How to add "With Authorization" for removal to Enrollment Profiles?

When I enroll an iOS device to our Profile Manager it gets a "Remote Management" profile which the user can remove without restriction.
When I add profiles later on, they are all linked to this first profile and can all be deleted by deleting the first profile. It doesn't matter if the latter has a removal restriction set.
So how do I lock the Enrollment Profiles?

Of course, the previous posting is not really related to this thread and therefore ought to have been posted as a new topic, but seeing as how AS has introduced the subject...
Here is the way to add a unique constraint to a populated column, ensuring that the existing values are unique as well.
ALTER TABLE t1
ADD CONSTRAINT t1_uk UNIQUE (col1,col2)
EXCEPTIONS INTO my_exceptions
/
If the alter table statement fails this will populate the EXCEPTIONS table with the rows that contain duplicate values for (col1,col2). These are identified by ROWID. We can then choose to:
- delete rows with a bad key;
- amend the values of the key columns;
- re-apply the constraint with the NOVALIDATE option.
We should be wary of choosing the NOVALIDATE option. There's usually a good reason why the unique constraint is required and we should not circumvent it. Apart from anything else, Oracle allows us to build foreign keys referencing NOVALIDATE unique keys. This could result in child rows that have two parents, which is normal in biology, but very wrong in a database. NOVALIDATE is useful in data warehouses and suchlike, because little updating occurs and the data integrity issues are of less importance. I don't think it ought to be used in OLTP situations.
Once we have handled the duplicate values we can re-run the alter table statement and apply the constraint.
If you don't already have an EXCEPTIONS table (it can be called anything, it's the structure that counts) you may need to run (or get a DBA to run) a script called UTLEXCPT.SQL, which will be in the $ORACLE_HOME/rdbms/admin directory.
Cheers, APC
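
The procedure described in the post above, worked end to end as an added example (not part of the original post). The table t1 with its id column, the sample rows and the column sizes of my_exceptions are constructed for illustration; the four-column layout follows the table that UTLEXCPT.SQL creates.

```sql
-- Constructed sample data: ids 1, 2 and 4 share the same (col1, col2) key.
CREATE TABLE t1 (
  id   NUMBER PRIMARY KEY,
  col1 NUMBER,
  col2 VARCHAR2(10)
);
INSERT INTO t1 VALUES (1, 10, 'A');
INSERT INTO t1 VALUES (2, 10, 'A');
INSERT INTO t1 VALUES (3, 20, 'B');
INSERT INTO t1 VALUES (4, 10, 'A');
COMMIT;

-- Exceptions table. The name is free; the structure is what counts.
-- Column sizes are an assumption, check UTLEXCPT.SQL for your release.
CREATE TABLE my_exceptions (
  row_id     ROWID,
  owner      VARCHAR2(128),
  table_name VARCHAR2(128),
  constraint VARCHAR2(128)
);

-- First attempt: validation fails on the duplicate keys, the constraint
-- is not created, and the offending rows are recorded by ROWID.
ALTER TABLE t1
  ADD CONSTRAINT t1_uk UNIQUE (col1, col2)
  EXCEPTIONS INTO my_exceptions;

-- Inspect the offending rows. Every row of a duplicate group is recorded,
-- not only the surplus ones, so a blanket delete of everything listed in
-- my_exceptions would also remove the row you want to keep.
SELECT t.id, t.col1, t.col2, e.constraint
FROM   t1 t
JOIN   my_exceptions e ON e.row_id = t.rowid
ORDER  BY t.col1, t.col2, t.id;

-- Option 1 from the post: delete rows with a bad key, keeping one survivor
-- per (col1, col2). Keeping the lowest id is an arbitrary rule chosen for
-- this example; pick the survivor by whatever business rule applies.
DELETE FROM t1
WHERE  rowid IN (SELECT row_id FROM my_exceptions)
AND    id NOT IN (SELECT MIN(id) FROM t1 GROUP BY col1, col2);
COMMIT;

-- Clear the old findings, then re-run the statement. If rows are still
-- reported, repeat the inspection step before going any further.
TRUNCATE TABLE my_exceptions;

ALTER TABLE t1
  ADD CONSTRAINT t1_uk UNIQUE (col1, col2)
  EXCEPTIONS INTO my_exceptions;

-- Confirm the constraint is enabled and validated rather than NOVALIDATE.
SELECT constraint_name, status, validated
FROM   user_constraints
WHERE  table_name = 'T1'
AND    constraint_name = 'T1_UK';
```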

Similar Messages

  • Issue with authorizations for BPS

    Hi Experts,
    There was an issue with authorizations for BPS. We have a large number of agents that need to enter plan data via a layout. In order to control the necessary authorizations, we would like to filter via something similar to a user exit using a function module in order to avoid having to define authorization objects for each of the agents who have access to the systems. Right now, we are not sure if there is a user exit concept available as there is for BW variables. Anybody who has experienced a similar issue may share their experience.
    Regards,
    Ankit

    Hi,
    In BPS, you can use user specific variables or you can set up a Variable of type exit. You can also have a variable of type authorization which uses the security / authorization of the BW system.
    Hope it helps...
    Cheers,
    Tanish

  • Problem with Authorization for Planning folder

    Hi, I am having a problem with providing authorization for a planning folder.
    I am getting the following error when I test it with a test user:
    Error while calling up RFC
    Message no. UPC202
    Diagnosis
    You have selected a function, to execute this the system must set up an RFC connection to another SAP System. However, setting up this connection was not successful. The following internal error message was generated:
    "You do not have authorization for InfoCube ZT_MR_T "
    Procedure
    Inform the system administrator.
    we are not pulling the data from any other server, all the data is on the sif any one has faced the same issue let me know.
    Regards,
    Abraham

    Calling Thru Trans code: BPS0 in ECC 6
    getting this error:
    Error while calling up RFC
    Message No. UPC202
    Diagnosis
    You have selected a function, to execute this the system must set up an RFC connection to another SAP System. However, setting up this connection was not successful. The following internal error message was generated:
    "An error occurred during the receipt of a complex parameter."
    after i check in bw trans code:st22
    Following this error message:
    Category                   Internal Kernel Error
    Runtime Errors         PARAMETER_CONVERSION_ERROR
    Application Component  BC-MID-RFC
    Short text
        An error occurred during the receipt of a complex parameter.
    What happened?
        During a remote function call, an error occurred while converting
        a complex parameter.
    What can you do?
        Note which actions and input led to the error.
        For further help in handling the problem, contact your SAP administrator
        You can use the ABAP dump analysis transaction ST22 to view and manage
        termination messages, in particular for long term reference.
    Error analysis
        An error occurred during the conversion of a complex parameter.

  • Problem with Authorization for BW BPS planning Folder

    Hi, I am having a problem with providing authorization for a planning folder.
    I am getting the following error when I test it with a test user:
    Error while calling up RFC
    Message no. UPC202
    Diagnosis
    You have selected a function, to execute this the system must set up an RFC connection to another SAP System. However, setting up this connection was not successful. The following internal error message was generated:
    "You do not have authorization for InfoCube ZT_MR_T "
    Procedure
    Inform the system administrator.
    if any one has faced the same issue let me know.
    Regards,
    Abraham

    HI ,
    I checked it out; we don't have that cube in our system.
    Regards,
    Abraham

  • Authorization for IC Web Client Profile

    Dear Guru,
    This is the first time I am involved in an IC Web Client project.
    I would like to limit the IC Web Client Profile. What is the authorization object which I have to limit?
    Besides that, if users are missing an authorization in the web screen, what does the user have to do (in R3 we can ask the user to run /nsu53 or I run ST01 to trace)?
    Please advise.
    Thanks,
    SUGANDI

    You can use SAP delivered roles
    SAP_PCC_IC_AGENT
    SAP_PCC_IC_MANAGER
    SAP_PCC_CAMPAIGN_MANAGER.
    Each of these roles has access to the Interaction Center BSP application 'CRM_IC' as well as other PCUI applications used in IC Web Client.
    The authorization object for BSP applications is 'BSP_APPL'.
    Talk to your security person and ask him to assign these roles to the users who are going to use the application.
    You can even customize these roles.
    Thanks,
    Thirumala.

  • LSMW with BAPI for Person's Qualification Profile - BAPI_QUALIPROF_CHANGE

    All,
    I tried to use BAPI 'BAPI_QUALIPROF_CHANGE' to upload the qualification profile for an employee. The corresponding object type for the function module is BUS7017 (& the method is CHANGE). But in standard SAP, in the initial LSMW attributes screen, it supports only those objects with an ALE interface. But, BUS7017 does not have an ALE interface.
    It is possible to create an ALE interface for a BAPI in the transaction 'BDBG'. After creating an interface, I get the business object in the F4 help for the Business object (LSMW attributes screen). But, I get an error in the step 'Maintain structure relations'. It is saying 'target structure could not be found'.
    Can you please tell me what I am missing here. Also let me know how to generate a function module for the inbound/outbound processing of an ALE with BAPI?
    Thanks in advance.
    Regards,
    Parvath.

    Hi,
      Did you get any solution to this? I am trying to upload cost centers and facing the same problem. If you have found any solution, please pass it on.
    Sutapa

  • Customizing Authorization for Controlling

    Hello, Experts,
      I need to create a role with authorization for SPRO but only for the Controlling branch.
    How do I do it ?
    Thank you !
    Rami Kleiman - HP

    Hi,
    DSK - How do I create a configuration project?
    Anil - Can you be more specific ? PFCG is transaction for creating roles.
    When I add SPRO to the role, it DOES NOT add all the authorization for
    the SPRO options.
    Thank you,
    Rami

  • Authorization for VF01

    Hi
    I have created a role with authorization for the VF01 transaction. However, when I try to execute the transaction VF01 it gives me an error. When I do SU53 it gives me an error for missing authorization object S_DOKU_AUT.
    Do we need to create a role with some common basis authorizations for each user. If yes, what are those common authorizations.
    Thanks
    Deepak

    Hi,
    Open the role that you have created for VF01 authorization with T-code PFCG.
    Click on the Authorization tab, open Change Authorization there, and manually add the object S_DOKU_AUT
    to this role and change the activity according to your requirement. Generate the profile and assign it to the user.

  • Authorizations for document management

    Hi,
    I'm trying to figure out what every authorization means and which effects it has...
    I created a new user, gave him all the necessary authorizations to use certain transactions in Document management by making a new role/profile for him
    After trying everything out, I still have a few questions:
    - with Authorization for change object link (C_DRAD_OBJ)I have the following properties:
    Activity: change, display
    document type: DRM-DRM
    linked SAP object: *
    document status: *
    I know how to display my object link, but how can I change it? Do they mean with changing the object link, the creating of long text for the link or is there more to it?
    - with authorization for document access (C_DRAW_DOK), I can't figure out what the options "Display Application archive" and "Change application archive" mean.  Which effect does it have when I choose them? Where do I consult the application archive? What is the application archive? => SOLVED
    - Do I also have to give the authorization "Display" when I want to give the authorization to delete something?  How can I delete a document info record without displaying it? => SOLVED
    - With "Status dependent authorizations for documents" (C_DRAW_TCS) what do the following options do?
            * change application start (which difference with change?) => SOLVED
            * display application start (which difference with display) => SOLVED
            * request
            * display archive => SOLVED
            * change archive => SOLVED
    I know these are a lot of questions, but I'm making documentation on the authorization profiles of document management, and when I have figured those few last things out, I can share my documentation with the rest of you...
    Message was edited by: Vicky Liesens

    Good morning,
    Haven't been watching this thread for some time now, so please shout if you do have any questions.
    Just a quick note on deleting documents:
    Setting the deletion indicator will simply mark the DIR for deletion, but, it will still be on the dB.
    After you have set the DIR for deletion, you need to run the program "MCDOKDEL", which has a test mode and a real mode.
    This program will physically delete the documents that you have marked for deletion.
    Regards,
    Freddie Botha
    www.documation.co.za
    SAP DMS, CAD Integration, Data Archiving, Imaging and Scanning and Workflow
    [email protected]

  • Authorization for va01 and va02

    Hi all,
    I have a requirement to add an authorization for certain fields (not for editing) in va01 and va02. If i create an authorization object for the same, is it possible to integrate auth object to roles and What will be the fields of auth object ?. Anyone can put comments.
    Thanks and regards
    Jijo

    Hi,
    This is my code in so include program...
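    " Check change authorization (activity 02) on the custom object ZSO_SCHED
    AUTHORITY-CHECK OBJECT 'ZSO_SCHED'
             ID 'ACTVT' FIELD '02'.
    CASE SCREEN-NAME.
       WHEN 'RV45A-ETDAT' OR 'VBEP-WMENG'.
         " SY-SUBRC still holds the result of the AUTHORITY-CHECK above
         IF SY-SUBRC  EQ  0.
           SCREEN-INPUT = 1.   " authorized: field is ready for input
         ELSE.
           SCREEN-INPUT = 0.   " not authorized: field is display-only
         ENDIF.
    ENDCASE.
    Now, I have to connect a role to the auth. object 'ZSO_SCHED'. Any idea how to do it?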
    Thanks and Regards
    Jijo

  • Profile Manager - Why create Enrollment Profiles?

    So a similar question was asked previously:
    Why use an enrollment profile?
    I've read through it and I don't think the answers provided tell the whole story, so I'd like to ask again adding some of my own thought and clarifications on the previous thread.  This may be considered a "primer" by some - though I am certainly not the expert on Profile Manager.  I'm laying it out there to explain my understanding and off of that, ask a question.  If you are an expert, and understand how all this works, please just skip to my question below!
    First, my experience and understanding.  (I urge others to correct/clarify where they see fit):
    The previous thread attempted to make a distinction between the 3 different types of profiles:  Trust, Enrollment, and Remote Management Profiles.
    I believe the proper 3 distinctions should be: Trust, Remote Management/Enrollment, and Configuration Profiles.
    - The Trust Profile is basically a Profile (.mobileconfig file) that contains the Server Certificate that needs to be present to validate other signed Profiles.  It's a fancy way of packaging up the Root certificates.
    - The Remote Management/Enrollment Profile is a Profile (.mobileconfig file) that delivers the Remote Management "connection".  It registers the device with the Profile Manager server and facilitates the ability to use PM/APNS to push various Configuration Profiles as well as commands (wipe/lock/etc).  It is *only* called an Enrollment Profile when you explicitly create one (more on that below).  Because an Enrollment Profile does not need to exist to enroll (or rather it will use the implicit "unseen" enrollment), this is the most confusing of the 3 Profile types.  It is further confusing because the term "Profile" is used almost exclusively on the device and not within Profile Manager.  In fact the "Enrollment Profile" is the only one explicitly called a "Profile" within the management interface!
    IOW: While it is not shown anywhere in Profile Manager, I believe that "Remote Management" (called a Profile on the device) is basically the *default* Enrollment Profile that is only inferred and seen when you use the Enroll function on MyDevices.  This means you don't need to create any Enrollment Profile to enroll your devices interactively via the MyDevices page.
    - The Configuration Profile is a Profile (.mobileconfig file) that delivers specific settings.  These Profiles are applied to either Users, Groups, Devices, or Device Groups.  They can be automatically pushed to an enrolled device, or they can be manually downloaded from the MyDevices page (seems to apply to User configuration only) for devices even if they are not enrolled (this would allow the end user the 'choice' to pull down settings).
    Having outlined that, the simplest steps to enrollment...:
    When you setup Profile Manager, you can go right to the MyDevices page on your device, login, and choose "Enroll." (sample device is let's say an iPad)
    Doing so will prompt you to install the "Remote Management" profile.
    Note that when enrolling in this way it does not appear necessary to install the "Trust Profile" for your server, even when using a Self-signed Cert.  It would appear that this "Remote Management" profile contains not only the SCEP Enrollment Request and the Device Management payload, but also the Certificates that would be installed with the "Trust profile"
    So we have seen here that one can enroll a device without explicitly creating any "Enrollment Profile."
    So why use an Enrollment Profile?
    Well according to https://help.apple.com/profilemanager/mac/3.1/#apd6DD5E89E-2466-4D3C-987E-A4FF05676EB7, the answer is pretty straightforward:
    "The user does not need to authenticate or log in to Profile Manager’s user portal"
    This is a great feature.  For one, you can create an Enrollment Profile and send it via e-mail and the user doesn't need to visit a web page and login to enroll a device.  In fact, based on my experience Enrollment Profiles can't even be accessed via the MyDevices page unless you are a Server Admin.
    However, when distributing an Enrollment Profile you seemingly *must* install the Trust Profile prior to this, or you will get an error about communicating with the server.  Several docs/tutorials you can google explain how to set up your deployment systems (specifically OSX machines) to deploy systems with both the Trust and Enrollment profiles to facilitate automatic enrollment when a new system is deployed so it can instantly be managed.
    However, since a device that is already deployed will/may not have the Trust Profile installed, one would have to visit the MyDevices page to install that prior to being able to import a delivered Enrollment Profile.  Because of that it seems that from a distribution approach (as opposed to a deployment scenario) there is not much advantage of using an explicit Enrollment Profile anyway since we already need to visit the MyDevices page to get the Trust Profile, we might as well just use the standard MyDevices implicit Enrollment.
    All devices that have enrolled themselves via a defined/explicit Enrollment Profile will be listed under that Profile in Profile Manager.  Devices that have enrolled via MyDevices will not be listed under any Profile, but rather just under Devices (where *all* devices will be shown regardless of how they enrolled).
    So, now the questions:
    So, the idea of an Enrollment Profile makes perfect sense - it is basically the only way to create an exportable profile that can be distributed and configured to automatically enroll a device without interactive enrollment via the MyDevices page.
    What I don't get is WHY is there the ability to create multiple Enrollment Profiles rather than simply providing a default exportable profile?
    The reason it makes no sense to me is there is absolutely no correlation (that I can deduce) between an Enrollment Profile and the devices that used it to enroll.  While I can see a (non-exportable) list of each device enrolled via each Enrollment Profile, it ends there.  I can't, for instance, create Configuration Settings that I link to an Enrollment Profile.  Or dynamically populate a Device Group with all devices enrolled from a specific Enrollment Profile.  If I could do these things, it might make sense to me and I have spent much time looking at the interface and scouring documentation to see where the connection is.  I have simply determined that there isn't one.
    I can go ahead and create several Enrollment Profiles such as:
    iPads
    Lab Systems
    Main Office Systems
    High Security Systems
    And I can deploy these Profiles (either via mail/file or via initial deployment) to the respective devices.  I can then see under each Profile which devices enrolled.  But, since I can't actually do anything to correlate those systems to a configuration, why would I want to do this segregation?  Sure it gives me a listing of iPads apart from OSX machines, but I can't do anything with this listing!
    Now, of course, I can still pre-stage devices and add them into particular device groups so that as soon as they are enrolled (via any Enrollment Profile) they will get the Configuration Profile(s) attached to them.  This makes the inclusion of multiple Enrollment Profiles even more suspect.
    Am I missing something?  Can someone enlighten me as to what the purpose of creating more than one Enrollment Profile would be?
    We can easily say "Well it's not hurting having them there" but, in terms of complexity and confusion I believe it is.  Had they simply provided a single Enrollment Profile ("Remote Management") that was downloadable/exportable it would have been sufficient.
    Thoughts?

  • What happens when you give 2 groups with some of the same members different authorizations for a document

    Hello,
    I'm doing my internship at a little Telekom company. I'm investigating how they can use MS SharePoint as their central place to put project information. Now I've been thinking about what happens when I do the following:
    Make one document library
    Add 2 groups to the Active Directory, group "A" with all the employees and group "B" with only four people working on a project. When I add a document to the document library and set the authorizations for the document as follows:
    Group B: Read/Write
    Group A: Read
    Will the people from group B still be able to edit the document, because they are also in group A?
    I don't have a test environment to test this myself.
    Why do I want to know this? The company wants one place to put all their documents with project information. This information is about different projects. You only want people to be able to change a specific document when they are working on the specific project the document belongs to.

    You get the union of permissions, so if one group allows access and the other not, you will get the union of both and therefore access. Of course, you can break security settings per library/folder or document, and specify new settings, if you need to.
    Kind regards,
    Margriet Bruggeman
    Lois & Clark IT Services
    web site: http://www.loisandclark.eu
    blog: http://www.sharepointdragons.com

  • Do not have authorization for access with activity 03 on the InfoProvider

    Hi,
    I have developed a new cube & ODS and created new Web Templates based on queries on these InfoProviders.
    I have created a new role and added these templates to the menu of this role.
    In the authorization profile I have used the following authorization objects.
    S_RS_BTMP
    S_RS_COMP
    S_RS_COMP1
    S_RS_ICUBE
    S_RS_ODSO
    In all these objects I have selected activity 3.
    The InfoArea used for the new cube & ODS is also added, and for the cube & ODS selection I have used * (full authorization).
    But when a user opens the web template it shows the error message
    "You do not have authorization for access with activity 03 on the InfoProvider ZICXEROX."
    Is there any authorization object missing in the profile?
    Regards
    SSS

    Dear SSS,
    I have the same problem, 'You do not have sufficient authorization for the infoprovider', so could you please send the document from my mail id
    [email protected].......
    Please, very very urgent
    Regards
    Ahmed.

  • Add a new employee - Connection is busy with results for another command

    Hi all,
    I try to add a new employee in my SAP Business One system, but I get an error message like that : [Microsoft][SQL Native Client] Connection is busy with results for another command * (HEM5) (HEM5)
    So I try to see if I get the same message when I update an employee, and I don't get this message.
    Do you have an idea, why I get this error message when I add a new employee ?
    Message was edited by:
            Marc Riar

    Hello,
    I am afraid there may be two users / workstations using the same user code and one of them is creating (add) and the other is updating. Try to ask the users/workstations.
    Another way out is try to run this query :
    select * from HEM5
    Rgds,
    JM
    http://groups.yahoo.com/group/SBO_Knowledge_Village
    [email protected]

  • How to Control authorization for users with certain status for level 2 WBS Element

    Dear All,
    Is there any standard way or enhancement available to control authorization for users with certain status for WBS Element i.e. for example
    Pre-requisite:
    There is only 2 level of project i.e.
    Lev_ WBSE_______Description
    1___ 7-14.E_______summary outage controller
    2___ 7-14.E.2310__ Plant/unit # 2310
    2___ 7-14.E.2310__ Plant/unit # 2220
    Project Controller  (authorization role assigned "Z_PS_OP7_OTGCON_C") have all project level authorization
    Plant/Unit Controller (authorization role assigned "Z_PS_OP7_PLNTOTG_C_2310") have only level 2 authorization with enhancement that we did in system by Z table.
    User ID_ Plant #
    123345_ 2310
    122455_ 2220
    Issue:
    After System Status released and User Status approved the WBS basic date for Plant/Units should be restricted from updating/changing by Plant/Unit Controller level and only project controller should have this authority.
    Solution required: 
    Can any one tell how to control this scenario either by standard or enhancement available to control authorization
    BR
    Saqib Usman   

    Hi,
    Did you explore SAP Enhancement CNEX0002 Using Transaction CMOD?
    Thank you and regards,
    Varshal Kachole
    The SCN Rules of Engagement
