Custom TCODE-Auth Object Assignment

Similar Messages

• Deletion of auth objects Corresponding to tcodes

  Q1.
  If a transaction is deleted from the menu wthr the Corresponding authorization objects are deleted.
  Q2.Eg
  What if the tcode MM02 is deleted from the role which has MM01/MM02/MM60/MM03 transaction codes, In this case some of the auth objects of MM02 are same as the other tcode auth objects, then how does deletion of MM02 from role ensure that only the corresponding object--> values are removed.?
  Rakesh

  Q1.
  If a transaction is deleted from the menu wthr the Corresponding authorization objects are deleted.
  It depends..
  If the auth object's status is 'standard' and it is coming from only one t-code which is being removed, then it gets removed. If the status is 'changed', then it doesn't get removed.
  Q2.Eg
  What if the tcode MM02 is deleted from the role which has MM01/MM02/MM60/MM03 transaction codes, In this case some of the auth objects of MM02 are same as the other tcode auth objects, then how does deletion of MM02 from role ensure that only the corresponding object--> values are removed.?
  No, the auth object won't get removed as that is coming from su24 from other t-codes also.
  If different t-codes are bringing different field combination values, then the instance which is coming from MM02(if it is being deleted) will get removed, again assuming that the instance is standard and not changed.

• BW Authorizations/Report. Auth Object/KF's vs. Calc. KF's

  We implemented a custom/reporting auth. object to protect key figures (1KYFNM) and it works well. The issue is that our user community never ceases to come up with new and even more creative requirements.
  Let me illustrate the latest requirement:
  I have locked-down access to certain key figures (let's call them 'KF A' and 'KF B') and therefore subsequently secure all combinations involving either one of the two meaning calc. KF D (KF A plus KF C) is locked down as well. I also need to mention that users are supposed to be able to create their own ad-hoc queries, which eliminates the option of limiting them to a query or set of queries that accomplish the following requirement.
  There are certain totals, which are calc. KF's that the users are allowed/required to see even though they are not supposed to see what makes up these numbers (they should see calc. KF K which is made up of KF A, KF B, and KF H, etc. but not KF A and KF B).
  Without the option of providing the users with rather static queries, I see another option as calculating 'KF K' (from the previous example) at the time of the load and just making it another key figure in the cube which then can be excluded from the auth. check previously mentioned based on the naming convention. The problem with that is that this will make reporting rather inflexible, increase load times as this calculation is rather complicated, and it will also create redundant information in an environment that is already experiencing substantial growth and volume.
  Does anyone see any other solution?
  Thanks,
  Joerg

  Jeorg,
  I'm afraid that there's no special authorization handling for calculated key figures. To my best knowledge, the approach to create another key figure at data load time via transfer rules or update rules would be the only one can work. While this approach may not be flexible, but the load time should not increase significantly if you just add two key figure values into a new one.
  If you find this is approach is unacceptable or it is a common requirement among BW community, you might consider submit such requirement through ASUG BI Group or via OSS development request.
  Thank you for your question and patience.
  Regards,
  Amelia Lo
  SAP NetWeaver RIG, US
  SAP Labs, LLC

• Custom Made Authorization Object ZPLANT

  Hi
  We have custome made auth objects; zplant, zcountry, zsalesrg etc. We are getting problems with one of the report we created; based on a MP. When user access the report, some of them getthe error that "Warning you do not have authorization to read object ZPLANT Authorization at plant".
  The user has access to 4 plants and can access other reports based on the Infocubes that is used in the MP. Also some of the user gets warning for ZSALESORG etc..
  We are getting this error only for the newly created report; Have any of you faces such type of problem? If yes then can you advice me how to resolve it?
  Thanks in advance
  Ishi

  Hi there again,
  Sorry my mistake, it is S_RS_ICUBE instead of S_RS_CUBE. In that authorization you can specify the InfoCubes or MultiCubes alloweded to display. Your multiprovider might be included or not in that object.
  S_RS_COMP  and S_RS_COMP1 is for BEx.
  You can include this:
  S_RS_COMP:
  Activity: 03, 16 (display and execute)
  InfoArea: * (all of them, or sepcify an InfoArea where the InfoProviders which contains the queries are)
  InfoCube: * (all of them, or specify the InfoProviders which have the queries you want the users to run)
  Name (ID) of a reporting compo: * (all of them)
  Type of a reporting component: CKF, QVW, REP, RKF, STR, VAR
  S_RS_COMP1:
  Activity: 03, 16 (display and execute)
  Name (ID) of a reporting compo: * (all of them)
  Type of a reporting component: * (all of them)
  Owner (Person Responsible) for: * (all of them)
  You can also use transaction RSSMQ to execute a query with another user and analise the authorizations of that user.
  Diogo.

• Assign auth. object to infoprovider

  Hello,
  i have transported a auth object zsales_orgn to production. have transported the queries, roles etc.
  i realised that the infoproviders are not assigned to this object.
  when i go to rssm->enter this object->select check for infocubes->change
  i dont see any cubes in the list. how do i assign this object to a cube??
  PLEASE SUGGEST?

  hi S B,
  to transport the authorization object itself, try SE03-> change object directory entry, in next screen, use SUSO (type in below DTEL) and reporting authorization object name, after that change package with icon pencil 'object directory'.
  RSSM for infoobject assignment to infoprovider
  How to Transport the Authorization Object
  hope this helps.

• Custom Tcode Authorization Error

  Dear Security Gurus,
  We are getting an authorization while testing Custom Tcode. This tcode is used for Uploading data.
  The authorization error shows missing Activity field value and a field called Operating Concern.
  The SU53 and the Trace(ST01) show the same error even though the role that is assigned to the user has exactly the required values.
  Also Authority Check in the Program of the tcode is maintained for only the Activity field and Operating Concern field.
  Hence we are unable to figure out why the auth. issue occurs even though the role assigned to the user has the missing values
  Please let me know how I can resolve this authorization issue.
  Regards,
  Arjun

  Hi ,
  Below is the Authority check section of the tcode :
  START-OF-SELECTION
    PERFORM F_AUTHORIZATION_CHECK
      AUTHORITY-CHECK OBJECT 'YTIPRC01' ID 'CEERKRS' FIELD P_ERKRS ID 'ACTVT' FIELD '01'
    PERFORM UPLOAD_DATA
      CALL FUNCTION 'GUI_UPLOAD'
        AUTHORITY-CHECK OBJECT 'S_GUI' ID 'ACTVT' FIELD '60'
  Even though I have the ACTVT value 01 and the corresponding CEEKRS (Operating Cncern ) Value in the role I still get the error.
  Thanks,
  Arjun

• Why still check S_TCODE "SE16" for customizing tcode (only in ECC)

  I want to limit the access for SE16. So i need to create customizing tocde that allow user to access the specific table by SE16; I try to create this tcode in SE93;
  When this tcode assign to role and add the additional necessary auth obj. S_TABU_DIS, put the value for AuthGrp with *, Actvt = 03; When i do the testing, the system still check S_TCODE "SE16". means testing id also need authorization "SE16". If this T-code assign to testing user, then i cant limit the access for SE16;
  I also have do the testing in CRM and use the same way to create the customizing tcode. In CRM system, no need S_TCODE "SE16", only assign customizing tcode & S_TABU_DIS to testing user, is ok, this customizing tcode can be used by tester directly;

  Hello,
  create a parameter transaction in SE93. An example is the already existing parameter transaction SE16_MARA. You can specify the table in the parameters of the transaction.
  You will still need S_TABU_DIS. To enter the * isn't a good idea. The better way is to get the correct table dictionary class for the table you have assigned to the parameter transaction. Get the class in transaction SE54 (there you can also specify one, if no class is assigned yet) or from table TDDAT.
  If you have a class and a parameter transaction you should join them in SU24. Add object S_TABU_DIS to your transaction and specify activity and class for S_TABU_DIS. Then these values will be added to the role, if you add the transaction in the menu.
  regards
  Rainer

• Same Auth Objects CM in su24

  Hi All –
  In SU24 for a Tcode SU01 in “S_TCODE” the following auth objects are CM.
  S_USER_AGR
  S_USER_AUT
  S_USER_GRP
  S_USER_PRO
  S_USER_SAS
  & for Tcode PFCG
  S_USER_AGR
  S_USER_AUT
  S_USER_GRP
  S_USER_PRO
  S_USER_SAS
  I am developing a role initially with SU01 Tcode. For the auth object S_USER_AGR, I am giving 01,02,03,06 field values.
  Later I add PFCG Tcode for same role “P_TCODE”. For the auth object S_USER_AGR , I am giving 22,21 field values.
  My question is if the role is assigned to a user
  1.     will he be able to create, change, display, & delete roles using PFCG ????
  2.     What is the best way to restrict the user’s in create, change, display, & delete???
  3.     For PFCG Tcode none of the Auth. Obj’s (the objects that are added by adding SU01 or PFCG Tcode VIA MENU)are maintained in the role what would be the implication??
  Thanks,
  VJ

  Hi,
  1.What is the purpose behind the calling of multiple Tcodes thru a single T.code .I mean to say, suppose, i require a C.Code object to be associated with a T.code for doing that, why i am connecting it to C.Code object of some other T.codes.
  Many tcodes are customized to limit the access / risk. The best example is with SM30. If an user want to maintain a table, you can create a custom transaction which skips the intial screen (user don't need to enter the table name) and allows the user to edit the right or only one table rather than many.
  You can connect your custom authorization object to F-67, it will not affect FBV1. the settings from FBV1 can be overwritten with the entries in F-67. use transaction SE93 to see more details and customization in transaction F-67.
  2.If i assign a C.Code (let say 1000)thru object F_BKPF_BUKRS to a user,does it mean that,i don't need to assign that C.code to user again for access related to C.code 1000 in the accounting document area.Or is there anything like that, the C.Code access will be coded globally for that user for all C.code related access for FI, MM and SD.
  Once you assign the authorization to a company code 1000 it means user has access to this company code across modules. This is subject to the transactions and thier authorization objects attached to them in other modules. Note that all the transactions doesn't perform authorization check for Company code.
  3.Is there any T.code,from where i can associate a authorization object with a T.code.
  You can use SU24 itself.
  Hope it clarifies your queries.
  Regards,
  Gowrinadh

• Error "Inconsistancy in the auth object P_ORGIN"

  Hello Gurus,
  I have to add a tcode which involves auth object P_ORGIN. When I add the tcode and go to authorization tab then it gives the error as "Inconsistancy in the auth object P_Orgin"
  Please let me know how should I add the tcode now. Thank you !
  Regards,
  MA

  PLease provide tcode
  The reason why the profile generator cannot correctly insert the
  default values of these transactions is due to a data inconsistency in
  table USOBT_C (default values for customers). The table does not
  contain an entry for field BTRTL of authorization object P_Orgin.
  You can immediately correct the incomplete data in your customer table
  USOBT_C using the following steps:
  Step 1 Execute transaction SU24
  Step 2 Enter the transaction affected by this error ie XXXX
  Step 3 "Change check indicator" (F6) in the application toolbar.
  Step 4 With "Display field values" (F7) you check the default values of
  P_Orgin. Please document the values.
  Step 5 Go back to the previous screen and set the check indicator from
  "Check/maintain" to "Check" for P_Orgin.
  Step 6 Set the indicator for P_Orgin back to "Check/maintain".
  Step 7 Choose the function "Change field values" (F6) and insert the
  formerly documented values for AUTHC in object P_Orgin.
  Now you see also the field BTRTL being presented.
  Save the changes.
  Repeat steps 3-7 for each of the transactions affected.
  Hope you are clear with the steps.
  Thanks,
  Prasant
  Edited by: Prasant K Paichha on Mar 3, 2010 3:01 PM

• Auth objects required for creating super,power,end user roles

  Hi ,
  I need to create 3 roles according to the below requirement. can you tell me what auth objects req inorder to fulfill customer requirement.
  1.     Super User: 
       Have the access to Create/Modify/Delete own queries
       Can create Variables, CKF, Structures, Formulas & RKF at the cube level (global)
  2.     Power User :
       Have the access to Create/Modify/Delete own queries
       Can create Structures, Formulas at the query level
  3.     End User
       Have the access to run and navigate reports at the local level
  Hope I will get reply soon
  Thanks

  Karunakar -
  Few things you have to keep in mind when you are giving access to the reports and queries.
  S_RS_COMP only will not do.
  have you assigned S_RS_COMP1 and S_RS_MPRO for info areas and multi/info providers.
  and one more auth object S_RS_ICUBE for info cubes. you have to assign what ever the info cubes that you need to give access to the users.
  Then only user will get full access.
  precisely in order you can say,
  S_RS_COMP
  S_RS_COMP1
  S_RS_ICUBE
  and S_RS_MPRO.
  These are main auth objects which are related to info cube, info area access and BEx access.
  Hope this would give you clear pic.

• Restricting HR Tables fields via auth object?

  Happy Holiday's everyone!
  We have a custom tcode for Pricing Admin report which currenltly only has S_Tcode for an auth obj.  It was combined in a role that we removed the HR authorization from and apparently these were interdependent but undocumented.  Now the pricing transacation no longer functions. 
  Instead of just adding back the missing HR authorizations back into the custom Tcode I'm being asked if  we can restrict PA00002 (the table being called in the program) to first name, last name and personnel number fields.  Is there an authorization object that will let me restrict in this manner or do I need send this back to the developers to write in the code? 
  Or can I restict to these fields via authorization groups (something we are looking into implementing more next year).
  Thanks
  Kris Wise

  That is a bad omen for the next year...
  Try to change the code this year still to deliver only the fields you want from the infotype or go for an "existence check" which no authorization requirements as that is what you seem to be wanting.
  Being custom code, you should post the problematic part to discuss a solution.
  Cheers,
  Julius

• Auth Objects on ME23N

  Hi Guys,
  I'm trying to find the authorisation objects that control the GRIR information on the Display PO's tcode - ME23N.
  I have to seperate roles with ME23N tcode - one shows the GRIR info on the details section and the other not.
  Just trying to understand which auth object controls the display and which values to assign to have it displayed or not.
  Rgds,
  Thinus

  I use SU24 to see which auth objects is involved.
  The problem I have is that the amounts on the Purchase Order History tab is not showing when I assign one role, but when I assign the other, it does.
  I guess what I should do is do a comparison on the auth objects and values with the 2 ME23N's in both roles.
  This might give me an indication on the possible differences.
  Comments??

• Job role design - transaction role and auth object role

  Hi all, please kindly comment following job role design:
  (1) transaction role:
  Keep transactions in single job role to represent business processes in different application areas, e.g.MM: maintain PR, PO, OA.   CO: maintain cost center, internal order   HR: maintain org structure, personnel management.
  The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
  (2) authorization role
  Keep application component related authorzation objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role.  Objects of HR in HR role.
  Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role.;....
  User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
  with MM transaction role + company A MM role + company A CO role.
  Please let me know the pros and cons of above design.  Thanks.
  Regards,
  Donald
  * I can see the disadvantage of this design is during SAP upgrade (SU25), revised of authorization object will not reflect in authorization role

  Brent Van Dyck wrote:
  Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
  That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
  In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
  But splitting cube / characteristics / key figures  or infotype / personel group / auth code into different roles can only go wrong.
  Another mistake some "value role experts" sometimes make is that they don't want Su24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side affect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
  Cheers,
  Julius

• SU24 on M_EINK_FRG auth object

  Hello Gurs,
  Requirement
  To make the release code/group to Org filed . Currently is not a Org filed.
  What I have done:
  The auth object is  M_EINK_FRG.
  Before I make it org field, I was cleaning up some tcodes  for eg : Me35 ,ME35K and ME28 to deactivate the object in SU24 ( meaning NO in the proposal u201Ctabu201D  as no users are assigned to this tcode in production.
  Question:
  After capturing in transport I am getting pop up with " Data automatically corrected " message and changes are getting reflected in SU24 once I click on this pop green check mark button. no sure why
  I have problem with this object only not which other auth object
  Please suggestion or did you experience any of this sort
  Damodar

  I think he only wants the proposal flag as 'No', but then SU24 automatically corrects the value based on TSTCA.
  See How to handle unwanted SU24 proposals which are automatically "corrected"? and the post by Keerti Vemulapali, which points to SAP note 1404093.
  PS: What would be very usefull for an "automatic correction" would be in the case of report type transactions to check whether the submitted report has been assigned to an S_PROGRAM group, and fill that with p_action SUBMIT. Any chances..? 
  Cheers,
  Julius

• Custom TCode for Excel File Upload/Import - WebGUI Error

  We get an ABAP runtime error when uploading an excel file with a custom tcode using WebGUI.  It works ok with WinGUI.  Any ideas what could be causing that error?
  Runtime Errors         RAISE_EXCEPTION
  Date and Time          01/05/2011 17:27:16
  Short text
       Exception condition "JAVABEANNOTSUPPORTED" raised.
  What happened?
       The current ABAP/4 program encountered an unexpected
       situation.
  What can you do?
       Note down which actions and inputs caused the error.
       To process the problem further, contact you SAP system
       administrator.
       Using Transaction ST22 for ABAP Dump Analysis, you can look
       at and manage termination messages, and you can also
       keep them for a long time.
  Error analysis
       A RAISE statement in the program "C_OI_CONTAINER_CONTROL_CREATORCP" raised the
        exception
       condition "JAVABEANNOTSUPPORTED".
       Since the exception was not intercepted by a superior
       program, processing was terminated.

  You can use the below code. One more thing while running make sure there is no unsaved excel sheet open in your system.
  FORM sub_create_container .
  Create Instance control for container
    CALL METHOD c_oi_container_control_creator=>get_container_control
      IMPORTING
        control = iref_control
        error   = iref_error.
    IF iref_error->has_failed = c_check.
      CALL METHOD iref_error->raise_message
        EXPORTING
          type = 'E'.
    ENDIF.
  Create generic container linked to container in screen 100
    CREATE OBJECT oref_container
      EXPORTING
        container_name              = 'CONT'
      EXCEPTIONS
        cntl_error                  = 1
        cntl_system_error           = 2
        create_error                = 3
        lifetime_error              = 4
        lifetime_dynpro_dynpro_link = 5
        OTHERS                      = 6.
    IF sy-subrc <> 0.
      MESSAGE e000 WITH 'Error while creating container'(012).
    ENDIF.
  Establish connection to GUI Control
    CALL METHOD iref_control->init_control
      EXPORTING
        inplace_enabled      = c_check
        r3_application_name  = 'EXCEL CONTAINER'
        parent               = oref_container
      IMPORTING
        error                = iref_error
      EXCEPTIONS
        javabeannotsupported = 1
        OTHERS               = 2.
    IF iref_error->has_failed = c_check.
      CALL METHOD iref_error->raise_message
        EXPORTING
          type = 'E'.
    ENDIF.
  Create Document Proxy
    CALL METHOD iref_control->get_document_proxy
      EXPORTING
        document_type  = soi_doctype_excel_sheet
      IMPORTING
        document_proxy = iref_document
        error          = iref_error.
    IF iref_error->has_failed = c_check.
      CALL METHOD iref_error->raise_message
        EXPORTING
          type = 'E'.
    ENDIF.
  ENDFORM.                    " SUB_CREATE_CONTAINER
  FORM sub_create_document  USING    p_sheet TYPE i.
    DATA:  l_title   TYPE char40,
            l_char    TYPE char2,
            l_time    TYPE i,
            l_sheet   TYPE char12.
  Calculate the number of sheets to be created
    l_time = p_sheet - 1.
    CONCATENATE 'Assembly Table'(015) v_char INTO l_title
    SEPARATED BY space.
  Create document
    CALL METHOD iref_document->create_document                 " Open use Open_document method
      EXPORTING
        open_inplace   = c_check
        document_title = l_title
        no_flush       = c_check
      IMPORTING
        error          = iref_error.
  Open Spreadsheet interface
    CALL METHOD iref_document->get_spreadsheet_interface
      EXPORTING
        no_flush        = c_check
      IMPORTING
        sheet_interface = iref_spreadsheet
        error           = iref_error.
  Get number of sheets
    CALL METHOD iref_spreadsheet->get_sheets
      EXPORTING
        no_flush = c_check
      IMPORTING
        sheets   = i_sheets
        error    = iref_error.
  Reaname he sheet
    READ TABLE i_sheets INTO wa_sheets INDEX 1.
    l_char = p_sheet.
    CONCATENATE 'Sheet' l_char INTO l_sheet.
    CALL METHOD iref_spreadsheet->set_sheet_name
      EXPORTING
        newname  = l_sheet
        oldname  = wa_sheets-sheet_name
        no_flush = c_check
      IMPORTING
        error    = iref_error.
    REFRESH i_sheets.
    CLEAR: l_char,
           l_sheet.
  Add sheets
    DO l_time TIMES.
      l_char = sy-index.
      l_char = p_sheet - l_char.
      CONCATENATE 'Sheet' l_char INTO l_sheet.
      CALL METHOD iref_spreadsheet->add_sheet
        EXPORTING
          name     = l_sheet
          no_flush = c_check
        IMPORTING
          error    = iref_error.
    ENDDO.
  Get number of sheets
    CALL METHOD iref_spreadsheet->get_sheets
      EXPORTING
        no_flush = c_check
      IMPORTING
        sheets   = i_sheets
        error    = iref_error.
    SORT i_sheets BY sheet_name DESCENDING.
  ENDFORM.                    " SUB_CREATE_DOCUMENT
  FORM sub_save_document .
    DATA: l_changed     TYPE int4.
  Save the document
    CALL METHOD iref_document->save_as
      EXPORTING
        file_name = p_file
        no_flush  = c_check
      IMPORTING
        error     = iref_error.
  Close the document
    CALL METHOD iref_document->close_document
      EXPORTING
        do_save     = c_check
        no_flush    = ''
      IMPORTING
        has_changed = l_changed
        error       = iref_error.
  ENDFORM.                    " SUB_SAVE_DOCUMENT
  Thanks
  Subhankar