domain:    DOMAINNAME
         Caller Logon ID:    (0x0,0x3E7)
         Privileges        -
     Attributes:
         Sam Account Name:    username
         Display Name:    <value not set>
         User Principal Name:    -
         Home Directory:    <value not set>
         Home Drive:    <value not set>
         Script Path:    <value not set>
         Profile Path:    <value not set>
         User Workstations:    <value not set>
         Password Last Set:    <never>
         Account Expires:    <never>
         Primary Group ID:    513
         AllowedToDelegateTo:    -
         Old UAC Value:    0x2DAB2B0
         New UAC Value:    0x2DAB2B0
         User Account Control:    -
         User Parameters:    <value not set>
         Sid History:    -
         Logon Hours:    <value changed, but not displayed>
    There exist entries as well where the primary group ID is changed to the Administrative group, but I am omitting such.
    2) I tried to identify what Caller Logon ID:    (0x0,0x3E7) means.  I found out from here:
     http://blog.joeware.net/2013/01/14/2667/ that I can use LogonSessions.exe to identify it.
    Output from LogonSessions.exe is pasted below (snippet):
    [0] Logon session 00000000:000003e7:
        User name:    DOMAINNAME\PCNAME$
        Auth package: NTLM
        Logon type:   (none)
        Session:      0
        Sid:          S-1-5-18
        Logon time:   9/11/2014 12:41:53 PM
        Logon server:
        DNS Domain:   
        UPN:          
            4: System
          316: smss.exe
          364: csrss.exe
          392: winlogon.exe
          440: services.exe
          452: lsass.exe
          628: svchost.exe
          756: LMAgent.exe
          840: svchost.exe
         1000: spoolsv.exe
         1252: avagent.exe
         1268: camWMIAgent.exe
         1324: cissesrv.exe
         1380: cpqrcmc.exe
         1404: vcagent.exe
         1440: svchost.exe
         1480: HsQuotas.exe
         1740: inetinfo.exe
         1780: EmailAgent.exe
         1856: snmp.exe
         1884: sysdown.exe
         1920: smhstart.exe
         2192: svchost.exe
         2388: cmd.exe
         2396: hpsmhd.exe
         2444: cqmgserv.exe
         2464: cqmgstor.exe
         2484: HSphere.exe
         2596: wmiprvse.exe
         2676: cmd.exe
         2684: rotatelogs.exe
         2692: cmd.exe
         2700: rotatelogs.exe
         2732: searchindexer.exe
         2812: hpsmhd.exe
         2824: cqmghost.exe
         2852: svchost.exe
         3044: cmd.exe
         3052: rotatelogs.exe
         3080: cmd.exe
         3088: rotatelogs.exe
         5452: svchost.exe
         5596: GravitixService.exe
         7392: csrss.exe
         7232: winlogon.exe
         6888: csrss.exe
         9832: winlogon.exe
        10388: wawrapper.exe
        10352: cpqnimgt.exe
         9496: msiexec.exe
         6068: w3wp.exe
         4748: webalizer.exe
    3) I also learned from http://support.microsoft.com/kb/243330/en-us that   Sid:          S-1-5-18 means:
    SID: S-1-5-18
    Name: Local System
    Description: A service account that is used by the operating system
    That is all great info, but I am not sure I can put together what I have learned to attempt and get closer towards identifying how in the world users are being created and then being assigned administrative group rights.
    I am a Linux person mostly, but I am comfortable following a properly explained thread regarding windows 2003 R2 Enterprise issues.
    The server is fully patched and it is running Lumension security product.  What's more, Norman Malware tracker, tdskiller.exe (Kaspersky) and McAfee rootkitremover.exe have been run without any apparent Malware/Virus infection
    Hope someone with advanced admin skills can advise.
    Thank you

    Hi,
    You mentioned that, “I am trying to identify how the following hack is happening”, would you please tell us that why did you think the event represent a hacking behavior?
    In a Shared Server Hosting environment, the underlying hosting control panel tool (Hsphere in this case) should be creating only virtual FTP users with a specific group.  So no users with Administrative group should be ever created.  If this happens, it constitutes a breach of server security=positive hacking attempt.
    >how in the world users are being created and then being assigned administrative group rights.
    In addition, would you please be more specific about this question? Did you find the event message on a domain joined machine?
    I want to be able to understand in full how/what process is allowing users to be created with Admin rights.  In other words, I want to know what IP was used to issue the command, if ASP.net was used (abused in this case), or anything else related to it so that we can patch this particular hole.
    Best Regards,
    Amy
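
The correlation the poster walks through above (event "Caller Logon ID" to LogonSessions entry to SID to processes in that session), written out as an added example that is not part of the original thread. The function names, the `OS_BASELINE` set and the second logon session in the sample are assumptions made for illustration; the remaining sample text is trimmed from the post.

```python
import re

# Constructed sample, trimmed from the event text quoted in the post.
EVENT = r"""User Account Created:
     New Account Name:    username
     New Account ID:    PCNAME\username
     Caller User Name:    PCNAME$
     Caller Logon ID:    (0x0,0x3E7)
     Primary Group ID:    513
"""

# Constructed sample: session [0] is trimmed from the post, session [1] is invented.
SESSIONS = r"""[0] Logon session 00000000:000003e7:
    User name:    DOMAINNAME\PCNAME$
    Sid:          S-1-5-18
    Logon time:   9/11/2014 12:41:53 PM
        4: System
      452: lsass.exe
      628: svchost.exe
     1740: inetinfo.exe
     2388: cmd.exe
     2484: HSphere.exe
     6068: w3wp.exe
[1] Logon session 00000000:0001a2b3:
    User name:    PCNAME\operator
    Sid:          S-1-5-21-1111111111-2222222222-3333333333-1004
     9001: explorer.exe
"""

LOCAL_SYSTEM_SID = "S-1-5-18"
# Assumption: stock OS processes to set aside first; adjust to the host's known-good baseline.
OS_BASELINE = {"system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe", "spoolsv.exe", "wmiprvse.exe"}

def parse_event(text):
    """Return the event's 'Key: value' fields plus the logon ID as an int pair."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    m = re.fullmatch(r"\(0x([0-9a-fA-F]+),0x([0-9a-fA-F]+)\)", fields.get("Caller Logon ID", ""))
    fields["logon_id"] = (int(m.group(1), 16), int(m.group(2), 16)) if m else None
    return fields

def parse_sessions(text):
    """Map (high, low) logon ID -> user, SID and process list from LogonSessions output."""
    sessions, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\[\d+\] Logon session ([0-9a-fA-F]{8}):([0-9a-fA-F]{8}):", line)
        proc = re.match(r"\s+(\d+):\s+(\S+)\s*$", line)
        field = re.match(r"\s+(User name|Sid):\s*(.*)$", line)
        if head:
            current = {"User name": "", "Sid": "", "processes": []}
            sessions[(int(head.group(1), 16), int(head.group(2), 16))] = current
        elif current is not None and proc:
            current["processes"].append((int(proc.group(1)), proc.group(2)))
        elif current is not None and field:
            current[field.group(1)] = field.group(2).strip()
    return sessions

def attribute_creation(event_text, sessions_text):
    """Join the event to its logon session; None if that session is not in the listing."""
    event = parse_event(event_text)
    session = parse_sessions(sessions_text).get(event["logon_id"])
    if session is None:
        return None
    return {
        "account": event.get("New Account ID"),
        "caller_session_user": session["User name"],
        "as_local_system": session["Sid"] == LOCAL_SYSTEM_SID,
        "candidates": [p for p in session["processes"] if p[1].lower() not in OS_BASELINE],
    }

if __name__ == "__main__":
    print(attribute_creation(EVENT, SESSIONS))
```

The LogonSessions listing is a snapshot taken after the event, so the candidate list bounds which services running as Local System to review rather than naming the process that created the account.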

  • Auth Group for Accounting Doc and Account authorization for  Vendors

    Hi guys,
    I have a question regarding Accounting Doc for Vendor and G/L Account.  I have a security client where I build my business roles for end users, but we have a configuration client where all the functional folks are working and doing configuration.  My question arises when I start creating business roles and start going into these authorization objects and filling up the field values (F_BKPF_BEK, F_BKPF_BES,  F_BKPF_BLA).
    I won't see the auth groups that will be created by the functional folks because they are working in the configuration client and they probably create auth groups for the above authorization objects in the config client, and I'm building roles in my security client.
    If that is true, what would be the best way to create business roles?  I'm in the realization phase of the project.  Should I build my roles in the config client?   Please advise.
    Thanks in advance
    Faisal

    What is the benefit of a "security client" in DEV? I don't get it...
    You anyway need to protect the namespace... and the authorizations for role development (SU24) and admin (PFCG).
    Anyway, you have closed your question so we can only lick our wounds now.
    Cheers and good luck on your project (let us know how it goes if you stick around for long enough to experience a release upgrade...)
    Julius

  • Restrict posting period only a limited set of users using Auth Group

    Hi all,
    Can someone help me in restricting posting period to only a limited number of users?
    Currently OB52 settings look like below:
    From Per.1   Year   To Period   From per.2   Year   To Period
    7            2009   8           8            2008   8
    My requirement is:
    I want only a few users to post in the 7th period and all others to post in the 8th period.
    I know this can be done via authorization group. Can someone please help me with the steps involved in solving the same?
    Thanks in advance
    Sidharth
    Basis Administration

    Hi Alex,
    Thanks for your response!
    I have added F_BKPF_BUP object manually in the test role and assigned 0002 auth group in it.
    I have created auth group 0002 and assigned table T001B in SE54.
    Auth group 0002 is then assigned in the OB52 at the last column. This should restrict the posting for period 1 which I need to restrict for some users.
    Now as per the logic, if we don't assign any auth group, users should not be able to post for that period. But in my case the user is able to post successfully via F-02.
    Please help me as we need to implement this before month end.
    Many thanks for your valuable help!
    Thanks
    Sidharth

  • Restricting SM30 via auth. groups, any flaws in thinking?

    Hi,
    I got a request to assign SM30 to a role as table J_1IEWT_ACKN_N needs to be maintained monthly. I checked an earlier thread regarding this table, and in this case maintaining table in DEV + transport is also not accepted.
    This role also includes other table maintenance activities (period opening/closing, exchange rate maintenance), but for these SM30 is not required. As this role would now include SM30, it would possibly grant access to quite a bunch of tables (through S_TABU_DIS, DICBERCLS values KC and FC31).  User with this role would not have any other roles.
    I created a Zxxx-authorization group in SE54, assigned it to the J-table and then included this auth group to S_TABU_DIS object.
    As this role only needs access to a few tables, I was thinking of changing the authorization group assignments of these tables from KC/FC31 to Zxxx and then giving only DICBERCLS value Zxxx to the role.
    Does this sound like a reasonable solution? Can I just change the auth group assignments of the tables in SE54 or does this have any consequences that should be acknowledged and that I'm not aware of?

    You should try to find an existing group which contains data with the same classification as this one, and use SE54 to assign the value to it. Possibly, if the correct set of users are already classified for that group then you don't need to change anything in the roles.
    If nothing which already exists matches the classification of the data, then classify it yourself by creating the Zxxx group and assign it via SE54.
    If Z-groups already exist, ask for the documentation on the concept so that the one you create or use conforms with the intended concept and naming conventions.
    There is nothing wrong with a Z-table authorization group.
    Cheers,
    Julius

  • Assigning Auth group using std program

    Hi All,
    I am working on assigning Auth Groups to few of my programs...and for this I used the standard program provided by SAP i.e. RSCSAUTH. Now one of my program is in RQ and I need to change the auth group attached to it ... can I change the auth group attached to that program using the same program RSCSAUTH (without doing any changes in the development box or without creating the new transport)..... can you please help me with this.
    Thanks,
    Rajeev Gupta

    Hi rajiv, I am facing the same problem, can you please guide me on this? I am new to authorizations. Thanks.

  • How do Auth Groups assigned to BOMs

    Security Folks,
    How can the auth groups be used on the Bill of Material (BOM)? I assume they need to be created by Functional folks via SPRO. Any input is appreciated.
    Thanks.

    Hi,
    Auth groups are assigned within the BOM itself.   When you create or change a BOM, you add the auth group in the header section.  Whoever is responsible for the creation / change of BOM's maintains the auth group which can then be used with C_STUE_BER.

  • SCU3 Activity 02 on S_TABU_DIS Auth Group SA?

    Hi,
    We recently moved from EHP5 to EHP7 and an additional check is done when using transaction SCU3 for S_TABU_DIS / Group SA / Activity 02.
    We have 2 Z tables maintained by our data team; 2 Z transactions allows for the table maintenance via SM30; both tables have been associated to a Z authorisation group.
    Since EHP7 has been implemented we can no longer view the log on these tables.
    SU53 and traces are listing the need for S_TABU_DIS Activity 02 for the SA Auth group; that group is created by SAP and covers quite a few other tables; I have tried to limit the access to the log table DBTABLOG via S_TABU_NAM but it is still not working.
    I can't understand why activity 02 should be required at all in that scenario and can't find any related OSS Note.
    Has anyone come across a similar issue? I am not sure why a change activity should be required when I only want to display the change log.
    thank you
    Coco

    Hi,
    are you sure that missing authorization for DBTABLOG is causing your issue? It is checked because you can delete logs in SCU3. Hence it has to check for 02 - change. It should not get checked when you only want to display logs. Have you tried to debug this transaction and see what's going behind?
    Cheers

  • How to create a authority group for our customer table(se54)?

    Hi, everyone:
    I found a problem when I create an authority group for my customer table: I can't write the creation to a request no. (can't assign to a package). I want to know whether the authority group I created can be transported to the PRD when I release the request no.
    Thanks!!!

    An auth group is nothing but a table entry, so for sure it can be transported to any environment. Before assigning any auth group, create one in SE54; when you try saving it, it would ask you for the TR number, which you can transport to PROD.

  • List of Auth Group Sorted By Modules needed.

    All
    I have been trying to create the Display Roles for
    FI
    SC
    HR
    modules
    I need to add the Auth Group for S TABU DIS.
    Can someone please tell me if there is any link out there
    that has the Auth Group SORTED by Modules (FI SC HR etc)
    Thanks,
    From
    PT.

    I am not aware of any specific table which holds the table group : module link, other than the naming convention of the table groups and of course correct assignment to tables. So, you could try by sorting TDDAT on field CLASS.
    Take note that the transaction and master data tables (indexes) of the modules typically do not have auth groups assigned, and are therefore replaced by a symbolic group '&NC&'. I don't think it is possible or desirable to assign auth groups to all tables for display purposes, and then still split them into modules. Basis folks can become irritated when people browse VERY large indexes. Business owners as well when they realize that these roles can bypass all their application and org controls to protect their data.
    Cheers,
    Julius
    PS: I see 41 unresolved questions. 9 are no longer outstanding.

  • Can't create a "simple" group/course - and no upload

    Hi all,
    I'm quite new to this task of managing iTunesU for my institution (ICTP, www.ictp.it), and we just got admitted to the iTunesU platform since few days, so please bear with my poor experience (but I'm carefully reading the guides provided by Apple).
    Now... I've had no problem in creating/editing a few test pages/groups/courses, but I'm not able at all to create a "simple" group course, the edit menu only leads me to the two options: "smart" and "feed". And I cannot find the tool menu item to do the "Upload and Manage Files" (I guess it doesn't appear because there are no simple groups, the only ones that can accept manual uploads, am I right?).
    Just to explain better: of course I'll eventually implement a transfer script to upload our videos (I'm working on re-encoding some thousands hours of lectures...), but for now I would like to make some preliminary tests, and upload manually a few videos. What am I doing wrong?
    Is it possible that maybe our approval is still pending, and I'm not allowed to upload anything? But I can edit the site (but not publish it).
    I tried both interfaces, the iTunes.app native and the web one (the "iTunesU Public Site Management" on phobos.apple.com):
    the former is more complete but is missing upload option and "simple" group course creation, while the latter gives me only tools to edit the graphic appearance of the main page (banner, styles, etc...).
    thank you for any help, it will be appreciated very much!
    Carlo,
    Trieste (Italy)

    I think I've found the answer by myself in this thread:
    https://discussions.apple.com/thread/2018158?threadID=2018158&tstart=0
    Unfortunately, it's not the answer I was hoping for... apparently the option to store contents in Apple's servers isn't available anymore for newcomers to iTunesU.
    Now I have to manage a way to do local storage and RSS feeds, new challenge!
    Hope this may help others,
    Carlo.

  • How do I create an email group on iPad 2?

    How do I create an email group from email or contacts to send emails to groups of like contacts

    It's a comma (or semicolon) rather than a decimal point, if you're doing it manually, but that method does work across iPhone, iPad and iPod touch.
    This is actually close to how our "MailShot" app works (unlike most other group email apps) except that MailShot manages the groups for you and makes it easier to delete and add contacts to your groups.
    If your groups are small you can try our free version on
    http://itunes.apple.com/us/app/mailshot-group-email-done/id410279354?ls=1&mt=8.
    There's an upgrade path to the full version if you like it in that app. or you can go straight to the Pro version:
    http://itunes.apple.com/us/app/mailshot-pro-group-email-done/id445996226?ls=1&mt=8
    Any problems, get in touch on our support email.
    Peter
    Soluble Apps
    Disclosure: I am the developer of MailShot and MailShot Pro and may benefit from their sales.
