Identify duplicated authorization objects in a role

Hi,
We built some roles manually by drag and drop transaction through the menu tab. In some roles, we have duplicated authorization objects.
For example, in PM: Maintenance Plant (object I_SWERK), we have 2 profiles with SWERK=* and TCD = (list of transactions).
I'd like to generate a new role with only one profile which contains SWERK=* and a list of transactions in TCD.
The problem is I don't know at first which authorization objects or profiles are concerned by these duplicated objects.
Is there a program, trans code or function module I can run to get this information?
Thanks
Guillaume

Hi Guillaume,
I would say, that there will be not much difference.
The auth.-check scans one authorization (not profile!!!) after the other for the requested values.
So for example:
check for TCD = IE03
first hit is successful for both scenarios, as both list IE03 at first place.
Scenario 1:
SWERK=* and TCD = IE03, IL03, IP06, IQS1, IQS2, IQS3, IW3D
Scenario2:
SWERK=* and TCD = IE03, IL03, IP06
SWERK=* and TCD = IQS1, IQS2, IQS3, IW3D
second example:
check for TCD=IW3D
Scenario 1: the first authorization is loaded and verified, last value gives success.
Scenario 2: no success for the first authorization, second auth. has to be loaded for analysis and gives success with the last value.
So scenario 2 could even be less performant....
Did you realize already some differences???? Would be interesting...
thx, Bernhard
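
Added example (not part of the original thread and not SAP code): one way to answer the original question offline, working on rows exported from table AGR_1251. It lists the objects that occur in more than one authorization of a role, merges them only when that does not widen access, and uses a first-hit scan like the one Bernhard describes to compare both scenarios. The role name, the authorization names and the rows are constructed; ranges (HIGH values) and partial wildcards are not handled.

```python
from collections import defaultdict

# Constructed rows shaped like an AGR_1251 export: AGR_NAME, OBJECT, AUTH, FIELD, LOW.
# The role name and the authorization names are made up for this example.
ROWS = [("Z_PM_DISPLAY", "I_SWERK", "T-AUTH01", "SWERK", "*")]
ROWS += [("Z_PM_DISPLAY", "I_SWERK", "T-AUTH01", "TCD", t) for t in ("IE03", "IL03", "IP06")]
ROWS += [("Z_PM_DISPLAY", "I_SWERK", "T-AUTH02", "SWERK", "*")]
ROWS += [("Z_PM_DISPLAY", "I_SWERK", "T-AUTH02", "TCD", t)
         for t in ("IQS1", "IQS2", "IQS3", "IW3D")]


def load(rows):
    """Group rows as {(role, object): {auth: {field: set(values)}}}."""
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for role, obj, auth, field, low in rows:
        tree[(role, obj)][auth][field].add(low)
    return tree


def duplicated_objects(tree):
    """Objects that occur in more than one authorization of the same role."""
    return {key: sorted(auths) for key, auths in tree.items() if len(auths) > 1}


def merge_if_safe(auths):
    """Merge the authorizations of one object into one, or return None.

    Values inside a field are alternatives, but all fields of one authorization
    must match together. Merging is therefore only access-neutral when the
    authorizations differ in at most one field; otherwise the merged value
    lists would allow combinations that no single authorization allowed.
    """
    auths = list(auths)
    fields = set().union(*(a.keys() for a in auths))
    differing = [f for f in fields
                 if any(a.get(f, set()) != auths[0].get(f, set()) for a in auths)]
    if len(differing) > 1:
        return None
    merged = {f: set(auths[0].get(f, set())) for f in fields}
    for f in differing:
        merged[f] = set().union(*(a.get(f, set()) for a in auths))
    return merged


def first_hit(auths, wanted):
    """Scan authorizations in order; return the 1-based position of the first
    one that satisfies every requested field, or None if none does."""
    for pos, auth in enumerate(auths, start=1):
        if all("*" in auth.get(f, set()) or v in auth.get(f, set())
               for f, v in wanted.items()):
            return pos
    return None


if __name__ == "__main__":
    tree = load(ROWS)
    for (role, obj), names in duplicated_objects(tree).items():
        merged = merge_if_safe(tree[(role, obj)].values())
        print(role, obj, names, "mergeable" if merged else "keep separate")
```
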

Similar Messages

  • Cannot modify an authorization object in pfcg role for a business role

    Hi Experts,
    I have created two z pfcg roles from the standard business role CRM_UIU_SRV_PROFESSIONAL, let's say by names zagent and zmanager. My requirement is actually to map these two pfcg roles to a service professional agent and service professional manager custom business roles respectively (I have created these custom business roles from standard business role servicepro). I have identified an authorization object by name CRM_CO_SE which is basically used to check whether the user is authorized to create service contract transactions. So, in the agent pfcg role, I need to deactivate or deselect this particular authorization object so that the agent will not be able to create service contract. (This is not a real time requirement, but an internal assignment). When I change this object in the pfcg by deselecting 'Allow' check box and try to generate, it is not getting generated. I have selected all the options from the 'Expert mode for the profile generation' and still the traffic indicator for that authorization object is yellow. Am I doing anything wrong?
    Please help me.
    Thanks
    Ajith C

    Hi Leon,
    Thanks for helping me, I have restricted the unauthorized user from creating a new order by disabling the 'New' button by checking the business role in the code. The pfcg configuration, I am skipping it for now. I have one more requirement. When one clicks on any items in the search result for the Service Contracts, it opens the details of that service contract with an 'edit' button. I can disable this button using do_output_preparation method for some business roles. However, I want to disable this after checking a condition. The condition is that, edit button should be active, only if that service order was created by the employee who has currently logged on. I am relatively new to CRM and I could not figure how I can check it during run time. Could anyone please help me with this?
    Thanks,
    Ajith

  • Is there a Limit on number of authorization objects in a role?

    Hi all,
       Is there a Limit on number of authorization objects in a role because I am getting the following error.
    Authorization is full. Please enter fewer values
    Message no. 01262
    Diagnosis
    You have included too many values in an authorization.
    Procedure
    Please distribute the data to at least two authorizations and combine them in a profile.
    Thanks.

    Hello Neha,
    Message no. 01262 refers to the entered values in an authorization, not to the objects listed in the profile!
    So this message tells you, that you have to split the authorization, as the authorization contains too many values. It is not a question of that you have entered too many different objects to the profile!
    Please refer also to:
    SAP Note 410993 (https://service.sap.com/sap/support/notes/410993)
    and
    SAP Note 943796 (https://service.sap.com/sap/support/notes/943796)
    b.rgds, Bernhard

  • How we can remove one authorization object from multiple roles

    How we can remove one authorization object from multiple roles

    > Correct me if I am wrong !!
    O.K., Here I go
    > But if the object is maintained in SU24 and if you use Expert mode for generation of the role then again those objects may be pulled.(make sure you never use expert mode once you delete the objects)
    Actually using expert mode and choosing 'edit old status' is the only way to avoid objects being 'pulled in' after menu changes.
    > As jurjen said, you may download the tables and instead of deleting the object from the excel sheet, change the value of the object in column "DELETED" = X, by doing this only the objects get inactivated(but remain in PFCG).
    I am not speaking of downloading tables but about downloading roles from PFCG. This will not get you a spreadsheet but a flat textfile. If you wish to set the object status to deleted you'll have to swap the space on position 207, right behind the 'U, S, G' flag, with an 'X' for all corresponding lines.
    Jurjen

  • Mass change of authorization objects in several roles

    Hello,
    we have to change an authorization object in almost 200 roles. Is there any possibility for mass change of authorization objects in several roles? We don't use the central SAP user administration.
    Best Regards
    Andreas Walter

    > at the moment all entries has the value "*". We want to change this value into "0001".
    Good!
    Here comes:
    1- download all relevant roles at once from PFCG. Make sure you use an appropriate codepage so you don't lose special characters in the role and menu texts.
    2- copy and backup the download file
    3- in the download file (is a text file) look for all lines starting with AGR_1251 and containing M_MATE_WGR and the field you want to change
    4- take out the star and two spaces and replace by 001. This file is a set of fixed record length table exports and keeping the original length is very important.
    5- upload the edited file and generate the profiles.
    As you may see this is not SAP standard and completely at your own risk. Best try in a sandbox client first.
    Good luck!
    Jurjen
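
A check for steps 2 to 4 above, as an added example that is not part of the original post: it compares the edited download with the backup and flags every record whose length changed or that was modified although it is not an AGR_1251 record for M_MATE_WGR. The record layout, the role names and the field name FIELD_X are constructed stand-ins; only the `AGR_1251` prefix, the object name and the `001` replacement come from the post.

```python
def check_edit(backup_text, edited_text, table="AGR_1251", obj="M_MATE_WGR"):
    """Compare an edited role download with its backup.

    Returns (changed, problems): the number of changed records and a list of
    (line_no, message) for every change that breaks one of the rules from the
    post: same record length, and only records of `table` naming `obj` touched.
    """
    old_lines = backup_text.split("\n")
    new_lines = edited_text.split("\n")
    if len(old_lines) != len(new_lines):
        return 0, [(0, "line count changed: %d -> %d" % (len(old_lines), len(new_lines)))]
    changed, problems = 0, []
    for no, (old, new) in enumerate(zip(old_lines, new_lines), start=1):
        if old == new:
            continue
        changed += 1
        if len(old) != len(new):
            problems.append((no, "record length %d -> %d" % (len(old), len(new))))
        if not (old.startswith(table) and obj in old):
            problems.append((no, "record outside %s/%s was modified" % (table, obj)))
        elif not (new.startswith(table) and obj in new):
            problems.append((no, "table or object name was overwritten"))
    return changed, problems


def _rec(*cols):
    """Build one constructed fixed-width record (60 characters)."""
    return " ".join(cols).ljust(60)


# Constructed stand-in for a download file; the real layout is not reproduced.
BACKUP = "\n".join([
    _rec("AGR_DEFINE", "Z_ROLE_A"),
    _rec("AGR_1251", "Z_ROLE_A", "M_MATE_WGR", "FIELD_X", "*"),
    _rec("AGR_1251", "Z_ROLE_A", "S_TCODE", "TCD", "*"),
    _rec("AGR_1251", "Z_ROLE_B", "M_MATE_WGR", "FIELD_X", "*"),
])


def edit(text, only_object=True, new_value="001"):
    """Replace the star and two spaces by new_value, on the target records
    only or (only_object=False) carelessly on every record."""
    out = []
    for line in text.split("\n"):
        if not only_object or (line.startswith("AGR_1251") and "M_MATE_WGR" in line):
            line = line.replace("*  ", new_value, 1)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for label, edited in (("careful", edit(BACKUP)),
                          ("too long", edit(BACKUP, new_value="0001")),
                          ("careless", edit(BACKUP, only_object=False))):
        print(label, check_edit(BACKUP, edited))
```
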

  • Trouble when adding / modifying authorization objects in a role through ERM

    Hi everyone!!!
    We're having some issues when configuring ERM, we followed the Post-Installation guides and we are done with the config part, but when we try to do an example creating a role, we're getting an error message when attempt to add the authorization data.
    When we look at the log, we find this message:  /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
    This is the last log...
    2010-11-05 17:03:42,515 [SAPEngine_Application_Thread[impl:3]_30] ERROR /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
    java.lang.Throwable: /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
         at com.virsa.re.service.sap.dao.SAPRoleTimestampDAO.getRoleChangedDetails(SAPRoleTimestampDAO.java:136)
         at com.virsa.re.bo.impl.ConcurrentAccessRoleBO.isRoleChangedInPFCG(ConcurrentAccessRoleBO.java:228)
         at com.virsa.re.role.actions.AuthAuthorizationDataAction.pageLoad(AuthAuthorizationDataAction.java:6865)
         at com.virsa.re.role.actions.AuthAuthorizationDataAction.execute(AuthAuthorizationDataAction.java:213)
         at com.virsa.framework.NavigationEngine.execute(NavigationEngine.java:273)
         at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:230)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)
         at com.virsa.comp.history.filter.HistoryFilter.doFilter(HistoryFilter.java:43)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:384)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Plz help us, we can't find any information about this error.
    Regards
    Connie

    Hi,
    Settings need to be checked-
    1. Connectors must be identical for all components for a particular system and test connection should be successful.
    2. Unicode should be checked for RAR connector.
    3. Patch Level should be same on GRC and Backend and all backend post-installation activities must be completed - (BC set activation, Program etc)
    4. RAR Objects Import must be done.
    5. ERM Background jobs must be completed before doing Role Creation- Transaction/Object/Field sync, Org Value sync and activity sync.
    If above activities are done, no issues should occur in tcode/Object assignment in role.
    Regards,
    Sabita

  • Elements of WebUI by authorization object in user roles?

    Hi all,
    we are currently setting up a SNC scenario with SCM 5.1. I have some information about how to change the WebUI for the Responsive Replenishment, but by now I can only change it for all users. I would like to link certain Web buttons and screens to user authorization roles, so some users get buttons others can't see, depending on their roles.
    Has anyone a clue for me if this is possible, and how I can implement this, or where I can find documentation about it?
    Thanks for any help.
    Best regards,
    Timo

    Hi Timo,
    If you are intending to change a few elements in the WebUI programmatically, then you could restrict the changes on the basis of the role. (is for a supplier or a customer)
    I do believe that you might be needing to do the changes in the corresponding ICH Data matrix model business logic class.
    Here
    The attribute P_DATAICHDM->S_CBINFO-APPDATAID holds the value corresponding to the application and the role that's accessing the screen.
    I do believe, in your situation, the appdataid for a customer would be 'RPLRRC' and for a supplier would be 'RPLRRS'. However, you would need to cross verify this.
    All you need to do now, is to check the value of these attributes which have been set and code for the UI Changes accordingly.
    There could be other simpler approaches , by means of configuring too, depending on the nature of your change. I am not really sure. I just suggested one thing that worked in my case.
    Cheers,
    Rashmi.

  • Org Level Roles / Authorization Object Roles

    Hi board,
    I have heard of the concept to use roles with "Organizational Values" only and no other authorization values contained. Similar the idea to exclude special authorization objects from common roles and combine them in dedicated special ones to prevent accidental "double usage".
    The first may help to control the overall number of roles coming up after deriving single/composite roles for many levels.
    My questions are:
    - Is it technically feasible (for a large-scale company)?
    - What is your experience?
    - Drawbacks?
    Kind regards and many thanks for your help,
    Richard

    Richard Hösl wrote:
    > Hi there,
    >
    > that was fast, amazing. Thanks a lot and my apologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still tempting due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful.
    >
    > Given the assumption that it is not a good idea to use "Org Value Roles", are you deriving on composite or on single level?
    >
    > Kind regards,
    >
    > Richard
    Hi Richard,
    It is a very tempting approach, but completely wrecks the standard auth concept and unless you are 100% tight on controlling it, can get very messy.
    A good way of looking at it is that you have 2 roles - one contains transactions & the other one a big bucket of authorisations which support those transactions. That bucket invariably contains more authorisations than the transactions require. Given that it is at the authorisation object level that the important security is provided, this method has its drawbacks........
    If you have organisational complexity then you should look elsewhere to simplify. 
    By consolidating your roles (e.g. if we take a risk based design approach, typically around 80% of an accountants role will be the same anywhere in the business) and building at a higher level, you need to create fewer variants (which you might be able to use derived roles for).
    Put the effort in the design stage and it will pay dividends later on down the line. 
    Building at a higher level than task also forces the business to look at roles and responsibilities and to standardise as much as possible.
    Cheers
    Alex

  • New Authorization Object within Role

    hi everybody,
    does anyone know how can i get New Authorization Objects for any Role for the new release that did not exist in the same Role from former release?
    tables AGR_1250 and AGR_1251 do not show if object is new for this role. they only show if object is new itself.
    thanks a lot,
    javier rubio

    pandu,
    se54 is not related with this topic.
    thank you very much for your answer, very helpful

  • Copying values of a singular authorization object between roles?

    Suppose I have an authorization object assigned to a role and its fields hold a large amount of data (say S_TCODE with a lot of transaction codes specified via ranges). Suppose further that I want to have this same object with this same data in another role. The other objects of the two roles are different and I'd rather not type the large amount of data into the authorization object again.
    Is there a way to copy/paste just one authorization object between two roles?
    I know how to make a copy of an authorization object and its values within the same role, but I haven't found a way to copy between roles.
    ursa

    Hi Ursa,
    I haven't come across any export object kinda thing...
    This may help you in practical situation...
    Let us consider your particular requirement related to s_tcode.
    for that go to suim -
    transactions -> executable for role .
    Give the role name get the list of transaction codes.
    Download into excel file. then copy from there and paste into your new role menu or in s_tcode object.
    Mostly we don't get that much list for other objects.
    One more thing you can do.
    click on display tab beside the object in your source role, you get the list window.
    type ctrl + Y and then copy the 7-8 lines and paste it in the object of new role.
    Cheers.
    Shamish
    Message was edited by:
            Shamish Lele

  • Role Maintenance - Automatically generated names for authorization objects

    Hello NG,
    I've got a question concerning the mentioned subject.
    Currently I am maintaining the roles/authorizations of a customers system (Rel. 3.0) which has moved to Rel. 7.0.
    When I add an authorization object to a role, the technical name is generated automatically. How can I set up the naming conventions for the authorization objects?
    Thank you very much.
    Regards ..

    Hi SUNIL L,
    I referred to 3.0 but I think that the release version has no relevance for my problem. I think I should try to explain my problem once more:
    When I add an authorization object to a role, a technical name is generated automatically and assigned to it. Is it possible to set any naming conventions for this?
    Regards..

  • Manually added Authorization object

    All ,
    What is the impact for manually added authorization objects in the roles after the system upgrade??

    My 2 cents, since I don't see any replies.
    I try to avoid manual auth objects on a role as much as possible. One problem with manual auth objects is in PFCG, it will not give a reference to what transaction the auth object came from. Unless thoroughly documented this can be an audit issue.
    In regards to upgrades, I don't think it will have any effect. It is usually the tcodes that are affected.

  • List of Authorization Object with Transaction Code

    Dear All ,
    Does SAP provide any report to list all the Authorization Objects, and which object belongs to which transaction code?
    Thanks .

    hi olrang ,
    STEP BY STEP TO CREATE AUTHORIZATION OBJECT:
    STEP1:  goto  SU21 transaction and create a new Authorization Object
    Object Name:  Z.....
    Text:  ...........
    Class:  SD (YOUR MODULE)
    AUTHOR:  YOUR ID
    STEP2:  Give authorization fields as
    ACTION - Action of the Authorization
    Activity -  Document Distribution.
    STEP3:  Basis will create a role using transaction  PFCG and assign this authorization object to that role.
    STEP4:  Call the AUTHORITY-CHECK Object in your code.
    AUTHORITY-CHECK OBJECT <authorization object>
      ID <authority field 1> FIELD <field value 1>
      ID <authority field 2> FIELD <field value 2>.
    " sy-subrc is 0 only when the user holds a matching authorization
    IF sy-subrc <> 0.
      MESSAGE e000(zzpp) WITH 'No Authorization'.
    ENDIF.
    and it belongs to  SU24 transaction code
    Saurabh Goel

  • Authorizations objects in IP

    Hi  Guru,
    I'm new at IP. I've created aggregation level, filters, but when I tried to create function, system gave me know that I have not Authorization to do it.
    So, I suppose I need include some Authorizations objects in my role.
    But what kind of Authorizations objects do I need to decide my problem?
    Thank you .

    Hi
    There are delivered authorization templates for Integrated Planning:
    1. S_RS_PL_ADMIN Planning Administrator
    2. S_RS_PL_PLANNER Planner
    3. S_RS_PL_PLANMOD_D Planning Modeler
    Plz check whether you have the above authorizations assigned in your role.
    Regards
    Sadeesh

  • Authorization object for Profit Center in BW 3.5

    Hi,
    I have question regarding BW security. I want to restrict users access based on profit center, i.e. I mean to ask is there any authorization object in BW, where I can specify Profit Center values and create role, where I can further assign this role and restrict authorization to that particular profit center.
    I already have authorization on profit center hierarchy which is old. Now we have new hierarchy, how can I use those authorization object, profiles, and roles to this new hierarchy. If there is quick work around please advise or can tell me how to create authorization object in BW, where I can specify Profit Center values and create role.
    Thanks in Advance
    Robert Courtney.
    Edited by: Robert Courtney on Apr 22, 2009 9:25 PM
    Hi,
        Some one can help to change my old hierarchy to new hierarchy in the authorization.
    Thanks
    Robert Courtney
    Edited by: Robert Courtney on Apr 22, 2009 10:07 PM

    Hi Robert,
    Check the link below, hope this will resolve ur issue.
    [Re: Authorization to new hierarchy node (Profit center) in 3.5 Transaction code]
    Regards,
    Praveen
