Issue with context specific authorization object P_ORGINCON.

Similar Messages

• User List for a specific Authorization Object

  Hi all,
  i am looking for a way to get a list of all users assigned to a specific Authorization Object with specific values. The FM 'authority_check' is the other way arround and not that what i need. Do someone have an idea.
  Many thanks in advance.
  Ali

  Hi,
  Try this FM
  SUSR_USER_AUTH_FOR_OBJ_GET
  Check this FM
  AUTHORIZATION_DATA_READ_SELOBJ
  Rgds,
  Prakash
  Message was edited by: Prakashsingh Mehra

• Querying roles containing specific Authorization Object

  Hello!
  We're using BI7 with new considerations about security. I want to get all roles that contains a specific Authorization Object, I've tried using TX SUIM, but had no success.
  Is there any report, transaction or something else where to find this info?
  I hope you can help!
  Regards!
  Bernardo

  Bernardo,
  If "new security model authorization objects" means analysis authorizations (SAP's official naming for objects mantained by RSECAUTH), those used in roles can be retrieved again using tcode SE16: just query AGR_1251 but this time providing S_RS_AUTH for field OBJECT. The result set shows roles that contain analysis authorizations. If you want only the roles which have specífic analysis authorization, just provide its name for field LOW. Be sure to fill in this field with all capital letters.
  On the other hand table RSECVAL keeps the values defined for analysis authorizations.
  Hope this helps.
  Regards,
  Fernando

• The scope of the customer-specific authorization object

  Dears,
  Could someone please feedback about the scope of the customer-specific authorization object; e.g. if we are to create a customer-specific authorization object to replace authorization object P_ORGIN in the HR module, to be able to add an extra authorization field to the newly created authorization object, the scope of the newly create authorization object (which will have a new validation code generated by report RPUACG00) will be the whole ERP system ? 
  The worry is caused by the fact that P_ORGIN is already used in several authorization roles granted to users in the different ERP modules (i.e. FI, SD, MM, CS), so the replacement would affect these modules.
  Thanks.
  Reda

  Hello Reddy,
  We are about to implement the HCM module (We are now in the testing
  phase), on the same client as that of our SAP ERP implementation.
  We need to authorize on the personnel number grouped by 'Payroll Area'
  in transactions PA30, PA40
  In authorization object P_ORGIN, the field VDSK1 is already used to
  authorize on an attribute : cost center (organizational key) for each
  organizational unit, so we can't configure it to authorize on other
  fields from info type 0001 (e.g. Payroll Area).
  We need to continue using the conventional / general authorization and
  not the structural authorization, to stay in compliance with our
  authorization schema already implemented in our FI, MM, SD & CS modules.
  ( Also, as per thread : Steps for creating structural authorization profile using trans. OOSP
  the structural authorization cannot be used to authorize on Payroll Area.)
  We need to go through the HR module implementation without any changes
  in the ABAP code.
  So, the last way out is the custom-specific authorization object, and as I mentioned before, the authorization object P_ORGIN was already used in other ERP modules; e.g. FI, MM, SD & CS,
  ( Note : I haven't started yet implementing this solution.)
  Thanks.
  Reda

• An issue with authentication and authorization on ISE 1.2

  Hi, I'm new to ISE.
  I have an issue with authentication and authorization.
  I have ISE 1.2 plus patch 6 installed on VMware.
  I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
  On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
  I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
  I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
  I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
  What  should I do to resolve this issue?
  Switch configuration:
   testISE#sh runn
  Building configuration...
  Current configuration : 7103 bytes
  ! Last configuration change at 12:20:15Tue Apr 15 2014
  ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
  version 15.0
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname testISE
  boot-start-marker
  boot-end-marker
  no logging console
  logging monitor informational
  enable secret 5 ************
  enable password ********
  username radius-test password 0 ********
  username admin privilege 15 secret 5 ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
   client 172.16.0.90 server-key ********
  aaa session-id common
  clock timezone 4 0
  system mtu routing 1500
  authentication mac-move permit
  ip dhcp snooping vlan 1,22
  ip dhcp snooping
  ip domain-name elauloks
  ip device tracking probe use-svi
  ip device tracking
  epm logging
  crypto pki trustpoint TP-self-signed-1888913408
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1888913408
   revocation-check none
   rsakeypair TP-self-signed-1888913408
  crypto pki certificate chain TP-self-signed-1888913408
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  ip ssh version 2
  interface FastEthernet0/5
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/6
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/7
  interface Vlan1
   ip address 172.16.0.204 255.255.240.0
   no ip route-cache
  ip default-gateway 172.16.0.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   deny   icmp any host 172.16.0.1
   permit ip any any
  ip radius source-interface Vlan1
  logging origin-id ip
  logging source-interface Vlan1
  logging host 172.16.0.90 transport udp port 20514
  snmp-server community public RO
  snmp-server community ciscoro RO
  snmp-server trap-source Vlan1
  snmp-server source-interface informs Vlan1
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host 172.16.0.90 ciscoro
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  radius server ISE-Alex
   address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key ******
  ntp server 172.16.0.1
  ntp server 172.16.0.5
  end

  Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

• SAP BI 7.0 Transport issue with HR Structural Authorization DSO

  Hi,
  I am trying to transport HR Structural Authorization DSO Objects in  BI 7.0  from Dev to QA system. The Data sources are 0PA_DS02 and 0PA_DS03. ( I am sure that there are lots of changes in Authrorization concept in BI 7.0),.
  1. Please suggest me if I need to make any changes and tests before moving these authorization objects to QA system.
  2. Also, do I need to take any pre-cautions while activating business content objects 0TCTAUTH  and 0TCTAUTH_T (Datasources look like are from 3.x) as I am getting issue with the activation of the transfer structure for these objects?
  Thanks a lot for your valuable inputs.
  Regards
  Paramesh
  Edited by: paramesh kumar on May 5, 2009 12:45 AM

  Hi Paramesh.
  You can use the DSOs 0PA_DS02 and 0PA_DS03 in BI7.0 as well. You just need to use the new generation of analysis authorizations in transaction RSECADMIN.
  You can use 0TCTAUTH and 0TCTAUTH_T in BI7.0, however we have experienced som problems with the 0TCTAUTH_T extractor, which dumped because of a poorly designed SELECT statement that was unable to cope with 10000 records. We have replaced it with a generic data source that uses table RSECTEXT directly.
  Regards,
  Lars

• New Airport Network - issues with some specific features

  Hello,
  I have just changed my wifi system for an Airport Network, with one AirPort Extreme and 2 AirPort Express. The goal was to extend the wifi network to the entire house. Everything is fine, all my computers are able to connect to the network and are able to access the internet. The AirPort Network is connected to the internet with the PPPoE procedure.
  The issue is very specific here.
  1. I use Outlook 2007 to handle my e-mails. Since I have shifted to the AirPort Network, Outlook is not able to connect to pop server anymore for 4 of my 5 accounts. Hotmail (pop) is functionning alright but Gmail is blocked !
  2. Windows Update is also unable to connect to the appropriate server.
  Maybe there is more but it's all I have noticed so far. I have not changed a single parameter by myself on my computers and both are affected the same way.
  I first thought it was a firewall issue but disabling my software firewall (Bullguard) did not change anything. Vista Firewall is not active. Maybe is it the internal firewall of the AirPort Extreme ? But that would not explain why Outlook can send messages (smtp works fine).
  Any idea or similar experience ? Thank you in advance.
  Best regards,
  AdG

  Maybe my problem is just bad luck ! I might have shifted to my new network
  the wrong day. One day earlier, I would not have seen any difficulty... if this is it.
  Quakes slow cyber connections
  By Zhu Shenshen | 2009-8-18 | NEWSPAPER EDITION
  SHANGHAI'S international Internet connections slowed significantly yesterday after earthquakes rocked Taiwan and southern Japan. It was unclear last night how long repairs might take. Millions of Chinese Netizens were unable to connect to overseas Websites or use popular online chat tools yesterday afternoon.
  About 15 million MSN instant message users in Shanghai and other parts of China were affected as the main servers are in the United States. Connections to most overseas Websites including those run by Yahoo and the New York Times were also clogged.
  The chain of events that led to the service disruption had its origin in Typhoon Morakot, which struck Taiwan on August 7 and led to a later breakdown in an undersea telecommunications cable system.
  Local Internet traffic was not influenced because transmissions were routed to a backup channel. But that cable failed yesterday near Busan, South Korea, apparently the victim of the earthquakes, according to China Unicom.
  The failure affected Asian communications to the US and Europe.
  The epicenter of the first quake, which struck at 8:05am yesterday, was about 188 kilometers southeast of Hualien on Taiwan's east coast at a depth of 11km, the island's weather bureau said. The US Geological Survey put the magnitude at 6.7.
  The second quake, which was centered close to the first at a depth of 20km and struck at 6:10pm, measured 6.1, the Taiwan weather bureau said. It was also felt in Japan's Ishigaki Island.
  "We've sent a team to repair the broken cable, but we can't give a detailed timetable for when it will be completed," said Song Guixiang, a public relations official for China Telecom.
  The schedule will depend heavily on weather conditions, Song said.
  Repairs are handled by a team comprising the carriers that use the cable.
  In most cases it takes one to two months to fully repair damaged undersea cables. In the meantime, telecom operators will try to reroute traffic to operating cables and satellite systems.
  Domestic Internet connections and international call services were normal yesterday, the carriers said.

• Issue with language specific characters combined with AD-Logon to BO platform and client tools

  We are using SSO via Win AD to logon to BO-Launchpad. Generally this is working which means for Launch Pad no manual log on is needed. But  this is not working for users which have language specific letters in their AD name (e.g. öäüéèê...).
  What we have tried up to now:
  If the AD-User name is Test-BÖ the log on is working with the user name Test-BO with logon type AD
  If the logon Type "SAP" is used than it is possible to use the name Test-BÖ as the username
  Generally it is no problem in AD to use language specific letters (which means it is possible to e.g. log on to Windows with the user Test-BÖ)
  It is possible to read out the AD attributes from BO side and add them to the user. Which means in the user attributes the AD name Test-BÖ is shown via automatic import from AD. So it's not the problem that the character does not reach BO.
  I have opened a ticket concerning that. SAP 1th level support is telling me that this is not a BO problem. They say it is a problem of Tomcat. I don't believe that because the log on with authentification type SAP is working.
  I have set up the same combination (AD User Test-BÖ with SAP User Test-BÖ) as a single sign on authentification in SAP BW and there it is working without problems.
  Which leads me to the conlusion: It is not a problem of AD. It is something which is connected to the BO platform but only combined with logon type AD because SAP Logon is working with language specific characters.

  I have found this article with BO support:
  You cannot add a user name or an object name that only differs by a character with a diacritic mark
  Basically this means AD stores the country specific letters as a base letter internally. Which means that if you have created a user with a country specific letter in the name you can also logon with the Base letter to Windows.
  SAP-GUI and Windows are maybe replacing the country specific letters by the base letter. Due to that SSO is working. BO seems not to be able to do that. Up to now the supporter from BO is telling me that this is not a BO problem.
  Seems to be magic that the colleagues of SAP-GUI are able to to it.

• Issue with Planning sequence authorization in WAD

  Hi,
  There is a planning sequence which I can execute through Modeler without any issue. However I am not able to execute the same from WAD. It says 'You are not authorized to execute planning sequence....'
  Please advise.
  Regards,
  SSC

  hI,
  You need to create one role in which add planning related authorization object ie
  S_RS_PLSE     Planning Function
  S_RS_PLSQ     Planning Sequence
  S_RS_PLST     Planning Service Type
  S_RS_PPM     Authorization Object for BI Planning Process Management etc....
  and attach to your id.
  I think you do not have authorization for S_RS_PLSQ.
  try this.
  Regards,
  Ganesh

• Enroll Learner Issue with a specific Operator Id

  In ELM, under Enterprise Learning> Enroll Learner, when try to add more than one learner log in with a specific user, session terminates without any error message.
  But when copy the user profile for same user, then multiple leaner added.
  By trace, I found the below code not getting executed.
  problem is to execute the "&selLrnrRowSet.InsertRow(&selLrnrRowSetCount);" code when select 2nd check box.
  Please see the attached file with error.
  Please share your inputs to resolve the issue.

  Looks like You totally misunderstand the IN() clause.
  In your scenario resulting query looks like
  ... in ( '24,25,29' ) - that's why You will never get result if two or more values comes from function.
  Two solutions:
  1) You can put values in the temporary table or table pl/sql and rewrite query appropriate way:
  ... in (select value from my_temp_table)
  ... in (select value from table(my_plsql_table))
  2) While using 10g, You can format regexp pattern instead of 'val1,val2,val3' and use
  ... regexp_like(FUNCTION_ACTIVITY_ID, PATTERN)
  regexp docs: http://download-uk.oracle.com/docs/cd/B19306_01/server.102/b14200/conditions007.htm#SQLRF00501

• Issues with shockwave flash player object

  Why at some sites it has shockwave flash object it doesn't open it at all and it bring me window to download some files(See picture bellow).
  I have already installed adobe flash player & shockwave flash player with not solve this issue.
  Here is an example of these windows.
  http://postimg.org/image/6sw590trp

  You can try these steps in case of issues with web pages:
  Reload web page(s) and bypass the cache to refresh possibly outdated or corrupted files.
  *Hold down the Shift key and left-click the Reload button
  *Press "Ctrl + F5" or press "Ctrl + Shift + R" (Windows,Linux)
  *Press "Command + Shift + R" (Mac)
  Clear the cache and cookies only from websites that cause problems.
  "Clear the Cache":
  *Firefox/Tools > Options > Advanced > Network > Cached Web Content: "Clear Now"
  "Remove Cookies" from sites causing problems:
  *Firefox/Tools > Options > Privacy > Cookies: "Show Cookies"
  Start Firefox in <u>[[Safe Mode|Safe Mode]]</u> to check if one of the extensions (Firefox/Tools > Add-ons > Extensions) or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance).
  *Do NOT click the Reset button on the Safe Mode start window.
  *https://support.mozilla.org/kb/Safe+Mode
  *https://support.mozilla.org/kb/Troubleshooting+extensions+and+themes

• Creation of a user with a particular authorization object (Very Urgent)

  Hi,
  There is a requirement in my project to create a user who can only reset his password. So for this I think a authorization object should be created and assign it to a profile which displays only the tab for reseting the password which is( Logon in SU01). I want to know two things in this regard.
  1. The whole process of creating customised authorization object and assigning it to a profile and
  2. Any other way to achieve the needed scenario.
  Thanks & Regards,
  Sujith
  Edited by: Sujith K on Feb 4, 2008 1:26 PM

  In transaction pfcg ,
  give single/composite role name
  give profile name and description in authorization tab, save it
  enter into change authorization data
  select manually tab
  give authorization objects name (creating auth. objects)
  fields will automatically come inside it
  enter the field values
  save and generate profiles (Profiles created)
  go to su01,
  create users (fill address, logon data, roles )
  In pfcg,
  select the role you created and click on the user comparison for giving the authorization to access.
  award points if useful

• Authorization Issue with Custom Pending Value Object and Anonymous Users

  Hi,
  I am just converting my demo from version 7.1 to 7.2. I am not doing upgrade. The demo uses a custom pending value object USER_REQUEST. The idea is that new employee goes to Java AS as anonymous user and enters her details and store where she will work. After submitting request there is an approval process using custom entry type USER_REQUEST. If the request is approved then IdM converts USER_REQUEST into MX_PERSON entry. This works nice in 7.1 but I am having problems with replicating this in 7.2. I created new UI task accessible by anonymous that creates new USER_REQUEST entry. I also assigned role idm.anonymous with UME action idm_anonymous to UME built in group Anonymous users.
  My problem is with the field STORE. This field is a reference field to another custom entry type STORE (this entry type will be used in context based assignment). Every new employee must selects a store where she will work. The problem is when user clicks on button "Select". Web dynpro terminates and returns authorization error. I also tested this with entry type MX_ROLE. I added attribute MXREF_MX_ROLE and same issue. So it seems that just assigning UME action idm_anonymous is not enough to list objects from identity store. I found a workaround for this issue. When I assign also UME action idm_authenticated to Anonymous users then it does not dump and I get a pop up window where I can search for store. It does not seem right to assign idm_authenticated to anonymous users.
  Another issue is with display task for entry type USER_REQUEST. I assigned a display task to entry STORE and I set that Anonymous have access to this task in Access control tab. I assigned default value to the field store. So when a user opens page she can see a hyper link to display already assigned store. When user clicks on this hyper link it opens a new pop up window and user must authenticate against Java AS. After successful authentication the display task for entry STORE is displayed. I would assume that anonymous user can display it without authentication.
  So to me it seems like authorization checks have been changed in 7.2 versions and are more strict for anonymous tasks. Hence my question is how can I implement my scenario. Am I missing some configuration or what's the proper solution to my two issues? I don't count assigning idm_authenticated to Anonymous users as a solution. This workaround does not solve my second issue.
  Thanks

  Some of the folks from Trondheim labs check, but rather infrequently.  There's another person who I guess is in consulting that also checks from time to time.
  Sorry I can't help you with your main question...
  Matt

• Issue with Brazil specific Free of Charge Delivery

  Hello Experts,
  I worked with one of our Client called ManRoland. They have their business in Brazil and so Brazil specific tax calculation and Nota Fiscal etc are come into picture.
  Recently we got an issue (ticket) from Manroland Brazil related to Notafiscal.
  The issue is that for Free of Charge orders when they are creating Invoice documents with Zero value, corresponding Notafiscal is generated without any accounting documents being created.
  However the Brazil specific tax values should flow to a specific GL automatically. The automatic posting of tax values (IPVA, ICMS etc) to a specific GL is not happening and they have to post that values manually after the Zero value invoice is created, which they do not want to continue any more.
  We have down loaded one document from SAP and in that document it is mentioned that you have to use one standard Sales Order type ORB and some standard Item Category and also Notafiscal Type which are not there in the system right now.
  We have also created one OSS message 776303 / 2011 in which you can get all the related communication I had with the consultant Ruy Castro. He has suggested some links to get some more suggestions/documents from SAP.
  Could you please reply to us if you already have some solutions for this issue.
  Regards,
  Sadhan.

  No idea on this but I am not sure whether you have checked the following note which may help you.
  Note 664676 - Brazil: Free of charge items for exempt customers
  G. Lakshmipathi

• Issue with internal table in object oriented ABAP.

  Hello Gurus,
  I am having trouble defining internal table in Object oriented ABAP. for following:
  DATA: BEGIN OF IT_TAB OCCURS 0.
          INCLUDE STRUCTURE ZCUSTOM.
  DATA    tot_sum   TYPE char40.
  DATA END OF IT_TAB.
  Can someone help ?
  Regards,
  Jainam.
  Edited by: Jainam Shah on Feb 5, 2010 8:33 PM
  Edited by: Jainam Shah on Feb 5, 2010 8:33 PM
  Moderator message - Please post in the correct forum. You can easily find out for yourself by looking at SAP help for internal tables using OOP - thread locked
  Edited by: Rob Burbank on Feb 5, 2010 2:49 PM

  No, you can not declare internal table with header line in OO context. You have to declare the work are/header line separately
  Example:
  TYPES: BEGIN OF ty_it_tab.
          INCLUDE STRUCTURE mara.
  TYPES:  tot_sum TYPE char40.
  TYPES: END OF ty_it_tab.
  DATA: it_tab TYPE STANDARD TABLE  OF ty_it_tab.
  DATA: wk_tab TYPE ty_it_tab.
  LOOP AT it_tab INTO wk_tab.
  ENDLOOP.
  Edited by: Dean Q on Feb 5, 2010 8:50 PM