F9K3 and authorization object in su24

Similar Messages

• Problem while loading texts and authorization objects file in RAR

  Hi all,
         i am getting internet explorer error while loading the texts and authorization objects text files in RAR .actually we uploaded rule file before this,does this step causes any error ?if so how to resolve this error.do i need to remove all rules/risks and then load text and authorization files? is there any shortcut to renove all risks generated in one shot? please reply me soon to resolve this.
  Thanks,
  Joseph.

  Hi Joseph,
  Please make sure to convert both the files in UTF-8 encoding format and then try to upload the files again. This should resolve the issue and if not then please paste the logs here.
  Regards
  Harleen

• Role creation and authorization objects in sap

  Hi
  i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
  Please explain the process in detail the use of PFCG and all its options and how to create Z roles

  Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
  - Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.
  - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
  For e.g. If a user wants to create a PO we can restrict him on:
  u2022     Activity : Create/Change/Display
  u2022     Org elements like Company Code, Plant, Purchase Organization etc
  u2022     Document type etc.
  - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
  - Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
  - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
  - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
  - Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.
  Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

• 0Orgunit(hierarchy) and authorization object display getcell error in Webi

  Hello,
           We are facing with GetCellData error in WebI to SAP BEx Query.
           This works perfectly fine in Bex for a particular test user who has access to particular org unit value.
           But in Webi we are getting this Getcelldata error.
          Tried all the options and message as recommended in sdn group.
          mdxtest returns no value.
          looked at all below messages but no luck.
  GetCellData error in WebI to SAP BEx Query
  Re: SAP BO WebI Report on top of BI Bex Query with Authorization Variable
  in the rsecadmin, we get the same error like mentioned in below message
  Hierarchy Authorization doesn't work for MDX but works for BEx Query.
  Is any authorization required for this user to execute and view the authorized values in Webi?
  or we have to assign any authorization ?(0BI_ALL is not assigned).
  Please find below screenshots of BEx query auth log or Webi auth log (differences)
  Bex auth log:
  The Following Attributes Are Authorized and Thus Are Visible
  0BBPPURGRPX
  0BBPPURORGX
  0BBP_BUYID
  0BBP_ISCOMP
  0BUS_AREA
  0COMP_CODE
  0CO_MST_AR
  0CRMSALGRPX
  0CRMSALOFFX
  0CRMSALORGX
  0CRMSRVTGRP
  0CRM_SALGRP
  0CRM_SALOFF
  0CRM_SALORG
  0CRM_SRVORG
  0LEAVERS
  0LOGSYS
  0MAST_CCTR
  0PERS_AREA
  0PERS_SAREA
  0PLANT
  0PURCH_ORG
  0PUR_GROUP
  0SALESORG
  0SALES_GRP
  0SALES_OFF
  This above log is missing for mdxtest auth log.
  Is this the issue?
  Any quick reponse or help really appreciated.
  Regards,
  Ravi
  Edited by: Ravi Gadicherla on Feb 28, 2010 5:36 PM

  Hi,
      Here is the log of MDXtest:
  Buffering the Authorization Data  
    Buffering for InfoProvider 0PA_C01 and Users HRTEST93  
  InfoObject Properties Defined
  Reading of Directly Assigned Authorizations
  Direct Assignment Does Not Include Universal Authorization 0BI_ALL
  Reading the Indirect Assignments with Authorization Object S_RS_AUTH
  Does user have OBI_ALL?
  No, the User Does Not Have Universal Authorizion 0BI_ALL
  Negative Entry in SU53 Result of Failed Check for 0BI_ALL
  Indirect assignments found; no universal authorization
  Regards,
  Ravikanth

• Barcodes and authorization objects

  PLS TELL ME ABOUT THE AUTHORIZATION OBJECTS WHILE WE R CREATING THE
  TRANSACTION FOR ANY  USER DEFINED REPORT .
  22. WHAT IS THE use OF BAR CODES IN ANY WINDOW OF SCRIPT . AND HOW TO INSERT BARCODE IN WINDOW.PLS TELL IN DETAIL?

  Ideally, if in a role autorization is not provided for STMS, then the user id will not allow to use transaction code STMS.
  However, if SAP_All is provided, in that case, user will have access to all Transaction Codes.
  Regards,
  Rajesh Banka

• TCT* Info objects and Authorization objects

  When defining an authorisation object do I need to include TCT* info objects as fields in the authorisation object and if so why and which ones are required - if this is different for different scenario could someone elaborate? Thanks

  Hi,
  yes... you need to include the TCT fields as you would like to restrict the users based on the infoproviders and the time duration.
  Since in any organozation you have many type of users like the super users who can access anything...end users who have access to areas related to them only and may be some other kind as well.
  Suppose if a user is beloging to FICO department and he is only suppose to use the reports based on GL cubes then you will create an authorization object where you will give the values for authorization relavent objects like company codes,sales org and additionally you will maintain the value for the cube in 0TCAIPROV field.
  when you assign the user to this object he will only see the data in the queries based on the FICO cube and that too for the company codes specified in the authorization object.
  Now if there is another user who can see the data for all the company codes and all the areas but only for certain duration then you will create a new authorization object where you will not give any values for any object but will keep it as * but will maintain 0TCAVALID objects and give the validity period here.
  Thanks
  Ajeet

• Tcode and authorization objects

  hi gurus,
  i am confused :
  if in a role i have all the authorizations for one authorization object (for example S_TRANSPRT) but i don't have the tcode (for example stms) used by this authorization object in the list of tcodes will the users have access to this tcode ??
  thank you.

  Ideally, if in a role autorization is not provided for STMS, then the user id will not allow to use transaction code STMS.
  However, if SAP_All is provided, in that case, user will have access to all Transaction Codes.
  Regards,
  Rajesh Banka

• Authorization objects in web dynpro ABAP and SU24 transaction

  Hi,
  I have created a new authorization object to check a storage location for certain activities. I have added the authorization object in a specific web dynpro ABAP and I have created a new role in PFCG for my web dynpro ABAP.
  The organization level for storage location is not recognized in PFCG. Someone told me I have to maintain my authorization object in SU24 as it is done for transaction.
  I wanted to maintain my web dynpro in SU24 but I found no way to do that.
  It seems that we can maintain authorization for TADIR service and in those services there is R3TR WDYA but when I use the search help for  OBJ_NAME I don't find may web dynpro ABAP. I suppose I have to create a TADIR service for my web dynpro ABAP or something like that but I don't know how to do ?
  Does anybody  know how to deal with specific authorization in web dynpro ABAP and t ohave the organizational level recognized in PFCG.
  Thanks for your help,
  Emmanuel

  Hi,
  Please RUN the function module as "AUTH_TRACE_WRITE_USOBHASH" with following parameter
  R3TR
  "custom webdynpro application"
  SERVICE TYPE and Service can be kept blank
  after this try  SU24 it will be available in SU24 list.
  Thanks & regards

• How to check and maintain authorization objects

  Hi  Alll            
  Let me knowhow to check and maintain authorization objects  in SU24 ECC 6.0.
  Thanks
  sathies

  Hi Sathies,
  the old check flags
  U
  Unmaintained
  No indicator set. The check for corresponding authorization object is always executed. Field values are not displayed in the Profile Generator.
  N
  No check
  Check disabled. Field values are not displayed in the Profile Generator. This indicator cannot be set for HR and Basis authorization objects.
  C
  Check
  Check always executed. Field values are not displayed in the Profile Generator. For example: Printer authorizations.
  CM
  Check/maintain
  Check always executed. Field values are displayed for changing in the Profile Generator (yellow light).
  Have been divided now in
  Checkindicator : Check/NoCheck
  and
  Proposal: Yes/No.
  If defaults=yes, then you can modify them after clicking on the apropriate button.
  Please refer to the online help for SU24 too.
  Although the look of su24 has been changed significantly, the technique behind it is still the same.
  Once you have pressed the 'edit'-button on the top left corner, additional editing options will appear in the right-top-frame.
  b.rgds,
  Bernhard

• Authorization Object Related To Movement Type

  Hi,
  I meet one problem, one user want to check which user can use MB1A t-code with movement type 201 and 202, but I know there are some authorization object related to movement type and I want to use suim with mb1a t-code and authorization object to check the user, but I don't know the authorization object about movement type in MB1A t-code, does anyone can help?

  Go to SU24, enter the transaction code and press execute.
  Here you can see the all authorization object whose are used for the transaction code MB1C.
  Regards
  Dev

• BI authorization objects not appearing in RAR, error while generating role

  Hi
  I am facing certain problems relating to integration of BI module version 7 with GRC Access Controls version 5.3 and support package 06. I am describing the problems in details below:
  (a)  In Risk Analysis and Remediation (RAR) component, I am creating Functions and
        Risks for Business Intelligence (BI) module. For that I have downloaded the
        descriptive text and authorization object data from BI development system and
        uploaded the same in RAR. Then I have created 2 Function Ids DBI1 (having action
        RSA1) and DBI2 (having actions RSA11, RSA12, RSA13, RSA14, RSA15) and 1
        Risk Id for BI (having Function Ids DBI1 and DBI2) in RAR. But when I checked
        the permission tabs of the Function Ids DBI1 and DBI2, I could not find any
        authorization objects for the actions in them.
  (b)  In Enterprise Role Management (ERM), when I am trying to create a Role TEST-BI
         in DBI 100 and I put the  BI transaction codes in authorization data , I get the
         authorization objects . Risk analysis is also being done successfully. But at the time
         of Role generation in background mode , it is giving an error message :
         Error generating role TEST-BI for system DBI 100: Unable to interpret * as a number.
         I am thus unable to generate any role in DBI 100.
  (c)  In Compliance User Provisioning (CUP), I have imported a standard role from DBI
        100. Then I have added Functional Area, Business Process, Subprocess  and
        Criticality Level to this role in CUP. But when I try to assign this Role to an user, it
         gives an error Error creating request. But requests are getting created and roles are
         being assigned to users in ECC development  systems using the same Initiator, CAD, stage
         and path.
  Can anyone please help me ?

  -

• Wanted: Dictionary-/ Metadatatable for the Mapping of the (old,3.5.) Authorization Object to the (Auth.relevant) InfoObject

  Hi,
  I am looking for the concrete BW's dictionary-/ metadatatable(s)
  which contain/describe the
  Mapping of the (old,3.5.) Authorization Object to the (Auth.relevant) InfoObject
  of  the transaction "RSSM-Authorization for Reporting"
  For example:
  I got 3.5 Auth.Object ZCOMP_CODE and want to know to which   (Auth.relevant) InfoObject
  this is mapped, basically what's in the usage of this Authorization Object.
  ThanXs
  Martin

  Hi,
  As of now, your authorizations still in 3.x. so please check the below tables.
  RSSBAUTHGEN - it holds info provider and authorization object
  RSSBAUTHGENERATD - it have user name and info provider
  RSSBAUTHTRACE
  RSSBAUTHTRUSER
  RSSBAUTVAL
  RSSAUTHHIER
  RSSAUTHHIERNODE
  Coming to 7.x , Above mentioned T code kumar is enough to handle authorization concepts.
  There is best document about 3.x and 7.x comparison on Google.
  please search for it by using search term "An Expert Guide to new SAP BW Security Features"
  Written by Marc Bernard
  Thanks

• Maintain assignments of authorization objects for Z Webdynpros in SU24

  Hello experts,
  When we display the assignments of authorization objects for External Services -   Webdynpros in transaction SU24,  Z_webdynpros are not shown in the screen.
  We need to add more webdynpros in that table.
  I suposse that there must exist a way for updating that table with the Z webdynpros developed or some configuration is needed.
  Thanks in advance...
  Hector Longarte

  The Zwebdynpros I am talking about are Java Webdynpros in the SAP Portals, and the SAP ERP is onlyan ABAP stack.
  Is this configuration posible??

• Custom authorization object and check logic

  Hi gurus,
  we need to apply additional authorization check in our custom reports.
  so i created a custom fields & object, and put the statement
        AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
                 ID 'ZROLEID' FIELD '03'
                 ID 'ZSOBID'  FIELD zzdwbm.
  in a abap class method centrally, so it could be called by many reports.
  but the test show that the sy-subrc always set to 0, even for users without any authorization.
  what i missed for adding custom auth check?
  for this case, do i need to maintain authorization check indicator in SU24?
  what i am confused is that , su24, you have to maintain a transaction , but our authorization check is not for transaction , but for reports and bsp application, how should i maintain su24 for that?
  thanks and best regards.
  Jun

  Hi,
  I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
  I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
  Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
  We've ran the report RPUACG00 also which is mentioned in this thread.
  We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
  I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
  but still it is taking the P_ORGIN object.

• Authorization Objects and RSABAPSC

  Hi All,
  I'm trying to get all the authorization objects associated with a program, without using system trace. I've tried using RSABAPSC but there are some programs that it doesn't output any authorization objects. When I checked using system trace, these programs do have auth objects. Does this mean that there are no authorization checks written in the program code?
  Apart from using system trace and RSABAPSC, are there other ways of getting the authorization objects?

  Hello Benedict,
  I think that a trace (ST01) would be better. You can try with a user that has all the authorizations and you'll be able to see all the checks that were performed.
  Anyway, I think that there's no "perfect method" and as I said before the checks depend on the program flow. Also have a look at here: http://forums.sdn.sap.com/thread.jspa?threadID=1837972
  Are you trying to get the authorizations for a custom program? If not, why don't you start with SU24 proposals and testing scenarios? You'll probably get better answers in the Security forum.
  Cheers,
  Diego.