How to authorization object S_TABU_LIN in BW/BI step by step

Similar Messages

• Authorization object: S_TABU_LIN

  Hello to all,
  I have created an authorization on company code and everything works fine when i use the value for which the user is authorized. But the problem is, that the user sees all company codes.
  I know that it is possible that a user only sees the values of a master data info Object for which they have the authorization when pushing S_TABU_LIN authorization but I don't find how to applicate.
  Thanks in advance for any ideas.

  Hi,
  Standard Roles and Standard Authorization Objects
  SAP delivers standard roles covering the most frequent business transactions. You can use
  these roles as a template for your own roles.
  Refer the links
  www.scribd.com/doc/11546905/User-Roles
  www.sap.com/germany/about/company/revis/pdf/DS_Leitfaden_BW_en.pdf
  www.biavenue.co.za/downloads/3%20-%20BI%207%20Developers%20Guide.pdf
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30adcac6-7a55-2a10-9fa9-a61d947f6ec9
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e0a93c0e-3a98-2b10-55ae-8dbcbad61f8e
  Hope the above links will hwlp you
  Naresh

• Query on  authorization object

  Hi,
          I need to create one authorization object which contain only one field as sy-uname.
  I carry out the following stapes:
  1. I went to SU21
  2. Create a class
  3. create a authorization object
  4. Add a field sy-uname in the field
  Now , my query is that,
  1. is it allowed to add sy-uname in there in the field or i have to put just 'uname' there. or what??
  2. Is there any other steps required after adding the field in the authorization object
  3. Do any one has some document on how these authorization object work execpt the F1 help on the 'AUTHORITY-CHECK' in the editor???

  Hi
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a  profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Reward points if useful
  Regards
  Anji

• How to use CRM authorization object.

  Hi All,
  I have a specific requirement to restrict user while he/she tries to save a record. It appears that if that restrictions are implemented the save logic for an entity has to be changed because there are some validation regarding relationship management in SAP system. SO I need to bypass that validation to allow some users of specific(Marketting) role to save the entity record bypassing that validation. here I am planning to use the CRM authorization objects. But dont know how to use these and which authorization object to refer.
  Please let me know if you guys have any idea.
  Regards,
  Bikramjit.

  Hi Bikramjit.,
  You might need to create a Custom authorization object and then use it. Else you can create one Z table and maintain the User ID of all users. The mainatin one field with flag and set it to X for the user that are aloowed to save the transaction.
  Also once you maintain the table, generate the table maintenance so that it becomes easier for future use.
  Hope this helps

• How i know Authorization object in system?

  Hi all,
  i create new BAdi with Enhancement Spot: ZWORKORDER_GOODSMVT (copy WORKORDER_GOODSMVT in standard SAP)
  now i have Badi definition: ZWORKORDER_GOODSMVT
  with Interface: ZIF_EX_WORKORDER_GOODSMVT
  all ok.
  now how i can see authorization object in Badi definition: WORKORDER_GOODSMVT (standard)? i already creat Authorization object but now i don't know what field and choose in maintain the authorization (from Badi definition: WORKORDER_GOODSMVT )
  ex: 1. in package BSFC have interface IF_EX_BSFC_POLICY and method GET_POLICY
       2. Authorzation object: B_BSFC (have field name: BSFC_APPL and ACTVT in maintain the authorzation)
  because i get this and solve in my job.
  when i activate the BAdI function called WORKORDER_GOODSMVT and assign to the a.m. authorization object???
  Processing Logic: 
  •     The backflush errors are created after the execution of backflushing transaction in Repetitive Manufacturing (REM) – t-code MF42N or MFBF
  •     If during the backflush execution the components are not available in the respective production storage location then system by default will create backflush errors
  •     Backflush errors will need to be cleared everyday and must be cleared before end month stock take
  •     Backflush errors can be processed using the following t-code:
  o     MF45 – Individual
  o     MF46 – Collective
  o     MF47 – Post processing List
  o     COGI – Post processing Individual Components
  Authorization will be applied only for COGI, while others will not be used in PSECI
  •     Create new authorization object called Z_PP_COGI to be assigned later to the user id
  •     Activate the BAdI function called WORKORDER_GOODSMVT and assign to the a.m. authorization object
  •     For unauthorized users, an errors message will appear if they try to delete the backflush errors in COGI transaction as follows:
  o     You are not authorized to change/ delete the backflush errors! Please contact your superior!
  Thanks so much all, ......

  Hi Nguyen,
  Check the following links:
  http://help.sap.com/saphelp_erp2004/helpdata/en/b8/bdb83b5b831f3be10000000a114084/content.htm
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/6714a9439b11d1896f0000e8322d00/content.htm
  Regards,
  Rajesh K Soman
  <b>Please reward points if found helpful.</b>

• How to add authorization field to a standard authorization object

  Hi All,
  I'm trying to limit user to can only create & change X type of order type in PM module. This can be fullfill by creating suer with assigned role with only allow X type of order type.
  But when I assigned a display role which has authorization to display all order type (maintained as authorization object), now my user can create and change all order type.
  How to limit user to can only create & change X order type and only display the rest of order type?
  I assume by adding authorization field: AUFART(order type) in authorization object: I_TCODE will solve the problem, is it right? and is it possible to do that?
  regards,
  Andre

  Hi,
  your assumption is incorrect. First of all, adding a new field to standard authorization object is a bad idea. You would have to modify all checks for that object. For standard SAP object it means that you would have to modify many SAP programs.
  The authorization object I_TCODE is checked in PM transactions. It gives you authorization to run that transactions. That object can't be used to limit what you do in that transaction or what order type you can process. You are looking for some other authorization object(s). You need to go to SU24 which gives you what authorization objects are checked in particular transaction. It does not have to cover all objects but it's a good starting point.
  Cheers

• How to use authorization object P_PERNR ?

  Hi, Gurus~
  In our system, there is a user whose User ID is "00041", and she can modify her own 0008, we want to control it so that she can only display her own 0008, but process 0008 for all other employees
  So, i use the authorization object P_PERNR to do this, i set the fields value like this (totally copy from the SAP help for P_PERNR....):
  Authorization level:  W,S,D,E
  Infotype: 0008
  Interpretation of assignment personnel number: E
  Subtype: *
  and then, i maintain her master data 0105's subtype 0001-system user name as 00041
  i think she shouldn't maintain her own 0008 now ,but she still can maintain it
  i want to know why and how to solve it, did i do it in the right way?
  Thank you in advance!

  P_PERNR   HR: Master Data - Personnel Number Check
  You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.
  The following values are possible for the PSIGN field:
  I   =          Authorization for personnel number assigned, that is for own personnel number
  E  =          Authorization for all personnel numbers excluding own personnel number
  You can assign a user a personnel number using infotype 0105, subtype 0001 (in earlier releases using the V_T513A view).
  This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.
  Example of Personnel Number Check P_PERNR
  The authorization checks for P_ORGIN and P_PERNR are activated in the system. In addition, there are user assignments for some personnel numbers.
  The user in our example is assigned a personnel number and is administrator responsible for the Basic Pay infotype (0008) of a personnel area (that is, the user has the corresponding P_ORGIN authorization). The employee should also be able to display his or her own data but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. The corresponding authorizations for the P_PERNR authorization object must be set up as follows: AUTHC = R, M
  PSIGN = I
  INFTY = *
  SUBTY = * AUTHC = W, S, D, E
  PSIGN = E
  INFTY = 0008
  SUBTY = *
  In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. You need to set up the appropriate authorizations for the HR: Personnel Number Check object as shown in this example.
  The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write access to all data records of infotype 0008 for the employee's own personnel number in case the administrator is responsible at some point in the future for the personnel area to which he or she belongs.
  As the following examples illustrate, inconsistent authorizations can be granted.
  Example 1:
  AUTHC = *
  PSIGN = I
  INFTY = 0014
  SUBTY = M* AUTHC = W, S, D, E
  PSIGN = E
  INFTY = 0014
  SUBTY = *
  The first authorization grants the employee read authorization (AUTHC = R) for the Recurrent Payments/Deductions infotype (0014), subtype M120, which allows the employee to access the data stored under his or her personnel number. In this case, the second authorization is irrelevant.
  The first authorization grants the employee write authorization (AUTHC = W) for the Recurrent Payments/Deductions infotype (0014), subtype B030, which denies the employee access to the data stored under his or her personnel number. In this case, the first authorization is irrelevant.
  The first authorization grants the employee write authorization for the Recurrent Payments/Deductions infotype (0014), subtype M120, the second authorization denies the employee this authorization. The desired system response is unclear from this example. According to the documentation, the system response is undefined in such situations. In reality, the authorization check always denies authorization in unclear situations, that is E is stronger than I and therefore the authorization is not granted.
  Example 2:
  AUTHC = *
  PSIGN = *
  INFTY = *
  SUBTY = *
  This type of authorization is required by superusers with unlimited access, for example. The above authorization is appropriate if an employee wants to access an infotype. However, since PSIGN = * and * can be substituted for any value, PSIGN and E can also be interpreted as I. This can also lead to an undefined situation. In earlier releases, the authorization was denied on the basis of the rule E is stronger than I. This meant that superusers with assigned personnel numbers were not able to access their own personnel number. The programs have since been changed and now * is interpreted as I and is stronger than E. In other words, * is stronger than E and E is stronger than I, whereby * is interpreted as I.
  As already indicated in Example 1, the combination of different authorizations can produce a complicated result. We therefore recommend that you avoid combinations where P_PERNR authorizations can be interpreted differently for the same combination of AUTHC(Authorization Level), INFTY(Infotype) and SUBTY (Subtype).
  Misunderstandings arising from the complex situations described above are not the most frequent causes of customer inquiries, however. The most frequent cause is the incorrect assumption that authorizations by personnel number affect authorizations for non-assigned personnel numbers. This is not the case at all.
  If you use authorizations by personnel number, you should always first set up all non-personnel number-related authorizations. As soon as you have done this, you should create different access authorizations for the personnel numbers that are assigned to users using appropriate P_PERNR authorizations. This is always possible since the P_PERNR authorizations override all other authorizations directly (except Test Procedures).
  P_PERNR authorization checks cannot bypass test procedures directly. For instance, a test procedure is only carried out on the Recurring Payments/Deductions infotype (0014) if a corresponding P_PERNR authorization (with PSIGN = I) exists. If an appropriate authorization for the corresponding subtype of the infotype 0130 exists, it can be used effectively to carry out the test procedures.

• How to add function group to the  authorization object S_RFC ?

  Hi All,
  Can you  please tell you how to add the function group FG_DIAGLS_DATA_ENRICHMENT  to the authorization object
  S_RFC?
  In solman_setup under basis configuration when I execute the step "SetupDPC/DCC Web Service URL" its getting failed because of the
  following error which i found it in the agent log
  "java.rmi.RemoteException:RfcExecutionException; nested exception is:
  com.sap.sup.admin.abap.rfc.exception.RfcExecutionException: An
  exceptionoccured during the execution of the function
  'FM_DIAGLS_PUSH_PHYSICAL_HOST': RFC_NO_AUTHORITY >
  com.sap.sup.admin.abap.rfc.exception.RfcExecutionException:An exception
  occured during the execution of the function
  'FM_DIAGLS_PUSH_PHYSICAL_HOST': RFC_NO_AUTHORITY >
  com.sap.mw.jco.JCO$Exception:No RFC authorization for function module
  FM_DIAGLS_PUSH_PHYSICAL_HOST. <Mid"
  Thanks,
  Satheesh E

  Hi,
  Please follow below steps:
  1) Go to SE01
  2) Click on create New workbench request and give desc once popup appears, Click Ok
  3) Now open the trasport in edit mode
  4) Add
  Program ID - R3TR
  Object Type - FUGR
  Object name - Name of the Function group
  >note that if you tranport Function group all the latest Function modules in function group along
  >with screens will be included in the transport.
  Regards
  Shital
  Formatted by: Vijay Babu Dudla on Apr 25, 2009 5:08 AM

• What is authorization object and how to create it for a table

  Hi All,
  What is authorization object and how to create it for a table?
  Thanks

  Hi
  Authorization
  For authorization checks, there are many ways of linking authorization objects with user actions in an SAP system. The following discusses three possibilities in the context of ABAP programming.
  Authorization Check for Transactions
  You can directly link authorization objects with transaction codes. You can enter values for the fields of an authorization object in the transaction maintenance. Before the transaction is executed, the system compares these values with the values in the user master record and only starts the transaction if the appropriate authorization exists.
  Authorization Check for ABAP Programs
  For ABAP programs, the two objects S_DEVELOP (program development and program execution) and S_PROGRAM (program maintenance) exist. They contains a field P_GROUP that is connected with the program attribute authorization group. Thus, you can assign users program-specific authorizations for individual ABAP programs.
  Authorization Check in ABAP Programs
  A more sophisticated, user-programmed authorization check is possible using the Authority-Check statement. It allows you to check the entries in the user master record for specific authorization objects against any other values. Therefore, if a transaction or program is not sufficiently protected or not every user that is authorized to use the program can also execute all the actions, this statement must be used.
  AUTHORITY-CHECK OBJECT object
                          ID name1 FIELD f1
                          ID name2 FIELD f2
                          ID namen FIELD fn.
  object is the name of an authorization object. With name1, name2 ... , and so on, you must list all fields of the authorization object object. With  f1, f2 ... , and so on, you must specify the values that the system is to check against the entries in the relevant authorization of the user master record. The AUTHORITY-CHECK statement searches for the specified object in the user profile and checks the useru2019s authorizations for all values of f1, f2 ... . You can avoid checking a field name1, name2 ... by replacing FIELD f1  FIELD f2 with DUMMY.
  After the FIELD addition, you can only specify an elementary field, not a selection table. However, there are function modules available that execute the AUTHORITY-CHECK statement for all values of selection tables. The AUTHORITY-CHECK statement is supported by a statement pattern.
  Only if the user has all authorizations, is the return value sy-subrc of the AUTHORITY-CHECK statement set to 0. The most important return values are:
  ·        0: The user has an authorization for all specified values.
  ·        4: The user does not have the authorization.
  ·        8: The number of specified fields is incorrect.
  ·        12: The specified authorization object does not exist.
  A list of all possible return values is available in the ABAP keyword documentation. The content of sy-subrc has to be closely examined to ascertain the result of the authorization check and react accordingly.
  REPORT demo_authorithy_check.
  PARAMETERS pa_carr LIKE sflight-carrid.
  DATA wa_flights LIKE demo_focc.
  AT SELECTION-SCREEN.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
                    ID 'CARRID' FIELD pa_carr
                    ID 'ACTVT' FIELD '03'.
    IF sy-subrc = 4.
      MESSAGE e045(sabapdocu) WITH pa_carr.
    ELSEIF sy-subrc <> 0.
      MESSAGE e184(sabapdocu) WITH text-010.
    ENDIF.
  START-OF-SELECTION.
    SELECT  carrid connid fldate seatsmax seatsocc
      FROM  sflight
      INTO  CORRESPONDING FIELDS OF wa_flights
      WHERE carrid = pa_carr.
      WRITE: / wa_flights-carrid,
               wa_flights-connid,
               wa_flights-fldate,
               wa_flights-seatsmax,
               wa_flights-seatsocc.
    ENDSELECT.
  Regards
  Hitesh

• How can we define plant section field as a authorization object?

  Hi Expert
                  I checked plant section field by t-code S_BCE_68001412( By Field, Text ) and confirm it isn't a authorization object, But in real business we have defined different plant sections and we want to control user actions by this field, how can we  get to this point, Pls show me some lights.
  Best regards
  George

  George,
    You could potentially achieve the same with the help of the "Authorization group" field on the equipment master.You could create Authorization groups equivalent to plant sections and assign the same to the equipment master, whenever the plant section is populated. You could then use the standard Auth object "I_BEGRP Authorization group"  to control the access to that specific record.
  Regards
  Narasimhan

• How we can remove  one authorization object from multiplt roles

  How we can remove one authorization object from multiplt roles

  > Correct me if I am wrong !!
  O.K., Here I go
  > But if the object is maintained in SU24 and if you use Expert mode for generation of the role then again those objects may be pulled.(make sure you never use expert mode once you delete the objects)
  Actually using expert mode and choosing 'edit old status' is the only way to avoid objects being 'pulled in' after menu changes.
  > As jurjen said, you may download the tables and instead of deleting the object from the excel sheet, change the value of the object in column "DELETED" = X, by doing this only the objects get inactivated(but remain in PFCG).
  I am not speaking of downloading tables but about downloading roles from PFCG. This will not get you a spreadsheet but a flat textfile. If you whish to set the object status to deleted you'll have to swap the space on position 207, right behind the 'U, S, G' flag,  with an 'X' for all corresponding lines.
  Jurjen

• How to add id to the existing Authorization Object

  Hi,
  I want to add one id to the existing Authorization Object,How to add this?
  Here is my Object and existing ID's
  authority-check object 'Z_W2WALL' for user sy-uname
            id 'ZFREEZE' field r_freeze
            id 'ZLI01' field r_li01
            id 'ZLI11' field r_li11
            id 'ZLI14' field r_li14
            id 'ZLI11R' field r_li11n
            id 'ZLI20' field r_li20
            id 'ZMI10' field r_mi10
            id 'ZUPLOAD' field r_upload
            id 'Z_ARTFRZ' field r_artfrz.
  Now for this i want to add
    id 'Z_BIN' field r_frz.
  How to do this?
  Thanks

  Hi Sai,
  as there are already defined other id's have been added, you could also do the same way
  but this will also done through your basis end, where for this id your basis team will provide the
  authority to this id for the same purpose..
  authority-check object 'Z_W2WALL' for user sy-uname
            id 'ZFREEZE' field r_freeze
            id 'ZLI01' field r_li01
            id 'ZLI11' field r_li11
            id 'ZLI14' field r_li14
            id 'ZLI11R' field r_li11n
            id 'ZLI20' field r_li20
            id 'ZMI10' field r_mi10
            id 'Z_BIN' field r_frz
            id 'ZUPLOAD' field r_upload
            id 'Z_ARTFRZ' field r_artfrz.

• How we can show authorization object  at infoprovider  level

  hi all
  how we can show authorization object at infoprovider level..
  shalini

  S_RS_ICUBE:
            Auth objects for working with Infocubes and their sub-objects. For example,
            protecting users who can define the Infocube, applying update rules, and
            looking at the data in the Infocube.
  In order to execute any query, u must have access to R_RS_ICUBE and S_RS_COMP. S_RS_COMP is
  a powerful object that enables u to make choices on how to secure.

• Authorizations in CRM 2007 - How to check missing authorization objects?

  Hi,
  In our project we are currently busy with the set up of authorizations.
  I did create the necessary PFCG and Business roles.
  For the PFCG roles, I did create all of them by copy of the standard SAP_CRM_UIU_FRAMEWORK so that the user can  access to the web layout.
  Now I need to give authorizations for other CRM objects, my question is: How can I see which objects are missing to displaying or creating activities in the new WEB Layout?
  In the old days we used the SU53 to check the authorization objects that were missing, how can we do it now in this new release? I tried it and didn't worked out.
  Thx
  Regards
  Hugo

  Hi,
  For report CRMD_UI_ROLE_PREPARE you have to input a business role - not a PFCG role. Are you doing that?
  Are you getting no results at all in ST01 or are all results just with return code 0?
  You have to remember to set a filter for your user in ST01 before activating the trace. Another thing to check is if you are using several application servers. I would imagine the trace has to be activated on the same application server as the Web UI. You can change the application sever in SM51.
  /Anders

• How to control the  authorization of IM05 through  authorization object

  Now we want to control the  authorization of IM05 through  authorization object C_PRPS_USR, but C_PRPS_USR is not assigned to tcode im05.How can we assign authorization object C_PRPS_USR to tcode im05? OR do we have any other method to obtain the same result?

  write a factory method that controls the number of instances for you:
  import java.util.List;
  import java.util.Arrays;
  public class Bar
     private static final int MAX_BARS = 5;
     private static int numBars = 0;
     private int id;
     public static void main(String [] args)
        try
           int numBars = ((args.length > 0) ? Integer.parseInt(args[0]) : MAX_BARS+1);
           Bar [] bars = new Bar[numBars];
           for (int i = 0; i < bars.length; ++i)
              bars[i] = Bar.create();
           System.out.println(Arrays.asList(bars));
        catch (Exception e)
           e.printStackTrace();
     private Bar() { this.id = numBars++; }
     public String toString() { return "I am bar number " + this.id; }
     public static Bar create()
        Bar nextBar = null;
        if (numBars < MAX_BARS)
           nextBar = new Bar();
        return nextBar;
  }%