Inclusion of Authorization Object
Hi friends,
I want to include a standars SAP authorization object in a standard transaction type. The authorization object is originally not there in the transaction. Do we need to enhance the standard code for calling the additional authorization check or there is some other way to do this?
Regards,
Deb.
Hi Manuel,
In Opportunity transaction I want to give authorization to the Text Types. E.g. The person with manager role shall be able to edit all the text types but the person with role Sales Rep should only be able to view it.
I added the authorization object 'CRM_TXT_ID' to the transaction but i'm still not able to achieve the functionality. Could you guide me how to go ahead regarding this?
Regards,
Deb
Similar Messages
-
Authorization object P_APPL
Hi experts,
How should I use authorization object P_APPL in order to give access to all infotypes except for one concrete?
Is there any way I can only specify which the user should not have access instead of specify to which it should?
Thanks,
mformanHi,
SAP security works by inclusion rule, i.e. you have to specify access that user has, rather that should not have.
Object P_APPL has following fields:
Authorization Field, Long Text
INFTY, Infotype - here you specify access to infotypes, if you want to exclude use ranges. For example, you want to exclude IT 0006, then assign value 0000-0005 and 0007-9999
SUBTY, Subtype, - here you specify accessible subtype, if you don't want to control access to subtypes just put *
AUTHC, Authorization Level - here you specify type of access: R - read, W - Write, * - all
PERSA, Personnel Area - here you specify for what personnel areas access is granted
APGRP, Applicant Group - for what applicant groups, if you don't want to limit access by this parameter just put *
APTYP, Applicant Range - for what applicant range, if you don't want to limit access by this parameter just put *
VDSK1, Organizational Key - this field is used if you have specific access requirements, e.g. by cost center, legal person, etc. If you don't need it just put *
RESRF, Responsible Personnel Officer - here you specify officer.
More information you can find on SAP help site: http://help.sap.com/saphelp_47x200/helpdata/en/42/b7b83b5b831f3be10000000a114084/content.htm
Cheers -
How to assign authorization objects to a cube
Hello,
My cube includes 0profit_ctr which is marked as authorization relevant. Still in RSSM my cube is not included in the list of infocubes for an authorization object (zprofit) linked to 0profit_ctr. I'm therefore not able to enable that authorization object for my cube. I have a few ODSs which are included in the list. Why is my cube missing? Is there something I must do to include it, or is it a bug?
When checking the infocube for authorization objects in RSSM this list is empty as well. I don't see any option to add authorization objects in that list.
I have read the following document:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b849e690-0201-0010-9b88-c00cca40736f
I'm using BW 3.5.
Regards,
ChristofferHi Christoffer,
In RSSM you will find a button "Update Check Status ( Authorization Objects, Info providers) ". After this update you should find your cube in the list.
Jaya -
How to get all authorization objects for a certain authorization profile
Hi ABAP experts,
I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
So:
- where are these values stored (dictionary table)?
- is there already a FM or a report to read all authoriation values for a certain authorization profile?
Thanks in advance.
Best regards,
OliverHi,
check the following it might useful for you:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
if helpful reward points are appreciated -
Mass update to FILENAME field in S_DATASET authorization object
We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value. I'd like to do this programmatically if possible.
What I've learned so far is that I need to update the value in table USR12, but the value is encoded. When I look at the table in SE16, I do not see the encoded value field. The value does show in UST12, but I'm told this is an unreliable table.
So I'd like to know..
1. How can I look at the value if not in SE16?
2. Is there an API I can use to encode/decode the value? If not, where is the specification on how to build it?
If this is better addressed in a different forum, which one should I try next?
Thanks,
DanHi there,
Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
But the behaviour as you have described:
>
> Path Saveflag Fs_noread Fs_nowrite Fs_Brgru
> =============================================================
> * X X DUMY
> /temp/FI/.. X X DUMY
> /temp/FI X FIFI
>
... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
> Caution:
> - If you enter paths generically in the table SPTH, the most precise specification counts.
> - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
So, the only check which is effective to protect the path, is:
Path Saveflag Fs_noread Fs_nowrite Fs_Brgru
=============================================================
/temp/FI X FIFI
... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
form CHECK_PERMISSION using ISPTH_HEAD type SPTH
MODE type CLIKE
SUBRC type SY-SUBRC.
data: ACTIVITY like AUTHB-ACTVT.
SUBRC = 0.
case MODE.
when 'R'.
ACTIVITY = '03'.
when 'W'.
ACTIVITY = '02'.
when 'D'.
ACTIVITY = '02'.
endcase.
if ISPTH_HEAD-FS_BRGRU <> SPACE. "Here it is... for BEGRU checks there must be a value...
authority-check object 'S_PATH'
id 'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
id 'ACTVT' field ACTIVITY.
if SY-SUBRC <> 0.
SUBRC = 3.
endif.
endif.
endform.
Cheers,
Julius -
Authorization Object is not working when report is modified.
Hi BW Guru's
We have Company Code as Authorization Object .and we have 3 company Codes (xxxx,yyyy,zzzz).where the users under Company code xxxx are not supposed to view company code yyyy,zzzz data etc.
I modified an existing Report and transported to production.But the Authorization Object is not working for that report.The Report is defaultly displaying all the company codes data(xxxx,yyyy) for all the users.But for the other reports its(company code ) is working fine.
What could be the problem?Is theproblem in transporting the objects.But i transported all the objects inluding auhorization object.
Please send me the solution as it is very much urgent.
The solution will be def. awarded with full points.
Regards
Sanjayhi Sanjay,
please don't post the same question again, check and response back from your previous thread
Re: Authorization Object is not working when report is Modified.
hope this helps.
would be nice if you reward for helpful answers to all of your previous postings, e.g
docs related to RRI -
Report to check authorization object used in customized programs
Hi Guys,
An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
Edited by: Jarod Tan on Nov 25, 2010 9:42 AMNote that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
Code review is an art form!
Cheers,
Julius -
hi all,
in me52n transaction, in account assignment tab there is field called costcenter. its field name is kostl and strucutre is cobl. now i have requirement to create an authorization object on this costcenter. that is for example , if i try to make any changes in the cost center field it should allow me to do it. but if some others are using it should not allow them to make any changes. plz let me know the solution how to do step by step. points will be awarded . this is urgent requirement. plz reply fast.
thanking u in advance,
a.srinivasHi deniz,
Use this to set up the autherisation object
AUTHORITY-CHECK OBJECT '<objectname>'
ID 'ID FIELD SY-UNAME.
IF SY-SUBRC NE 0.
MESSAGE S999 WITH 'You are not Authorised to change entries'.
EXIT.
ENDIF.
Inform the Basis team to assign the role only to ur id...so that no other person wil u autherized
Award points if useful
Regards
Gowri -
Analysis Authorization Object not working
Hi Gurus,
I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
I have followed the below steps but still the report shows all data instead of restricted one.
1)RSECADMIN -> Maintenance ->zz_div ->Create
2) Add 0DIVISION in Auth structure , and in details
I EQ 32
I EQ 33
3) Add 0TCAIPROV with I EQ 0SD_C03
4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID, this having details as
I CP *
5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
Following are the authorization object in that user's Role (Reporting Only)
S_RFC
S_TCODE
S_GUI
S_BDS_D
S_BDS_DS
S_OC_SEND
S_RS_AUTH - only having zz_div
S_RS_COMP
S_RS_COMP1
S_RS_ICUBE
S_RS_RSTT
S_RS_TOOLS
S_RS_PARAM
I have surfed lots of thread for this issue but not getting a solution
Tell me what i m missing in above or any additional setting need before creating analysis authorization
Edited by: Sonal Patel on Apr 18, 2009 8:10 AMHi
Thanks a Ton for ur reply
I have checked in SPRO : Analysis Authorization
where the authorization mode is " OLD obsolete Concept With RSR Authorization Objects "
We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
Thanks
Sonal.... -
Authorization object for running a report in background
Good day experts,
I tried running a report in background, I choose immediately so that it doesn't have to be scheduled. But when I checked it in my own jobs, It remains at scheduled status. When I tried it on my admin account, It works and with status finished. It seems to be an authorization problem. What object could I be missing with my user account? I tried S_TCODE SMX and SP02 but still not working.
Thanks in advance!Hi karshbax,
What you're looking for is authorization object S_BTCH_JOB. You need authorization for field JOBACTION = RELE.
In future use transaction SU53. It shows last error authorization error, so if this is authorization problem then after try of manual releasing of job you'll find in SU53 precise info what went wrong.
Best Regards
Marcin Cholewczuk -
MRS - authorization objects (Multi Resource Scheduling)
Hello,
We are implementing MRS for a customer who does not have proper structural authorizations in place, and they would like to avoid using evaluation paths for the authorization check.
Is there a way to use cost centers to limit user access in MRS? We tried to use cost centers in auth. object MRSS/PB1, but it does not work.
Is it possible to modify the default MRS auth. objects and add some extra auth. fields? Would that auth. check work in planning board?
Is there any other way to limit user access in MRS planning board rather than using evaluation paths?
Thank you
SimonHi Simon,
I have checked the authorization objects related to MRSS in SU24 where I can see based on the T code. Did you find a way how to get relevant for SAP MRS only like the Resource Planner etc authorizations he need if you have found something like that please share.
Thank you -
How to restrict provide to a single account(by authorization object)
Hello, i have two types of accounts.
Account range 1: 10000000 -19999999
Account range 2: 20000000 - 29999999
For range 1 i have assigned authorization group AUT1.
For range 2 i have assigned authorization group AUT2 (by transaction OB_GLACC12).
So the general idea is some users will have access only to group 1 , etc. i have used autorization object F_BKPF_BES in the role btw.
I have created 4 roles:
1) RANGE1_ALL (means user can create / modify delete GL from range 1)
2) RANGE1_DISP(means user can only disp GL from range 1)
3) RANGE2_ALL(means user can create / modify delete GL from range 2)
4) RANGE2_DISP(means user can only disp GL from range 1)
If i give RANGE1_ALL + RANGE2_DISP to the user, he can create/modify/delete for range1 and only display GLS from range2.
Now the problem is if i want user to create/modify/delete for range1 but only display a specific account from range 2 ; say GL 29999000.
Which authorization object can i use to specify the range 2 GL account directly?thx.Hi,
The only option for you is to have a different authorisation object for that GL alone and assign it to the user. You dont assign RANGE2-DISPLAY object to that user.
From FS00, you have to change the Auth group of that specific GL.
Regards,
Mike -
BI authorization objects not appearing in RAR, error while generating role
Hi
I am facing certain problems relating to integration of BI module version 7 with GRC Access Controls version 5.3 and support package 06. I am describing the problems in details below:
(a) In Risk Analysis and Remediation (RAR) component, I am creating Functions and
Risks for Business Intelligence (BI) module. For that I have downloaded the
descriptive text and authorization object data from BI development system and
uploaded the same in RAR. Then I have created 2 Function Ids DBI1 (having action
RSA1) and DBI2 (having actions RSA11, RSA12, RSA13, RSA14, RSA15) and 1
Risk Id for BI (having Function Ids DBI1 and DBI2) in RAR. But when I checked
the permission tabs of the Function Ids DBI1 and DBI2, I could not find any
authorization objects for the actions in them.
(b) In Enterprise Role Management (ERM), when I am trying to create a Role TEST-BI
in DBI 100 and I put the BI transaction codes in authorization data , I get the
authorization objects . Risk analysis is also being done successfully. But at the time
of Role generation in background mode , it is giving an error message :
Error generating role TEST-BI for system DBI 100: Unable to interpret * as a number.
I am thus unable to generate any role in DBI 100.
(c) In Compliance User Provisioning (CUP), I have imported a standard role from DBI
100. Then I have added Functional Area, Business Process, Subprocess and
Criticality Level to this role in CUP. But when I try to assign this Role to an user, it
gives an error Error creating request. But requests are getting created and roles are
being assigned to users in ECC development systems using the same Initiator, CAD, stage
and path.
Can anyone please help me ?-
-
Error while generation of the Authorization object (
Hi Gurus,
I have created a Authorization object Z_CCTR3 for 0costcenter authorization.
but getting following error while generation of the Authorization object (type is Flat authorization)
"Error occurred when reading the data from DataStore object Z_CCTR3"
Any inputs will helpful...
Sonal.....Hello everybody,
my problem is solved.For the UDConnect, whatever DATA SOURCES you create gets registered in a FUNCTION MODULE which has a capacity of only 99 enties, so to increase it implement the SAP NOTE 876340 - UDC Error available on SERVICE MARKET PLACE.
This problem occurs with BW version 3.5 level 17 or below.
Regards,
Priyanka
Edited by: Priyanka Joshi on Jun 10, 2008 11:03 AM -
Hi basis guys........
i am not able to give print request.its showing authorization error
"no authorization for LOCAL PRINTER" and "output could not be issued"
i checked su53 screen. and i assigned that activity in authorization object.
even then its showing authorization problem.
Is there any object to add to get printing ?
and what is "s_gui" object ? is that works?
Please tell me your suggestions
Regards........nagendra.Hi
Check whether for the user a printer is assigned or not. Only the printer which is assigned to the user in SU01 can be used by the user.
What u can try is assign the Local Printer in default printer for that particular user.
Also if you have assigned the authorization object that was missing then there should not be a problem.
Regards
Sumit Jain
[reward with points if the answer is useful]
Maybe you are looking for
-
Separating business logic from presentation
Hi, I'm not sure if this is even the right forum for my question..but here it goes: I have a device that is throwing out data into some kind of a storage device/server. Now, I have an application that reads the data from that storage and charts it. L
-
Hi! Sorry if this is the wrong place to post this. I wonder if anyone has used The Sims Complete Collection on an Intel Mac Mini? If so, how does it run? Is there a universal out? If not, how does it run under Rosetta? Thanks in advance!
-
How to add config changes in Transport Request
Hi Experts, We did some config changes in Logistics - General=>Material Master=>Configuring the Material Master=>Define structure of Data screen for screen sequence / Assign Secondary sequence / Maintain Order of Main and Additional Screens. But whil
-
Exposure inconsistent relative to PS
Some images look way brighter in bridge than they open in PS, some darker, some the same. I can't make heads or tails of it, I'm not seeing a pattern yet, I just know not to expect a shot viewed in bridge to look the same in PS. And I'm talking about
-
Deactivating inspection for movement type 633
Hi All... Please clarify.....In our scenario.. client do consignment selling.. first he will move the stock from factory to party through sales order(Mvt type 631-cons lending), where we r doing PDI (10) insp. its working ....... But, when party sell