Level of authorization to Tcode

Similar Messages

• To restrict authorization of tcode MEK1,MEK2,MEK3,MEK4 at plant level

  Hi,
  We have  a requirement where we need to restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.
  Presently we can restrict authorization at Purchasing organization level but not at Plant level.
  Any pointer please!
  Regards,
  Chetan

  Hi,
  You can restrict the users for the authorization of these T-Codes on their  User ID. Take help of  Basis who controls Roles & Profiles. (T-Code PFCG)
  Hope this helps,
  Best regards
  Amit Bakshi

• To restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.

  Hi,
  We have  a requirement where we need to restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.
  Presently we can restrict authorization at Purchasing organization level but not at Plant level.
  Any pointer please!
  Regards,
  Chetan

  First of all, this is not the right forum to post such a question.  Coming to the requirement, this can be achieved by creating a role in PFCG where you can restrict plant and assign this role to each user id.  Your basis team can do this.
  thanks
  G. Lakshmipathi

• Remove authorization for Tcode: ME21 and ME22 from certain users

  Hi Guys,
  I'm new to BASIS.
  My requirement is to: Remove authorization to Tcodes ME21/ME22 from a list of users.
  How do I acheive this? We run on SAP 4.0B version.
  Hoping to get this resolved as soon as possible.
  Thanks
  SAPUser

  dear friend,
  1.
  run SU01
  goto Information-Information system
  select node Roles-By Transaction Assignment
  type ME21, ME22
  execute report
  see the roles displayed
  2.
  then find user who have these roles (usually company uses z-roles copied from standard)
  just highlight the role and hit user assignment (Cntrl-Shift-F9)
  you see all users who have this role. that means they are able to run these transactions.
  3.
  let's remove the role(s) we found.
  open second session, run SU01 type one of the user , goto Roles tab and delete the particular role you found.
  save user and test it (ask hem/her to log in sap and run ME21 and ME22). if needed adjust it again (may be another role to be deleted)
  say, fix completely one user/test it and then do the same things for other. test them.
  good luck!

• Open and close posting period authorization control TCODE: S_ALR_87003642

  HI All,
  Is there any chance to control the user to open and close another company code posting period variant in TCODE: S_ALR_87003642.
  In our system we are using the same client for different countries. So user can able to change the other country company code posting periods.
  We would like to control either on the country (or) organizational unit(company code) (or) posting period variant so that user can only open/close  their country / company code posting periods.
  Our present authorization role for open and close posting period contain the auth.Obj. : S_TABU_DIS.
  Please share your knowledge if you come across this problem..
  Thanks in advance..

  Hey Sandhya,
  Congratz, this can be done using linbe item authorization with the object S_TABU_LIN.
  Field ORG_CRIT - Value 02
  Field ORG_FIeld1 - Value ZT001B
  We have successfully done it in our client.
  You need to contact your BASIS consultant for this.
  Thanks,
  Nitish

• Authorizations for Tcode Execution

  Hi. 
  I understand that users assigned a particular Tcode eg. PFCG might not be able to execute this Tcode if he is not assigned the corresponding Authorization object and related activity field values for the PFCG transaction to work.
  One tedious method of verifying that the user does indeed have authorization is to require the user to login and execute the transaction PFCG itself.
  Is there a faster way for the Administrator to check if the end-users does have the relevant authorizations/authorization_objects to support the execution of a tcode PFCG? This applies to all other tcodes.
  Thank you very much.

  Hi Chong,
  SAP delivers the tables USOBX and USOBT.
  Table USOBX defines which authorization checks are to be performed within a
  transaction and which not. This table also determines which authorization checks are maintained in the Profile Generator.
  Table USOBT defines for each transaction and for each authorization object which
  default values an authorization created from the authorization object should have
  in the Profile Generator.
  The tables are maintained in transaction <b>SU24</b>. This transaction displays the check indicators of a transaction. Check indicators determine if an authorization check will run within the transaction or not. Any object with CM(Check/Maintain) status will be pulled into PFCG when you add a transaction.
  To check this:
  Enter transaction SU24-->Enter any transaction which you want to check in "Transaction Code"->execute->Display check indicator-->Display field values.
  This would show you the authorzation objects along with there field values which will be pulled into a role when you add a transaction.
  Hope it helps.
  Please award points if it is useful.
  Thanks & Regards,
  Santosh

• Query Level Analysis Authorization

  Experts,
  I have a requirement to provide Analysis Authorizations at a QUERY level.  For example, I have two analysis authorizations: (1) Org Unit and (2) Material Number.  I populate each of these Analysis Authorizations using a BEx Variable (through RSECAUTH) and customer exit "EXIT_SAPLRRS0_001".  In the user exit I look up what authorizations the user has for each field in a custom table.  For example, User A has access to Org Unit ORG1 and Materials M1, M2, M3.  User B has access to Org Unit ORG2 and Materials M4, M6, M8.  The Analysis Authorizations are assigned to the users via S_RS_AUTH object and it works perfectly.
  However,  we now have a new report, where we would like continue restricting the user to ORG1 but allow them to see ALL Materials.  But this requirement is only for a couple of reports. All other reports should continue to enforce BOTH restrictions.
  I don't see a way to determine which query the user is running.  In the user exit for normal variable exits, I can reference the field i_s_rkb1d-compid which has the query technical name.  But when filling the authorization variable in I_STEP = 0, that field is not populated.
  Has anyone experienced a way to create authorizations at a query level?  Is there an SAP InfoObject like 0TCAACTVT where I can specify a query name?  Your help is greatly appreciated.  Thanks!
  J

  Hi,
  SAP BW Authorization is definitely different from R/3 authorization. Why? Well, first, R/3 authorization usually involves up to the transaction code level. But for SAP BW, the mostly used transaction is "RSA1" and "RRMX". Therefore, authorization based on transaction code alone, is definitely not sufficient.
  So how do we design authorization in SAP BW? There's a few authorization objects that relates to SAP BW.
  For reporting, you will most probably use the following SAP BW authorization object:
  S_RS_COMP - Reporting Component, here is where you control the query authorization blah blah.
  S_RS_COMP1 - Reporting Component Owner, you can control users to only be able to access report created by Power Users, here.
  S_RS_FOLD - Disable/Enable the 'InfoAreas' button.
  Besides that, you will also need to configure the following authorizations:
  S_RS_ICUBE - Infocube authorization
  S_RS_ODSO - ODS Objects
  S_RS_HIER - Hierarchy Authorization
  For SAP BW administration purposes, aside from the above, you also need to configure the following authorization objects:
  S_RS_ADMWB - Administrator Workbench
  S_RS_IOBJ - Info Objects authorization
  S_RS_ISOURCE - Transaction Infosource
  S_RS_ISRCM - Master Data Infosource
  There that's what you need for authorization. Anyway, to achieve "field level" authorization like those in R/3, you can create a customize object, select the infoobject that has been set "authorization relevant", and add it in the authorization matrix, and walla, you got "field level" authorization.
  and refer the below link,
  Re: BI 7.0 Analysis authorization- How to control
  Hope it helps you,
  Regards,
  Ravindra.

• Org Level Roles / Authorization Object Roles

  Hi board,
  I have heard of the concept to use roles with "Organizational Values" only and no other authorization values contained. Similar the idea to exclude special authorization objects from common roles and combine them in dedicated special ones to prevent accidential "double usage".
  The first may help to control the overall number of roles coming up after deriving single/composite roles for many levels.
  My questions are:
  - Is it technically feasible (for a large-scale company)?
  - What is your experience?
  - Drawbacks?
  Kind regards and many thanks for your help,
  Richard

  Richard Hösl wrote:
  > Hi there,
  >
  > that was fast, amazing. Thanks a lot and my appologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still temptating due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful. 
  >
  > Given the assumtion that it is not a good idea to use "Org Value Roles", are you deriving on on composite or on single level?
  >
  > Kind regards,
  >
  > Richard
  Hi Richard,
  It is a very tempting approach, but completely wrecks the standard auth concept and unless you are 100% tight on controlling it, can get very messy.
  A good way of looking at it is that you have 2 roles - one contains transactions & the other one a big bucket of authorisations which support those transactions.  That bucket invariably contains more authorisations than the transactions require.  Given that it is at the authorisation object level that the important security is provided, this method has it's drawbacks........
  If you have organisational complexity then you should look elsewhere to simplify. 
  By consolidating your roles (e.g. if we take a risk based design approach, typically around 80% of an accountants role will be the same anywhere in the business) and building at a higher level, you need to create fewer variants (which you might be able to use derived roles for).
  Put the effort in the design stage and it will pay dividends later on down the line. 
  Building at a higher level than task also forces the business to look at roles and responsibilities and to standardise as much as possible.
  Cheers
  Alex

• Level 15 authorization on Cisco ASA

  I use tacacs+ for AAA in my Enterprise. On my ACSv4.1, I have created a user with privilege level 15. On every Switch in my enterpirse the user on authentication, directly goes to privilege mode (because he is level 15). But on ASA (ver 8.0) he is always prompted for an enable password.
  Is there any method to directly go to the privilege mode on the ASA?
  I could not find any aaa authorization commands to do this in an ASA.
  Thanks in advance.

  Jenny, this is how the ASA works. This feature was never implemented on the ASA in the same way it was done on the IOS platform.
  Regards
  Farrukh

• Check authorization at TCode Z...

  Hi All,
  I have a problem with authorization, please help me !
  I have Tcode for customize report (HR). With user A, for one or two standart tcode, he has aut with Per. Area (10,20,30), but in cust. tcode Z... , he has only one aut in Per. Area (20). I used SU24 to assign aut. object (P_ORGIN) to Tcode Z... to check Personal Area and assign to it P.Area(20). But it not effect. How to do it ! Thanks for all idea !

  Hi
  Add the auth.object in your coding. Use 'Pattern' in ABAP Editor (SE38) for 'AUTHORITY CHECK'. After manage the error message with the purpose that user know that he or she must run tcode SU53.
  Regards
  Eduardo
  Edited by: E_Hinojosa on Nov 22, 2011 9:20 AM

• Authorization of Tcodes PT01,PT02 in Production server

  Hi Folks,
  I have a scenario wherein the client need to generate workschudules at the beginning of ever year using PT01 and make changes using PT02 whenever required.
  Those these tcodes are authorized in the respective roles. SAP is not alllowing changes as the clisnt is locked for SPRO access.
  Tell me how this is address in general.
  regards,
  Santhosh

  Santhosh:
  You would like to have these transactions PT01 AND PT02 to be executed for the user. Hence first thing we need to check is which roles support for the above transactions. To check the same, go to SUIM transaction in SAP, select -- Role -- by Transaction Assignment. Give the transaction PT01 and execute. This will display the role which has the PT01 AND pt02 transaction.
  This role need to be added to the user who executes using SU01 --> Roles or by PFCG making comparision. Once these roles are available, he can able to execute.
  Regards
  Team Member.

• Selection screen's  variant (global level) - what is the tcode for this

  Hi all,
  I need to know what is the transaction code that maintains ABAP program's selection screen variants at global level.
  More information : the transaction code that maintain program's selection screen variants at global level.
  Thanks.
  William Wilstroth
  Message was edited by:
          william wilstroth
  Message was edited by:
          william wilstroth

  Hi William,
  If you mean program variants, they are maintained in SE38 - enter the program name and then select the "Variants" radio button. If you mean transaction variants, the transaction code is SHD0.
  MJ

• Authorization of TCODE

  hello guyz!
  My question is if a particular user is not authorized for some trnx, how the user would request for authorization to the basis guyz. What I know is u gotta type in su53 trnx and then, it goes to the basis guyz through express document service. If any body could help me out in getting the step by step wizard in getting access for trnx in a automated SAP system, I would appreciate that.
  Thanks
  Shane

  Hello Shane
  The information about missing transactions authorizations should be sent to an authorization team (rather than SAP basis team) because they have to identify the roles in which these transactions are used.
  Assuming that your company is working with a <b>role-based</b> authorization concept the next step is whether the user is entitled to have these additional roles or not. If you are using the CUA (central user administration) then the authorization team can assign the new roles to the user (after approval) and distribute the assignments.
  The whole process can be supported either using SAP workflow or external workflow tools.
  I hope that you do not have <b>user-centric</b> SAP roles because sooner or later you will loose control over the authorizations within your SAP systems.
  Regards
    Uwe

• Ristrict sales order creation at plant level through authorizations

  Hi  ,
  I want to ristrict users to create sales orders for specific plants . Can anyone please tell me how to do it through authorizations.
  I am not able to find any authorization object for plant in VA01 and i have tried to  add object from other module like MM or PP and maintain plant values but still it is not ristrict users to create  sales order for that plant.
  any other object for plant.
  Thanks & regards ,
  Nitin Patki

  Generally we control parameters like Sales Organization, Distribution channel, division, sales document type, billing document type  etc through roles in SD but if you want to block the creation of sales order based on plant, then take the help of FI/MM people because if they will not give the authorization for Profit centre (in case you have taken that plant as a profit centre), The user will not be able to proceed further without profit centre.
  Reward points if it helps,
  Regards,
  N

• How to Control authorization for users with certain status for level 2 WBS Element

  Dear All,
  Is there any standard way or enhancement available to control authorization for users with certain status for WBS Element i.e. for example
  Pre-requisite:
  There is only 2 level of project i.e.
  Lev_ WBSE_______Description
  1___ 7-14.E_______summay outage controller
  2___ 7-14.E.2310__ Plant/unit # 2310
  2___ 7-14.E.2310__ Plant/unit # 2220
  Project Controller  (authorization role assigned "Z_PS_OP7_OTGCON_C") have all project level authorization
  Plant/Unit Controller (authorization role assigned "Z_PS_OP7_PLNTOTG_C_2310") have only level 2 authorization with enhancement that we did in system by Z table.
  User ID_ Plant #
  123345_ 2310
  122455_ 2220
  Issue:
  After System Status released and User Status approved the WBS basic date for Plant/Units should be restricted from updating/changing by Plant/Unit Controller level and only project controller should have this authority.
  Solution required: 
  Can any one tell how to control this scenario either by standard or enhancement available to control authorization
  BR
  Saqib Usman   

  Hi,
  Did you explore SAP Enhancement CNEX0002 Using Transaction CMOD?
  Thank you and regards,
  Varshal Kachole
  The SCN Rules of Engagement