Default Authorization object P_ABAP for PA20

Dear colleagues!
After SP implementation roles werу adjusted and new authorization check for P_ABAP was added for transaction PA* (PA20, PA30...).
Where is hr-reporting checks in these transactions? It's critical for personnel data maintenance or used only for sub-menu reports?
Trace for PA20 shows the following values for P_ABAP check (PA20-Goto-Planning Data-...):
P_ABAP     RC=12 REPID=SAPMP50A;COARS=2;
P_ABAP     RC=12 REPID=SAPDBPNP;COARS=2;
SAP Release ERP 6.0 EHP4 (10 stack)
Regards,
A.M.

Hi,
The values mentioned for P_ABAP here is not necessary to be added in a role. SAPDBPNP is a logical database and providing P_ABAP with degree of simplification (COARS) = 2 is very dangerous, as it will bypass any authorization check while executing reports related to that logical database.
Providing such values will disturb your entire authorization design as even though you might restrict an user on few Infotypes in P_ORGINCON, but with this value, it actually bypasses any report using this logical database to check for Infotype authorization or structural auth restriction.
To suggest a possible solution, I would like to know exact activities intended to be done with PA20 and level to access provided in P_ORGINCON. Please can you share that here?
Thanks,
Deb

Similar Messages

  • Authorization object A_S_GSBER for Business area

    Dear group Members Warm Greetings
    Transaction code z_am_detail was added to the role from tcode pfcg .SAP proposed new values for certain organisation levels for example: the authorization object A_S_GSBER. The values proposed by the system for business area field are: 1000, 2000, 3000 & 9000. which are old, the 2 new business areas that were recently configured are not proposed which are 5000 & 6000. This could mean that there is some configuration setting with which the system suggests default values.
    Suggest me to fix this issue
    regards
    shamulheq
    Edited by: shamulheq on Mar 16, 2010 6:27 AM

    Hi Tipu,
    Have you tried creating Screen Variant  from the same Transaction SHD0.
    Try to create a screen variant for the Free Selection screen
    Program : SAPF110V
    Screen No: 0203
    Field Name  : F110V - TEXT1
    There is an option which saves the Variant "With Content"  & "Required", fill the Field Selection with "BSEG-GSBER" and check these check boxes.
    Hope this will work.
    Regards
    Andrew

  • Update the authorization object value for more than 1000 role

    I need to remove one of the activity value (06) from authorization object S_SCD0.
    I do a search and found out that there are more than 1000 roles which having the activity value = 06 for authorization object S_SCD0.
    However, I don't think I can create a SCAT script to update all these 1000 roles and I believe its going to be a very tedious if I am going to manually change it one-by-one. Hence, I am wondering is there any standard program/function which I can use to automate the above changes for all these 1000 over roles.
    Kindly advise.
    Thanks

    Direct update the table is the easiest way, but should be discourage for the obvious reason.
    Should take a step back, take a long term view, when you need to update 1000 roles, maybe a role redesign might be needed. For example, if you can change the role model to derive role model, once update to the parent role will take care of all the child role.
    Thanks,
    Lye

  • What User authorization objects needed for connecting to SAP from xMII?

    We eneter a SAP user and password for connecting to SAP from xMII to retrieve the metadata of the incoming IDocs.
    When I specify a user with SAP_ALL user profiles, the IDocs are received properly in xMII. If I specify a user with privileges to run only certain transactions, IDocs are not received in xMII.
    What user authorization objects are needed for this user to connect to SAP from xMII?
    Thanks,
    Sara

    Sam,
    I turned on the SAP System trace for this user and figured out the following auth. objects are required for receiving IDocs in xMII:
    C_TCLA_BKA
    S_RFC
    S_CTS_ADMI
    B_ALE_MAST
    S_IDOCDEFT
    The following auth. object is required for making JCO call to SAP from xMII:
    C_AFRU_AWK
    Thanks,
    Sara

  • Why authorization object M_MSEG_LGO for MB1B (MTy 301) is not symmetrical?

    When transfer posting (MB1B, MTy 301) from storage location 3030 in plant 1000 to storage
    location 8000 in plant 1910, authorization object M_MSEG_LGO is checked. The activity is 01,
    movement type is 301, storage location is 3030, and plant is 1000. But when transfer posting
    (MB1B, MTy 301) from storage location 8000 in plant 1910 to storage location 3030 in plant
    1000, the fields of M_MSEG_LGO are also need to be set 01 for activity, 301 for movement
    type, 3030 for storage location and 1000 for plant. Why not 8000 for storage location and
    1910 for plant? If I set 8000 for storage location and 1910 for plant and do transfer
    posting (MB1B, MTy 301) from storage location 8000 in plant 1910 to storage location 3030 in
    plant 1000, the system says "You do not have authorization for this transaction in storage
    location 3030".

    Thank you.
    I know the reason now. In SAP standard the authorization for storage locations is not active. We activate the authorization for storage location 3030, but not activate authorization for 8000.
    the menu path is:
    Customizing(IMG)
    - Materials Management
    - Inventory Management and Physical Inventory
    - Authorization Management
    - Authorization Check for Storage Locations

  • Authorization object required for materail and vendor.

    Hi All,
    I have Z report where material and vendor are there on the selection screen.I need to put authorization check on materail and vendor. Can u plz suggest which authorization object I should use for this?
    thnks
    MSi

    On the other hand, assuming your program will run in a properly maintained SAP installation, I would always use standard authorisation objects as much as possible. Try finding a standard SAP report with similar selections and output and see how it is done there. Trace the execution via ST01 and see which objects are being checked.
    Also use the repository infosystem to browse the available standard objects. Talk to a functional and/or security expert to clarify your requirement regarding necessary authorization checks.
    Thomas

  • Authorization object creation for transaction MIGO

    Hi,
    We have created the auth object for acct asignment category with values as activity & acct assignment category.
    But when assigned to respective users, its still allowing to perform the transactions.
    Basically I am using this object for doing Goods Reciept tcode MIGO.
    As in if auth object carries value 'K' in this object i.e. for cost center then other user with value 'P' i.e. project wont be allowed to perform the MIGO for POs with 'K'.
    Kindly tell me the specifications for the auth object, so that it will restrict users from performing the MIGO.
    Regards,
    Krutika

    hi!
    1) identify the infoobject which must have restricted access. I think it is Profit Center in your case or may be PSP element
    2) in infoobject maintainance screen check Whether it is marked as Authorization relevant(RSD1)
    3) goto RSSM and create a new authorization object and add your infoobject to it.
    4) in PFCG role maintainance screen add create a new role Project Management and addt eh users to it. under the authorizations tab go to maintaina authorizatioons and add your authorization object that you create in RSSM. and maintain the correct values with in it.
    with regards
    ashwin

  • Authorization Object for Marketing Attributes

    Hi Experts,
    We are working with CRM 2007 and use in BP Marketing Attributes. Does someone know if there are any authorization objects for Marketing Attributes? We would like to restrict some of users to see some Attribute sets!
    Thank you in advance,
    Roula

    Hi Roula,
    Thank you so much for awarding points.
    Please note that in Transaction PFCG you have to assign the appropriate three digit attribute set key under the authorization group BGKRL to the authorization object C_KLAH_BKL for assigning attribute sets and to the authorization object C_KLAH_BKP for editing attribute sets.
    Please have a look at the Note in the bottom of the page at the following link for further information.
    http://help.sap.com/saphelp_crm60/helpdata/en/46/3517cc86e01421e10000000a1553f6/frameset.htm
    Regards,
    Deepak

  • Authorization Object for Workbook

    Hi...
    I have a ENDUSER role. The users assigned to this role, can only display and execute queries. (S_RS_COMP & S_RS_COMP1 are given activities 'Display(03), Execute(16) and Enter, Include & Assign (22)'.
    But, the users now, cannot build Workbooks out of queries. Is there a way, where I can allow the user assigned to ENDUSER role, to build Workbooks.
    I found an authorization object S_RS_WKBK, which is relevant to this, but its says obselete (do not use). So, am unable to use it.
    Can anyone say me the Authorization Object used for allowing Users to create and save their workbooks?
    Thanks,
    Sai.

    Hi Sai,
    For saving workbooks in Favorites you need:
    S_GUI
    S_BDS_DS
    For saving workbooks in Roles you need:
    S_USER_AGR
    S_USER_TCD
    Best regards,
    Eugene

  • Authorization Object for Z Tcodes

    Dear SAP Guru's
    how to find authorization object for Z tcodes
    e.g. in our orgnisation we have created report ZSR( Sales Register)  and we want to restrict user for Plant & sales office
    so where i can get authorization object.
    kindly help
    Thanks
    Paramanand

    Hi,
    Goto T.Code "SUIM".
    Click on "Roles".
    Click on "By Transaction Assignment".
    Enter your T.Code here i.e. "ZSR".
    Click on Execute or Press F8.
    You will identify the role assigned to it.
    Copy that role.
    Goto T.Code "PFCG".
    Paste that role here.
    Click on Display.
    Goto "Authorisations" tab.
    click on "Display Authorization data".
    Goto Utilities-->Technical names on in menu bar.
    Here you can see the authorization object assigned for this T.Code.
    But in general all the Z transactions will be in S_TCODE authorization object.
    Also,goto that T.Code.
    Immediately after this enter,"/nSU53" T.Code.
    Regards,
    Krishna.

  • Check for Authorization object

    Hi All,
    I have a report which will authorize the person running the report.
    I have been given a requirement which is to not accept some users and accept some users.
    Now I know this is possible with authorization object but as I never worked with it so I exactly kind of getting in confusion as to how to go about it.
    Could some one let me know how to go about it. I have few questions.
    1. what is the exact use of authorization object.
    2. I can build in the logic but what all should one start with before going for before implementing authorization object for the report.
    3. I know there is some basis work involved in this but what is that ?
    Thanks,
    Mahen

    Hi,
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    USe SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>.
    ID <authority field 2> FIELD <field value 2>.
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is a auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a  profile and that profile in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Reward points if useful
    Regards
    Anji

  • Report to check authorization object used in customized programs

    Hi Guys,
    An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
    Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

    Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
    To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
    Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
    Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
    Code review is an art form!
    Cheers,
    Julius

  • Analysis Authorization Object not working

    Hi Gurus,
    I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
    For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
    I have followed the below steps but still the report shows all data instead of restricted one.
    1)RSECADMIN -> Maintenance ->zz_div ->Create
    2) Add 0DIVISION in Auth structure , and in details 
    I     EQ     32
    I     EQ     33
    3) Add 0TCAIPROV with I     EQ     0SD_C03
    4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID,  this having details as
    I     CP     *
    5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
    6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
    Following are the authorization object in that user's Role (Reporting Only)
    S_RFC 
    S_TCODE
    S_GUI
    S_BDS_D  
    S_BDS_DS 
    S_OC_SEND
    S_RS_AUTH - only having zz_div
    S_RS_COMP
    S_RS_COMP1
    S_RS_ICUBE
    S_RS_RSTT
    S_RS_TOOLS
    S_RS_PARAM
    I have surfed lots of thread for this issue but not getting a solution
    Tell me what i m missing in above or any additional setting need before creating analysis authorization
    Edited by: Sonal Patel on Apr 18, 2009 8:10 AM

    Hi
    Thanks a Ton for ur reply
    I have checked in SPRO : Analysis Authorization
    where the authorization mode is " OLD obsolete Concept With RSR  Authorization Objects "
    We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
    Thanks
    Sonal....

  • Error while generation of the Authorization object (

    Hi Gurus,
    I have created a Authorization object Z_CCTR3 for 0costcenter authorization.
    but getting following error while generation of the Authorization object (type is Flat authorization)
    "Error occurred when reading the data from DataStore object Z_CCTR3"
    Any inputs will helpful...
    Sonal.....

    Hello everybody,
                             my problem is solved.For the UDConnect, whatever DATA SOURCES you create gets registered in a FUNCTION MODULE which has a capacity of only 99 enties, so to increase it implement the SAP NOTE 876340 - UDC Error available on SERVICE MARKET PLACE.
    This problem occurs with BW version 3.5 level 17 or below.
    Regards,
    Priyanka
    Edited by: Priyanka Joshi on Jun 10, 2008 11:03 AM

  • Mass maintenance of authorization objects

    Is there a SAP transaction available to mass maintain authorization objects?
    Let's say that I have 120 roles, in all of which I want to change the value of field Y of authorization object X.  For example, object S_TABU_DIS. I want to exclude an authorization group in all available roles. How can I do this for all roles which have this object?
    Modifying each role separately in PFCG is rather time consuming (and pretty unpleasant).

    Actually, SAP does provide a solution to promote and demote fields to org. levels. There are reports for this (use them and not the table maintenance transactions!) because they automatically adjust your roles as well - otherwise you end up with inconsistencies.
    But I agree with you, that org-levels is not a natural solution for this specific problem and although retrofitting security is the most expensive option, one cannot foresee all requirements from the start and Go-Live project pressure can be a factor as well to use * values for fields which on their own appear to be harmless...
    You could try to write an adjustment tool for PFCG, but with "only" 120 roles I think you will be faster and safer with doing it manually. I think that less than 1 day's work should fix it. However, if you are willing to invest 2 or 3 days more, you can also consider restoring the values from the SU24 proposals. Particularly if one group of transactions are in many of the roles and you can isolate the common transaction (the "guilty one...) then you can do it more centrally in future as well.
    However if you have not used the "Read old merge new" function in PFCG's expert mode, then you should be carefull with this as other objects might "correct" themselves as well. Particularly if you have been deleting standard authorizations in roles! (Why that button even exists, I don't know. No good can come of it...
    Cheers,
    Julius

Maybe you are looking for