Details about authorization Object

Please help, I have two fields, e.g. sales org & distribution channel, and I have to write code for authorization. Is the authorization object which I wrote right or not?
I know that we can use at max 10 fields, but say VKORG / VTWEG is used 5 times with different variable names in the same program; how do I make sure that this code will work for the authorization check on VKORG / VTWEG? Can anybody please explain it to me in steps?
AUTHORITY-CHECK
          OBJECT 'Z_zzlau'
          ID  'VKORG' FIELD  'S_VKORG'
          ID  'VTWEG' FIELD  'S_VTWEG'
          ID  'ACTVT' FIELD '02'
          ID  'ACTVT' FIELD '03'
          ID  'ACTVT' FIELD '70'.
Thanks

Hi,
The ACTVT field is used for checking the create / display / change authorizations.
After creation of the activity group, add it to the user profiles which need authorizations.
01-create 02-change 03-display
AUTHORITY-CHECK
OBJECT 'Z_zzlau'
ID 'VKORG' FIELD 'S_VKORG'
ID 'VTWEG' FIELD 'S_VTWEG'
ID 'ACTVT' FIELD '02'
ID 'ACTVT' FIELD '03'
ID 'ACTVT' FIELD '70'.
If you are checking authorizations with the selection screen parameters then change your code like below (if change is required):
AUTHORITY-CHECK
OBJECT 'Z_ZZLAU'
ID 'VKORG' FIELD S_VKORG
ID 'VTWEG' FIELD S_VTWEG
ID 'ACTVT' FIELD '02'.
And also check SAP help on this:
AUTHORITY-CHECK
Basic form
AUTHORITY-CHECK OBJECT object
    ID name1  FIELD f1
    ID name2  FIELD f2
    ID name10 FIELD f10.
Effect
Explanation of IDs:
object             Field which contains the name of the object for which the authorization is to be checked.
name1 ... name10   Fields which contain the names of the authorization fields defined in the object.
f1 ... f10         Fields which contain the values for which the authorization is to be checked.
AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
You must specify all authorizations for an object and also a value for each ID (or DUMMY).
The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
The return code value changes according to the different error scenarios. The return code values have the following meaning:
4   User has no authorization in the SAP System for such an action. If necessary, change the user master record.
8   Too many parameters (fields, values). Maximum allowed is 10.
12  Specified object not maintained in the user master record.
16  No profile entered in the user master record.
24  The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28  Incorrect structure for user master record.
32  Incorrect structure for user master record.
36  Incorrect structure for user master record.
If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
Note
Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
Example
Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
Table OBJ: Definition of authorization object
M_EINF_WRK
   ACTVT
   WERKS
Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
M_EINF_WRK_BERECH1
   ACTVT 01-03
   WERKS 0001-0003 .
can display and change plants within the Purchasing and Materials Management areas.
Such a user would thus pass the checks
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' FIELD '0002'
    ID 'ACTVT' FIELD '02'.
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' DUMMY
    ID 'ACTVT' FIELD '01'.
but would fail the check
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' FIELD '0005'
    ID 'ACTVT' FIELD '04'.
To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.
Regards
Appana
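
An added example, not part of the original posts: one way to apply the check discussed above to selection-screen ranges. It assumes the custom object Z_ZZLAU has exactly the fields VKORG, VTWEG and ACTVT, as in the question; the report name, FORM name and variable names are hypothetical.

```abap
REPORT z_auth_check_demo.            " hypothetical report name

TABLES tvkov.                        " sales org / distribution channel pairs

SELECT-OPTIONS: s_vkorg FOR tvkov-vkorg,
                s_vtweg FOR tvkov-vtweg.

DATA: gt_area    TYPE STANDARD TABLE OF tvkov,   " combinations selected
      gt_allowed TYPE STANDARD TABLE OF tvkov,   " combinations the user may see
      gs_area    TYPE tvkov,
      gv_subrc   TYPE sy-subrc.

START-OF-SELECTION.
  " A select-option is a range table, so it cannot be passed to FIELD as is,
  " and FIELD 'S_VKORG' in quotes would check the literal text S_VKORG.
  " Resolve the ranges to the concrete combinations the report would read.
  SELECT * FROM tvkov INTO TABLE gt_area
    WHERE vkorg IN s_vkorg
      AND vtweg IN s_vtweg.

  LOOP AT gt_area INTO gs_area.
    " One activity per check. Display (03) is enough for a read-only report;
    " check 02 or 70 separately, right before the action that needs it.
    PERFORM check_sales_area USING    gs_area-vkorg gs_area-vtweg '03'
                             CHANGING gv_subrc.
    IF gv_subrc = 0.
      APPEND gs_area TO gt_allowed.
    ENDIF.
  ENDLOOP.

  IF gt_allowed IS INITIAL.
    MESSAGE 'No authorization for the selected sales areas'
            TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.
  " ... continue, reading data only for the combinations in gt_allowed ...

* The ID names the authorization field of the object; FIELD takes any
* variable. VKORG / VTWEG values held in differently named variables
* therefore all go through this one routine.
FORM check_sales_area USING    iv_vkorg TYPE vkorg
                               iv_vtweg TYPE vtweg
                               iv_actvt TYPE activ_auth
                      CHANGING cv_subrc TYPE sy-subrc.
  AUTHORITY-CHECK OBJECT 'Z_ZZLAU'
    ID 'VKORG' FIELD iv_vkorg
    ID 'VTWEG' FIELD iv_vtweg
    ID 'ACTVT' FIELD iv_actvt.
  cv_subrc = sy-subrc.               " 0 = authorized, see return codes above
ENDFORM.
```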

Similar Messages

  • More Details about Info Objects

    I want to enrich my technical skillset.
    So could you experts pls guide me in more detail about Info Objects in SAP BI
    Thanks,
    Vijayakumar

    HI,
    Actually the info given on that page is a copy paste of the information from Help.sap.com.
    [Editing InfoObjects|http://help.sap.com/saphelp_nw04s/helpdata/en/80/1a63cde07211d2acb80000e829fbfe/frameset.htm]
    [Creating InfoObjects: Key Figures|http://help.sap.com/saphelp_nw04s/helpdata/en/80/1a63b3e07211d2acb80000e829fbfe/frameset.htm]
    And So on
    Regards,
    Gaurav

  • About authorization object

    Hi basis guys........
    I am not able to give a print request. It's showing an authorization error
    "no authorization for LOCAL PRINTER" and "output could not be issued"
    I checked the SU53 screen, and I assigned that activity in the authorization object.
    Even then it's showing an authorization problem.
    Is there any object to add to get printing?
    And what is the "s_gui" object? Does that work?
    Please tell me your suggestions
    Regards........nagendra.

    Hi
    Check whether for the user a printer is assigned or not. Only the printer which is assigned to the user in SU01 can be used by the user.
    What you can try is assign the Local Printer in default printer for that particular user.
    Also if you have assigned the authorization object that was missing then there should not be a problem.
    Regards
    Sumit Jain
    [reward with points if the answer is useful]

  • Upload Document Authorization Object

    I try to set the authorization for uploading a document onto the report via the Portal website.
    However, I can't find any proper authorization object for this purpose. (I tried the authorization object 'S_RS_ADMWB', but it is not workable)
    May you all help me in this issue? It will be highly appreciated if you also give me details of authorization object parameters?

    Hello,
    Mash recently reported a similar error here :
    when i try to upload oracle authorization objects getting errors
    obviously, we can't see the attached file
    Cheers,
    Diego.

  • Authorization object for Internal order

    Hi experts,
    My requirement is that while creating the PO using the internal order as reference, I need to check whether the internal order is valid for that user or not.
    Is there any standard authorization object for internal orders available with which I can validate the internal order by assigning this authorization object in the user role?

    Hello,
    When you try to create internal order and once you get the error.
    Open another session with /OSU53
    This gives you the details of authorization objects or transaction codes you are lacking.
    Provide this to security administrator of your team.
    Hope your problem will be solved.
    Regards,
    Ravi

  • TOBJ Authorization Object Details

    Hi All,
    I am trying to see the logic of a Z-Authorization object. I can see an entry in the table TOBJ but am wondering about where to see the details for that Z-authorization.
    Where can I get the details for any authorization objects?
    Please help.
    Thanks!

    Hi ,
    At run time / debugging, create a breakpoint using the keyword 'authority-check'.
    The Debugger will stop at all those places where an authority check is done.
    See attached screen shot for reference.
    Regards,
    Vikas

  • Authorization object to import mb51 detail list to excel

    Dear all,
    What is authorization object to import mb51 detail list to excel ?
    I am able to see the report material document list, but export to local file is greyed out.
    Jeyakanthan

    Hi,
    you can export ALV using menu option List -> Export -> Local file. Icon with green arrow which is usually used for download functionality in ALV has a different meaning in MB51. I know it's confusing. It's used to get full MM documents from archive. It's active only if you set option Short Documents in the section Data Source.
    Cheers

  • Authorization objects details

    Hi everyone,
    How can I get the list of all authorization objects and their details for a specific user ?
    Is there a function ?
    Thanks.
    Regards.

    Hi
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    Use SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>
    ID <authority field 2> FIELD <field value 2>
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is an auth. object.
    ID 'ACTVT' FIELD '02': in place of 2 you can put 1, 2, 3 for change, create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes for a profile, and that profile is in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Reward points for useful Answers
    Regards
    Anji

  • MB51 Detail list import to excel - Authorization object

    Dear all,
    What is authorization object to import mb51 detail list to excel ?
    Jeyakanthan

    HI,
    Try this link
    Problem with authorization object belongs to MB51
    Regards
    KK

  • BW 3.5 which authorization objects available rssm (checks for infoprovider)

    Hi all,
    How does SAP generate the list of authorization objects in RSSM when you enter a specific infoprovider (checks for infoprovider)? Are only the authorization objects related to this infoprovider listed?
    Is there any documentation about the purpose in RSSM for the button 'update check status (Authorization objects, infoprovider).
    thanks for your help.

    Based on which criteria?
    Is there somewhere detailed documentation available about the RSSM part in BW authorizations? It seems hard to find any...
    Thanks,

  • Barcodes and authorization objects

    PLS TELL ME ABOUT THE AUTHORIZATION OBJECTS WHILE WE R CREATING THE
    TRANSACTION FOR ANY  USER DEFINED REPORT .
    22. WHAT IS THE use OF BAR CODES IN ANY WINDOW OF SCRIPT . AND HOW TO INSERT BARCODE IN WINDOW.PLS TELL IN DETAIL?

    Ideally, if in a role authorization is not provided for STMS, then the user id will not be allowed to use transaction code STMS.
    However, if SAP_All is provided, in that case, user will have access to all Transaction Codes.
    Regards,
    Rajesh Banka

  • Restrict HR Authorization Object PLOG By HR Structural Auth Profile

    Via OSS Note 453786, SAP requested customers not to use HR Authorization Object PLOG_CON. 
    We have a requirement to restrict HR Authorization Object PLOG by HR Structural Authorization Profiles. How are other customers able to accomplish this objective without authorization object PLOG_CON being used?
    (Custom solution:  ZPLOG_CON/custom FM, or use HRBAS00_STRUAUTH BADI)?
    Thank you,
    Ken

    Ken,
    1. the note you mentioned is specific to sap version 46b. is that the version your client is on? just wanted to check.
    2. then you have not mentioned anything about the requirement, i mean explicit details.. without which it is very difficult to come to a solution.
    3. you look like you are on the right track of thinking though with the z-auth-object/function module/badi thingy...
    4. ultimately the solution is dependent on the explicit requirements.
    the 'con' bit usually refers to context sensitiveness of security when a mixture of regular and structural auths would not meet the security requirements.... so at a high level:
    1. design the structural profile with the right combo of eval path and function module(z-fm?)
    2. do the right thing by plog by explicitly mentioning levels of auths for all objects and subtypes and infotypes as well.
    3. use p_orgincon to assign the structural profile
    4. a combination of all of the above should do the trick...
    good luck
    cheers

  • Prompt for Authorization Object

    Dear Experts,
    I would like to have control on certain authorization objects which are common among the roles while creating them.
    Is it possible that while maintaining or creating a role, if by mistake the administrator does not block the object OR add an entry which we do not authorize, the system should alert the administrator as a popup or alert message?
    I am aware about the report "RSUSR008_009_NEW" for maintaing critical authorizations, however, running a report and giving a prompt are two different things.
    Any possibility of an alert?
    Thanks and Regards,

    Hi J K
    I take the following approach with SU24:
    Complete Proposal - completely maintain an authorisation proposal when that value applies for any situation in PFCG role build. E.g. transaction FB03 for object F_BKPF_BUK has fields ACTVT and BUKRS. You can allow the value as ACTVT = 03 and BUKRS = $BUKRS (org value) or each scenario
    Partial Proposal - only maintain some of the fields where it will be consistent. E.g transaction OB52 for posting periods and S_TABU_DIS with field ACTVT and DIBERCLS. You leave ACTVT blank as sometimes you want change whilst DIBERCLS for auth group is static so you can enter a value there
    Empty Proposal - leave the proposal values completely blank as the requirement will depend on the scenario. E.g transaction SM30 you might leave S_TABU_DIS empty as it will depend on the role for both fields.
    If you take this approach, you minimise the need for deactivating object, copying/changing and manual objects in PFCG. You maximise role authorisation under status of Standard or Maintained.
    Now if we set the proposals in su24, it will be applicable for other new roles as well for which we DO want the proposals to exist.
    Yes if you change SU24 you should clean up all impacted roles but before you build roles you should review
    At the end of the day you need to have competent security administrators who know what a display activity is and have attention to detail/meticulous enough to build the role with appropriate restrictions (i.e. do not put change access in a display role).
    How can we avoid the "new authorization objects" to be added to this display role.
    To avoid this you are trying to avoid using SU24 integration. If you are trying to build a SAP display all role then you might as well copy SAP_ALL and go through and deactivate/remove any display access from the role. In this case you would not use the role menu.
    Not all solutions are technical. It's why you need to have a clearly defined process that is adhered to.
    My trick of display roles - I got the AGR_1251 role and look at the entire contents of the role and scan this list of objects and what's in the role. However, I do this as I know the objects relatively well and can identify the specific objects that are change/display  but do not use ACTVT field (e.g. PLOG/P_ORGIN/P_PERNR)
    Wonder why SAP prompts warning and errors messages doing a business/financial transaction and not security.
    Exactly what would you want the system to prompt? How would SAP know what a display role is?
    We noted that every time we add a t-code, the authorization object added is marked as "new" in the list. We just disable those and generate it
    If you take this approach you cannot guarantee the transaction code will work. The user may need the underlying values and that is why SU24 has them marked as proposal.
    My summary - define your process to include a quality check after building a role and hire security administrators who know more than how to tick and click buttons in PFCG (i.e. they understand security objects and why some are sensitive).
    Regards
    Colleen

  • Mass update to FILENAME field in S_DATASET authorization object

    We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value.  I'd like to do this programmatically if possible.
    What I've learned so far is that I need to update the value in table USR12, but the value is encoded.  When I look at the table in SE16, I do not see the encoded value field.  The value does show in UST12, but I'm told this is an unreliable table.
    So I'd like to know..
    1. How can I look at the value if not in SE16?
    2. Is there an API I can use to encode/decode the value?  If not, where is the specification on how to build it?
    If this is better addressed in a different forum, which one should I try next?
    Thanks,
    Dan

    Hi there,
    Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
    But the behaviour as you have described:
    >
    > Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
    > =============================================================
    > *                                 X         X            DUMY
    > /temp/FI/..                       X         X            DUMY
    > /temp/FI               X                                 FIFI
    >
    ... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
    > Caution:
    > - If you enter paths generically in the table SPTH, the most precise specification counts.
    > - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
    So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
    So, the only check which is effective to protect the path, is:
    Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
    =============================================================
    /temp/FI               X                              FIFI
    ... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
    Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
    form CHECK_PERMISSION using ISPTH_HEAD type SPTH
                                MODE       type CLIKE
                                SUBRC      type SY-SUBRC.
    data: ACTIVITY like AUTHB-ACTVT.
       SUBRC = 0.
       case MODE.
         when 'R'.
              ACTIVITY = '03'.
         when 'W'.
              ACTIVITY = '02'.
         when 'D'.
              ACTIVITY = '02'.
       endcase.
       if ISPTH_HEAD-FS_BRGRU <> SPACE.  "Here it is... for BEGRU checks there must be a value...
          authority-check object 'S_PATH'
              id  'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
              id  'ACTVT'    field ACTIVITY.
           if SY-SUBRC <> 0.
              SUBRC = 3.
           endif.
       endif.
    endform.
    Cheers,
    Julius

  • Analysis Authorization Object not working

    Hi Gurus,
    I'm working on BI 7.0. I have created an analysis authorization object zz_div for the 0DIVISION characteristic.
    For a given report I want a given user to view only data for '32' and '33' 0DIVISION.
    I have followed the below steps but still the report shows all data instead of restricted one.
    1)RSECADMIN -> Maintenance ->zz_div ->Create
    2) Add 0DIVISION in Auth structure , and in details 
    I     EQ     32
    I     EQ     33
    3) Add 0TCAIPROV with I     EQ     0SD_C03
    4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID,  this having details as
    I     CP     *
    5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
    6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
    Following are the authorization object in that user's Role (Reporting Only)
    S_RFC 
    S_TCODE
    S_GUI
    S_BDS_D  
    S_BDS_DS 
    S_OC_SEND
    S_RS_AUTH - only having zz_div
    S_RS_COMP
    S_RS_COMP1
    S_RS_ICUBE
    S_RS_RSTT
    S_RS_TOOLS
    S_RS_PARAM
    I have surfed lots of threads for this issue but am not getting a solution.
    Tell me what I'm missing in the above, or any additional setting needed before creating an analysis authorization.
    Edited by: Sonal Patel on Apr 18, 2009 8:10 AM

    Hi
    Thanks a ton for your reply.
    I have checked in SPRO: Analysis Authorization,
    where the authorization mode is " OLD obsolete Concept With RSR  Authorization Objects "
    We have to do the same in the Production system. Can you please tell how it's going to affect other authorizations if we change it to the New Concept?
    Thanks
    Sonal....


    Does anyone else notice that scrolling vertically in iTunes on your iPhone 4 (Model MC922LL running version 6.0.1) is really...sticky?  Or clunky? It never used to this, that I remember.  My 3GS didn't do this, either. Thanks!