Deselect auth. check for infocubes (Checks for infocubes) in RSSM

Similar Messages

• Can we give more than one value for an Authorization field in Auth-Check.

  Hi all,
  Can we give more than one value for an Authorization field in Auth-Check.
  Ex: AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD <Value 1> <Value 2> <Value 3>.
  IF SY-SUBRC 0.
  MESSAGE E...
  ENDIF.
  If yes, please help me with exact syntax.
  Think it will be like
  ID 'CUSTTYPE' FIELD: <Value 1>, <Value 2>, <Value 3>.

  Hi,
  yes we can give more than one field.
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object> 
     ID <authority field 1> FIELD <field value 1>. 
     ID <authority field 2> FIELD <field value 2>. 
     ID <authority-field n> FIELD <field value n>. 
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  please reward points, if it is useful.
  satish.

• Need to deactivate structural auth. check for a custom Report

  Hi all experts:
  I have a report that is based on PNPCE logical database and it displays work hours for a project, all non-sensitive information.  We would like a wide range of users to have access to this but since this is based on PNPCE logical database whenever a user runs it, the str. authorization check is performed.  I have tried deactivate this check with P_ABAP object and coers 2 but it only ignores infotype auth. check but still checks the structural.  We don't want to expand str. profile for users. 
  Do you know if there is a way to deactive this just for one report?
  Your help will be greatly appreciated.
  Regards,
  Net

  Thanks Kiran. I had tried that value but still got the same message.  I am having problem understanding exactly when this value 2 ignores structural authorization because it works on some reports and not others.  Anyway, we implemented BADI for this report to ignore structural auth. check and it is working fine.
  Thanks again,
  NT

• No auth checks for custom transactions

  Hi,
  In my SAP system there are many custom trasanactions in which there are no auth checks in their respective programs,
  Is their any way to restrict these transactions based on the organisational levels without doing any changes to the program.
  Can we restrict these transactions by adding a authorization through se93 ?
  If any documents are there on the same issue please share.
  Thanks,
  Sanketh.

  I would take a slightly different approach, as a least worste option.
  > Assuming that there is reluctance/inability to modify the code
  In that case the code is modularized, but the security front-end is lazy.
  What you can do is assign an authorization group to the report type program as well which has the org.value in the P_GROUP field of S_PROGRAM in it, and create a variant for it protected by P_ACTION = VARIANT. The users can submit reports if they are authorizated for the variant action as well, but not directly.
  Then create an myriad of parameter transactions per org level and submit the report via transaction START_REPORT (so, via the varint!) with the variant set for the org. level in the selection screen.
  But this completely defies thze concept of modularizing code and not maintaining redundant code, as well as redundant variants, and redundant menus of roles which could have been modularized as well.
  The only potential "up side" of this is maintaining the SU24 data of the parameter transactions, but who does that?
  Yes, if you maintained SE93 then the system would do it for you (automatic adjustement) but the scalability and flexibility of org. level maintenance in roles and well as the modularization (and maintainability) of code would be toasted.
  Probably developers would not make authority-checks at all anymore, and that would be like going back to the conceptual stone ages.
  Even the Commodore 64 was more modularized than that....
  Cheers,
  Julius

• Suppress a normal auth check

  I know in most business scenarios this is not normal.  However, please consider this question.
  A developer, at the request of the business partner, wants to create a  custom transaction code like a traditional transaction...say me22n.  It's purpose is to update a standard PO (NB), which the user is not normally authorized to do.   The developer has been asked to only offer 2 fields for update, not all fields.
  So, normally, the user would have me22n, but not have m_best_bsa for updating an NB type of purchase order - but he is allowed to update other types of purchase orders.  However, though this  custom transaction, we would like him to be able to update the standard PO, but only two fields. 
  Because the custom transaction runs the standard program, the normal auth checks are taking place, preventing the person from updating the standard purchase order.  If we grant the access required by the program, we will introduce a problem.  The user already HAS me22n to update other types of purchase orders "legally"...but now we've granted the object they did not have.  Via me22n, they can now update all fields on a standard purchase order (type NB).
  So, do you copy the standard program and make a custom program, and then suppress the auth checks in it?  Therefore, you never have to grant m_best_bsa update to type NB.  And through ME22n, they can't update a standard PO, which is what we want.
  OR, is there another, better way to do this.

  You may want to play around with the SU24 settings for your new transaction.
  See [SAPhelp on Authorization Checks|http://help.sap.com/saphelp_nw04/helpdata/en/52/67129f439b11d1896f0000e8322d00/frameset.htm] for more information.
  Jurjen

• Sec. Optimization self-service - Customer specific auth Checks

  Hi There,
  checking some automatic check like 0750 I see in SolMan there are some tabs like Green, Red, Recommendation (0705)
  checking the Customer specific auth Checks I found out only some of them.... I would be interested to know if it is possible to configure "something" in order to have the  tab Recommendation (9XXX)  for Customer specific auth Checks .
  Thanks
  FedeX.

  Hi,
  I still test and no quit sure if I am doing the right process...what I have done:
  use st13 to create my own alerts > 9000.
  use st14 for creating the report on target system... I check on the target system and by viewing data of the generated report there is a list of users because security specification > 9000.
  export report to SolMan ... successfully
  on SolMan ... what are the steps that I have to do?..I am not quit sure ... I go to session workbench ...here there are already some info of the previous check that I did days before ......  I click on the option collect data (ST13, ST14)..I delete the old number and introduce the new GUI Number and click on collect button... the rest of the fields are filled in ... and no additional message appear..
  one of the existing entries on the left side  is Customer specific Auth check ...it is in red..
  being on the collect data (ST13, ST14) entry I just click on save + next open check an the focus/cursor jump automatically to the last entry check session consistency  I do not identify any change in the entry Customer specific Auth check which still red and not showing the expected list ( what I see in target system)
  well hope this give some idea about the issue and possible solution
  Thanks
  FedeX

• Auth obj for Tax number 1 and Tax number 2 in fk02

  In tocde FK02 and FK03 we want to restrict some of the fields i.e Tax number 1 and Tax number 2 i.e field stdc1 & stdc2 ,to be visible to some users only ,Is there any auth obj for these fields which we could restict to specific users.

  Hi,
  You can give the authorization for tab wise Genaral data/accounting data/Payment transaction
  Check the auth. objects:
  F_LFA1_BUK     Vendor: Authorization for Company Codes
  F_LFA1_BEK     Vendor: Account Authorization
  F_LFA1_APP     Vendor: Application Authorization
  F_LFA1_AEN     Vendor: Change Authorization for Certain Fields
  Regards,
  Kishore K

• ABAP Query Auth-Check

  Hello,
       I have an issue in regards to ABAP Queries that are accessed via SQ00.  The issue was that a lot of the reports (based on a sample) do not have any authorization check.
  There is over a 1000 queries, is there any way for me to check the code for the auth check on mass ?  It is very tedious and time consuming going in one at a time to look for the auth check.  Any help would be greatly appreciated.
  Thank you

  Hi Chris,
  As standard there is no data level auth check in SAP Queries.  Just one reason why they are often a poor solution for reporting.
  Those based on Logical Databases have any checks that are present in the LDB.
  Auth checks are placed in the infoset code, so it's only the infosets that you need to review to see if auth checks are included.  If you have lots of queries hanging off a small number of infosets, this will be a fair bit easier.  Your dev team should be able to point you towards the relevant section of the infoset that contains any additional validation code.

• EHSM: Use Auth Check BAdI to hide Incident

  Hi all,
  I have enhanced the standard Auth Check BAdI BADI_EHHSS_INC_EXT_AUTH_CHECK for EHSM. Works like a charm.  But I just got another requirement and thought maybe someone else has done this before.
  Right now, I have it set up so people with out the correct access can only view incidents.  Is there a way to use the BAdI to completely hide an incident when a user clicks on it?
  Hope this makes sense.
  Cheers,
  Kevin

  Hey all,
  Our requirements ended up changing a bit but ended up putting authorization checks into class methods that control visibility for the sections of EHSM that we wanted to hide.  So, we got the result we were looking for.
  Cheers,
  Kevin

• Auth check in VA03 & VA05

  Hi,
  I have a query regarding authorization in one transaction in SD. We have created one custom auth object for WERKS and assigned to VA01. Here it is working fine and assigned to user for their perticular plant. This way they are restricted to their own plant and can not run the transaction for other plant.
  Same way we want to do it for VA03 and VA05 so that user can run the transaction for their own plant. It seems that these transactions are not checking authorization at plant level.
  Can any body help on the same pls?
  Thanks in advance..
  Regards,
  Prashant

  HI,
  Thanks a lot for your reply.
  I have done the same thing but unfortunately it is not working in the case of va03 while it is working perfectly fine for va01.I have observed that in role, if i assign only va01, it is adding plant in authorisations. Where as in va03, it is not adding plant at organization level. Probably in VA03 it is not checkin at plant level at all.
  Any other way to check or restrict would really help me. Pls guide me.
  Thanks in advance,
  Prashant

• DIsable smtp auth only for an ip

  Dear gurus,
  I have sun messaging server 6 running perfectly alright and only new thing which I would like to incorporate is to disable smtp auth only for one ip address.I am new to this system and have gathered following information from sun messaging docs, the steps which I followed..
  1) Create a table DISABLE_SMTPAUTH_IP similar to INTERNAL_IP mapping table in mapping file
  INTERNAL_IP
  10.18.18.19 $Y
  10.18.18.38 $Y
  10.18.18.30 $Y
  127.0.0.1 $Y
  * $N
  ! Added on 01092008 for disabling smtp_auth
  DISABLE_SMTPAUTH_IP
  external.ip.addres $Y
  *$N
  2) ALLOW PORT ACCESS
  *PORT_ACCESS
  *|*|*|*|* $C$|DISABLE_SMTPAUTH_IP;$3|$Y$E
  *|*|*|*|* $C$|INTERNAL_IP;$3|$Y$E
  3) Then right after the current rewrite rule in imta.cnf file Created new TCP CHANNEL
  ! Do mapping lookup for internal IP addresses
  [] $E$R${INTERNAL_IP,$L}$U%[$L]@tcp_intranet-daemon
  added a new rewrite rule:
  ! Do mapping lookup for "no smtp auth", non-internal IP addresses
  [] $E$R${DISABLE_SMTPAUTH_IP,$L}$U%[$L]@tcp_nosmtpauth-daemon
  ! ttcp_nosmtpauth-daemon
  tcp_nosmtpauth-daemon smtp mx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL nosasl nosaslserver
  tcp_nosmtpauth-daemon
  ! tcp_local
  tcp_local smtp mx single_sys remotehost inner switchchannel subdirs 20 maxjobs 30 pool SMTP_POOL maytlsserver maysaslserver s
  aslswitchchannel tcp_auth loopcheck threaddepth 32 blocklimit 5120 notices 1 2 backoff "pt5m" "pt1h" "pt2h" "pt4h" destinati
  onspamfilter1optin spam
  tcp-daemon mumbbmr1.dataone.in
  ! tcp_intranet
  !tcp_intranet smtp mx single_sys subdirs 20 dequeue_removeroute maxjobs 7 pool SMTP_POOL maytlsserver allowswitchchannel sasl
  switchchannel tcp_auth blocklimit 2500
  !tcp_intranet smtp mx single_sys subdirs 20 dequeue_removeroute maxjobs 7 pool SMTP_POOL maytlsserver allowswitchchannel sasl
  switchchannel
  !tcp_intranet-daemon
  run /opt/SUNWmsgr/sbin/imsimta refresh
  alternatively tried imsimta cnbuild and imsimta restart
  but still i get Mail rely denied when I try sending messages from the same trusted IP without doing AUTH.
  I would like to know...
  1) If there is something mising or wrong in above steps
  2) HOw do i check if the messages from that IP(for which smtp auth is disabled) is passing from the tcp_nosmtpauth channel...
  THanks for giving your valuable time...

  thanks very much shane for giving time...
  Please always provide the exact version of Messaging Server (./imsimta version).
  mumxxxx1 # ./imsimta version
  Sun Java(tm) System Messaging Server 6.2-6.01 (built Apr 3 2006)
  libimta.so 6.2-6.01 (built 11:20:35, Apr 3 2006)
  SunOS mumxxxx1-a-fixed 5.9 Generic_118558-28 sun4u sparc SUNW,Sun-Fire-V440
  mumxxxx1#
  Why would you want to disable SMTP Authentication? What are you attempting to achieve by doing this -- what is the problem you are trying to solve?
  We are an ISP and therefore sometimes required to send bulk mail, for which we are currently using perl bulk mail module script and there we specify the users in text file to send message, everytime this module try sending it get Mail Relaying denied as it doesnot supply user and passwd required for smtp auth in base64.
  Therefore I wanted to disable smtp auth for an ip address using which smtp auth is not reqauired and mails should be openly relayed.
  Why are all of the above entries commented out? Did you intend to disable (break) the tcp_intranet channel?
  no it is not commented in config files.
  +./imsimta refresh is no longer a valid comment, you need to use ./imsimta cnbuild;./imsimta restart+
  as per sun mesaging server 6 admin guide it is given to be working. Alterntively I tried ./imsimta cnbuild;./imsimta restart.
  Please provide the mail.log_current line that matches the attempted email delivery which was rejected.
  mumxxxx /opt/SUNWmsgsr/sbin # tail -f /mta/logs/imta/mail.log_current
  08-Sep-2008 13:42:19.52 7079.0fca.710096 tcp_local J 0 [email protected] rfc822; [email protected] mailserv 530 5.7.1 Relaying not allowed: [email protected] SMTP
  bash-3.00# telnet mumxxxx 25 Trying 10.18.18.19...
  Connected to ::ffff:10.18.18.19.
  Escape character is '^]'.
  220 mumxxxx.datxxxx.in -- Server ESMTP (*)
  ehlo mumxxxx.daxxxx.in
  250-mumxxxx.daxxxxx.in
  250-8BITMIME
  250-PIPELINING
  250-DSN
  250-ENHANCEDSTATUSCODES
  250-HELP
  250-XLOOP 82F58AB6E3453199924062C516F2E337
  250-AUTH PLAIN LOGIN
  250-AUTH=LOGIN
  250-ETRN
  250-NO-SOLICITING
  250 SIZE 0
  mail from: [email protected]
  250 2.5.0 Address Ok.
  rcpt to: [email protected]
  530 5.7.1 Relaying not allowed: [email protected]
  rcpt to: [email protected]
  Also please clarify if you want to disable the ability to perform SMTP auth or whether you want to allow email to be sent without requiring SMTP auth -- these are two completely different objectives.
  No I do not want to disable SMTP auth for everyone.DEfault is it should be forced to all except from one ip. ie disable smtp auth only for an ip address.
  Regards
  Pradeep

• BRFPlus - Control Rule maintenance using Auth checks (BADI?)

  Hello BRFPlus gurus,
  We are reviewing BRFPlus for use in our global project and here is our question.
  We want to develop some rules, for use in Business Workflow, using BRFPlus and make them available for change to users. Some of these rules are going to be based on company code and we want to control rule maintenance based on company code to ensure users can only modify/create/display rule (e.g. decision table entries) entries only for the company code that they belong to. e.g. user for company code 0001 should not be able to change decision table entry for company code 0002.
  currently we have similar rules maintained using ECC custom table maintenance and we use  table maintenance Events' to code authority checks for custom auth objects.
  I am wondering if BRFPlus has any BADI (or similar mechanism) available to allow us program these auth checks depending on 'Element' values.
  I would greatly appreciate your response.
  Thanks,
  Saurabh

  Hi Carsten,
  Thanks for making us aware of that hidden feature that we could use.
  would you mind sharing some high-leve steps that we could follow to complete the BRFPlus prototype we are doing?
  Ability to control modification of these objects using auth is one of the key criteria for prototype success .
  Looking forward to learn more about this rule engine.
  Thanks,
  Saurabh

• Is there a listing of all Auth.Objects for SAP and the discription for them

  I would like to know if there is a listing of all the Auth.Objects  for SAP out there somewhere??
  Thank you,
  Robert

  > Auth.Objects  for SAP out there somewhere??
  You want all the customer objects as well in all SAP systems?
  (Or just those in your TOBJ?)
  PS: Please try the F1 key on fields to find their tables (or structures) and give the search a try as well...
  Cheers,
  Julius

• Auth Group for Accounting Doc and Account authorization for  Vendors

  Hi guys,
  I have question regarding Accounting Doc for Vendor and G/l Account.  I have a security client whree I build my business roles for end user but we we configuration client where all the functional focus wokring and doing configuration.  My questiion when I start creating business roles  and start going  into these authorization objects and filling up the field values (F_BKPF_BEK, F_BKPF_BES,  F_BKPF_BLA).
  I won't  see auth group that will be c reated by functional  cocus because they are working on configuration Client and they probably create auth group for above authorization objects in Config lcient and I'm building Roles in my security client. 
  If it is true what would be the best way to create business role.  I'm in realization face of the project  Should I build my roles in Config client?   Please advise.
  Thanks in advance
  Faisal

  What is the benefit of a "security client" in DEV? I don't get it...
  You anyway need to protect the namespace... and the authorizations for role development (SU24) and admin (PFCG).
  Anyway, you have closed your question so we can only lick our wounds now
  Cheers and good luck on your project (let is know how it goes if you stick around for long enough to experience a release upgrade...
  Julius

• How to get list of Users under an Auth Group (for executable Programs)?

  Hi experts.  I have a requirement to get a list of all users under a particular Auth Group for Program Objects.
  Goal of this requirement is to identify the users allowed to use/access a program - we're doing some sort of Program Inventory and we'd like to identify the users per program, via the Auth Group. 
  So question is:  Which tables hold data about Program <-> Auth Group <-> Users, and how are they linked?
  I know this is Basis/Security stuff, but I was thinking of developing a report program to output the information needed.
  Thanks in advance.
  Edited by: George Esquerra on Nov 17, 2011 10:24 AM

  This is available in the standard via tx SUIM - user - users by complex selection criteria - by authorization values.
  If you enter auth object = S_PROGRAM and value = auth group, you will get the list of users.
  You can analyse how this program finds the information and incorporate it into your own logic.
  Thomas