GOS Authorization

Similar Messages

• Disable 'Delete' button for posted invoices  in GOS Attachment List

  Hi,
  when i open the attachement list of a generic object i see the attached files. In this dialog i want to disable the   "Delete" ( attachment)  button  for Posted invoices ( In MIR4 tcode -> If the invoice is already posted it should not allow to delete the attachment )
  I read oss notes and some ides of copying diverse classes but nothing really helps.
  I found two badis
  GOS_SRV_REQUEST
  GOS_SRV_SELECT
  but i dont know where we have to write our code .
  I read so many posts related to attachments but all the places described about authoriztion object .
  Can you please give some ideas to disable the delete button for posted invoices.

  Hello,
  For GOS there is no SAP Standard authorization concept. The only way to
  manage GOS authorizations is implementing it via custom code as
  described in SAP Note: 491271.
  Please have a look at the SAP notes:
  491271 Authorizations for generic object services
  701609 Authorizations for services: Final classes
  For the use of S_OC_ROLE: this object states if a user is an office
  administrator he can create, modify or delete every document, even
  those created by other users. If the user is not an office admin, the
  user is still able to create his own attachments.
  Regarding to the issue, there is an role object S_GUI for upload.
  To match your inquiry, pleaes find the user's role and active the
  object S_GUI.
  Regards,
  David

• Arch.link doc.attribute is missing in GOS attachment list

  Hi,
  Currently the company that I work with is in implementing archive link to attach documents (e.g.
  office document) to some object types (e.g. BUS2007,BUS1001). I have done the required configuration and the functionality is working fine.
  However when I display the document in attachment list, the followings are not shown :
  1.the title of document is not showing instead it shows the description of document type description (this is from customizing)
  2.the creator name is blank
  I compare with standard GOS file attachments, the above functionality are working fine.
  Appreciate if anyone can help me on this.
  Thanks & Regards,
  Hendra

  hi,
  hendra,
  this could be possble please see the below URL,
  http://help-abap.blogspot.com/2008/11/generic-object-services-gos-toolbar.html
  Also chect with GOS authorization
  http://help.sap.com/saphelp_nw04/helpdata/EN/1e/31a40415b711d4a39200a0c943858e/frameset.htm
  Benakaraj
  ??P
  Edited by: benaka rajes on Jul 14, 2009 8:27 PM

• CL_GOS_SERVICE - Authorization check before activating GOS

  Hi,
  I am trying to figure out if it is possible to restrict the activation of GOS button depending on the user authorization for the selected object.
  Based on my very basic level understanding of abap, i think that we would need to inherit a class from CL_GOS_SERVICE And then status of service VIEW_ATTA would be set to active or inactive/invisible based on the authorization check.
  Scenario detail:
  Transaction: PA20 or PA30
  Authorization object in user's profile:P_ORGINCON
  When user enters the transaction PA20, the GOS button is not visible by default. After entering any personnel number (whether authorized or not) and pressing enter key, the GOS button becomes visible. I want to prevent this when the personnel number entered by user is not authorized based on the values contained in authorization object P_ORGINCON in the user's profile.
  Apprecaite if someone can guide me whether this is possible or not.
  Many thanks
  Regards,
  Zubair Naseer

  HI,
  Please check this sap note 491271 might be helpfull.
  Regards
  Hiren K.Chitalia

• Authorization for generic object services - GOS - payroll data

  Is there anyway to restrict what people see via GOS?  I can't see any authorisations behind it except S_OC_ROLE.  Seem users can view payroll details of a workflow agent in the workflow logs(view with technical details).   Its a wild shot that an end user will find this information in the container tab but it look like a massive security flaw.
  I will be interested to know if others have the same problem and how they resolved it.
  Thanks

  This issue relates to authorisations.  Depending on infotypes available to the user, they will be able to view data relating to the info type.
  I will now have to review all authorisations to ensure there is no unauthorised access.

• ECC6: Authorizations for GOS

  In ECC6, I should give two different levels authorization into generic object services Toolbox.
  I have two type of users:
  1. Administrator
  2. Accountant
  The Administrator should be able to create, edit, display and delete notes.
  The Accountant should be able just to create and display notes.
  Administrator users were given the S_OC_ROLE athorization object .
  Accountant users were given the S_GOS_ATT authorization object, though this doesnu2019t work since the accountant users are still able to edit and delete notes.
  My question is: how can I remove the edit and delete authorizations for accountant users?
  Thanks,
  Kind Regards

  A concrete scenario I have to deal with:
  The scope for all business partners and transactions should be limited to central Europe.
  The relevant field for this authorization is the id (number range) respectively the business partner grouping.
  - I would use ACE rules to filter the relevant business partners by their ID or grouping and relevant transactions by their account-assignment
  - I would set up ACE rights to limit access for the actions read, write and delete
  - to handle the create authorization, I have to define a PFCG role and limit access to certain CRM components
  The user should be allowed to read Corporate Accounts,
  to read, edit, create Contacts,
  is not allowed to deal with Opportunities,
  is allowed to create, read all activities and to read, edit, delete own activities (if he is the creator),
  is not allowed to deal with any report or pipeline performance.
  - ACE role/right to read Corporate Accounts
  - PFCG role to restrict create access for the BP_HEAD component
  - (ACE role/right to limit search results for opportunities)
  - PFCG role to restrict create, search, overview access for the BT111M component
  - Business role without Work Centers or Logical Links to opportunities
  - ACE role to limit access to read activities
  - ACE role to limit access to read, edit, delete activities which the user has created
  - PFCG role to restrict access to all pipeline performance components
  - remove PFCG roles for report access (e.g. SAP_CRM_OR_USER)

• How to enable GOS at sales order item

  Hi Experts,
  I have a requirement where I have to provide the customer an option to see the workflow overview at sales order item level (using Generic Object Services).
  I have developed a class based custom workflow for sales order approval and wish to intergrate GOS in VA02/VA03 at item level and not header level. I know that this is possible at header level using Business Object 2032. But I wish to know if this is possible at item level and that too in a class based workflow approach.
  Please provide your valuable suggestions.
  Thanks,
  Ajay

  Hi Janos,
  Thanks a lot for your reply. The breakpoint wasn't triggered in FM SUSR_USER_LOGONDATA_GET. Please check if the steps I followed are correct.
  1. Set external breakpoint in the FM SUSR_USER_LOGONDATA_GET.
  2. Run transaction VA02 for an order pending approval.
  Am I missing something here ? Do I need any authorization ?
  Thanks,
  Ajay

• Authorization object for Object services

  Hello together,
  I want to know if there is an authorization object for Generic object services functionilty especially the WF options like WF overview, start WF, Archieve WF..............................
  My understanding is any user who has access to a particular Business object, can user GOS to view WF stuff..................Is my understanding correct or should we have extra functions.....................
  Regards

  Check authorization objects S_OC_ROLE and, for recent releases, S_GOS_ATT.
  Regards,
  Raymond

• Create Attachments - Authorization

  Hi @ all
  I have following example:
  My colleague wants an authorization restriction for creating attachments, for example in equipment.
  Two issues are important for him:
  At first he wants that some employees can create via u201CCreateu2026 -> Create Attachmentu201D (Services for Objects), but some should not be able to create attachments. I have found the transaction SGOS, but there you only can set this option inactive for all users.
  At second the deletion of these attachments should not be able in general. I have found the authorization object S_WFAR_OBJ for the ArchiveLink u2013 object which is already maintained. But I haven´t found anything for above mentioned objects.
  Could anybody help me? Do you know which authorization objects are necessary?
  Thank you very much in advance!
  Kristin

  Explained in [ wiki|http://wiki.sdn.sap.com/wiki/display/SI/FrequentlyaskedquestionsaboutGenericObjectServices+(GOS)]
  Hope it helps

• Need authorization for business document services attachment list with user status in ps claim for clm2 and clm3

  Dear Friends,
  client wants to restrict the attachment list changing, deletion after the user status sets to close in PS Claims for transaction clm2 and clm3.
  Currently any one can attach documents as GOS and delete even the claim is completed and status is closed.
  How can we restrict all users even who created the claim can not change create and delete attachment list documents once the claim is completed and approved and user status sets to closed.

  HI,
  what is the claim creation transaction in that 01 is for creation 02 is for edit and 03 for display so with the help of basis consultant you can assigned transaction in user's assigned role accordingly.
  But user who is authorize for create claim can not modified or edit once he save the job. this would be limitation.
  Regards,
  Sanjeev

• Difference between usage of "System -- Services for object" and GOS direct

  Hey folks,
  i was wondering if you know an answer for that problem:
  1) Start ME23N (no SAP Gui classic design!) and go to System - Services for Objects in order to start the GOS Toolbox. Try to to store a business document. In my case i don't have the authorisation S_WFAR_OBJ so i get the  Message no. 00398 "You do not have authorization for this function" Thats the behavior a want
  2) Start ME23N and activate GOS Toolbox by clicking directly on the button on the top left corner. Try to a store a business document. But there is no message coming up?! Same user, same PO! It seems that the Toolbox is just beeing restartet and thats it.
  Same behavior in IW53/IW33 too, no auth error message if GOS is started via "System --> Services for Objects".
  Thats our system:
  ERP ECC 6.04 with NW 7.01
  SAP Gui 7.20 PL 3 (signature design)
  Thanks for your help and best regards
  Olli
  Edited by: Oliver Grewenig on Jan 18, 2012 11:30 AM

  Hi Oliver,
  I have done a similar testing for Tcode FB03 since I have done Archivelink configuration for this FI object.
  Case 1:
  =======
  Start FB03 (no SAP Gui classic design!) and go to System - Services for Objects in order to start the GOS Toolbox. Try to to store a business document. In my case i don't have the authorisation S_WFAR_OBJ so i get the Message no. 00398 "You do not have authorization for this function"
  Case 2:
  ========
  Start FB03 and activate GOS Toolbox by clicking directly on the button on the top left corner. Try to a store a business document. Still got the same error message "You do not have authorization for this function".
  Later I added the required object in the authorization profile and it worked in both the cases mentioned above.
  Since the same program is being executed behind both the cases, it will check the same authorization object as designed.
  What I would suggest is that you perform this test again and ensure that no one modifies the authorization during your testing period.
  Regards,
  Deepak Kori

• Open and close posting period authorization control TCODE: S_ALR_87003642

  HI All,
  Is there any chance to control the user to open and close another company code posting period variant in TCODE: S_ALR_87003642.
  In our system we are using the same client for different countries. So user can able to change the other country company code posting periods.
  We would like to control either on the country (or) organizational unit(company code) (or) posting period variant so that user can only open/close  their country / company code posting periods.
  Our present authorization role for open and close posting period contain the auth.Obj. : S_TABU_DIS.
  Please share your knowledge if you come across this problem..
  Thanks in advance..

  Hey Sandhya,
  Congratz, this can be done using linbe item authorization with the object S_TABU_LIN.
  Field ORG_CRIT - Value 02
  Field ORG_FIeld1 - Value ZT001B
  We have successfully done it in our client.
  You need to contact your BASIS consultant for this.
  Thanks,
  Nitish

• Analysis Authorization in BO 4.0 Webi report

  Hi All,
  I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
  We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
  However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
  I have tried:
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
  Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
  (BO 4.0 no service pack or fix pack installed on the system yet)
  Thanks - Appreciate your help !
  Prasad Rasam

  Ingo,
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  >> Correct you need to setup you OLAP Connection with SSO.
  >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
  Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
  Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  >> The variable in the BEx query needs to be an authorization variable.
  >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
  Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
  regards
  Ingo Hilgefort

• Analysis Authorization Issue 7.3

  Hello Friends,
  System BW 7.3, Currently there are 80 odd analysis authorization objects
  We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
  Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
  Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
  Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
  I do not want to change all the existing analysis authorization objects to add GL Account.
  Your inputs are most welcome.
  Thanks
  Ed.

  Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
  Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
  I have done the following steps
  1. Made the GL Account object authorization relevant in RSA1,
  2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
  3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
  4. Created authorization variable in BEx.
  5. No existing analysis authorization objects have been changed.
  When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
  But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
  Guess I am missing some thing here.
  Do you need any other screen shots.
  Thanks
  Ed.

• Analysis Authorization Issue

  Hi:
  I created an analysis authorization ZCO_CODE to trstrict it by a company code.
  I added following objects in authorization with values.
  0COMP_CODE = 1000
  0TCAACTVT = 03
  0TCAIFAREA = *
  0TCAIPROV = *
  0TCAVALID = *
  Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
  When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
  Help will be appreciated.

  Hi Sachin:
  Okay here is my issue.
  I have a Reporting authorization Object created earlier which is ZCOCODE. I though I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernards presentation and then you have to migrate it.
  In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
  How can I see whether it has updated existing profile?????
  Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
  For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???