Field level Authorization configuration in SAP BO issue !!!

Hi gurus,
I want to create field level authorization at query level and use the same at BO Web Intelligence. (Ex: if I have company codes A, B, and C, and I have created a role for the users where only A and C are assigned, then when I create a WebI, users should only be able to select company codes A and C.)
Now I want to know the steps to configure the same in BO for roles import and SAP authentication setting. Please do tell the pre-requisites. I got a lot of links but am still confused.
So please provide exact steps and setting to configure the same.
Thanks & Regards,
Montz
Edited by: montz2006 on Jun 27, 2011 9:05 PM

Similar Messages

  • Field Level Authorization

    Hi Gurus,
    Can you explain to me how to proceed in relation to Field Level Authorizations in SAP HR? For instance, I want to restrict roles of individuals based on a field, for example restrict users based on the field Work schedule in IT 0007 (Planned Working Time).
    Regards,
    Happy

        AUTHORITY-CHECK OBJECT 'S_TABU_LIN'
          ID 'ORG_CRIT' FIELD 'MOLGA'
          ID 'ACTVT' FIELD '03'
          ID 'ORG_FIELD1' FIELD '10'
          ID 'ORG_FIELD2' FIELD '*'
          ID 'ORG_FIELD3' FIELD '*'
          ID 'ORG_FIELD4' FIELD '*'
          ID 'ORG_FIELD5' FIELD '*'
          ID 'ORG_FIELD6' FIELD '*'
          ID 'ORG_FIELD7' FIELD '*'
          ID 'ORG_FIELD8' FIELD '*'.
        IF sy-subrc NE 0 .
          MESSAGE e000 WITH 'No Authorization for area' v_text.
        ENDIF.
    Use S_TABU_LIN authority object for field level authorizations.

  • SM30 Field level authorization check

    Hi,
    I have a requirement to add the authorization check in SM30 for the company field in the custom table. Please suggest.
    Thanks,
    Gagan Chodhry

    Hi,
    I have this requirement for both types of tables, i.e. custom as well as standard. The tables have the field profit center. I need to show the table based on the logged-in user's authorization for the profit center.
    If it is a custom table then, as mentioned by Siva, there is a way I heard that we can check the authorization in the PAI event, but when I tried to do a small test, I could get the field symbol with the values, but I was not able to skip that record for display.
    If anyone can send a sample or the way to skip the record based on the check.
    Also, is there any other way to add the field level authorization to custom and standard tables?
    Thanks,
    Gagan Chodhry

  • We need to give field-level authorization for some fields

    The scenario is as follows:
    1. There are various storage locations within a plant.
    2. There is one or more people in charge of creating PO and receiving stocks for every storage location.
    3. We don't want to authorise the person in charge of one storage location to receive stock in another storage location or even view the other storage locations at the time of creating the PO or any other transaction. The user in charge of one storage location should not be able to view any other storage location in any storage location field's drop down.
    regards
    Manish

  • Field level Authorization for IT0002

    Hi All,
    We have a requirement to control the authorization for the field NI Number/Social Security number from IT0002.
    This field is getting displayed in various standard reports which are in use by administrators/Managers etc....
    We want to disable the access of this field to everyone, even the HR administrator.
    Kindly suggest if this is possible using authorizations.
    I know that we can hide the field in display access for PA20 or PA30, but I am particularly searching for the option for various reports.
    Regards,
    Umesh Chaudhari.

    Hi Umesh,
    Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
    SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu."  -> the pop-up "help - P_ABAP" appears.
    There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
    The standard reports of personnel administration are based on logical database PNP I would recommend to set your authorization as follows:
    Object HR: Master data (P_ORGIN) (two authorizations)
      Infotype                  0002             ' '
      Subtype                   *                ' '
      Authorization level       R                ' '
      Organizational key        ' '              0001YYYYXXX
    Object HR: Reporting  (P_ABAP)
      Report name                SAPDBPNP
      Degree of simplification   1
    Please note that if a user has authorization for e.g. the birthday list, (s)he will be able to view the birth date through this query, although (s)he cannot access IT0002 through PA20.
    Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
    Hope this helps
    Sarah

  • BW Field level Authorizations are not working in the WEBI Reports

    Dear All,
    1. I have created Authorization roles with InfoObjects Authorization Objects.
    2. In the BEx Query, Authorizations are working on the InfoObjects, e.g. for USER1 I have given Company code = 1000 and for USER2 I have given authorization for 1100.
    3. Imported those roles into Business Objects CMC.
    4. Users were imported.
    But in the WEBI Reports BW Field level Authorizations are not working, i.e. for USER1 the authorization for Company code is 1000, but the WEBI report is showing data for all the Company codes for USER1.
    For USER2 it is also showing all the data in the WEBI report.
    Please help me on this issue.
    Thanks,
    Kiran Manyam

    Hi,
    For Authorization to work in BO you can check the following:
    1. You need to create authorization variables in your BEx query. Also, these variables should not be input ready.
    2. While creating the universe in BO you need to select the "Single Sign On" option available in the parameters while creating a new connection.
    Regards,
    Rohit

  • Object level authorization for SLT Configuration schema in HANA DB

    Hi All,
    We have connected SLT with HANA DB (& ECC as source system).
    Now for certain users we wanted to restrict the access for certain tables ( tables owned by SLT Schema, i.e schema created in HANA DB with the configuration name provided in the SLT configuration).
    With the SYSTEM user, object level authorizations of another schema are not possible, hence an error is thrown when we are trying to provide/control the access of a single table for a user.
    Is it ok that we generate a password for the SLT schema and try to log in with the schema owner? Is it the best practice or is there any other way around?
    Regards,
    Kumar

    Hi Santosh,
    You can find more info about SLT Roles and Authorization from below security guide.
    http://help.sap.com/hana/SAP_HANA_Security_Guide_Trigger_Based_Replication_SLT_en.pdf
    Regards,
    V Srinivasan

  • Field level Validation in SAP PI

    Hi All,
    I am integrating with a 3rd party system (File to Proxy scenario). The source file contains around 30 fields. I was asked to do field level validations for each of these fields in PI. Is this a good practice? Do we do field validation in PI integration development? I think PI should contain more of integration logic than field level validations. Please suggest.
    Also, out of all the 30 fields a few are numeric, some are text and some are dates. While creating data types do I need to create all as string, or based on their nature do I need to use integer, date etc.? Please suggest which is the best practice.
    Thanks.

    I agree with Rahul.
    Yes, we can perform validation in PI (in most of the cases we do so by request of the business team).
    But always have a rule of thumb for yourself.
    1. Check first whether the source system is capable of doing the validation at its end.
    2. If YES, make sure the source system does the validations required. (I am sure most of the apps would be able to do the validation.)
    3. If NO, then accept the validation process to be done at the PI end.
    One important thing:
    What kind of validation are you talking about? I assume this is field level validation, right?
    And this is a Proxy to File scenario, right?
    I would strongly suggest you do the following things at the source and receiver business systems.
    1. Arrange a meeting with the end business teams (source and receiver).
    2. Force them to create data types at their end (source and target) with the same data type structure, with the same field length even.
    I.e., if the source's first field is integer with maxlen25, the corresponding receiver field is also integer with maxlen25; if the source has a char field, then in the receiver it is also char.
    If you make both the source and receiver business have the same data type at their end, NO VALIDATION would be required to be done in PI.
    Also, in this case you can declare all the data types as STRING in PI and pass the data to the receiver system (which has the same data type as the sender).
    Regards,
    Senthilprakash.

  • Plant level authorization control for Internal Order

    Dear Sir,
    We create Internal Order using tcode KO01 and  being a multi plant scenario , we want to have an authorization control on Internal Order creation/change so that plant or profit-center level authorization rights can be given to the users .
    We request you to Kindly guide us about the steps to be followed for addressing such requirement .
    With thanks and Regards
    Sonia Agarwala

    Sonia-
    It can be done. You have two options.
    1. SAP security - when your security person can limit a user by plant, profit center etc using authorization objects.
    2. Validations - Here you can create a validation where you define your logic. In your logic you can restrict the set of users who can access a set of fields (profit center, plant etc). If he deviates, the system can issue error messages which are maintained in validations. Use transaction GGB0 to create validations.
    Hope this helps.
    Shail

  • Custom Attribute not available in Available Fields section of Configuration

    Hi Experts,
    My requirement is to add a custom search field in the contact search screen. For that I tried various options.
    Option 1
    Added a model attribute in component/view BP_CONT_SEARCH/Search. The attribute got successfully added. But when I opened the Configuration tab, I could not see the attribute in the available fields.
    Option 2
    In the view CRMVC_SDESIGN, I created a new entry for my attribute in object type BP_CONTACT and design object. But doing so, I got an error and was not able to add my attribute.
    Option 3
    Since the view context node 'Search' is bound to the Component Controller context node 'Search', I created my custom attribute in the component controller also. But this also did not help.
    Option 4
    I deleted the enhancement of the view and created a new enhancement. I created a value node in the Search context node. But still the attribute is not available in the Available Fields in the Configuration of component/view BP_CONT_SEARCH/SEARCH.
    Kindly provide your valuable suggestions to resolve this issue.
    Regards,
    Radhika
    Edited by: Radhika Chuttani on Jan 6, 2012 7:28 AM

    Hi Radhika,
    You need to enhance the search query structure as well in order to get the field in the configuration.
    You can find the BOL structure for the corresponding context node bol model.
    In your case, the BOL model is the search object 'BuilContactAdvancedSearch'.
    The corresponding structure can be found at the BOL Model Browser, under Dynamic Query Objects
    for the search object 'BuilContactAdvancedSearch'. The corresponding structure 'CRMT_BUPA_IL_CONP_SEARCH'
    has to be enhanced with the new custom attribute. Only then, this field would be available in the configuration
    when the following htm code gets executed when you open the configuration tab.
    <thtmlb:advancedSearch id                = "advs0"
                                     fieldMetadata     = "<%= controller->GET_DQUERY_DEFINITIONS( ) %>"
                                     header            = "<%= SEARCH->get_param_struct_name( ) %>"
                                     fieldNames        = "<%= controller->GET_POSSIBLE_FIELDS( ) %>"
                                     values            = "//SEARCH/PARAMETERS"
                                     maxHits           = "//SEARCH/MAX_HITS"
                                     ajaxDeltaHandling = "false"
                                     onEnter           = "search" />
    Here you can see that it reads the parameter structure using the method SEARCH->get_param_struct_name( ) of
    the context node. This is used for configuration as well.
    Also, if you have an F4 help for your custom attribute, you have to add it in the GET_DQUERY_DEFINITIONS( ) of the
    view controller. This additional information will help you to understand better.
    Regards
    Leon

  • E-Recruitment - Requisition - Infotype Field Level Change Log

    Hi Experts,
    We are implementing SAP E-Recruitment, and would like to know how to capture the changes made in Requisition at infotype field level.
    For example: if a support team member is added/deleted in the Requisition (Tab - Support Team), then these changes (NEW/DELETE) at the infotype field level are required.
    I have tried to maintain the infotype and the required fields in V_T582A, V_T585A, V_T585B and V_T585C. But I didn't get any result when I executed the report RPUAUD00. Is there any additional configuration required for this?
    Please advise.
    Thanks and Regards,
    Dinakaran R

    Hi,
    You can just do that with the infotype table log. Support team is stored in table HRP5131.
    Regards,
    Nicole

  • How to block field groups instead of fields on tcode BP in SAP ECC

    Hi Experts,
    Does anyone know how I can block modification of entire tabs in tcode BP for a given user access role instead of down at the field level only? Example: how can I make the entire Address tab of the General Data view nonmodifiable instead of having to find the field grouping for Street 2 and make it nonmodifiable? It would be much faster and easier if I could block tabs at a time for specific user roles, ex. allow Cashier to modify banking related fields but not general data fields.
    So far I've successfully tested making individual fields non-modifiable by finding the correct field grouping (ex. field grouping 63 for Street 2) and adding this to SPRO: Cross-Application Components -> SAP Business Partner -> Business Partner -> Basic Settings -> Authorization Management -> Define Field Groups Relevant to Authorizations.
    Your help is appreciated. Thank you.

    The control I use is a Person/Group Picker. I tried in Property Promotion selecting either DisplayName, AccountID or even the PCPerson but none of them would give me the "Return Field As" field enabled to select to return as email. It stays greyed out, disabled, and returns as string.
    I suspect this is also why I'm not getting the email when the workflow starts. Where can I check if an email is sent? I have it sent to myself, by selecting myself in the Person/Group picker, but I haven't received any emails.
    Thank you.

  • Direct database data access without data level authorization check

    Hello,
    My customer raised an issue about direct database data access. Due to the customer's strong security policy, it shouldn't be allowed.
    To prevent this kind of illegal data access, the customer asked me to list all the possibilities to display data without a data level authorization check.
    The things in my mind are:
    SQL Command Editor (for Oracle based system): ORASPACE, DB02, ST04
    Query Based: SQVI (Quick Viewer), SQ01/SQ02/SQ03 (SAP Query)
    Data Browser: SE11, SE12, SE16, SE16N, SE17
    Table Maintenance: SM30
    Function Module: RFC_READ_TABLE
    Function Module: DB_EXECUTE_SQL (DML)
    Does anyone know anything which is not listed above?
    Thanks

    HI,
    Generally, in production, users should not be given all these authorizations.
    Ram.
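
A role review against the list in the thread above, added here as an example and not part of the original posts: it scans exported role authorization values and reports which roles grant any of the listed transactions or function modules, including grants made through `*` patterns or from-to ranges. The export layout (role, object, field, low, high), the role names and the sample rows are constructed; using S_TCODE/TCD and S_RFC/RFC_NAME as the fields that carry these names is an assumption about how the roles were built.

```python
import csv
import io
import re

# Access paths listed in the post above (names taken from the page).
TCODES = ["ORASPACE", "DB02", "ST04", "SQVI", "SQ01", "SQ02", "SQ03",
          "SE11", "SE12", "SE16", "SE16N", "SE17", "SM30"]
FUNCTION_MODULES = ["RFC_READ_TABLE", "DB_EXECUTE_SQL"]

# Assumption: transaction starts are granted via S_TCODE/TCD and RFC calls via
# S_RFC/RFC_NAME. A grant by function group name is only caught when it is a
# wildcard, because the page gives no module-to-group mapping.
WATCHED = {("S_TCODE", "TCD"): TCODES, ("S_RFC", "RFC_NAME"): FUNCTION_MODULES}

# Constructed sample export: role, object, field, low, high.
SAMPLE = """\
Z_FI_CLERK,S_TCODE,TCD,FB03,
Z_FI_CLERK,S_TCODE,TCD,SE16*,
Z_BASIS_DISPLAY,S_TCODE,TCD,SM21,SM37
Z_BASIS_DISPLAY,S_TCODE,TCD,ST04,
Z_INTERFACE,S_RFC,RFC_NAME,RFC_READ_TABLE,
Z_INTERFACE,S_RFC,ACTVT,16,
Z_REPORTING,S_TCODE,TCD,SQ01,SQ03
Z_SALES,S_TCODE,TCD,VA0*,
"""


def covers(low, high, name):
    """True if an authorization value (single, '*' pattern, or range) includes name."""
    if high:
        # From-to entry: compared as character strings.
        return low <= name <= high
    pattern = re.escape(low).replace(r"\*", ".*")
    return re.fullmatch(pattern, name) is not None


def find_exposures(export_text):
    """Map each role to the sorted list of watched names its values grant."""
    findings = {}
    for role, obj, field, low, high in csv.reader(io.StringIO(export_text)):
        for name in WATCHED.get((obj, field), []):
            if covers(low.strip(), high.strip(), name):
                findings.setdefault(role, set()).add(name)
    return {role: sorted(names) for role, names in findings.items()}


if __name__ == "__main__":
    for role, names in sorted(find_exposures(SAMPLE).items()):
        print(f"{role}: {', '.join(names)}")
```

The range row for Z_BASIS_DISPLAY shows why a plain text search for "SM30" in a role export is not enough: the transaction is granted without its name appearing anywhere in the role.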

  • Discount level authorization in sales order

    Hi,
    I have one scenario where the customer wants to give discount level authorization for some customers. Please find the example below and suggest a possible solution.
    Ex. There would be 3 levels of discount authorization in the sales order, like sales manager 2%, manager 3-4% and sales head 5%.
    If the sales manager makes the order and enters 3% or more discount, then an error shows like "you are not authorized for this discount" and the order cannot be saved; the same will be applicable to manager and sales head.
    Note: There may not be different level user IDs used here, meaning sales manager and manager will be using the same ID.
    Please suggest the configuration step by step.
    Edited by: KHAPREVIPIN on Jan 4, 2012 7:51 AM

    Hello
    There is a process of Basis roles that can help you in doing this. Using these roles you can give permission for the condition types.
    You create 3 different condition types ZCP1, ZCP2, ZCP3 and give authorization only to the required level.
    Example: manager can only add ZCP1, not others.
    Through this there is no need to create any program; for each specific condition type you can give authorization. This is standard in SAP.
    Manager: ZCP1 discount 30%
    User: ZCP3 discount 5%
    If the system must determine automatically: make a requirement for each condition and check the role (USER ID) and pass the condition.
    If it is the manual discount then the user can only add the discount; they cannot give others.

  • XI message status at Adapter engine level using a table (SAP table)

    Hello Experts,
    XI message status at Adapter engine level using a table (SAP table).
    We want to write a custom report using ABAP, so please tell why the statuses 'Holding' and 'To be delivered' are present in message monitoring of RWB but not in the status (MSGSTATE) field of the SXMSPMAST table.
    My need is to write a report to get the messages based on these statuses from table level.
    Please let me know the table name and field name for this and the table name for the description of the status of XI messages at Adapter level.
    Thanks
    Gopesh

    Hi Gopesh,
    the Adapter Engine Messaging System messages are on the Java schema,
    i.e., see the following -
    [XI/PI tables|https://www.sdn.sap.com/irj/scn/wiki?path=/display/xi/xi+tables]
    Regards
      Kenny
