Document authorization check

Hello,
Is there a BAPI call that, given a pair 'user name' + 'document number', will say whether the user is authorized for at least read access?

Well, let's say I have a document in that is visible with use of the CV04N transaction.
Clearly, when somebody tries to access (i.e. display) the document, SAP performs some authorization object checks:
C_DRAW_BGR
C_DRAW_TCD
and so on, based on the profile of that user.
Also, ACLs are probably checked if any are assigned (in EasyDMS terminology).
So my desire is to know whether there is a way to perform these checks remotely via a BAPI call, passing a user and a document in question.
Please tell me if I can provide more details on my aim.

Similar Messages

  • Document search error in webshop (Error in authorization check: user unknown)

    Hi All
    Actually, we have implemented the document search functionality in the webshop to access all the documents in the webshop who have created order in the webshop.
    When I log into the portal with userid "skumar", there is a role called "Document Search". When I click that Document Search role, the document search is opened, and based on the selections in the selection criteria the documents are generally displayed.
    Now to my error: when I select "order acknowledgement" in the selection criteria, select one more column called "period", and then click the search button, I get the following error:
    Error in authorization check: user unknown.
    Can you please help me with where to check the authorizations in the system for accessing the documents?
    Regards
    Sunil

    Hi Sunil, generally this kind of error will occur when you choose acknowledgement for future periods; even though the input is a past date, if the same problem occurs you should check SU05 Internet user authorizations.
    Reward if helpful
    Venkat

  • Sales Document initial load Authorization check.

    Hi Guys,
    I am trying to do an initial download of all the Sales Documents from R/3 to CRM but I get the error "An authorization check could not be executed".
    SU53 is not showing any authorization failure for the corresponding user.
    Thanks in advance,
    Regards,
    Siva.

    Hi Siva,
    As SU53 is not showing you anything, it means there could be a problem with the rights of the RFC user.
    Check if your RFC user has all the required rights.
    Best Regards,
    Pratik Patel
    Reward with points if it is of any help to you!

  • Authorization check when creating shipment document

    Dear Experts,
    I have a shipment document type that is shared for all shipping points. I found that there is no shipping point check when we select outbound deliveries. Can we add a shipping point authorization check when we select the delivery document?
    Please advise.
    Thanks.

    If you want to use frameworks, I think the right model would be to place the methods in EJBs and then use security constraints and user roles and the like.
    OTOH, Spring probably has something very similar without requiring EJBs. It will require the beans come from the Spring container however and not the JSF managed bean container.

  • CRM - Process Flow of Authorization Check in Business Transactions

    Hello Folks:
    I have implemented CRM security using Process Flow of Authorization Check in Business Transactions.
    What I have in place:
    CRM_ORD_OP (inactive, don't want access to own documents)
    CRM_ORD_LP (inactive, not using standard org level values Distribution Channel, Sales Group, Sales Office, Sales Organization, and Service Organization.)
    CRM_ACT (active)
    CRM_CMP (active)
    CRM_ORD_OE (active, restricted to display with dummy value ' ' for Distribution Channel, Sales Group, Sales Office, Sales Organization and Service Organization, as we are not restricting on them)
    CRM_ORD_PR (active and restricted to display)
    Issue:
    Restrictions to display for documents work fine when using the CRM backend system, and the system throws out a message that you are not authorized to change. But when I come in through Portals (PCUI), I don't get the display at all and it throws out a message: insufficient access authorizations.
    Traces on the backend CRM reveal failing on change access for CRM_ORD_LP and CRM_ORD_PR, which we don't want to give out because we don't want to provide change for documents.
    OSS notes to SAP have resulted in no results... please advise what is wrong here.
    Thanks
    KT

    Thanks, Priyanka, for the reply, but what you mention is not correct.
    BSP errors are different from what I am referring to.
    The issue is still open... and looks like an SAP bug, which even they haven't been able to fix so far.
    Regards,
    KT

  • Authorization check of Tcode FCH7 (reprint check) / FCHN (display check)

    Hello to you all,
    Does any of you know of an option for extending the authorization check of Tcode FCH7 (reprint check) / FCHN (display check) using authorization object F_BKPF_BEK / F_LFA1_BEK?
    Regards,
    yoav Bernstain

    Hi,
    Authorization: User needs authorization to post Financial Accounting Document for Vendor
    Object: F_BKPF_BEK
    Activities: 01-Create, 02-Change and 06-Delete
    Authorization: User needs authorization for vendor Master Data (03-Display activity can also work)
    Object: F_LFA1_BEK
    Activities: 01-Create, 02-Change, 03-Display and 06-Delete
    Regards,
    Prashant Rane

  • Authorization check failed

    Hello experts!
    I created a program via smartforms, but when my user tries to generate a printed form, an error message appears that the FORM
    cannot be displayed. When I check Tcode: SU53 Authorization check failed.
    Object Class HR Human Resources
    Authorization Obj. P_ABAP  HR Reporting
    Authorization Field COARS Degree of simplification for authorization check       1
    Authorization field REPID ABAP program name     ZHRPY00018C
    Please help on this one...
    How to fix this?
    Thank you

    Hello...
    Actually this report has 2 displays, a List display and via smartforms...
    We already added this program to her authorization profile... the only problem
    is when she tries to generate the report via smartform she cannot produce
    the output print docu. because an error appears that my FORM cannot be displayed.
    But when I check it in development I can produce a test document.
    Please help...

  • Authorization Check on Radio Button

    Hi,
    I have a custom report which has a radio button. Can I provide the authorization on this radio button, meaning only selected no. of users can run this report with radio button checked. I know it's possible through maintaining a list of users in custom table, But I want to check if we can do it using authorization object/group etc...

    Birendra, you're absolutely correct that we need to consider future maintenance efforts. But this is exactly a weak side of the parameter approach that you've suggested. The jet analogy is impressive, but way out of proportion in this case.
    Using authority check command in ABAP code and modifying screen elements is not hard-coding. The parameter approach also requires writing some code, so it has no advantage here.
    Also it requires someone (a Basis admin?) to update the user profile and a table entry that you've mentioned. To use the standard authorizations, only one authorization object will need to be created (although it may even be possible to use another, existing object if it's the same authorization level). It won't take more space or more time to create than an SM30 entry. Updating the roles might be more of a hassle than updating the user parameter, but the difference can hardly be considered significant and it's a one-time thing anyway.
    It is a matter of preference whether to hide a control, disable it or display a message. (By the way, in many standard transactions you'll find that controls or menu options are hidden/disabled based on authorization, so it is nothing exotic.) But I stand by my suggestion of using standard authorization check functionality specifically because it makes the future maintenance easier.
    1) Basis admins most likely already maintain some document regarding the role assignment. It might be actually easier to them to maintain the roles than to keep track of the additional profile parameter and remember it in future.
    2) Imagine years from now you're gone and all the new people are maintaining the system. The user gets a 'no authorization' message and, naturally, contacts a system admin. Again, naturally, admin will check security trace. Now guess what - your parameter thingy cannot be tracked anywhere. No one knows about it and it will take an ABAPer to figure this out.
    With standard approach it will only take a second to run SU53 and a few minutes to resolve an issue by a Basis admin. Additionally, authorization objects have 'where used' button, so it would be easy to check if and where the object is used (e.g. if the report has been changed/deleted it will be easy to spot the 'orphaned' object). With the profile parameter sooner or later someone will have to wonder what the heck it is for and might accidentally delete it. By the way, sometimes users actually have access to their own parameters, so it's not a very secure option either.
    I understand you mean well, but, unfortunately, in my work quite frequently I have to deal with some things that were developed by well-meaining consultants who overlooked some long-term effects of their approach.
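A minimal sketch of the approach this reply describes (AUTHORITY-CHECK in the report plus modifying the screen element), added here as an example and not code from the thread. The authorization object Z_RPT_MODE, the report name and the parameter names are hypothetical; the object is assumed to carry the standard field ACTVT.

```abap
REPORT zdemo_radio_auth.

* Assumption: Z_RPT_MODE is a custom authorization object (SU21) with
* field ACTVT; '16' is the standard activity value for "Execute".
PARAMETERS: p_std RADIOBUTTON GROUP mode DEFAULT 'X',
            p_ext RADIOBUTTON GROUP mode.

DATA gv_allowed TYPE c LENGTH 1.

AT SELECTION-SCREEN OUTPUT.
* Cosmetic part: grey out the restricted option for users without
* the authorization. This alone is not an access control.
  PERFORM check_ext_mode CHANGING gv_allowed.
  IF gv_allowed IS INITIAL.
    LOOP AT SCREEN.
      IF screen-name = 'P_EXT'.
        screen-input = 0.
        MODIFY SCREEN.
      ENDIF.
    ENDLOOP.
  ENDIF.

AT SELECTION-SCREEN.
* Enforcing part: the value can still arrive via a variant or SUBMIT,
* so re-check before the report accepts the selection.
  IF p_ext = 'X'.
    PERFORM check_ext_mode CHANGING gv_allowed.
    IF gv_allowed IS INITIAL.
      MESSAGE 'No authorization for the extended mode' TYPE 'E'.
    ENDIF.
  ENDIF.

START-OF-SELECTION.
  IF p_ext = 'X'.
    WRITE / 'Running extended mode'.
  ELSE.
    WRITE / 'Running standard mode'.
  ENDIF.

FORM check_ext_mode CHANGING cv_allowed TYPE c.
* A failed check is recorded for the user, so SU53 and an ST01
* trace show the object and field values that were missing.
  AUTHORITY-CHECK OBJECT 'Z_RPT_MODE'
                  ID 'ACTVT' FIELD '16'.
  IF sy-subrc = 0.
    cv_allowed = 'X'.
  ELSE.
    CLEAR cv_allowed.
  ENDIF.
ENDFORM.
```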

  • Authorization Check in Personnel Cost Planning (PA-CP)

    Dear Experts,
    We are facing an issue where there is no authorization checking when performing the Cost Planning functions. The requirement here is to put in an authorization check such that when:
    1) collecting cost plan data for employees (tcode: PHCPDCEM), it will check against HR Master Data (e.g. P_ORGIN, P_ORGINCON) or HR Clusters (P_PCLX) (e.g. check which Personnel Area the user has authorization for). Currently, the Data Record Log does not have this checking.
    2) Creating, generating, viewing and maintenance of cost plan (e.g. tcode: PHCPADMN), it should have the same checking as above
    We are using SAP ECC 6.0.
    Has anyone encountered the same issue and has a resolution for it (configuration or user exit?)? I see that there is a user exit HRHCP00_RESP_OBJECTS available, but it does not provide the authorization check even when it returns "NO_AUTHORITY".
    Thanks very much in advance.
    Alex

    Hi Alex,
    I am not very sure about Personnel Cost Planning,
    But an approach I have used in the past, when exploring a module about which there is limited documentation or SAP standard model roles, is to
    1) Switch on Trace using ST01.
    2) Carry out a series of transactions using a user id which has a lot of authorizations or SAP_ALL.
    3) Analyse the trace document and identify all the authorization objects.
    4) Build a new role with the auth objects and assign it to a test user id.
    5) Test and confirm that the authorizations are not too many or too few.
    A time-consuming but thorough approach.
    Hope this helps.

  • HR structural Authorization check in the Lean order Interface (LORD)

    Hi ,
    We place Quotations, Orders in CRM 7.0 via the Lean order Interface Screen (LORD). So users in ECC have HR structural authorization and they seem to be checked (for the HR# part of the Sales Team, and coming across as partner function in the Quotations, Orders documents).
    Can we avoid the HR structural Authorization check in the Lean order Interface?

    Dear Christophe,
    I do not understand the requirement... you create ERP orders via the CRM interface, and you have set up authorization in ERP for the users. Why do you want to prevent the authority check when coming from CRM when it is needed?
    However, please consider note 1446253, question 9.
    You might activate or deactivate the "current user" flag in sm59 for your ERP system.
    Hope this information helps...
    Regards
    Rene

  • Authorization Check in Business Transactions

    Hi All,
    I need to create an Authorization Check for Business Transactions (create/display/change).
    The standard SAP authorization object CRM_ORD_OP or CRM_ORD_LP is no good for me.
    Does anyone know a BADI or something else I can use?
    Thanks
    Lilach.

    I would suggest giving the authorization with CRM_ORD_OE; if he isn't in the document, maybe he is in the organization which is selected on the activity.
    For details, please have a look at this link :
    http://help.sap.com/saphelp_crm70/helpdata/EN/48/a44236ceb873e8e10000000a42189b/content.htm
    BR,
    Cenk Sezgin

  • Skip Authorization Check in ECC5.0

    I have noticed a major difference in the authorization check for tcodes in ECC5.0. In earlier versions, in debug mode, I found that if there is a command like:
    CALL TRANSACTION 'PA30' AND SKIP FIRST SCREEN
    If I press F5 it directly shows me the error message "Not authorised to PA30" in case there is no auth to execute it, and the debugging stops.
    But in earlier versions it used to go to a function module to check the auth. I just want to customize the function module to skip the auth check for a certain set of users.
    Any clue for this?


  • Authorization check in VF03

    Hi Expert,
    I met a problem when I created a single role for displaying billing documents.
    This role only contains one tcode: VF03,
    and I specify a certain distribution channel in this role, e.g.: E1.
    I only want the user to display the billing documents that are related to E1.
    After I created the role and assigned it to a user (the user only has this role), it is strange that the user can also display other distribution channels' billing documents; it looks like the setting for distribution channel in the role doesn't work.
    I am confused.
    Can anyone give me some advice?
    Thanks in advance
    happygj

    Hi Damu,
    I used SU24 to check the authorization objects as you told me.
    Yes, it checked the sales area as below:
    V_VBAK_VKO     Sales Document: Authorization for Sales Areas     Check     YS
    V_VBRK_VKO     Billing: Authorization for Sales Organizations     Check     YS
    But for billing, it only checks the sales org., not the sales area.
    Thanks,
    happygj

  • Kanban authorization checks (SU24, PK13N, PK*)

    Hi,
    Does anyone know why the Kanban transactions (PK*) have mostly disabled authorization check indicators in SU24?
    In PK13N, for example, there is functionality to do a goods receipt (MIGO GR) and also functionality to create POs (and maybe more that I have not looked into yet).
    However, the related auth objects in SU24 are not enabled (check indicator = do not check).  This seems strange for these authorization objects.
    Especially in light of SoD.  Users could create POs or do Goods Receipt via PK13 without proper auth check and these 2 functions conflict already (using default GRC ruleset).
    But that's beside the point.  The question is: Is there a good reason why these are disabled and how is this NOT a security risk?
    Now, there is one object that is enabled: C_KANBAN
    But, I feel that this is insufficient to really secure the goods receipt action and the PO creation action.
    For reference, a list of disabled auth objects:
    C_STUE_WRK CS BOM Plant (Plant Assignments)
    C_TCLS_MNT Authorization for Characteristics of Org. Area
    F_BKPF_KOA Accounting Document: Authorization for Account Types
    F_FICA_CTR Funds Management Funds Center
    F_FICA_FTR Funds Management FM Account Assignment
    F_FICB_FKR Cash Budget Management/Funds Management FM Area
    F_FICB_FPS Cash Budget Management/Funds Management Commitment Item
    F_LFA1_APP Vendor: Application Authorization
    F_SKA1_BUK G/L Account: Authorization for Company Codes
    L_BWLVS Movement Type in the Warehouse Management System
    L_LGNUM Warehouse Number / Storage Type
    M_BANF_BSA Document Type in Purchase Requisition
    M_BANF_EKG Purchasing Group in Purchase Requisition
    M_BANF_EKO Purchasing Organization in Purchase Requisition
    M_BANF_WRK Plant in Purchase Requisition
    M_BEST_BSA Document Type in Purchase Order
    M_BEST_EKG Purchasing Group in Purchase Order
    M_BEST_EKO Purchasing Organization in Purchase Order
    M_BEST_WRK Plant in Purchase Order
    M_LPET_EKO Purchasing Org. in Scheduling Agreement Delivery Schedule
    M_MRES_BWA Reservations: Movement Type
    M_MRES_WWA Reservations: Plant
    M_MSEG_BWA Goods Movements: Movement Type
    M_MSEG_BWE Goods Receipt for Purchase Order: Movement Type
    M_MSEG_BWF Goods Receipt for Production Order: Movement Type
    M_MSEG_LGO Goods Movements: Storage Location
    M_MSEG_WMB Material Documents: Plant
    M_MSEG_WWA Goods Movements: Plant
    M_MSEG_WWE Goods Receipt for Purchase Order: Plant
    M_MSEG_WWF Goods Receipt for Production Order: Plant
    M_RAHM_BSA Document Type in Outline Agreement
    M_RAHM_EKG Purchasing Group in Outline Agreement
    M_RAHM_EKO Purchasing Organization in Outline Agreement

    Hi Steven
    Normally, when I submit OSS messages about security gaps the response is "working as designed", so I thought I'd try SCN first... perhaps it REALLY IS working as designed and there is a good reason why no auth checks should happen in this case.
    Unfortunately this is all too common. However, I have found a lot of the time it is a Level 1 Support person in SMP advising you of this. With perseverance and escalation to the next level the chance of a fix is greater (still not a guarantee).
    It's a pity if working as per design they could explain why.
    MIGO can be used in display mode only. If PK13 and PK13N are meant to be display transactions and the SU24 allows you to perform change (i.e. none of the underlying auths are checked for change) then I would refuse to close the customer incident until SAP responds further. At the end of the day, if a display transaction allows modification then it isn't a display transaction.
    I get the impression SU24 and some other security (e.g. authority check on '' instead of dummy) has been allowed to exist as customers give up and change the values themselves instead of getting SAP to fix their solution.
    You could also look at SE97 if call transaction can be switched to yes so users cannot jump from PK13N to MIGO (assuming the code was a CALL TRANSACTION)
    Regards
    Colleen
    P.s. - understand the comment with stale thread but take note of timezone and if you raise it on a Friday people may not see it until the following week. Although you did consider this, a lot of people on SCN put urgent in their question and then within the same day respond to their thread to "bump it" on the list

  • Authorization check for KE24

    Hi all,
    Need to enforce an authorization check on KE24 so that certain users are allowed to view records pertaining to some profit centers.
    SAP suggested using KE97 for the Authorization Check.
    If anybody knows a step-by-step document to do this, please share it with me.
    Thanks

    Hi,
    Well, I know that these own-defined authorization objects are working well (I used this once for own-defined customer groups), but I am not totally sure what needs to be done in the user authorization maintenance to make it run (my former colleague responsible for user authorizations did that).
    Maybe it's because your test user has some other user rights that overrule the BUKRS / PRCTR restriction.
    So try first to create a test user with only KE24 authorization AND the limitation to one company code / profit center combination of your newly created authorization object to ensure that this works fine.
    The second step is to check how this authorization works in combination with all other authorization objects your users will have.
    Best regards, Christian
