HR custom authorization objects

Is it possible to have more than one custom HR authorization object active at the same time? For example if I need 2 custom variations of P_ORGINCON (I  have some very complex requirements),  is that possible, or am I limited to just 1? Having more than 1 seems to present a problem when I run RPUACG00 to generate include MPAUTCON. It overlys the code generated fo the first cusom object with code for the second object, therefore only allowing cgenerated code to exist for 1 of the objects.
And one additional question - when I create a custom HR object (one which contains infotype, subtype, persg, persk etc), am  I limitied to only using fields from PA0001 in that object?  If I include some other field that does not exist on PA0001, when I run RPUACG00 it gives me the error "Field xxx is not allowed  in authorization object Z_xxx".
Many thanks,
    Mike

One example of a  requiremnet I have is for a manager to have 3 different types  of authority based on when a position was in his org structure. So if a position is currently in his org structure he might have WRITE access to their infotype 2,6,8... for positions that were in his org strucure between 1 and 60 days ago (but are not in his structure as of today) he might have WRITE access to their infotype 2 and 6 and READ access to other infotypes, and for people that were in his structure 61-9999 days ago, he might have only READ  access to all the position's infotype data.
I was thinking of using 3 disctinct HR authorization objects to cover each of these 3 scenarios, but ran into the issue mentioned above with the generation program RPUACG00.

Similar Messages

  • How to add custom authorization object to a SAP standard transaction

    Hi All,
    I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
    Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
    - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
    - tcode SU21 - creation of  a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
    - tcode SU24 - insert of new authorization field e check indicator (green)
    - tcode SU22 - check indicator - check (green)
    After this we have created a new role with PFCG and add transaction IW22; the new auth.ZPM was added manually.
    We have try to analyze log (ST01 trace) but it seems no check was made in the trace file.
    It seems new authorization object was not checked.
    My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    Thanks
    Maurizio

    > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    >
    No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
    So you need to provide a Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
    Regards,
    Dipanjan

  • Custom authorization object

    Hi all,
    I have created a custom authorization object to define a data security based on the Company code field.
    These are the steps I did:
    - I create a new authorization object containing the Company code field (BUKRS).
    - I create a new role with this authorization object, and I have assigned a specific value to the Company code field.
    - The role contains also the standard authorization object HR Master data which contains the field: infotype, personnel area...
    - I have assigned the new role to a user and I have executed a report, but I had not the expected result.
    - I had assigned the custom authorization object to the report transaction through SU24 and SU22, but I had not the expected result.
    As expected result I was expecting that the data are filtered based on the Company code I put in the authorization field.
    Any idea about the problem?
    thx!

    Please check that you have followed all of the steps listed here when creating your object:
    <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm">http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm</a>
    - April

  • Custom authorization object and check logic

    Hi gurus,
    we need to apply additional authorization check in our custom reports.
    so i created a custom fields & object, and put the statement
          AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
                   ID 'ZROLEID' FIELD '03'
                   ID 'ZSOBID'  FIELD zzdwbm.
    in a abap class method centrally, so it could be called by many reports.
    but the test show that the sy-subrc always set to 0, even for users without any authorization.
    what i missed for adding custom auth check?
    for this case, do i need to maintain authorization check indicator in SU24?
    what i am confused is that , su24, you have to maintain a transaction , but our authorization check is not for transaction , but for reports and bsp application, how should i maintain su24 for that?
    thanks and best regards.
    Jun

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've ran the report RPUACG00 also which is mentioned in this thread.
    We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
    but still it is taking the P_ORGIN object.

  • Custom Authorization Object for HR

    Hi,
    As per our Company's internal needs I have created a Custom Authorization Object for HR named ZP_ORGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction & do a trace on it, the object ZP_ORGIN is never checked (for a user having this object in his/her User Master). Only P_ORGIN object is checked instead.
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell  which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked.
    Your help will be appreciated.
    Thanks,
    Mandeep Virk

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've ran the report RPUACG00 also which is mentioned in this thread.
    We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
    but still it is taking the P_ORGIN object.

  • HR Authorization : Custom Authorization Object  for P_ORGIN

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've ran the report RPUACG00 also which is mentioned in this thread.
    We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
    but still it is taking the P_ORGIN object

    Online Help
    <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm">P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context)</a>

  • BW Custom Authorization Objects

    We are in need of enabling authorization checking on several characteristics in BW.  I have enabled authorization on the characteristic and created authorization objects for them.  When I add them to a role and try to add values, I get a message SA303 saying that table /BI0/M**** (eg. SALES_OFF) does not exist.  I have narrowed this to occuring only on characteristics that do not have attributes.
    Is it possible to use a text only characteristic as a authorization object?  If so, how do I get past the message during creation/maintenace of the role.  I tried just typing in the values.  The system accepts them, but does not appear to execute the check correctly.
    Thanks in advance for your assistance.
    Regards,
    Kevin

    Hi Kevin,
    please have a look at the documentation on authorizations for master data:
    http://help.sap.com/saphelp_nw04s/helpdata/en/e3/e60138fede083de10000009b38f8cf/frameset.htm
    regards,
    Tanja

  • How to use CRM authorization object.

    Hi All,
    I have a specific requirement to restrict user while he/she tries to save a record. It appears that if that restrictions are implemented the save logic for an entity has to be changed because there are some validation regarding relationship management in SAP system. SO I need to bypass that validation to allow some users of specific(Marketting) role to save the entity record bypassing that validation. here I am planning to use the CRM authorization objects. But dont know how to use these and which authorization object to refer.
    Please let me know if you guys have any idea.
    Regards,
    Bikramjit.

    Hi Bikramjit.,
    You might need to create a Custom authorization object and then use it. Else you can create one Z table and maintain the User ID of all users. The mainatin one field with flag and set it to X for the user that are aloowed to save the transaction.
    Also once you maintain the table, generate the table maintenance so that it becomes easier for future use.
    Hope this helps

  • HR custom authorization issues/BADI to be used for some customization

    We can develop custom authorization object in HR and run RPUACG00 to generate include MPAUTCON.Is it possible to include some customizations to the MPAUTCON program to accomplish some of our requirements.
    If not can you please suggest me a BADI/User exit which can be used to develop some customization on a specific field, which can be called at the times the HR Master data is being changed/displayed/created.
    Thanks in adavnce for the answers.

    Hi Kiranm,
    the MPPAUTCON program (or MPPAUTZZ in non-contextual mode) is automatically generated by the RPUACG00 report.
    But you can modify it to add custom controls.
    Best regards.

  • Transporting authorization object (RSSM)

    Hi,
    I am having problem transporting my BW Custom authorization object over to the Quality system.
    I have successfully transported the table contents RSSTOBJDIR to the Quality system. However, when I search for the authorization object in RSSM in Quality after the transport , it complained saying u201Cobject is not available. Create?u201D
    How can I transport the authorization object?
    Thanks for your time.
    Regards,
    Raja

    Yes you can transport an authorization object.
    It should give you an option to create a TR which creation of the auth obj in RSSM. If you have not done that then try to make a small change and see if it requests you to create a TR. If still you are not able to do it, then try adding the objec of typr R3TR - SUSO and give your authorization object name in SE03.
    Regards,
    Gaurav

  • User Exits tied to Authorization Objects

    Hello all,
    Are there any User Exits available that are tied to authorization objects?  We are talking about creating a custom authorization object for use in MM01 & MM02, and we are looking for somewhere to call the custom authorization object.
    Thanks,
    Chuck

    We were not able to find a User Exit that met our requirements.  We needed to Block the Basic Data view for certain Material Types from MM01 and MM02 for certain users.
    We ended up doing it by modifying the screen sequence for those screens and blocking it for users who who had been given a certain role in SAP.

  • Reg: Transporting Authorization Objects

    Hi,
    If a custom authorization object has been created, can someone please guide on it to be transported across landscape.
    Regards,

    Hi,
    Yes. create a workbench request and open it in change mode.
    Now you will have table with editable fields with 3 fields.
    1. In programID field enter R3TR
    2. In object type field enter SUSO
    3. In Object name field enter the respective Z authorization object.
    You also need to make sure that the respectie class is available in the target systems. if not, repeat the above procedure with object type as SUSC.
    Regards,
    Gowrinadh

  • Change Authorization object to add another InfoOjbect

    Hi All,
    We have Custom Authorization Object developed in BW system which is successfully moved to Production. Now new requirement has come up to add new InfoObject in that
    Existing Custom Authorization Object. Is it possible?
    If yes can you please let me know the required steps?
    Thanks,
    Samir

    you can add the new infoobject in the BW system and after doing this you can transport the request related to this change from the  BW system to the production server but for this you need help from the Basis consultant.
    i hope this answer is of some use to u...if yes pla assign some points.
    Edited by: Denella  D'souza on Jan 30, 2008 10:49 AM

  • Transport of Authorization Object

    Hi ,
    I have created an Custome authorization Object in dev Box .
    can you tell me how to transport it to QA Box ?
    Thanks
    Pankaj

    Hello Pankaj.
    On RSSM transaction enter your authorization object, Select Transport object and Hierarchies button.
    Which prompts a screen,there select your object and select continue.
    In the next screen a list will display cancel that screen, now it would prompt you for a transport request.
    Enter the type of request you wish to create as "Workbench Request" then provide you request name else create it.
    Thus would be available in SE09 screen.
    Assign points if helpful.
    Regards

  • Authorization Object for Account Assignment field

    HI all,
    We wanted to restrict the users from creation of PO (in ME21N) against the specific Internal Orders (Account assignment KNTTP='F'). So that user can use Internal orders assigned to his Business Area only.
    Which authorization object i can use to restrict the user to use specific Internal order during PO creation and change. ??? I tried to check authorization object listed under t code ME21n but none of them restrict Internal order.
    Is there any std. object available, if not then what I need to do while creation of customized authorization object (in SU21), how system will call this authorization object in ME21N while using Acc. Assignment u201CFu201D. more detailed answers will be more useful.
    Thanks...

    Hi frnd...
    i think you want to allow all users to use acct. ***. "F",
    but you want to stop the user from using ir-relevant internal orders.
    For this, i think you can create a "Z" table having fields:
    1)User ID - (key field)
    2)Internal Orders - (key field)
    3)Access.
    Make the entries of the users against the internal orders. (if you  want any user to access all the internal orders, then make entry (*) in the field access. 
    While creating GRN check these entries, if the entry exist, let user use that internal order, if not give the error as you are not authorized.
    To do all these, you have to use user - exit. which one i dont  know...
    kindly let me know, if you use any.
    njoy SAP...
    njoy Lyf...
    Regards,
    Amit P Hiran

Maybe you are looking for

  • Unable to shipping sys objects in logical standby

    Dear Friends, I read in oracle.com, that sys objects(tables,index..etc)., won't reflect in the logical standby. Is there any way to reflect these objects.... Please help me...

  • Windows 7, 64 bit won't allow me to set Adobe Reader X as default for PDF file

    By right clicking a pdf file I can choose Adobe Reader as opposed to MS word, but the box to set default won't accept check mark to set this for all pdf. Therefore, when I click a pdf without saving to documents first and using open with, the click n

  • Standard report that will allow monitoring of purchasing procedures

    Hello SAP Gurus, I am looking for any reports that will allow monitoring of our purchasing procedures for example: Reports identifying date of invoice v's date of order / requisition Thanks

  • WAAS experiencing high CPU utilization

    We are monitoring WAAS devices for CPU utilization in our Network.Currently we have set the threshold for 70%. At this threshold we see a large number of alerts from WAAS crossing 70% CPU utilization. I guess 70% CPU utilization is normal for WAAS. A

  • July CPU - 2007 Patch

    While applying July 2007 CPU patch - As per the README file, We have to set the owner of the file $ORACLE_HOME/bin/dbsnmp as root, Can anybody please tell me why do we need to set the owner as root for this file, Regards, Ratan