How to assign authorization objects to a cube

Similar Messages

• Assigning authorization through assigning authorization objects

  hi all,
  can anybody tell me the whole procedure for assigning authorizations by assigning authorization objects from the scratch along with the example with guide for assigned authorizaon using this method.b'coz this is the requirement of our organization.
  I mean to say assign authorization manually without assigning trnsaction codes.
  suggestion are always accepted.
  if you want to send me the documents then my email id is [email protected]
  thanks in advance,
  waiting for reply............
  hardik patel.

  hi kumar,
          thanks for your help.
          ok i got it and i agree that i can find the authorization object by your suggested way.
      now my point is that i find that this perticulat object is corresponding to this particular trnsaction code. now if i want to aloow only four transaction code out of all transaction codes belongs to that authorization objects. so, for this how can i maintain authorization for this authorization objects.
  It means on " Change authorization tab" it shows fields of that added authorization objects. so what values should i give to those fields so that i can allow only particular transaction codes which i want. so, how can i determine these values for allowing particular transaction codes, not all transaction codes. can you guide me regarding this?
  Please help me regarding this?
  thanks for your support,
  waiting for your reply...............
  Regards,
  Hardik Patel.

• How to assign authorisation object to  user

  hi,i have created authorisation object now i want to assign it to role and
  then to user
  how to get this.
  i went into pfcg transaction but i didnt know how to assign authorisation object to
  role and then to user
  can any one tell me how to procedd further?
  Message was edited by:
          venkat s

  Hi Venkat,
  When you create authorization object in RSSM you only assign info object.
  How did you assign respective values?
  once your authorization object is saved you should find it in PFCG. even if you go to expert mode for profile generation
  Check tecnical name.
  Alternatively instead of inserting manually go to selection criteria  and the system will display all active authorization objects  and you can choose your object.
  Jaya

• Assign Authorization Object dynamically

  Hi,
  I just want to know through coding is it possible to assign authorization object to user based on some condition dynamically.
  Its related to BP and in CRM 6.0
  Pls provide some approach if its possible.
  Thanks a lot.
  Regards,
  Shobhit

  Shobhit,
  Displaying authorization details would not be much of a problem. We can add a flag in the customer master and fetch the customers with the flag in the search result. I believe there is BADI to do that.
  Once the customers are retrieved navigating to the account details should be standard procedure. It should make use of standard events to go to the BPHeadOverview screen.
  But, the concern is whether or not there is authorization failure when we are trying to save the activity created using these flagged customers.
  Regards
  Prasenjit

• How i know Authorization object in system?

  Hi all,
  i create new BAdi with Enhancement Spot: ZWORKORDER_GOODSMVT (copy WORKORDER_GOODSMVT in standard SAP)
  now i have Badi definition: ZWORKORDER_GOODSMVT
  with Interface: ZIF_EX_WORKORDER_GOODSMVT
  all ok.
  now how i can see authorization object in Badi definition: WORKORDER_GOODSMVT (standard)? i already creat Authorization object but now i don't know what field and choose in maintain the authorization (from Badi definition: WORKORDER_GOODSMVT )
  ex: 1. in package BSFC have interface IF_EX_BSFC_POLICY and method GET_POLICY
       2. Authorzation object: B_BSFC (have field name: BSFC_APPL and ACTVT in maintain the authorzation)
  because i get this and solve in my job.
  when i activate the BAdI function called WORKORDER_GOODSMVT and assign to the a.m. authorization object???
  Processing Logic: 
  •     The backflush errors are created after the execution of backflushing transaction in Repetitive Manufacturing (REM) – t-code MF42N or MFBF
  •     If during the backflush execution the components are not available in the respective production storage location then system by default will create backflush errors
  •     Backflush errors will need to be cleared everyday and must be cleared before end month stock take
  •     Backflush errors can be processed using the following t-code:
  o     MF45 – Individual
  o     MF46 – Collective
  o     MF47 – Post processing List
  o     COGI – Post processing Individual Components
  Authorization will be applied only for COGI, while others will not be used in PSECI
  •     Create new authorization object called Z_PP_COGI to be assigned later to the user id
  •     Activate the BAdI function called WORKORDER_GOODSMVT and assign to the a.m. authorization object
  •     For unauthorized users, an errors message will appear if they try to delete the backflush errors in COGI transaction as follows:
  o     You are not authorized to change/ delete the backflush errors! Please contact your superior!
  Thanks so much all, ......

  Hi Nguyen,
  Check the following links:
  http://help.sap.com/saphelp_erp2004/helpdata/en/b8/bdb83b5b831f3be10000000a114084/content.htm
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/6714a9439b11d1896f0000e8322d00/content.htm
  Regards,
  Rajesh K Soman
  <b>Please reward points if found helpful.</b>

• How to use authorization object P_PERNR ?

  Hi, Gurus~
  In our system, there is a user whose User ID is "00041", and she can modify her own 0008, we want to control it so that she can only display her own 0008, but process 0008 for all other employees
  So, i use the authorization object P_PERNR to do this, i set the fields value like this (totally copy from the SAP help for P_PERNR....):
  Authorization level:  W,S,D,E
  Infotype: 0008
  Interpretation of assignment personnel number: E
  Subtype: *
  and then, i maintain her master data 0105's subtype 0001-system user name as 00041
  i think she shouldn't maintain her own 0008 now ,but she still can maintain it
  i want to know why and how to solve it, did i do it in the right way?
  Thank you in advance!

  P_PERNR   HR: Master Data - Personnel Number Check
  You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.
  The following values are possible for the PSIGN field:
  I   =          Authorization for personnel number assigned, that is for own personnel number
  E  =          Authorization for all personnel numbers excluding own personnel number
  You can assign a user a personnel number using infotype 0105, subtype 0001 (in earlier releases using the V_T513A view).
  This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.
  Example of Personnel Number Check P_PERNR
  The authorization checks for P_ORGIN and P_PERNR are activated in the system. In addition, there are user assignments for some personnel numbers.
  The user in our example is assigned a personnel number and is administrator responsible for the Basic Pay infotype (0008) of a personnel area (that is, the user has the corresponding P_ORGIN authorization). The employee should also be able to display his or her own data but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. The corresponding authorizations for the P_PERNR authorization object must be set up as follows: AUTHC = R, M
  PSIGN = I
  INFTY = *
  SUBTY = * AUTHC = W, S, D, E
  PSIGN = E
  INFTY = 0008
  SUBTY = *
  In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. You need to set up the appropriate authorizations for the HR: Personnel Number Check object as shown in this example.
  The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write access to all data records of infotype 0008 for the employee's own personnel number in case the administrator is responsible at some point in the future for the personnel area to which he or she belongs.
  As the following examples illustrate, inconsistent authorizations can be granted.
  Example 1:
  AUTHC = *
  PSIGN = I
  INFTY = 0014
  SUBTY = M* AUTHC = W, S, D, E
  PSIGN = E
  INFTY = 0014
  SUBTY = *
  The first authorization grants the employee read authorization (AUTHC = R) for the Recurrent Payments/Deductions infotype (0014), subtype M120, which allows the employee to access the data stored under his or her personnel number. In this case, the second authorization is irrelevant.
  The first authorization grants the employee write authorization (AUTHC = W) for the Recurrent Payments/Deductions infotype (0014), subtype B030, which denies the employee access to the data stored under his or her personnel number. In this case, the first authorization is irrelevant.
  The first authorization grants the employee write authorization for the Recurrent Payments/Deductions infotype (0014), subtype M120, the second authorization denies the employee this authorization. The desired system response is unclear from this example. According to the documentation, the system response is undefined in such situations. In reality, the authorization check always denies authorization in unclear situations, that is E is stronger than I and therefore the authorization is not granted.
  Example 2:
  AUTHC = *
  PSIGN = *
  INFTY = *
  SUBTY = *
  This type of authorization is required by superusers with unlimited access, for example. The above authorization is appropriate if an employee wants to access an infotype. However, since PSIGN = * and * can be substituted for any value, PSIGN and E can also be interpreted as I. This can also lead to an undefined situation. In earlier releases, the authorization was denied on the basis of the rule E is stronger than I. This meant that superusers with assigned personnel numbers were not able to access their own personnel number. The programs have since been changed and now * is interpreted as I and is stronger than E. In other words, * is stronger than E and E is stronger than I, whereby * is interpreted as I.
  As already indicated in Example 1, the combination of different authorizations can produce a complicated result. We therefore recommend that you avoid combinations where P_PERNR authorizations can be interpreted differently for the same combination of AUTHC(Authorization Level), INFTY(Infotype) and SUBTY (Subtype).
  Misunderstandings arising from the complex situations described above are not the most frequent causes of customer inquiries, however. The most frequent cause is the incorrect assumption that authorizations by personnel number affect authorizations for non-assigned personnel numbers. This is not the case at all.
  If you use authorizations by personnel number, you should always first set up all non-personnel number-related authorizations. As soon as you have done this, you should create different access authorizations for the personnel numbers that are assigned to users using appropriate P_PERNR authorizations. This is always possible since the P_PERNR authorizations override all other authorizations directly (except Test Procedures).
  P_PERNR authorization checks cannot bypass test procedures directly. For instance, a test procedure is only carried out on the Recurring Payments/Deductions infotype (0014) if a corresponding P_PERNR authorization (with PSIGN = I) exists. If an appropriate authorization for the corresponding subtype of the infotype 0130 exists, it can be used effectively to carry out the test procedures.

• Assign authorization objects

  HI ,
  1. When i create new set of WS do i need to create to them authorization object ?
  2. if i create new set of users from scratch in the system and i want to provide to them one role that
  I create and contain for instance all the report and transaction that i want to provide,
  do i need to add to them another authorization objects ?
  3. if i create authorization object in the system how i add it to certain role ,i don't see these
  option in PFCG.
  Best Regards
  Michael

  HII,
  Yes u can aad  other authorization object to the existing role if the role needs it because user is unable to perform any task releated to it because of missing authorization object after seeing it in su53 because sometimes tcode assigned but corresponding authorization is not added by system automatically this creates prob for the user to perform task as far as adding up an authorization object u can added it  throught su24 or pfcg in pfcg u need to click on manuaally option u can added upto 8 authroziation objects and if u want to added it through su24 u click on add authorization object feild
  but never forget to save and generate the profile after adding authorization object and also do user comparsion and complete comparsion so this object gets added to the role
  byeeeeeeeeeeee
  takecare

• Programmatically assigning Authorization Objects to roles

  Hi there,
  I have created an authorisation object with eight fields. The fields control which parts of my application are accessible to the user. (Each field is one category, each category has several subcategories).
  What I want to do is the following:
  There shall be a custom authorization dialog, wherein the system administrator can configure the access of the application for a specific user.
  In plain text: I want to develop an interface which makes it possible to assign authorisation objects with specific values to a user or to an already existing role.
  Is there any functionality, that allows me to perform this assignment and regenerate the users profile?
  I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just to write new values to that table has no affect to the authorization when calling "authority-check object" in an ABAP report.
  Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?
  Thank you very much,
  Gregor
  Edited by: Gregor Bender on Mar 11, 2008 8:41 AM

  >
  Gregor Bender wrote:
  > I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values.
  Nope, sorry, it's not the connection but only one of the many.... Roles and profiles are stored in quite a lot of different tables so manipulating one table directly will hardly ever get you the desired situation. It may even lead to problems due to inconsistencies.
  For mass regenerating profiles there's transaction SUPC.
  For manipulating the contents of roles/profiles have a look at scripting with SECATT or LSMW in combination with PFCG.
  If you want to write code to add objects to roles you have to look at least in tables AGR_1250, AG_1251 and AGR_1252. The UST* tables are updated when generating profiles and/or comparing users.

• Assign authorization objects to newly created transaction

  I have just created a new transaction YMM02 as a copy of MM02. When I create a role using PFCG and enter in the new transaction there are no authorization objects proposed. Do these come from the original transaction or can I assign them through a SAP transaction or via a table entry?
  Regards,
  Brian

  Hi Brian,
  that's transaction SU24.
  See also its documentation if needed : http://help.sap.com/saphelp_nw70/helpdata/en/52/671449439b11d1896f0000e8322d00/frameset.htm
  BR
  Sandra

• Assigning authorization objects to transaction

  Hi All,
  While creating a new role using transaction PFCG, If i enter transaction SE38, i will get lot of authorization objects, fields where i can decide whether i should allow only display or change or create etc. But if i create my own transaction, then i will not get these authorization objects. Where should i assign there objects for my transactions.
  I tried to assign this in transaction se93, but that did not work.
  Thanks in advance.
  Best Regards,
  Surendra<b></b><b></b>

  TRY with SE97.
  and check the check box change mode and try running there you can change the authorizations..
  vijay

• Assign authorization object to standard transaction (VA02)

  I've success to create an authorization object and assigned to va02. I also use su24 to check indicator for my customize object. There are reported that it is Check. I think it is activated. Then i access va02, but it still can access, I suppose i no have right to access the va02. What's wrong for my setting. Acutally, I no much ideas for the authorization object. Can you give me some advise. Thanks a lot.

  Hi Giri,
  You could (and probably should) specify the check in SU24, but this won't make the check happen.  The values in SU24 are used in transaction PFCG when a role is created that includes this transaction.
  To make the authorisation check at runtime you'll need to code a user exit or similar to check your new authorisation object.
  Regards,
  Nick

• PO account assignment authorization object

  Dear Guru's,
  We want to restrict PO creation (ME21n) for certain Account assignment catagories (one for one particular plant and not system wide).
  Is there any Authorization oject for this using which we can restrict the creation?
  Kindly share your idea.
  Thanks and Best Regards,
  Mohan

  No. There isn't.
  We discussed this a couple of times over in the security forum. If you search there, you will find solutions that other boarders have applied (exits, etc.).

• Authorization object assignment on USERS

  Hi,
  i have to maintain authorization objects in transaction types and users in our company, such that the executives (management of all org. units) of the company are able to see all the transactions including activities within the whole company.
  on the other hand the employees (<b>not executives</b>, belonging to a specific org unit) should be able to see ONLY the transactions belonging to his org. unit
  useful info is avlbl at: http://help.sap.com/saphelp_crm50/helpdata/en/26/99973915e69238e10000000a11402f/frameset.htm
  but where and how are these authorization objects assigned?
  Kindly help, thnx, all answers appreciated.
  Jacob.

  hi Jacob,
  Look at <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/81/0e0f61b566dc44bbb4055b3ccd25be/frameset.htm">Identity Management</a> maybe it helps you.
  Regards.
  Manuel

• How to control the  authorization of IM05 through  authorization object

  Now we want to control the  authorization of IM05 through  authorization object C_PRPS_USR, but C_PRPS_USR is not assigned to tcode im05.How can we assign authorization object C_PRPS_USR to tcode im05? OR do we have any other method to obtain the same result?

  write a factory method that controls the number of instances for you:
  import java.util.List;
  import java.util.Arrays;
  public class Bar
     private static final int MAX_BARS = 5;
     private static int numBars = 0;
     private int id;
     public static void main(String [] args)
        try
           int numBars = ((args.length > 0) ? Integer.parseInt(args[0]) : MAX_BARS+1);
           Bar [] bars = new Bar[numBars];
           for (int i = 0; i < bars.length; ++i)
              bars[i] = Bar.create();
           System.out.println(Arrays.asList(bars));
        catch (Exception e)
           e.printStackTrace();
     private Bar() { this.id = numBars++; }
     public String toString() { return "I am bar number " + this.id; }
     public static Bar create()
        Bar nextBar = null;
        if (numBars < MAX_BARS)
           nextBar = new Bar();
        return nextBar;
  }%

• Authorization object  assigning to user profile

  Hi all,
    Wht are the steps involved in assigning authorization object S_GUI with activity 60 (S_GUI ACTVT=60) to the users profile.
  Thanks

  you can assign authorization profile to user through Role..
  goto PFCG, either create a new role or change an existing role(which the user has)
  go to authorization tab, change authorization, click manually button,
  add S_GUI and then click on values, select 60.. save the role, generate it..
  if it is new role that you have created, then go to SU01 - roles, add it.. save user..