Is it possible to assgin authorization object to business object

Similar Messages

• Assign Authorization Object dynamically

  Hi,
  I just want to know through coding is it possible to assign authorization object to user based on some condition dynamically.
  Its related to BP and in CRM 6.0
  Pls provide some approach if its possible.
  Thanks a lot.
  Regards,
  Shobhit

  Shobhit,
  Displaying authorization details would not be much of a problem. We can add a flag in the customer master and fetch the customers with the flag in the search result. I believe there is BADI to do that.
  Once the customers are retrieved navigating to the account details should be standard procedure. It should make use of standard events to go to the BPHeadOverview screen.
  But, the concern is whether or not there is authorization failure when we are trying to save the activity created using these flagged customers.
  Regards
  Prasenjit

• Is it possible to use a multiply authorization objects to one infocube?

  Hello!
  BPS-BW implementation required to use security on several CHAR including hierarchies for one infocube. What the right way to implement this requirement?
  I created (RSSM) several authorization objects: one per CHAR, and assigned it to infocube. Then I created a role and included the craeted objects. But cube data didn't display in a queries or planing folders. But, when I created the auth object for the required CHARs and assigned it to role the cube data displayed accordance setted values.
  What's wrong?

  Hi,
  I think u have checked the check box for authorization relevant in the maintanance screen of chraracteristics ,thats the reason.
  Regards-
  Siddhu

• Mass update to FILENAME field in S_DATASET authorization object

  We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value.  I'd like to do this programmatically if possible.
  What I've learned so far is that I need to update the value in table USR12, but the value is encoded.  When I look at the table in SE16, I do not see the encoded value field.  The value does show in UST12, but I'm told this is an unreliable table.
  So I'd like to know..
  1. How can I look at the value if not in SE16?
  2. Is there an API I can use to encode/decode the value?  If not, where is the specification on how to build it?
  If this is better addressed in a different forum, which one should I try next?
  Thanks,
  Dan

  Hi there,
  Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
  But the behaviour as you have described:
  >
  > Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
  > =============================================================
  > *                                 X         X            DUMY
  > /temp/FI/..                       X         X            DUMY
  > /temp/FI               X                                 FIFI
  >
  ... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
  > Caution:
  > - If you enter paths generically in the table SPTH, the most precise specification counts.
  > - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
  So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
  So, the only check which is effective to protect the path, is:
  Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
  =============================================================
  /temp/FI               X                                           FIFI
  ... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
  Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
  form CHECK_PERMISSION using ISPTH_HEAD type SPTH
                              MODE       type CLIKE
                              SUBRC      type SY-SUBRC.
  data: ACTIVITY like AUTHB-ACTVT.
     SUBRC = 0.
     case MODE.
       when 'R'.
            ACTIVITY = '03'.
       when 'W'.
            ACTIVITY = '02'.
       when 'D'.
            ACTIVITY = '02'.
     endcase.
     if ISPTH_HEAD-FS_BRGRU <> SPACE.  "Here it is... for BEGRU checks there must be a value...
        authority-check object 'S_PATH'
            id  'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
            id  'ACTVT'    field ACTIVITY.
         if SY-SUBRC <> 0.
            SUBRC = 3.
         endif.
     endif.
  endform.
  Cheers,
  Julius

• MRS - authorization objects (Multi Resource Scheduling)

  Hello,
  We are implementing MRS for a customer who does not have proper structural authorizations in place, and they would like to avoid using evaluation paths for the authorization check.
  Is there a way to use cost centers to limit user access in MRS? We tried to use cost centers in auth. object MRSS/PB1, but it does not work.
  Is it possible to modify the default MRS auth. objects and add some extra auth. fields? Would that auth. check work in planning board?
  Is there any other way to limit user access in MRS planning board rather than using evaluation paths?
  Thank you
  Simon

  Hi Simon,
  I have checked the authorization objects related to MRSS in SU24 where I can see based on the T code. Did you find a way how to get relevant for SAP MRS only like the Resource Planner  etc authorizations he need if you have found something like that please share.
  Thank you

• How to add custom authorization object to a SAP standard transaction

  Hi All,
  I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
  Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
  - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
  - tcode SU21 - creation of  a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
  - tcode SU24 - insert of new authorization field e check indicator (green)
  - tcode SU22 - check indicator - check (green)
  After this we have created a new role with PFCG and add transaction IW22; the new auth.ZPM was added manually.
  We have try to analyze log (ST01 trace) but it seems no check was made in the trace file.
  It seems new authorization object was not checked.
  My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
  Thanks
  Maurizio

  > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
  >
  No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
  So you need to provide a Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
  Regards,
  Dipanjan

• BAPI for creation of Authorization Objects in BI 7.0

  Hi BW Gurus,
  Greetings!!!
  Is there any BAPI Available for creation of Authorization Objects in BI 7.0.
  The data will be transferred through flatfiles.
  Kindly provide me the info as earliest as possible.
  Best Regards,
  Priya

  Got the Workaround...
  Priya

• Role creation and authorization objects in sap

  Hi
  i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
  Please explain the process in detail the use of PFCG and all its options and how to create Z roles

  Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
  - Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.
  - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
  For e.g. If a user wants to create a PO we can restrict him on:
  u2022     Activity : Create/Change/Display
  u2022     Org elements like Company Code, Plant, Purchase Organization etc
  u2022     Document type etc.
  - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
  - Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
  - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
  - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
  - Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.
  Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

• Authorization object for additional data of material

  Hi,
  in our Authorization there some user they can use MM01/MM02 only for specific
  Maintenance Statuses - object M_MATE_STA (say L - Storage, X - Plant stocks, Z - Storage location stocks).
  We also want, that this user are not allowed to change some additional data, but i don't know, if there
  is some Authorization object.
  Has anyone an idiea?
  thanks.
  Regards, Dieter

  Have a look at M_MATE_MAN. Help text below:
  Definition
  This object determines whether a user is authorized to maintain material master data at client level.
  Data at client level includes fields that cannot be maintained for each organizational unit (for example, for each plant or sales organization). It includes the following data in particular:
  Material descriptions
  Long texts (except sales texts and the material memo)
  Units of measure
  EANs
  However, it does not include the objects of other applications that you can assign to a material when maintaining the material master record (for example, document assignment or classification) since separate authorizations can be given for objects of this kind.
  Note
  Even if a user does not have the authorization to display data at client level, the following data is still displayed for the material nevertheless:
  Material descriptions and base unit of measure
  Deletion flag on the initial Flag Material for Deletion screen
  Defined fields
  Fields Possible values Meaning
  ACTVT 01 User may create data.
  02 User may change data.
  03 User may display data.
  06 User may change deletion flags.
  Edited by: Nick WW on May 27, 2011 9:27 AM

• How to add authorization field to a standard authorization object

  Hi All,
  I'm trying to limit user to can only create & change X type of order type in PM module. This can be fullfill by creating suer with assigned role with only allow X type of order type.
  But when I assigned a display role which has authorization to display all order type (maintained as authorization object), now my user can create and change all order type.
  How to limit user to can only create & change X order type and only display the rest of order type?
  I assume by adding authorization field: AUFART(order type) in authorization object: I_TCODE will solve the problem, is it right? and is it possible to do that?
  regards,
  Andre

  Hi,
  your assumption is incorrect. First of all, adding a new field to standard authorization object is a bad idea. You would have to modify all checks for that object. For standard SAP object it means that you would have to modify many SAP programs.
  The authorization object I_TCODE is checked in PM transactions. It gives you authorization to run that transactions. That object can't be used to limit what you do in that transaction or what order type you can process. You are looking for some other authorization object(s). You need to go to SU24 which gives you what authorization objects are checked in particular transaction. It does not have to cover all objects but it's a good starting point.
  Cheers

• Can we reuse the Authorization objects in MM01 for  Custom TCODE  ZMM01

  Hi all,
  We need to create screens  or transaction code ZMM01 which will have all views in the form of a tab like sales data will have a tab to input sales information like plant data as its own tab to input plant specific data
  ceating material  masters  entries in Ztables like ZMARA,ZMARC,ZMVKE.
  Now my question is can we use the same authorization objects which are being used for standrard MM01 transaction code because same users who use MM01 will use ZMM01.
  If this is possible how can I know what are the authorization objects which I need to program for my ZMM01 Tcode.
  All replies are rewarded.
  Regards
  Martin.

  hi yes
  it is possible go to transaction SU21
  and search MM_G object class you can reuse the same for ur Z transaction
  also u will have to use SU22 to assing tcode to the obejct class
  Harish

• How to use authorization object P_PERNR ?

  Hi, Gurus~
  In our system, there is a user whose User ID is "00041", and she can modify her own 0008, we want to control it so that she can only display her own 0008, but process 0008 for all other employees
  So, i use the authorization object P_PERNR to do this, i set the fields value like this (totally copy from the SAP help for P_PERNR....):
  Authorization level:  W,S,D,E
  Infotype: 0008
  Interpretation of assignment personnel number: E
  Subtype: *
  and then, i maintain her master data 0105's subtype 0001-system user name as 00041
  i think she shouldn't maintain her own 0008 now ,but she still can maintain it
  i want to know why and how to solve it, did i do it in the right way?
  Thank you in advance!

  P_PERNR   HR: Master Data - Personnel Number Check
  You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.
  The following values are possible for the PSIGN field:
  I   =          Authorization for personnel number assigned, that is for own personnel number
  E  =          Authorization for all personnel numbers excluding own personnel number
  You can assign a user a personnel number using infotype 0105, subtype 0001 (in earlier releases using the V_T513A view).
  This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.
  Example of Personnel Number Check P_PERNR
  The authorization checks for P_ORGIN and P_PERNR are activated in the system. In addition, there are user assignments for some personnel numbers.
  The user in our example is assigned a personnel number and is administrator responsible for the Basic Pay infotype (0008) of a personnel area (that is, the user has the corresponding P_ORGIN authorization). The employee should also be able to display his or her own data but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. The corresponding authorizations for the P_PERNR authorization object must be set up as follows: AUTHC = R, M
  PSIGN = I
  INFTY = *
  SUBTY = * AUTHC = W, S, D, E
  PSIGN = E
  INFTY = 0008
  SUBTY = *
  In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. You need to set up the appropriate authorizations for the HR: Personnel Number Check object as shown in this example.
  The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write access to all data records of infotype 0008 for the employee's own personnel number in case the administrator is responsible at some point in the future for the personnel area to which he or she belongs.
  As the following examples illustrate, inconsistent authorizations can be granted.
  Example 1:
  AUTHC = *
  PSIGN = I
  INFTY = 0014
  SUBTY = M* AUTHC = W, S, D, E
  PSIGN = E
  INFTY = 0014
  SUBTY = *
  The first authorization grants the employee read authorization (AUTHC = R) for the Recurrent Payments/Deductions infotype (0014), subtype M120, which allows the employee to access the data stored under his or her personnel number. In this case, the second authorization is irrelevant.
  The first authorization grants the employee write authorization (AUTHC = W) for the Recurrent Payments/Deductions infotype (0014), subtype B030, which denies the employee access to the data stored under his or her personnel number. In this case, the first authorization is irrelevant.
  The first authorization grants the employee write authorization for the Recurrent Payments/Deductions infotype (0014), subtype M120, the second authorization denies the employee this authorization. The desired system response is unclear from this example. According to the documentation, the system response is undefined in such situations. In reality, the authorization check always denies authorization in unclear situations, that is E is stronger than I and therefore the authorization is not granted.
  Example 2:
  AUTHC = *
  PSIGN = *
  INFTY = *
  SUBTY = *
  This type of authorization is required by superusers with unlimited access, for example. The above authorization is appropriate if an employee wants to access an infotype. However, since PSIGN = * and * can be substituted for any value, PSIGN and E can also be interpreted as I. This can also lead to an undefined situation. In earlier releases, the authorization was denied on the basis of the rule E is stronger than I. This meant that superusers with assigned personnel numbers were not able to access their own personnel number. The programs have since been changed and now * is interpreted as I and is stronger than E. In other words, * is stronger than E and E is stronger than I, whereby * is interpreted as I.
  As already indicated in Example 1, the combination of different authorizations can produce a complicated result. We therefore recommend that you avoid combinations where P_PERNR authorizations can be interpreted differently for the same combination of AUTHC(Authorization Level), INFTY(Infotype) and SUBTY (Subtype).
  Misunderstandings arising from the complex situations described above are not the most frequent causes of customer inquiries, however. The most frequent cause is the incorrect assumption that authorizations by personnel number affect authorizations for non-assigned personnel numbers. This is not the case at all.
  If you use authorizations by personnel number, you should always first set up all non-personnel number-related authorizations. As soon as you have done this, you should create different access authorizations for the personnel numbers that are assigned to users using appropriate P_PERNR authorizations. This is always possible since the P_PERNR authorizations override all other authorizations directly (except Test Procedures).
  P_PERNR authorization checks cannot bypass test procedures directly. For instance, a test procedure is only carried out on the Recurring Payments/Deductions infotype (0014) if a corresponding P_PERNR authorization (with PSIGN = I) exists. If an appropriate authorization for the corresponding subtype of the infotype 0130 exists, it can be used effectively to carry out the test procedures.

• HR custom authorization objects

  Is it possible to have more than one custom HR authorization object active at the same time? For example if I need 2 custom variations of P_ORGINCON (I  have some very complex requirements),  is that possible, or am I limited to just 1? Having more than 1 seems to present a problem when I run RPUACG00 to generate include MPAUTCON. It overlys the code generated fo the first cusom object with code for the second object, therefore only allowing cgenerated code to exist for 1 of the objects.
  And one additional question - when I create a custom HR object (one which contains infotype, subtype, persg, persk etc), am  I limitied to only using fields from PA0001 in that object?  If I include some other field that does not exist on PA0001, when I run RPUACG00 it gives me the error "Field xxx is not allowed  in authorization object Z_xxx".
  Many thanks,
      Mike

  One example of a  requiremnet I have is for a manager to have 3 different types  of authority based on when a position was in his org structure. So if a position is currently in his org structure he might have WRITE access to their infotype 2,6,8... for positions that were in his org strucure between 1 and 60 days ago (but are not in his structure as of today) he might have WRITE access to their infotype 2 and 6 and READ access to other infotypes, and for people that were in his structure 61-9999 days ago, he might have only READ  access to all the position's infotype data.
  I was thinking of using 3 disctinct HR authorization objects to cover each of these 3 scenarios, but ran into the issue mentioned above with the generation program RPUACG00.

• Adding authorization objects to Report Painter reports

  Hello Everyone,
  Is there way to add authorization objects to report painter reports ? I know it is possible to add auth group at the header level but I need to limit access at run time to specific objects, say for example, Cost Center. Is this possible ?
  I have seen the Get_Reporter.pdf document and it seems to discusses adding auth group but not auth objects.
  Thanks in advance.
  Dorothy

  hi
  good
  use this tcode to create authorization
  SU21  Maintain Authorization Objects
  this link ll give you idea to create the authorization object for the report painter.
  http://www.virtuosollc.com/PDF/Get_Reporter.pdf
  Award points if helpful.
  thanks
  mrutyun

• RSSM: Checks Authorization Objects for Infoprovider are not activ

  Hello,
  we have BW 3.5 and we use RSSM Authorization Objects.
  When we create a new cube with an Infoobject that is authorization relevant, in our development-system in rssm the flags for the checks are automatically activ.
  When we transport the new cube to our production-system, the flags in RSSM for the authorization object are not activ.
  Sometimes the new infoprovider is not in the list of the infoprovider in rssm, so we have to "update check status" with the appropriate icon.
  My question:
  It is possible, that when we import the new cube in our production-system, that all authorization objects are activ??

  Hi,
  Normally system would check all the authorization relevant objects whenever a new Info cube is imported and in case if you want to transport these changes to Production system manually then follow the below listed steps:
  1) In Development system, check or un-check the authorization relevancy using the transaction RSSM on a given Info provider
  2) These changes are stored in table RSSTOBJDIR
  3) Create a manuall transport request and include these entries covering the required Authorization objects manually. 
  R3TR TABU RSSTOBJDIR
  Ex: If Info object 'A' is authorization relevant in Development system but not in Production system and you want to transport this change to Production system then include object 'A' table entries manually.
  Hope this helps.
  Cheers
  Bala Koppuravuri