Get authorization data by passing user role

Hi All,
Can anybody please tell me how to retrieve user authorization data if I pass a user role? I want to get the whole authorization data for that role.
Thanks,

I am not sure about the authorization objects/values for a given role, but you can get that for a user using the FM SUSR_USER_AUTH_FOR_OBJ_GET.

Similar Messages

  • What report is run in SAP to get the DATE on which Users are locked ?

    Hello,
    What report is run in SAP to get the DATE on which Users are locked ?
    I have tried RSUSR200 (last logon, last password change), but I did not get an option to find the date on which users are locked.
    Can anyone suggest what report should be executed to get the date on which users are locked and by whom?
    As an alternative, I am using SUIM to extract this data, but I am looking for a report.
    thanks & regards
    Ganesh

    Hi Ganesh,
    You can try the below link where many of the options are described:
    How i can check at what date perticular user was locked and who lock it?
    Regards,
    Nilanjan

  • How to approach in getting the dates for the user given periods

    Hi All,
    I have a requirement where the calendar would be like 466 for a period,
    for eg. period 1(Jan) has 4 weeks
    period 2(Feb) has 6 weeks
    period 3(Mar) has 6 weeks
    again period 4(Apr) has 4 weeks
    period 5(May) has 6 weeks
    period 6(June) has 6 weeks
    How to get the dates (from date and end date) for the periods.
    Anybody's help will be appreciated
    Regards
    Saugata

    > I have a requirement where the calendar would be like 466 for a period
    What does that mean? Is 466 the format of the data?
    The end date depends on the start date. This query might be helpful for you
    SQL> WITH data AS(
      2    SELECT 1 period, 4 duration FROM dual UNION ALL
      3    SELECT 2, 6 FROM dual UNION ALL
      4    SELECT 3, 6 FROM dual UNION ALL
      5    SELECT 4, 4 FROM dual UNION ALL
      6    SELECT 5, 6 FROM dual UNION ALL
      7    SELECT 6, 6 FROM dual)
      8  SELECT
      9    period,
    10    duration,
    11    SYSDATE + SUM(duration) OVER (ORDER BY period RANGE UNBOUNDED PRECEDING) * 7 AS end_date
    12  FROM data
    13  ;
        PERIOD   DURATION END_DATE
             1          4 16-NOV-07
             2          6 28-DEC-07
             3          6 08-FEB-08
             4          4 07-MAR-08
             5          6 18-APR-08
             6          6 30-MAY-08
    6 rows selected.
    SQL>

  • Pass user roles in headers.

    Access Manager has to set the role as an Header variable. Application has to retrieve the header variable for authorization purpose.

    Yes, use nsroledn attribute in Header forwarding parameter.
    But you should be aware of these things:
    1. nsroledn can only show you the ldap role "explicitly" assigned to this user. If you have nested role setting,
    you have to use nsrole (instead of nsroledn) to get all "implied" roles.
    2. What you get from nsroledn/nsrole attribute is a list of DNs, not a list of the friendly role names, usually the RDN part (cn=myrolename,...) is the friendly names. So your applications have to recognize this format.
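How an application might turn the forwarded `nsroledn`/`nsrole` value into friendly role names, as an added example that is not part of the original post. The `|` separator, the role container DN and the sample header value are assumptions constructed for illustration.

```python
import re

# Assumptions for this example (not from the post):
MULTI_VALUE_SEPARATOR = "|"                 # how the agent joins values
ROLE_BASE = "ou=roles,dc=example,dc=com"    # constructed role container

# Constructed header value: two roles, one foreign DN, one non-role DN.
SAMPLE_HEADER = (
    "cn=Purchasing Approver,ou=roles,dc=example,dc=com|"
    "cn=Audit\\, Read Only,ou=Roles,dc=example,dc=com|"
    "cn=admins,ou=groups,dc=other,dc=org|"
    "uid=jdoe,ou=people,dc=example,dc=com"
)


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
        elif dn[i] == ",":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(dn[i])
            i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts]


def unescape(value):
    """Undo DN escaping: backslash + two hex digits, or backslash + char."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
                out.append(int(value[i + 1:i + 3], 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def role_names(header_value, role_base=ROLE_BASE):
    """Return (friendly_names, rejected_dns) for a forwarded role header."""
    base = [p.lower() for p in split_rdns(role_base)]
    names, rejected = [], []
    for dn in header_value.split(MULTI_VALUE_SEPARATOR):
        dn = dn.strip()
        if not dn:
            continue
        rdns = split_rdns(dn)
        attr, _, value = rdns[0].partition("=")
        parent = [p.lower() for p in rdns[1:]]
        # Accept only cn=<name> directly under the expected role container.
        if attr.strip().lower() == "cn" and value and parent == base:
            names.append(unescape(value.strip()))
        else:
            rejected.append(dn)
    return names, rejected
```

Comparing the parent DN as well as the RDN keeps a `cn` from another subtree from being mistaken for a role of the same name.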

  • How to see the authorization data of a user in Web Dynpro ABAP

    Hi all,
    if I have authorization problems in a normal SAP transaction I can use transaction SU53 to see the missing authorization objects.
    How can I get the missing authorization objects for a Web Dynpro ABAP application?
    regards

    What about using SU53 again - just log into the ABAP system and use the F5 - "other user" option to select the user having the issues.
    There is unfortunately no way to see this as standard from the WDA application.
    Sorry,
    Chris

  • Authorization object in procurement that checks user role

    Hi Experts,
       Please let me know if we have any standard authorization objects in the transactions PO or PR that check the SAP user role. The authorization check can be done by SAP role; we are not bothered about checking on company code, purchase group and so on. Is there any standard procedure to find that out, or any function module available to check that by passing the user role?  << removed >>
    Cheers
    Mohan
    Edited by: Rob Burbank on Feb 19, 2010 12:24 PM

    easiest way to find all authorization objects is to execute SU24.
    There you enter the transaction code for which you want find the authorization objects.

  • Rebuild Authorizational data (User Buffer) Dynamically

    We want to rebuild the authorization data in a user's buffer by adding additional authorizations (auth obj with field values) during the logon procedure (user exit) (by executing a function module which will read a custom table) - however this has to be dynamic, that is, we do not want the user to have to log off.
    Any help is welcome!
    Mushtaq Mahmood
    Saudi Aramco

    I would be very careful of this.
    Buffers, like caching, can become invalidated or corrupt so there are mechanisms to refresh or correct them after logon or a period of time has elapsed. This can be as little as 2 minutes apart as far as I know, depending on the memory area.
    Additionally, saving of a change in SU01 etc. or the import of a role which IS already assigned to a user will refresh the buffers as well and possibly wipe your dynamic buffer away if it thinks that you have also removed the role (or profile) when saving.
    Depending on how you code this, it might even write the dynamic buffer data to the database, making it permanent and "stranded" data, which you might only be able to remove by synchronizing the tables again and resetting the buffers. If you do that while all your other dynamically authorized users are logged on, it will cause a mess when they suddenly lose their access.
    I would keep the USRBF3 mechanism and consider scheduling report RSUSR405 regularly to simulate a change in case there is something wrong...
    Being a large organization with many orgs and users to administrate over a possibly large number of different systems, perhaps it is worth your while to take a look into an IdM (Identity Management System).
    I am sure you will find one which is more supported and sustainable than a reconstructed user buffer...
    Cheers,
    Julius
    Edited by: Julius Bussche on May 11, 2009 2:20 PM

  • Need how to get the data from the external file in eCatt

    Hi ,
      Could anybody suggest how to get the values from an external file (Excel, CSV file, text file) and pass them as variables in an eCATT test script?
    Problem: Need to execute the FK01 vendor creation transaction with multiple sets of data. As per my understanding we could achieve this through variants in the test data set in eCATT.
    But is there any way to store the data in an Excel file, get the data and pass it to the FK01 test scripts?
    Appreciate response on this

    Hi
    See the links they may be useful
    check these link,
    eCATT- An Introduction
    /people/sumeet.kaul/blog/2005/07/26/ecatt-an-introduction
    Creating Test Scripts
    /people/sumeet.kaul/blog/2005/08/10/ecatt-creating-test-scripts
    eCATT Logs
    /people/sapna.modi/blog/2006/04/18/ecatt-logs-part-vi
    eCATT Scripts Creation – TCD Mode
    /people/sapna.modi/blog/2006/04/10/ecatt-scripts-creation-150-tcd-mode-part-ii
    Creation of Test Data Container
    /people/sumeet.kaul/blog/2005/08/24/ecatt-creation-of-test-data-container
    eCATT Scripts Creation - SAPGUI Mode
    /people/sapna.modi/blog/2006/04/10/ecatt-scripts-creation--sapgui-mode-part-iii
    Integrating ECATT & MERCURY QTP Part -1
    /people/community.user/blog/2007/01/02/integrating-ecatt-mercury-qtp-part-1
    Using eCatt to Test Web Dynpro ABAP
    /people/thomas.jung/blog/2006/03/21/using-ecatt-to-test-web-dynpro-abap
    and
    -command reference
    http://help.sap.com/saphelp_nw04/helpdata/en/c6/3c333b40389c46e10000000a114084/content.htm
    /people/sapna.modi/blog/2006/04/10/ecatt--an-introduction-part-i
    http://prasadbabu.blogspot.com
    https://www.sdn.sap.com/sdn/developerareas/was.sdn?page=test_tool_integration_for_sap_e-catt.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/1b/e81c3b84e65e7be10000000a11402f/frameset.htm
    http://www.erpgenie.com/ecatt/index.htm
    hope this helps.
    Reward points for useful Answers
    Regards
    Anji

  • Difference between Change Authorization Data / Display Authorization Data

    Hello,
    My question is wrt to implementation of "principle of treble control" i.e three SAP administrators i.e.
    1. Authorization data administrator
    2. Authorization profile administrator
    3. User Administrator
    I have created a role & added a transaction to it e.g. "FAGLL03" or "FF67".
    No authorization data is displayed in the authorization tab unless I enter the authorization tab with the change button, provide inputs for the org level field and generate the profile. Even when I save the profile with the proposed name, its status still says "No authorization data exists". Since no authorization data is available, administrator 2 is unable to generate the profile. If administrator 1 has to generate the profile, then why is administrator 2 required?
    Definition of Administrator 1 is:
    The authorization data administrator creates the roles, selects transactions and
    maintains the authorization data. He or she simply saves the data in the Profile
    Generator since he does not have the necessary authorization for generating the
    profile. He or she accepts the proposed profile name “T-...”. The authorization data
    administrator may not change users, nor generate profiles.
    Definition of Administrator 2 is:
    The authorization profile administrator starts transaction “SUPC” and chooses All
    Roles. He or she then restricts his selection, for example by entering the ID of the
    role to be edited. On the next screen, he or she chooses Display Profile to check
    the data. If all the data is correct, he or she generates the authorization profile. The
    authorization profile administrator may not change users, change the data for roles,
    nor generate profiles containing authorization objects beginning with S_USER*.
    Thanks.

    Hasan Saeed Khan wrote:
    Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.
    I had never heard of this treble control and the added value of splitting rolebuilding and profile generation doesn't make much sense to me but that's my personal opinion.
    On the technical side of things: in your first post you state "No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile."
    It is also possible to change the data and save this but not generate the profile yet. I just tried this by doing the following:
    Create role
    Add transactions to menu
    Edit profile, org levels & authorization data.
    Hit 'save'.
    Accept proposed profile name.
    Go back to PFCG main screen and ignore message of profile not being generated. (Click 'continue')
    And this leaves me with a role with a yellow traffic light on the authorization tab and the profile status is: "Current version not generated"
    So it should be possible to maintain roles and profiles separately.

  • UWL Universal Worklist use User Role Negate Filter

    Hi, SDN Expert.
    In my UWL configuration, I am trying to exclude to display my task items to one user role.
    I know that the "User Role" parameter can help me to restricts/allows who can get work items via the user role. I can also have multiple user roles separated by semi-colon to cover all the roles to receive the task.
    BUT in my case, I only want few roles NOT to receive the task items, and all other roles to receive them.
    My question is can I use the "NEGATE SIGN" , "!" (means Not Equal To) to exclude the particular user role to receive the task item, says I want to exclude the role name: "mydemorole", I just enter this "!mydemorole" in the "Use Role" parameter of the UWL configuration.
    If NOT, what is the right way I should use to achieve this purpose?
    Thanks for advise,
    KC

    Michael, you can do this in the UWL but only with a 6.40 backend (ex. ECC 5) with a specific patch level (can not remember that patch level).
    Before this you need to set these substitutions in the R/3 inbox.
    This being said it is only for workflow task routing. If I read your message correctly you want a manager to assign his authorizations (roles in R/3 or the portal) to a secretary. This is not supported in any standard SAP (or portal) scenario as far as I am aware.
    Cheers,
    D.

  • Best way to accept a date from a user

    Hi Guys,
    What's the best way to get a date from a user and add it in an insert record to Access?
    I have a form that adds a record and it works well enough as long as the data added is in the correct format.
    Until now I've just had a text box with an explanation to the user on how to add the date and what format....
    But I'm fed up with having to change bad entries and need to place a control or something on the form but don't know what's easiest and best.
    Any ideas welcome.
    Thanks

    If you want today's date, set the database up to insert the date automatically. If you want other dates than today's, use a date picker or calendar to insert the date.
    Dave

  • Performance Monitoring - How to get the data

    Hi all,
    we have a tool to monitor non sap systems and services and would like to use the same tool to get some runtime information from PI services, specially soap interfaces. The information we want is available at runtime workbench, performance monitoring.
    Is there a standard function we can use to get this data (EJB , Bapi, RFC, etc...) ? Today we are importing daily a file with this information from RWB, but this is enough only for statistical purposes, not for monitoring.
    Some tip?
    thank you.
    regards.
    roberti

    Roberti,
      There are a number of ways to tackle these things - I usually like CCMS just because SAP spends so much time making it work for everything anyway - if your tool can connect to this - you can get some decent information from here about your system status, queues and Java.
      Specifically for messages, I don't think that there are monitors defined as RFC BADIs or BAPIs to use, but if you feel saucy, tables for messages are SXMSPMAST2 and SXMSPMAST - should give you a programming head-start to get some data and pass that back, although you would only replicate the functions in CCMS.
      Of course with all SAP products, you have to go through the application to get this data, no ODBC connections or otherwise - there are other options like DBCON to allow you to 'send' data to other DBs if you need to do it that way.
      Hope that helps somewhat and if this answers your question, please set your thread to answered.
    Edited by: David Milliken on Feb 22, 2008 8:06 PM

  • ERM - "Unhandled error; n/a" error in Authorization Data section

    Hi experts,
    We are implementing ERM 5.3 with support package (SP 5 patch 1). We run all synchronization background jobs (org values, tran/obj/field, activity) and apparently they all finished successfully.
    We have imported all SAP backend roles to ERM through the "mass role import" feature, and the job ended successfully for every role. However, we have found that for some particular roles, when trying to view in ERM the authorization data imported for those roles (clicking on the "authorization data" button inside the role), the screen shows no data and comes up with the error "Unhandled error; n/a".
    We tried re-importing those roles (again the job history shows "imported successfully" for every role) but the error is still there when trying to view the role authorization data.
    Any ideas of why this is happening for these roles, given that they all got imported successfully?
    Any thoughts on this will be very much appreciated!
    Regards,
    Pablo

    Two things i can think of without actually looking at the logs:
    1. Configuration > Miscellaneous settings need to be rechecked.
    2. Role Management > Mass Maintenance needs some attention.
    If you can send me the log saying "roles successfully imported" that would help me in troubleshooting this.
    Thanks & Regards,
    Amol Bharti
    amudee.com

  • CUA: User & Role Master Data Change Document

    Hi Team,
    I would like to know is there any way to find out CUA user master & role assignment change document data from CUA Central System & All Targets Systems.
    I am looking for user friendly tool similar to SUIM.
    I have looked into other methods of CUA change document tips and tools, but they have not been fruitful enough to convince my audit team.
    FYI. The system user (CUA_ADMIN) is not the user which I want to see in my change document window; I want to know the actual security consultant IDs within that.
    Kindly get back to me.
    Appreciate, for your response.
    Regards,
    Asif

    HI Matt:  Your understanding is correct for CUA Tier2 Setup.
    FYI.
    We have successfully configured trusted relationships between SAP Systems with the help of my BASIS & UNIX team.
    To do this:  We have performed following actions:
    • Trusted System trust relationships for the RFC Connection has been maintained from the Central to the Child System and from All Child to Central System via transaction code SMT1.
    • UNIX Database level trusted relationship entries has also been added with the help of UNIX Team
    • RFC Destinations has been reconfigured with Current user option (SM59).
    • For Security Administrator special authorizations has been provided in order to get trusted relationship RFC authorizations.
    Note:
    I have added Full Authorizations under these new special objects S_RFC, S_ICF, S_RFCACL, & S_RFCADM  and same was assigned to all our Security Administrators.  Remote Logon & Trusted Connectivity is working fine for all of us.
    We are 4 Security Administrator here, And for All of us this new concept of Trusted RFC for CUA is working fine.
    New Authorizations updated on both CUA and the Child System.
    Our ids are replicating as a log in the last change by field of SU01 and change document of SUIM. Happy to see this. 
    But unfortunately, strange ABAP dumps started being generated from the CUA (SolMan) system soon after this implementation.
    When we look into ST22, runtime errors CALL_FUNCTION_SINGLE_LOGIN_REJ & CALL_FUNCTION_SYSCALL_ONLY keep being generated.
    Following is an example of the dump logs; all the dumps are in a similar fashion but with different user IDs within them:
    Short text:  No authorization to logon as trusted system (Trusted RC=0).
    What happened?  : Error in the ABAP Application Program The current ABAP program "SAPMSSY1" had to be terminated because it has come across a statement that unfortunately cannot be executed.
    Error analysis:  An RFC call (Remote Function Call) was sent with the invalid user ID "(End user user-ids)".  Or the calling system is not registered as trusted system in the target system.
    How to correct the error: The error code of the trusted system was 0.
    Meaning: 0    Correct logon as trusted system mode
    1 No trusted system entry for the calling system "BIP " (like other child System) or the  security key entry for the system "BIP " is invalid
    2 User "111552 " (Type of End user) does not have RFC authorization (authorization object
         (S_RFCACL) for user "End User id " witl client 100.
    3    The timestamp of the logon data is invalid
    The error code of the SAP logon procedure was 6. (6    No external user check)
    My Point: I think All these End users are trying to connect CUA Trusted RFC connections through individual different child Systems..
    Why do they need to connect to CUA, and for what reason do they need special trusted RFC authorization?
    Please help me to fix this problem.
    I have gone through the old SDN posts related to the same topic and a few SAP notes and help links, but they won't help.
    Note 1579570 - Problem with trust relationship after using HMAC
    Note 128447 - Trusted/trusting systems
    Note 131387 - No authorization to log on as a trusted system
    Note 986707 - No authorization to log on as a trusted system (RC=1)
    Few More SAP Notes: 986707, 333441, 1151790 & 128447
    http://help.sap.com/saphelp_nw04/helpdata/en/8b/0010519daef443ab06d38d7ade26f4/frameset.htm
    We don't see any logs under SCUL, BD87 & ST01.
    Please anyone can assist me on this.
    Regards,
    Asif

  • PM Role - Order - Authorization Data

    Hello,
    I created a role and can define the notifications' attributes as I want. But I could not define the orders'.
    For example, my order is Z001 and my user will change and display but not create the order.
    From PFCG --> Change Authorization Data I couldn't find the correct node for this.
    Could you help?
    thanks in advance.

    We have a similar scenario where we limit certain users to certain order types. We have a role for production supervisors to create emergency orders (only) and the maintenance planner can create, change, display all types of orders.
    Within IW31/IW32, there is an auth. object, I_AUART, which can be used to control access to orders.  For example, our Prod.Spvr has I_AUART:
    Order type:  Z001
    Mtnc Plan.Plant 0001
    but our Mtnc Planner has a 2nd role with I_AUART:
    Order type:   *
    Mtnc Plan.Plant 0001
    If your basis team can limit this to the order type you want for each role (one for key user, one for operator) for your mtnc planning plant.  Look at SU24 for the transaction to make sure this auth. object is checked.  The user will get an error saying they are not authorized for this order type in this planning plant.  We did not have any user exits to make this work.
