Deletion of auth objects Corresponding to tcodes

Similar Messages

• *How to Delet one same object from different roles*

  I need to delete one auth object from different roles, Couls any one please advise me how can i do this and if there will be any complications involved with tis.
  Best regards:
  Maq

  In PFCG, it may be that you have added some objects manually. To remove them you will have to go to pfcg.
  Even if you first remove the objects from su24, you will have to go to all the roles through pfcg to generate them in expert mode by selecting the third option (edit old status and merge with new data)

• Custom TCODE-Auth Object Assignment

  Hello All- I see a very weird thing with custom TCODE assignment, here is what I see:
  1)We have Display role which has all functions tcodes in it, which goes to every one on PRD.
  2)Usually we assign custom tcodes which are not critical to this role, and this custom tcode would have no auth objects assigned or checked during access.
  3)When I assign custom tcode to test role, I see its not pulling auth objects in PFCG which is what I expected.
  ***4)However when I assign this custom tcode to 'Display role' which have many standard tcodes in it, I see many of the auth objects "lights turning in to Yellow" (as you know its asking me to maintain value)
  5)I checked in SU24/SU22, to see if its pulling any auth objects...no objects are tied to this tcode.
  I dont know why this is happening?
  Again if I assign to test role, no objects is showing up in PFCG which is what I want!
  Any suggestions of to handle this issue, I will really appreciate your thoughts.
  Thanks,
  AJ

  AJ wrote:>
  > Hello All- I see a very weird thing with custom TCODE assignment, here is what I see:
  > ***4)However when I assign this custom tcode to 'Display role' which have many standard tcodes in it, I see many of the auth objects "lights turning in to Yellow" (as you know its asking me to maintain value)
  > 5)I checked in SU24/SU22, to see if its pulling any auth objects...no objects are tied to this tcode.
  >
  > I dont know why this is happening?
  >
  > Again if I assign to test role, no objects is showing up in PFCG which is what I want!
  >
  This is happening not because of the Custom TCodes you have added. The reason are either of the following:
  1. In previous cases when some other TCodes (SAP Standard) were added, the the profile regeneration was not carried out by entering Authorization data through "Expert Mode for Profile Generation" (or used with option "Edit Old Status" only). Instead, "Change Authorization Data" was used. And thus the Object proposals for New entries in Menu were not pulled into Profile Generator at that time. Now it's coming. Surely you entered with Expert Mode for Profile Generation --> Read Old status and Merge with New data.
  2. Other option can be: Earlier some Objects were changed which were present there only with "Standard" status. It should have been done by copying the Object and change the copied one. Then make the standard one "Inactive".
  3. The Inactive Object described in the 2nd point has been Deleted and the object with status "Changed" is left only. Now when you are entering with "Expert Mode for Profile Generation" it's pulling those standard proposals again.
  Let me know if the probable reason of Yellow traffic lights are clear to you or need more details.
  Regards,
  Dipanjan

• Same Auth Objects CM in su24

  Hi All –
  In SU24 for a Tcode SU01 in “S_TCODE” the following auth objects are CM.
  S_USER_AGR
  S_USER_AUT
  S_USER_GRP
  S_USER_PRO
  S_USER_SAS
  & for Tcode PFCG
  S_USER_AGR
  S_USER_AUT
  S_USER_GRP
  S_USER_PRO
  S_USER_SAS
  I am developing a role initially with SU01 Tcode. For the auth object S_USER_AGR, I am giving 01,02,03,06 field values.
  Later I add PFCG Tcode for same role “P_TCODE”. For the auth object S_USER_AGR , I am giving 22,21 field values.
  My question is if the role is assigned to a user
  1.     will he be able to create, change, display, & delete roles using PFCG ????
  2.     What is the best way to restrict the user’s in create, change, display, & delete???
  3.     For PFCG Tcode none of the Auth. Obj’s (the objects that are added by adding SU01 or PFCG Tcode VIA MENU)are maintained in the role what would be the implication??
  Thanks,
  VJ

  Hi,
  1.What is the purpose behind the calling of multiple Tcodes thru a single T.code .I mean to say, suppose, i require a C.Code object to be associated with a T.code for doing that, why i am connecting it to C.Code object of some other T.codes.
  Many tcodes are customized to limit the access / risk. The best example is with SM30. If an user want to maintain a table, you can create a custom transaction which skips the intial screen (user don't need to enter the table name) and allows the user to edit the right or only one table rather than many.
  You can connect your custom authorization object to F-67, it will not affect FBV1. the settings from FBV1 can be overwritten with the entries in F-67. use transaction SE93 to see more details and customization in transaction F-67.
  2.If i assign a C.Code (let say 1000)thru object F_BKPF_BUKRS to a user,does it mean that,i don't need to assign that C.code to user again for access related to C.code 1000 in the accounting document area.Or is there anything like that, the C.Code access will be coded globally for that user for all C.code related access for FI, MM and SD.
  Once you assign the authorization to a company code 1000 it means user has access to this company code across modules. This is subject to the transactions and thier authorization objects attached to them in other modules. Note that all the transactions doesn't perform authorization check for Company code.
  3.Is there any T.code,from where i can associate a authorization object with a T.code.
  You can use SU24 itself.
  Hope it clarifies your queries.
  Regards,
  Gowrinadh

• New t-codes & auth. objects

  Hi All-
  we are upgrading form 4.6c to ECC 6.0
  Can any pleas give the list of T-codes & Auth. objects that are new in ECC 6.0 compared to 4.6C
  Thanks in advance,
  Vj

  > I guess you can view all the new authorization objects by looking at SAP_NEW profile which contain all the latest modifications.
  Or, if you delete SAP_NEW after the previous upgrade, then all of SAP_NEW will be new.
  > For new tcode entries may be a download of TSTC tables from both the versions and comparing them will fetch you some new tcodes.
  Or use the search to find the table which contains the release dependency of "transactions"... -)
  Cheers,
  Julius
  PS: When searching, if you find any absolutely useless posts which clogg up the search, then please use the "Report Abuse" button and I will investigate them and clean them out.

• How can I limit/control the addition of auth. objects to security roles?

  Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certaing type of auth. objects and didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
  Edited by: Armando Salas on Nov 29, 2011 7:41 PM

  Hi Armando,
  Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
  I hope this helps you
  Regards
  Eduardo

• Auth Objects in ABAP Programs

  Dear All,
  how could I find the auth object being validated in programs?
  Using SU24 I am able to find transactions checking auth object...but I am not quit sure sure if there are some other programs using/checking those auth objects.
  In general I want to check one specific auth object where is used/checked.
  I will appreciate your help.
  Regards
  FedeX

  Please use the standard report RSABAPSC to check the authority check statements used in the program for any TCode. Also you can look into ABAP codes in more details by using the program RSANAL00.
  Regards,
  Dipanjan

• APO roles and auth objects

  Hello all,
  Can someone tell me the most common used Tcodes, roles and auth objects in SAP APO - DP and APO-SNP security
  thanks

  I was going to type them out but luckily for me found this link to the DP & SNP auth objects - the info there is as detailed as anything else I have seen
  http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/content.htm
  There is a list of useful APO transactions here
  http://help.sap.com/bp_scmv241/documentation/SCM_AIO_BP_Function_List.xls
  I can't help with the standard roles as I build my own.

• Error "Inconsistancy in the auth object P_ORGIN"

  Hello Gurus,
  I have to add a tcode which involves auth object P_ORGIN. When I add the tcode and go to authorization tab then it gives the error as "Inconsistancy in the auth object P_Orgin"
  Please let me know how should I add the tcode now. Thank you !
  Regards,
  MA

  PLease provide tcode
  The reason why the profile generator cannot correctly insert the
  default values of these transactions is due to a data inconsistency in
  table USOBT_C (default values for customers). The table does not
  contain an entry for field BTRTL of authorization object P_Orgin.
  You can immediately correct the incomplete data in your customer table
  USOBT_C using the following steps:
  Step 1 Execute transaction SU24
  Step 2 Enter the transaction affected by this error ie XXXX
  Step 3 "Change check indicator" (F6) in the application toolbar.
  Step 4 With "Display field values" (F7) you check the default values of
  P_Orgin. Please document the values.
  Step 5 Go back to the previous screen and set the check indicator from
  "Check/maintain" to "Check" for P_Orgin.
  Step 6 Set the indicator for P_Orgin back to "Check/maintain".
  Step 7 Choose the function "Change field values" (F6) and insert the
  formerly documented values for AUTHC in object P_Orgin.
  Now you see also the field BTRTL being presented.
  Save the changes.
  Repeat steps 3-7 for each of the transactions affected.
  Hope you are clear with the steps.
  Thanks,
  Prasant
  Edited by: Prasant K Paichha on Mar 3, 2010 3:01 PM

• Delete all the objects in a package

  Hi Guys,
  My requirement is that i need to write a program to delete all the objects in a package. In the selection screen i enter the package name and then i get all the objects in the package from TADIR table and display them in an ALV.
  There when i select a object and press the delete button ,the object (program ,table, domain,data element etc..) should be deleted .
  For this i tried to DEBUG in SE80 and tried to know how SAP is trying to delete the object. But i couldnot unterstand which Function Module or which Class and Method it uses to delete an object.
  Guys please let me know how it can be done.
  Regards,
  Chaithanya.

  hi
  check this ...
  REPORT  zxxxxxx.
  TYPE-POOLS: slis.
  DATA: x_fieldcat  TYPE lvc_s_fcat,
        it_fieldcat TYPE lvc_t_fcat,
        g_grid    TYPE REF TO cl_gui_alv_grid,
        x_layout TYPE lvc_s_layo,
         g_custom_container type ref to cl_gui_custom_container,
          g_container type scrfname value 'I_CONTAINER'.
  types: BEGIN OF ty_itab ,
          check(1) TYPE c,
         PGMID LIKE TADIR-PGMID,
               END OF ty_itab,
  data:itab type standard table of ty_itab,
         itab1 type TADIR.
    call screen 100.
  *&      Module  STATUS_0100  OUTPUT
        text
  module STATUS_0100 output.
    SET PF-STATUS 'ZSTATUS100'.
    if g_custom_container is initial.
      create object g_custom_container
             exporting container_name = g_container.
      create object g_grid
             exporting i_parent = g_custom_container.
  SELECT PGMID
    FROM TADIR
     INTO CORRESPONDING FIELDS OF TABLE itab where DEVCLASS = selection screen package
  x_fieldcat-fieldname = 'CHECK'.
  x_fieldcat-seltext = 'CHECK'.
  x_fieldcat-checkbox = 'X'.
  x_fieldcat-edit = 'X'.
  x_fieldcat-tabname = 'ITAB'.
  x_fieldcat-col_pos = 1.
  APPEND x_fieldcat TO it_fieldcat.
  CLEAR x_fieldcat.
  x_fieldcat-fieldname = 'PGMIDt'.
  x_fieldcat-seltext = 'PGMIDt'.
  *x_fieldcat-edit = 'X'.
  x_fieldcat-tabname = 'ITAB'.
  x_fieldcat-col_pos = 2.
  APPEND x_fieldcat TO it_fieldcat.
  CLEAR x_fieldcat.
  CALL METHOD g_grid->set_table_for_first_display
    EXPORTING
      IS_LAYOUT                     = x_layout
    CHANGING
      it_outtab                     = itab
      IT_FIELDCATALOG               = it_fieldcat.
  endif.
  endmodule.                 " STATUS_0100  OUTPUT
  *&      Module  USER_COMMAND_0100  INPUT
        text
  module USER_COMMAND_0100 input.
  DATA: ls_outtab LIKE LINE OF itab.
  DATA: l_valid TYPE c,
        ok_code like sy-ucomm,
         r_ucomm LIKE sy-ucomm,
         ls_celltab TYPE lvc_s_styl,
        lt_celltab TYPE lvc_t_styl,
        l_index TYPE i.
  CALL METHOD g_grid->check_changed_data
    IMPORTING
      e_valid = l_valid.
  IF l_valid EQ 'X'.
  case sy-ucomm.
  when 'DELETE'.
  LOOP AT itab INTO ls_outtab where check = 'X'.
     move ls_outtab-object to itab1.
    delete TADIR from itab1.
  ENDLOOP.
  endcase.

• Auth objects required for creating super,power,end user roles

  Hi ,
  I need to create 3 roles according to the below requirement. can you tell me what auth objects req inorder to fulfill customer requirement.
  1.     Super User: 
       Have the access to Create/Modify/Delete own queries
       Can create Variables, CKF, Structures, Formulas & RKF at the cube level (global)
  2.     Power User :
       Have the access to Create/Modify/Delete own queries
       Can create Structures, Formulas at the query level
  3.     End User
       Have the access to run and navigate reports at the local level
  Hope I will get reply soon
  Thanks

  Karunakar -
  Few things you have to keep in mind when you are giving access to the reports and queries.
  S_RS_COMP only will not do.
  have you assigned S_RS_COMP1 and S_RS_MPRO for info areas and multi/info providers.
  and one more auth object S_RS_ICUBE for info cubes. you have to assign what ever the info cubes that you need to give access to the users.
  Then only user will get full access.
  precisely in order you can say,
  S_RS_COMP
  S_RS_COMP1
  S_RS_ICUBE
  and S_RS_MPRO.
  These are main auth objects which are related to info cube, info area access and BEx access.
  Hope this would give you clear pic.

• Auth Objects on ME23N

  Hi Guys,
  I'm trying to find the authorisation objects that control the GRIR information on the Display PO's tcode - ME23N.
  I have to seperate roles with ME23N tcode - one shows the GRIR info on the details section and the other not.
  Just trying to understand which auth object controls the display and which values to assign to have it displayed or not.
  Rgds,
  Thinus

  I use SU24 to see which auth objects is involved.
  The problem I have is that the amounts on the Purchase Order History tab is not showing when I assign one role, but when I assign the other, it does.
  I guess what I should do is do a comparison on the auth objects and values with the 2 ME23N's in both roles.
  This might give me an indication on the possible differences.
  Comments??

• Job role design - transaction role and auth object role

  Hi all, please kindly comment following job role design:
  (1) transaction role:
  Keep transactions in single job role to represent business processes in different application areas, e.g.MM: maintain PR, PO, OA.   CO: maintain cost center, internal order   HR: maintain org structure, personnel management.
  The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
  (2) authorization role
  Keep application component related authorzation objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role.  Objects of HR in HR role.
  Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role.;....
  User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
  with MM transaction role + company A MM role + company A CO role.
  Please let me know the pros and cons of above design.  Thanks.
  Regards,
  Donald
  * I can see the disadvantage of this design is during SAP upgrade (SU25), revised of authorization object will not reflect in authorization role

  Brent Van Dyck wrote:
  Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
  That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
  In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
  But splitting cube / characteristics / key figures  or infotype / personel group / auth code into different roles can only go wrong.
  Another mistake some "value role experts" sometimes make is that they don't want Su24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side affect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
  Cheers,
  Julius

• Under FI Auth Object F_BKPF_BUK is Activity 7 and 77 considered update?

  Does the Activity 7 and or 77 alone or in combination with any other Activity in Auth Object F_BKPF_BUK give access greater than read or Display?

  Hi,
  01     Create or generate
  02     Change
  03     Display
  06     Delete
  07     Activate, generate
  08     Display change documents
  22     Enter, Include, Assign
  43     Release
  77     Pre-enter
  C4     Decrypt Payment Card
  activites for auth object F_BKPF_BUK .

• SU24 on M_EINK_FRG auth object

  Hello Gurs,
  Requirement
  To make the release code/group to Org filed . Currently is not a Org filed.
  What I have done:
  The auth object is  M_EINK_FRG.
  Before I make it org field, I was cleaning up some tcodes  for eg : Me35 ,ME35K and ME28 to deactivate the object in SU24 ( meaning NO in the proposal u201Ctabu201D  as no users are assigned to this tcode in production.
  Question:
  After capturing in transport I am getting pop up with " Data automatically corrected " message and changes are getting reflected in SU24 once I click on this pop green check mark button. no sure why
  I have problem with this object only not which other auth object
  Please suggestion or did you experience any of this sort
  Damodar

  I think he only wants the proposal flag as 'No', but then SU24 automatically corrects the value based on TSTCA.
  See How to handle unwanted SU24 proposals which are automatically "corrected"? and the post by Keerti Vemulapali, which points to SAP note 1404093.
  PS: What would be very usefull for an "automatic correction" would be in the case of report type transactions to check whether the submitted report has been assigned to an S_PROGRAM group, and fill that with p_action SUBMIT. Any chances..? 
  Cheers,
  Julius