Custom Made Authorization Object ZPLANT

Hi
We have custome made auth objects; zplant, zcountry, zsalesrg etc. We are getting problems with one of the report we created; based on a MP. When user access the report, some of them getthe error that "Warning you do not have authorization to read object ZPLANT Authorization at plant".
The user has access to 4 plants and can access other reports based on the Infocubes that is used in the MP. Also some of the user gets warning for ZSALESORG etc..
We are getting this error only for the newly created report; Have any of you faces such type of problem? If yes then can you advice me how to resolve it?
Thanks in advance
Ishi

Hi there again,
Sorry my mistake, it is S_RS_ICUBE instead of S_RS_CUBE. In that authorization you can specify the InfoCubes or MultiCubes alloweded to display. Your multiprovider might be included or not in that object.
S_RS_COMP  and S_RS_COMP1 is for BEx.
You can include this:
S_RS_COMP:
Activity: 03, 16 (display and execute)
InfoArea: * (all of them, or sepcify an InfoArea where the InfoProviders which contains the queries are)
InfoCube: * (all of them, or specify the InfoProviders which have the queries you want the users to run)
Name (ID) of a reporting compo: * (all of them)
Type of a reporting component: CKF, QVW, REP, RKF, STR, VAR
S_RS_COMP1:
Activity: 03, 16 (display and execute)
Name (ID) of a reporting compo: * (all of them)
Type of a reporting component: * (all of them)
Owner (Person Responsible) for: * (all of them)
You can also use transaction RSSMQ to execute a query with another user and analise the authorizations of that user.
Diogo.

Similar Messages

  • The scope of the customer-specific authorization object

    Dears,
    Could someone please feedback about the scope of the customer-specific authorization object; e.g. if we are to create a customer-specific authorization object to replace authorization object P_ORGIN in the HR module, to be able to add an extra authorization field to the newly created authorization object, the scope of the newly create authorization object (which will have a new validation code generated by report RPUACG00) will be the whole ERP system ? 
    The worry is caused by the fact that P_ORGIN is already used in several authorization roles granted to users in the different ERP modules (i.e. FI, SD, MM, CS), so the replacement would affect these modules.
    Thanks.
    Reda

    Hello Reddy,
    We are about to implement the HCM module (We are now in the testing
    phase), on the same client as that of our SAP ERP implementation.
    We need to authorize on the personnel number grouped by 'Payroll Area'
    in transactions PA30, PA40
    In authorization object P_ORGIN, the field VDSK1 is already used to
    authorize on an attribute : cost center (organizational key) for each
    organizational unit, so we can't configure it to authorize on other
    fields from info type 0001 (e.g. Payroll Area).
    We need to continue using the conventional / general authorization and
    not the structural authorization, to stay in compliance with our
    authorization schema already implemented in our FI, MM, SD & CS modules.
    ( Also, as per thread : Steps for creating structural authorization profile using trans. OOSP
    the structural authorization cannot be used to authorize on Payroll Area.)
    We need to go through the HR module implementation without any changes
    in the ABAP code.
    So, the last way out is the custom-specific authorization object, and as I mentioned before, the authorization object P_ORGIN was already used in other ERP modules; e.g. FI, MM, SD & CS,
    ( Note : I haven't started yet implementing this solution.)
    Thanks.
    Reda

  • HR Authorization : Custom Authorization Object  for P_ORGIN

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've ran the report RPUACG00 also which is mentioned in this thread.
    We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
    but still it is taking the P_ORGIN object

    Online Help
    <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm">P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context)</a>

  • HR custom authorization objects

    Is it possible to have more than one custom HR authorization object active at the same time? For example if I need 2 custom variations of P_ORGINCON (I  have some very complex requirements),  is that possible, or am I limited to just 1? Having more than 1 seems to present a problem when I run RPUACG00 to generate include MPAUTCON. It overlys the code generated fo the first cusom object with code for the second object, therefore only allowing cgenerated code to exist for 1 of the objects.
    And one additional question - when I create a custom HR object (one which contains infotype, subtype, persg, persk etc), am  I limitied to only using fields from PA0001 in that object?  If I include some other field that does not exist on PA0001, when I run RPUACG00 it gives me the error "Field xxx is not allowed  in authorization object Z_xxx".
    Many thanks,
        Mike

    One example of a  requiremnet I have is for a manager to have 3 different types  of authority based on when a position was in his org structure. So if a position is currently in his org structure he might have WRITE access to their infotype 2,6,8... for positions that were in his org strucure between 1 and 60 days ago (but are not in his structure as of today) he might have WRITE access to their infotype 2 and 6 and READ access to other infotypes, and for people that were in his structure 61-9999 days ago, he might have only READ  access to all the position's infotype data.
    I was thinking of using 3 disctinct HR authorization objects to cover each of these 3 scenarios, but ran into the issue mentioned above with the generation program RPUACG00.

  • Authorization Object: P_ORGXX - fields can be from a custom infotype ?

    I need to create a customer-Specific Authorization Object, but the documentation states that we can use any of the fields in IT0001, and also customer-specific additionald fields. But we need to know if those additional fields can be from a custom infotype.
    If it is not possible, we need to replicate the std P_ORGXX and the way it validates the field pa0001- SACHZ. But with fields from a custom infotype. Is there any way to do it?
    I hope you can help me with this.
    Regards,

    Hi,
    Try the link from SAP as reference for authorization object creation and how functionality for authorization object works w/ infotype.
    http://help.sap.com/saphelp_470/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm
    http://help.sap.com/saphelp_470/helpdata/en/16/b8b83b5b831f3be10000000a114084/content.htm
    Thanks,
    Ameet

  • How to add custom authorization object to a SAP standard transaction

    Hi All,
    I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
    Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
    - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
    - tcode SU21 - creation of  a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
    - tcode SU24 - insert of new authorization field e check indicator (green)
    - tcode SU22 - check indicator - check (green)
    After this we have created a new role with PFCG and add transaction IW22; the new auth.ZPM was added manually.
    We have try to analyze log (ST01 trace) but it seems no check was made in the trace file.
    It seems new authorization object was not checked.
    My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    Thanks
    Maurizio

    > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    >
    No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
    So you need to provide a Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
    Regards,
    Dipanjan

  • Custom authorization object and check logic

    Hi gurus,
    we need to apply additional authorization check in our custom reports.
    so i created a custom fields & object, and put the statement
          AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
                   ID 'ZROLEID' FIELD '03'
                   ID 'ZSOBID'  FIELD zzdwbm.
    in a abap class method centrally, so it could be called by many reports.
    but the test show that the sy-subrc always set to 0, even for users without any authorization.
    what i missed for adding custom auth check?
    for this case, do i need to maintain authorization check indicator in SU24?
    what i am confused is that , su24, you have to maintain a transaction , but our authorization check is not for transaction , but for reports and bsp application, how should i maintain su24 for that?
    thanks and best regards.
    Jun

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've ran the report RPUACG00 also which is mentioned in this thread.
    We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
    but still it is taking the P_ORGIN object.

  • Custom Authorization Object for HR

    Hi,
    As per our Company's internal needs I have created a Custom Authorization Object for HR named ZP_ORGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction & do a trace on it, the object ZP_ORGIN is never checked (for a user having this object in his/her User Master). Only P_ORGIN object is checked instead.
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell  which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked.
    Your help will be appreciated.
    Thanks,
    Mandeep Virk

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've ran the report RPUACG00 also which is mentioned in this thread.
    We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
    but still it is taking the P_ORGIN object.

  • Report to check authorization object used in customized programs

    Hi Guys,
    An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
    Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

    Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
    To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
    Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
    Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
    Code review is an art form!
    Cheers,
    Julius

  • Authorization Issue with Custom Pending Value Object and Anonymous Users

    Hi,
    I am just converting my demo from version 7.1 to 7.2. I am not doing upgrade. The demo uses a custom pending value object USER_REQUEST. The idea is that new employee goes to Java AS as anonymous user and enters her details and store where she will work. After submitting request there is an approval process using custom entry type USER_REQUEST. If the request is approved then IdM converts USER_REQUEST into MX_PERSON entry. This works nice in 7.1 but I am having problems with replicating this in 7.2. I created new UI task accessible by anonymous that creates new USER_REQUEST entry. I also assigned role idm.anonymous with UME action idm_anonymous to UME built in group Anonymous users.
    My problem is with the field STORE. This field is a reference field to another custom entry type STORE (this entry type will be used in context based assignment). Every new employee must selects a store where she will work. The problem is when user clicks on button "Select". Web dynpro terminates and returns authorization error. I also tested this with entry type MX_ROLE. I added attribute MXREF_MX_ROLE and same issue. So it seems that just assigning UME action idm_anonymous is not enough to list objects from identity store. I found a workaround for this issue. When I assign also UME action idm_authenticated to Anonymous users then it does not dump and I get a pop up window where I can search for store. It does not seem right to assign idm_authenticated to anonymous users.
    Another issue is with display task for entry type USER_REQUEST. I assigned a display task to entry STORE and I set that Anonymous have access to this task in Access control tab. I assigned default value to the field store. So when a user opens page she can see a hyper link to display already assigned store. When user clicks on this hyper link it opens a new pop up window and user must authenticate against Java AS. After successful authentication the display task for entry STORE is displayed. I would assume that anonymous user can display it without authentication.
    So to me it seems like authorization checks have been changed in 7.2 versions and are more strict for anonymous tasks. Hence my question is how can I implement my scenario. Am I missing some configuration or what's the proper solution to my two issues? I don't count assigning idm_authenticated to Anonymous users as a solution. This workaround does not solve my second issue.
    Thanks

    Some of the folks from Trondheim labs check, but rather infrequently.  There's another person who I guess is in consulting that also checks from time to time.
    Sorry I can't help you with your main question...
    Matt

  • Custom authorization object

    Hi all,
    I have created a custom authorization object to define a data security based on the Company code field.
    These are the steps I did:
    - I create a new authorization object containing the Company code field (BUKRS).
    - I create a new role with this authorization object, and I have assigned a specific value to the Company code field.
    - The role contains also the standard authorization object HR Master data which contains the field: infotype, personnel area...
    - I have assigned the new role to a user and I have executed a report, but I had not the expected result.
    - I had assigned the custom authorization object to the report transaction through SU24 and SU22, but I had not the expected result.
    As expected result I was expecting that the data are filtered based on the Company code I put in the authorization field.
    Any idea about the problem?
    thx!

    Please check that you have followed all of the steps listed here when creating your object:
    <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm">http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm</a>
    - April

  • Authorization object to restrict a particular customer code in a sales org

    Hi,
    I have a requirement whereby a sap user who is assigned to Sales organization A needs to access a particular customer from sales organization B. However the sap user has no access to sales organization B. However the requirement is such that the sap user cannot be given access to all the customers in Sales organization B. He must only access one particular customer from Sales organization B and not all the customers in Sales organization B.
    The problem here is if we give the sap user access to Sales organization B, then the sap user can access all the customers in Sales organization B. So how can we give access only to a particular customer in the Sales organization B?
    Is there any authorization object which can accomplish this?

    Hi.
    You can use The Authorization object
    <b>V_KNA1_VKO</b>
    Tcode for Authorization objects: SU21
    Tcode for Authorization FIELDS: SU20
    Statement to perform Auth. Check  AUTHORITY-CHECK(See F1 HELP)
    <b>Reward if Helpful</b>

  • Can we reuse the Authorization objects in MM01 for  Custom TCODE  ZMM01

    Hi all,
    We need to create screens  or transaction code ZMM01 which will have all views in the form of a tab like sales data will have a tab to input sales information like plant data as its own tab to input plant specific data
    ceating material  masters  entries in Ztables like ZMARA,ZMARC,ZMVKE.
    Now my question is can we use the same authorization objects which are being used for standrard MM01 transaction code because same users who use MM01 will use ZMM01.
    If this is possible how can I know what are the authorization objects which I need to program for my ZMM01 Tcode.
    All replies are rewarded.
    Regards
    Martin.

    hi yes
    it is possible go to transaction SU21
    and search MM_G object class you can reuse the same for ur Z transaction
    also u will have to use SU22 to assing tcode to the obejct class
    Harish

  • BW Custom Authorization Objects

    We are in need of enabling authorization checking on several characteristics in BW.  I have enabled authorization on the characteristic and created authorization objects for them.  When I add them to a role and try to add values, I get a message SA303 saying that table /BI0/M**** (eg. SALES_OFF) does not exist.  I have narrowed this to occuring only on characteristics that do not have attributes.
    Is it possible to use a text only characteristic as a authorization object?  If so, how do I get past the message during creation/maintenace of the role.  I tried just typing in the values.  The system accepts them, but does not appear to execute the check correctly.
    Thanks in advance for your assistance.
    Regards,
    Kevin

    Hi Kevin,
    please have a look at the documentation on authorizations for master data:
    http://help.sap.com/saphelp_nw04s/helpdata/en/e3/e60138fede083de10000009b38f8cf/frameset.htm
    regards,
    Tanja

  • Authorization object for manual condition type in sale order

    Hi experts
    I want ask them, If exist an authorization object for manual Condition type (KOMV-KSCHL) in the sales order (VA01/VA02), that the user don' t can create neither modify the sale orden with a specific manual condition type (payment term) by stardard way.
    Best regards
    John Angulo

    HI John,
    I would be surprised to know that someone uses the Payment terms as a condition in the Pricing procedure for sales orders. The payment terms define when the customer agrees to pay, (15, 20, 45 ,....days or 5 years or 10 years....whatever it be)
    this detail for what i know is in the sales order header,and ideally has nothing to do with the Item level material price conditions.
    its ok, If you mean something else by payment terms.....in principle you can have a conditon type restrcited such that manual entries on the condition are not possible. this cane be done in SPRO customizing, i am sure your functional consultants would know what to do (SPRO->Sales and Distribution->Basic Function->Condition Types), in the tab "Changes that can be made" have a value that says manual Processing is not allwowed
    The ABAP route mentioned above is for a different scenarion and i dont think it is necessary for your requirement

Maybe you are looking for

  • Request: UEFI/GOP bios for N660 TF 2GD5/OC

    Hello guys, Could someone give me a GOP BIOS for my N660 TF 2GD5/OC? S/N: 602-V287-050B1302030755 Motherboard: MSI B75MA-P45 on BIOS version 1.9 Thanks! EDIT: fixed S/N

  • Forward error to other jsp from .java file

    Hi all i have simple app html with log in (username and passwor) and submit button when the user click submit after he put his username and passwor the servelet will call loginHandler now in logInHandler will forward to welcom.jsp if login and passwo

  • Certified LabVIEW Developer needed for an on-site project in Singapore (contract 15 - 24 days work)

    Hello Developers, Our client in Singapore (name of the MNC to be divulged to the interested candidates) has a project going on with us that involves NI OPC server & certain PLCs. The equipment is already supplied. We are looking for a CLD to do the L

  • IAC error when closing Editor

    I have found that when closing the editor which automatically opens the organizer, sometimes the photo does not appear in the Organizer with a gray border around it indicated it has been edited and without the changes made in the editor having been m

  • Count with multiple conditions (XML publisher)

    I'm trying to only count an EMPLID if multiple conditions have been met in an RTF. This works for 1 condition: <?count(xdoxslt:distinct_values(EMPLID[../FIRSTYEARFRESHMAN=1]))?> But how do I do multiple conditions? I've tried <?count(xdoxslt:distinct