Documents authorization
Hi,
I have to create authorization for InfoProvider documents.
First I create documents in the Documents screen of the Administrator Workbench. After that, in Bex web Application Designer I use Single Document Item to dispaly documents from my InfoProvider on the Web.
But I have to restrict the acces to the documents on the web so that some users have only display privileges and others have maintain privileges too.
Can anyone help me, please?
Thank you!
Did you get the authorization setting? If not use "PFCG" select the Role, go to the Tap Authorization and press the button "Chang Authorization Data". Select now the button "Manually", put in the Objects S_BDS_D and S_BDS_DS
restrict the usage with: 01 create/change; 02 change; 03 display and 04 print. To select the InfoCube you must use the object S_RS_COMP.
Dario
Similar Messages
-
Hello,
Is there a BAPI call, that being given a pair 'user name' + 'document number' will say whether the user is authorized for at least read access?Well, let say I have a document in that is visible with use of CV04N transaction.
Clearly, when smb. tries to access (i.e. display) the document, SAP performs some authorization object checks:
C_DRAW_BGR
C_DRAW_TCD
and so on, basing on the profile of that user.
Also probably ACLs are checked if assigned any (in EasyDMS terminology).
So my desire is know whether there is a way to perform these checks remotely via BAPI call - passing a user and a document in question.
Please tell me if I can provide more details on my aim. -
Upload Document Authorization Object
I try to set the authorization for uploading a document onto the report via the Portal website.
However, I can't find any proper authorization object for this purpose. (I tried the authorization object 'S_RS_ADMWB', but it is not workable)
May you all help me in this issue? It will be highly appreciated if you also give me details of authorization object parameters?Hello,
Mash recently reported a similar error here :
when i try to upload oracle authorization objects getting errors
obviously, we can't see the attached file
Cheers,
Diego. -
Authorization Of Purchase Documents
Hi Gurus,
In workflow of Purchase document authorization, one system generated mail is automatically sent to the official mail box of the persons who are releasing the documents.
My question is, can we make in SAP that not only mails are going to those release persons mail box but an SMS to the person's mobile as well regarding a purchase document is waiting for your approval.
Can it be possible in SAP?????????
Regards
PKBHi ,
Yes its possible go through the following link
http://help.sap.com/erp2005_ehp_02/helpdata/en/d5/581ee8d56f1247bf34cfcd66d16d81/frameset.htm
BR
Diwakar
reward if useful -
Authorization for opening & Closing posting periods - OB52
Hi,
Is there any way to set authorization for opening & closing of posting periods in OB52?
My scenario:
I have 2 company codes - A & B assigned to 2 different posting period variant - say PPA & PPB.
The user belonging to CoCd A should not be able to open/close posting period of CoCd B and vice versa.
Is this possible through any authorization settings?
Request your help on this.
Regards,
SrideviHi Sridevi
Please go through the following:
You can assign authorization groups for permitted posting periods. This means that, for example, some posting periods can only be opened for particular users within monthly or annual closing. You can only assign the authorization group at document header level and it only affects period 1. The authorization object is called F_BKPF_BUP (Accounting document: Authorizations for posting periods). Read the corresponding chapter on "User maintenance" in the "Assigning authorizations" topic.
"User maintenance"
Due to the modular authorization concept of the system, you can define authorization profiles which are tailored to the workplace of your employees. You can, for example, assign authorization to a workplace in the Accounts Receivable, Accounts Payable or General Ledger Accounting areas.
By assigning authorizations you define which business-related objects your employees are allowed to process and which editing functions are allowed.
In the following activities for authorization management, you must carry out the following for employees who are to work with the system:
Assign authorizations
The authorizations are assigned by specifying permitted values for the pre-defined objects.
Define profiles
In the SAP system, authorizations are grouped together in workplace profiles. Therefore one or more profiles must be allocated to the individual employee in the master record.
I hope this helps.
Regards
Kavitha -
Restrict the user based on document type on migo transaction-prepare GRN
Hi,
We are running ECC6.0 R/3 system.We had a requirement as follows
In MIGO transaction , we want to restrict the user on document type i.e. we want that a particular user can prepare GRN for document type STO only. He cannot prepare GRN for other document type.
We checked SU24->maintain check indicators for transaction codes->enter migo->execute->check indicator.This returned us the authorisation objects present in Migo transaction.We checked the help of all these objects,but none of them we found suitable for above mentioned requirement.We were planning to find out the proper authorisation object to add to Profile generater.
The following is the objects which we have checked for.
A_B_ANLKL--> Asset Postings: Company Code/Asset Class
A_B_BWART--> Asset Postings: Asset Class/Transaction Type
B_USERSTAT--> Status Management: Set/Delete User Status
B_USERST_T--> Status Management: Set/Delete User Status using Process
C_AFKO_AWK--> CIM: Plant for order type of order
C_CACL_DSG--> Interface Design
C_DRAW_BGR--> Authorization for authorization groups
C_DRAW_DOK--> Authorization for document access
C_DRAW_TCD--> Authorization for document activities
C_DRAW_TCS--> Status-Dependent Authorizations for Documents
C_KLAH_BKP--> Authorization for Class Maintenance
C_STUE_BER--> CS BOM Authorizations
C_STUE_WRK--> CS BOM Plant (Plant Assignments)
C_TCLA_BKA--> Authorization for Class Types
C_TCLS_BER--> Authorization for Org. Areas in Classification System
C_TCLS_MNT--> Authorization for Characteristics of Org. Area
F_BKPF_BUK--> Accounting Document: Authorization for Company Codes
F_BKPF_BUP--> Accounting Document: Authorization for Posting Periods
F_BKPF_KOA--> Accounting Document: Authorization for Account Types
F_FICA_FOG--> Funds Management: authorization group of fund
F_FICA_FSG--> Funds Management: authorization group for the funds center
F_FICB_FKR--> Cash Budget Management/Funds Management FM Area
F_KNA1_APP--> Customer: Application Authorization
F_LFA1_APP--> Vendor: Application Authorization
F_SKA1_BUK--> G/L Account: Authorization for Company Codes
G_GLTP --> Spec. Purpose Ledger Database (Ledger, Record Type,
Version)
J_1IDEP_SL--> Authorization object for depot sale transaction
J_1IEXC_OT--> Authorization object for Other Excise Invoice Create
J_1IEX_PST--> Autorization object for posting Other Excise invoice
J_1IGRPT1--> Auth. for PART1 at GR
J_1IINEX --> Incoming Excise Invoice
J_1IRG23D--> Authorisation object for Depo Transactions
K_CCA--> CO-CCA: Gen. Authorization Object for Cost Center
Accounting
K_CSKS --> CO-CCA: Cost Center Master
K_CSKS_SET--> CO-CCA: Cost Center Groups
K_PCA--> EC-PCA: Responsibility Area, Profit Center
L_TCODE--> Transaction Codes in the Warehouse Management System
M_ANFR_BSA--> Document Type in RFQ
M_ANFR_EKG--> Purchasing Group in RFQ
M_ANFR_EKO--> Purchasing Organization in RFQ
M_ANFR_WRK--> Plant in RFQ
M_BEST_BSA--> Document Type in Purchase Order
M_BEST_EKG--> Purchasing Group in Purchase Order
M_BEST_EKO--> Purchasing Organization in Purchase Order
M_BEST_WRK--> Plant in Purchase Order
M_MATE_CHG--> Material Master: Batches/Trading Units
M_MATE_STA--> Material Master: Maintenance Statuses
M_MATE_WRK--> Material Master: Plants
M_MRES_BWA--> Reservations: Movement Type
M_MRES_WWA--> Reservations: Plant
M_MSEG_BMB -->Material Documents: Movement Type
M_MSEG_BWA--> Goods Movements: Movement Type
M_MSEG_BWE--> Goods Receipt for Purchase Order: Movement Type
M_MSEG_BWF--> Goods Receipt for Production Order: Movement Type
M_MSEG_LGO--> Goods Movements: Storage Location
M_MSEG_WMB--> Material Documents: Plant
M_MSEG_WWA--> Goods Movements: Plant
M_MSEG_WWE--> Goods Receipt for Purchase Order: Plant
M_MSEG_WWF--> Goods Receipt for Production Order: Plant
M_RAHM_BSA--> Document Type in Outline Agreement
M_RAHM_EKG--> Purchasing Group in Outline Agreement
M_RAHM_EKO--> Purchasing Organization in Outline Agreement
M_RAHM_WRK--> Plant in Outline Agreement
Q_TCODE QM --> Transaction Authorization
S_ADMI_FCD--> System Authorizations
S_ALV_LAYO--> ALV Standard Layout
S_BDS_DS--> BC-SRV-KPR-BDS: Authorizations for Document Set
S_BTCH_ADM--> Background Processing: Background Administrator
S_BTCH_JOB--> Background Processing: Operations on Background Jobs
S_CTS_ADMI--> Administration Functions in Change and Transport System
S_DATASET--> Authorization for file access
S_DEVELOP--> ABAP Workbench
S_DOKU_AUT--> SE61 Documentation Maintenance Authorization
S_GUI--> Authorization for GUI activities
S_OC_DOC--> SAPoffice: Authorization for an Activity with Documents
S_OC_ROLE--> SAPoffice: Office User Attribute
S_OC_SEND--> Authorization Object for Sending
S_PACKSTRU--> Internal SAP Use: Package Structure
S_PRO_AUTH--> IMG: New authorizations for projects
S_RFC--> Authorization Check for RFC Access
S_SCD0 --> Change documents
S_SPO_DEV--> Spool: Device authorizations
S_TABU_DIS--> Table Maintenance (via standard tools such as SM30)
S_TCODE --> Transaction Code Check at Transaction Start
S_TRANSLAT--> Translation environment authorization object
S_TRANSPRT--> Transport Organizer
S_WFAR_OBJ--> ArchiveLink: Authorizations for access to documents
V_LIKP_VST-->Delivery: Authorization for Shipping Points
V_VBAK_AAT-->Sales Document: Authorization for Sales Document Types
V_VBAK_VKO-->Sales Document: Authorization for Sales AreasHave you executed a trace while a functional user executes the transaction code for the specific parameters? (i.e. document type). The trace will then show which objects are being checked; then look at the object documentation in txn Su21 to determine if there are any ways to restrict on the particular value; in some cases, if the authorization group field is being checked, additional configuration is needed in order to implement the security (Su21 will explain in detail for the particular object).
-
Greetings, SDN members!
I am looking for a solution of managing DMS documents authorizations in such a way, that several files / folders which reside in the DMS would be accessible globally without any restrictions (for everyone), while resigning in departments sections which are blocked by SAP standard authorizations.
We were thinking about creating a new folder hierarchy and not maintaining authorizations for it, putting all public content there, but we are looking for a more "elegant" solution which would allow us to "mark" documents and folders as public (not restricted at all).
Thanks in advance!Hi,
Do the users world wide will be having SAP User ID and Password? If so then through WebDMS this functionality can be achieved.
Also, Easy DMS can be used if this is installed in individual systems.
Thank You,
Manoj -
Authorization and moving employes to another organizational assignment
Hello! I have a big problem with authorization.
Lately some employes have been moved from one organizational assignment to another organizational assignment.
After moving I prepared the user and the role for this user he will be able to read infotype records for employes in the organizational assignment where they were moved.
And now I have big problem because this user can read data of employes in current organizational assignment and also data of these people in old organizational assignment, thought I didn't give him authorization for this old organizational assignment.
I checked view of table V_T582A and there in infotype 0001, 0007, 0008 in detailes the field: Access auth was checked, so I executed tests and this field was unchecked. But this test wasn't successfule.
In table T77S0 I have the following settings for AUTSW:
AUTSW ADAYS 15
AUTSW APPRO 0
AUTSW NNNNN 0
AUTSW ORGIN 1
AUTSW ORGPD 0
AUTSW ORGXX 0
AUTSW PERNR 1
AUTSW VACAU
I changed them but the tests also weren't successfule.
Please, help me, where the error can be?. Now I don't know
where I can look for the solving of this problem.
I my company we have the system:
46C
SAPKE46CB0
the latest note: LCP CE 74
Thank you very much if anyone helps me.Hello Marta,
yes, the behaviour is corret. The old one can not see the new data but the new one the old. It's like a personal file where the new manager has access to and the old only knows what was entered up to the end of his responsibility.
This litle "picture" always helps me.
Please go to:
http://service.sap.com/erp-hcm
On the left side click:
Services for mySAP ERP HCM
- Special Documentation
In the document "Authorizations in mySAP HR (4.6C)" from page 70 chapter "4.4 Process of Time Logic" describes the behaviour in detail.
Hope to help,
Michael -
hi Expert,
i met a problem when I created a single role for displaying billing document,
this role only contains one tcode:VF03,
and i specify a certain distribution channel in this role , e.g.: E1,
i only want the user to display the billing document that related to E1;
after i created the role and assigned to a user(the user only has this role), but it is strange that the user can also display other distribution channels' billing document, it looks like that the setting for distribution channel in the role doesn't work.
i am confused,
can anyone give me some advice?
thanks in advance
happygjhi Damu,
i used su24 to check the authorization objects as you told
yes, it checked the sales area as below:
V_VBAK_VKO Sales Document: Authorization for Sales Areas Check YS
V_VBRK_VKO Billing: Authorization for Sales Organizations Check YS
but for billing, it only check the sales org., not the sales area.
thanks,
happygj -
How to block or restrict document type
Hi friends
How to block or restrict document types .
My Business people will not use document types in featureHi,
The documentation about the authority check within posting is given in the online documentation for the posting ta eg. FB01:
Perhaps you would like to read the documentation from IMG on the authorization:
Financial Accounting > Financial Accounting Global Settings > Document > Document Header > Check Display Authorization for
Document type
Defining Authorizations for Document Types
Use
You can define a special authorization for every document type. To do this, you need to determine what document types in which
form employees are allowed to process. Authorizations are checked for the following activities:
Posting documents
Document display and line item display
Changing documents
Programs that evaluate documents.
The system does not check the authorization for document types that are not assigned an authorization group.
Procedure
In Customizing for Financial Accounting, carry out the activity Maintain Enter an authorization group in the document type. You then assign autho For each document type, you can specify whether users are required to enter.
The same for check of the authorizations of gl accounts.
PLease check in OMR4 and in OBA7 that for the document types the athorizations groups are maintained.
F_BKPF_BLA Accounting Document: Authorization for Document Type
F_BKPF_BES Accounting Document: Account Authorization for G/L Account.
For example:
The transaction FB01 includes the above objects - you can see this in Trx. SU24, also as transaction F-02 is a parameter transaction with the original being FB01 these objects would be valid for F-02 also.
Please also refer to the following NoteS
150496 F_BKPF_BLA: Authorization for document types
198238 FI reporting: Authorization check for documen
I hope this helps to solve the problem.
Regards
Ravinagh Boni -
Restricting Document type in F-63
Hi All,
Please help as this is required to restrict Document Type in F-63 ,our requirement is that we want to create some new roles and in that we can only process for one Document type say "ZA" only and that document type shud be by default set in the F-63, i know the object responsible for this is F_BKPF_BAL with actvt 01,02,03,04,06.08,10,22,43,77 but this object is not maintained in F-63 .
Please help with the max possibile way to restrict the same along with the actvt field . Or is there any other way to achieve the goal.
Thanks,
ChandreshAs you Pointed out the Object F_BKPF_BLA is the one which Check/Maintaines the Accounting Document: Authorization for Document Types
The object consists of the "Authorization group" and "Activity" fields. The authorization group can be freely defined by the user. You take the possible input values for the "Activity" field from table TACTZ.
If you want to use this authorization, proceed as follows: Defined by SAP
Enter an authorization group for the document types that are to be specially protected.
Define the authorization that you want to assign to selected employees, in which you list the authorization groups and the activities allowed.
Allocate this authorization using the corresponding profile. -
Kanban authorization checks (SU24, PK13N, PK*)
Hi,
Does anyone know why the Kanban transactions (PK*) have mostly disabled authorization check indicators in SU24?
In PK13N, for example, there is functionality to do a goods receipt (MIGO GR) and also functionality to create POs (and maybe more that I have not looked into yet).
However, the related auth objects in SU24 are not enabled (check indicator = do not check). This seems strange for these authorization objects.
Especially in light of SoD. Users could create POs or do Goods Receipt via PK13 without proper auth check and these 2 functions conflict already (using default GRC ruleset).
But that's beside the point. The question is: Is there a good reason why these are disabled and how is this NOT a secuty risk?
Now, there is one object that is enabled: C_KANBAN
But, I feel that this is insufficient to really secure the goods receipt action and the PO creation action.
For reference, a list of disabled auth objects:
C_STUE_WRK CS BOM Plant (Plant Assignments)
C_TCLS_MNT Authorization for Characteristics of Org. Area
F_BKPF_KOA Accounting Document: Authorization for Account Types
F_FICA_CTR Funds Management Funds Center
F_FICA_FTR Funds Management FM Account Assignment
F_FICB_FKR Cash Budget Management/Funds Management FM Area
F_FICB_FPS Cash Budget Management/Funds Management Commitment Item
F_LFA1_APP Vendor: Application Authorization
F_SKA1_BUK G/L Account: Authorization for Company Codes
L_BWLVS Movement Type in the Warehouse Management System
L_LGNUM Warehouse Number / Storage Type
M_BANF_BSA Document Type in Purchase Requisition
M_BANF_EKG Purchasing Group in Purchase Requisition
M_BANF_EKO Purchasing Organization in Purchase Requisition
M_BANF_WRK Plant in Purchase Requisition
M_BEST_BSA Document Type in Purchase Order
M_BEST_EKG Purchasing Group in Purchase Order
M_BEST_EKO Purchasing Organization in Purchase Order
M_BEST_WRK Plant in Purchase Order
M_LPET_EKO Purchasing Org. in Scheduling Agreement Delivery Schedule
M_MRES_BWA Reservations: Movement Type
M_MRES_WWA Reservations: Plant
M_MSEG_BWA Goods Movements: Movement Type
M_MSEG_BWE Goods Receipt for Purchase Order: Movement Type
M_MSEG_BWF Goods Receipt for Production Order: Movement Type
M_MSEG_LGO Goods Movements: Storage Location
M_MSEG_WMB Material Documents: Plant
M_MSEG_WWA Goods Movements: Plant
M_MSEG_WWE Goods Receipt for Purchase Order: Plant
M_MSEG_WWF Goods Receipt for Production Order: Plant
M_RAHM_BSA Document Type in Outline Agreement
M_RAHM_EKG Purchasing Group in Outline Agreement
M_RAHM_EKO Purchasing Organization in Outline AgreementHi Steven
Normally, when I submit OSS messages about security gaps the response is "working as designed", so I thought I'd try SCN first... perhaps it REALLY IS working as designed and there is a good reason why no auth checks should happen in this case.
Unfortunately this is all too common. However, I have found a lot of the times it is a Level 1 Support person in SMP advising you of this. With perseverance and escalation to a the next level the chance of a fix is greater (still not a guarantee)
It's a pity if working as per design they could explain why.
MIGO can be used in display mode only. If PK13 and PK13N are meant to be display transaction and the SU24 allows you to perform change (i.e. none of the underlying auths are checked for change) then I would refuse to close the customer incident until SAP responds further. At the end of the day, if a display transaction allows modification then it isn't a display transaction
I get the impression SU24 and some other security (e.g. authority check on '' instead of dummy) has been allowed to exist as customers give up and change the values themselves instead of getting SAP to fix their solution.
You could also look at SE97 if call transaction can be switched to yes so users cannot jump from PK13N to MIGO (assuming the code was a CALL TRANSACTION)
Regards
Colleen
P.s. - understand the comment with stale thread but take note of timezone and if you raise it on a Friday people may not see it until the following week. Although you did consider this, a lot of people on SCN put urgent in their question and then within the same day respond to their thread to "bump it" on the list -
Authorization Objects that allowed/disallowed FI Postings
Hi All,
May I know what are the Authorization Objects that allowed/disallowed FI Postings?
Thanks,
TeoDear:
Here is the list of FI objects i have maintained to allow or disallow the transactions into Customer, Vendor, Co code, GLs e..t.c Hope it will be helpful for your.
F_AVIK_BUK FI Payment Advice: Authorization for Company Codes
F_BKPF_BED FI Accounting Document: Account Authorization for Customers
F_BKPF_BEK FI Accounting Document: Account Authorization for Vendors
F_BKPF_BES FI Accounting Document: Account Authorization for G/L Accounts
F_BKPF_BLA FI Accounting Document: Authorization for Document Types
F_BKPF_BUK FI Accounting Document: Authorization for Company Codes
F_BKPF_BUP FI Accounting Document: Authorization for Posting Periods
F_BKPF_GSB FI Accounting Document: Authorization for Business Areas
F_BKPF_KOA FI Accounting Document: Authorization for Account Types
F_BKPF_VW FI Acc. Document: Change/Display Default Vals for Doc.Type/PKey
F_BL_BANK FI Authorization for House Banks and Payment Methods
F_BNKA_BUK FI Banks: Authorization for Company Codes
Regards -
Searching for Easy DMS documents using embedded search
Dear Experts,
we are using easy dms to manage documents. As far as I know it should be possible to index these documents using TREX.
-it is possible to perform a search for these documents using Embedded Search an get the search results as XML (a documentation would be very helpful)?
-how can the security be taken into account? Is there a method like AUTHORITHY_CHECK by SeS to perform security check?
thanks a lot for your help
kind regards
NicolaiI found that authorization checks can be performed using the following authorization objects:
-Authorization Object C_DRAW_TCD (Activities for Documents)
-Authorization Object C_DRAW_TCS (Status Dependent Authorization)
-Authorization Object C_DRAW_STA (Document Status)
-Authorization Object C_DRAW_BGR (Authorization Group)
-Authorization Object C_DRAW_DOK (Document Access)
-Authorization Object C_DRAD_OBJ (Object Link)
I could not find any information regarding my first question -
Urgent: User Roles assigned to Sales Orgs and document types
Dear Guru's :
I have job user roles one side and sales orgs on otherside. We are trying to find out which sales orgs are using what sales document types.
All i am trying to achieve is connect those two and make a report. it needs to be done by SE16
First step is :
PFCG- Enter Role u2013Click glasses-Authorizations-Display Authorization data
you need to identify the authorization objects for each T-code and then assign the appropriate values for each authorization object. these authorization objects assigned to a Role and then, allowed T-codes are assigned to Role and
My Basis Person to Create one AUTHORIZATION OBJECT V_VBAK_AAT Sales Document: Authorization for Sales Document Types and assign your required transaction codes to that authorization and assign them to the users.
User IDs which can use this Role (set of authorizations) can be assigned to this role.
Second step is achieved through SE16 ;
Execute this two table :
There is no one-shot for this However there is a way out for this outside SAP.
You can download AGR_1251 and AGR_1252 for the selected roles and use MS Excel or Access to do this compare for you. Its a bit more tricky than said, however once you get a hang of it, I think its a good way of reducing the efforts of making use of individual compare reports.
Any one knows how to do this i am kind of lost here. Could you help me to organize this process / steps.
Full points will be given to who helps me answer my question.
Thank you in advance.Dear Raghu and all:
I am very much thankful to you for your answer Raghu. This is exactley what i was looking for. Could you throw more light on this topic. Or do you know where can i get more info.or more tcodes related to this topic. I am using SUIM and PFCG. I dont know much about this transactions. Could you please help me to understand this topic.
I have Authorization object through which i found out which sales documents are attached to users. I dont know next step in this process. Or does any one know any thing about this subject. Any help will be grateful.
Van bills.
Maybe you are looking for
-
why doesnt my ipod connect to the computer? it keeps saying that my ipod is disconnected so i cant download my music or updates and ive tried everything help would be nice thanks
-
Make "File name" and "Files of type" fields read-only in JFileChooser
I try to make the "File name" and "Files of type" fields read-only in JFileChooser dialog. Anybody knows how to do? Thanks.
-
How does one take a PDF document and transfer it to a Word Power Point doc?
I have signed up for yearly plan with Adobe. And cannot figure out how to take my PDF doc and transfer it to a Power Point doc? Any help would so be appreciated. Thanks!
-
I replaced an older lesser quality mp3 with a higher quality version by replacing the original file. I've done this hundreds of times without a problem. I'm using 10.6.1, and when I replaced a song in this manner yesterday, I am unable to click on th
-
E-Recruiting Functional Configuration
Hi All, Can any one please provide me a document for the functional config part of the SAP e-Recruitment. Thanks, Srinivas