Limit Security by Excluding Authorization Groups for S_TABU_DIS
Is it possible to assign security for object S_TABU_DIS by excluding authorization groups in lieu of including all authorization groups for which security is to be assigned.
Thanks,
Barbara
Yes, some fields have cross-object relationships. For org. levels it is much the same.
There are limits to these fields - you can over-ride them or bypass the checks, but it is no guarantee that it will work.
There are many "tools" ouside of PFCG which do this... without respecting the limits.
Do not be surprised if it does not work, or you have perforamce problems, or strange user experiences....
Cheers,
Julius
Edited by: Julius Bussche on Oct 5, 2009 10:53 PM
Similar Messages
-
Creating Authorization groups for material types
Hi All,
I have a requirement to create Authorization groups for different material types we have in our company. Basically these are intended to restric the users from accessing the material master. Different material types needs to be assigned to differnt group of users.
So if we can create couple of Authorization groups, then I am thinking of assigning the material types to these groups.
I went to SPRO---Logistics general ---Material master -
Tools --- Maintain authorization and authorization profiles. TCODE : PFCG
Is this the right path?
Please advise
ShaneHi All,
I don't think SPRO---Logistics general -Material master- Tools --- Maintain authorization and authorization profiles is the right path to create new authorization groups.
Can anyone explain how to create new authorization groups for different material types. The purpose is to create a role and assign this auth. group to this role and provide that security role to specific users.
Regards
Shane -
Authorization Group for G/L Account
Hi,
What?
- I wish to restrict the 'posting' of a G/L account to be done by certain users only
How?
- What I have done was...
a) From FS00, I have added a free-text (BANK) into the Authorization Group for a G/L account
b) From PFCG, a new role was created to allow these 2 Authorization Objects, F_BKPF_BES and F_SKA1_BES
c) 'BANK' was entered for the Authorization Group for both these 2 Authorization Objects
d) From there, I have assigned this new role to the user that I wish to allow Posting of the G/L account
Problem?
- Other users still can do Posting for this G/L account
- Any steps which I have missed out here or done wrongly?
Thanks,
BrandonHi,
Some other roles of the users may override and cause the users to post against this GL account.
Check all the roles relevant for the restricted users.
Use SUIM t-code to find if the auth object mentioned above is included in any other role.
If it be, restrict that again.
Generally if one role as no restriction against this auth and not all, this issue tends to happen.
Regards,
Sridevi -
How to create authorization groups for G/L Accounting
Hi:
I have a problem with authorizations groups in FI, I hope you could help me.
We want to control access to accounting in FI by authorization group so user only can work with some G/L accounts.
I have seen in transaction FS00, in control data tab, a field called Auth. Group, but I really donu2019t know if this is the right field.
Do you know how I can control access to G/L Accounts by Authorization Groups? Perhaps must I to create a new Authorization Group by roles? We have 4.6c.
Please, any help is welcome.
Thanks in advance.Hi
Update the authorization group field in the GL master with any user defined value and then include the same in the respective user roles against the authorization object - F_BKPF_BES-BRGRU in PFCG
Ensure you have updated 'Authorization group' for the GL accounts in your chart of accounts
Thank You, -
I want to create a authorization group for cic0 tcode.
i want to create a authorization group for cic0 tcode.
in detail...
in cic0 tcode i will enter business partner name
and press enter it gives me list of same names..
i want to restrict as per the region..there...
for exapmle....
if i enter name as raja
it gives me a list of raja in all region
but i want for a particular region....
how to create a authori object.....................
Regards
Anbuhttps://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
If you start SU21, find the authorization object and double click on it you should be able to see who the author is.
Or you can findout through SUIM -
Authorization Group for /KJRTAX01/A03
Hi Sap Gurus,
A user in our project has requested access to tcode /KJRTAX01/A03.
This tcode pulls in the object S_TABU_DIS to the role when added with the DICBERLS(Auth. Group) as &NC&.
Now giving access to this value will give access to lot of unwanted tables and hence we wanted to restrict the access.
When I tried to find out the tables which this tcodes affect I am unable to find out. Can anyone suggest which tables will get affected because of this tcode /KJRTAX01/A03
Thanks,
ArjunArjun,
First thing I would do is to ask the user for list of the tables he want to update or display.
Once you have the list of tables, you can confirm what authorization group they belong to.
Maintain the transaction code in SU24 as not to pull &NC& or maintain the field values in PFCG itself (it may give you issues every time you open the role in expert mode or every time you enter the transaction code in new role.)
If the list of tables asked belongs to &NC&, then you can explore the possibility of creating a new authorization group and reassign all the tables to this new authorization group.
If the user can not provide you the list, then as Martin mentioned, ask the user to check all tables while trace is on.
Regards,
Shivraj -
Security error: Cannot authorize operation for invalid non-ASCII URL
I have an error that popped up with Flash Player 10.1.85.3 or 10.1.82.76.
In our application, we load users' avatars with their original filename. Some filenames have non-ASCII characters (i.e. Hebrew, accents, or umlauts) and I can no longer load those files from a different subdomain.
For example, I'm trying to load this image (with the Loader class and a LoaderContext):
http://photos.myawesomedomain.com/images/awesöme.jpg (o with umlaut)
It comes to me encoded in UTF-8:
http://photos.myawesomedomain.com/images/awes%C3%B6me.jpg (umlaut converted to %C3%B6)
When I try to load the file from http://myawesomedomain.com/myawesome.swf, I get this error:
*** Security Sandbox Violation ***
Connection to http://photos.myawesomedomain.com/images/awesöme.jpg halted - not permitted from http://myawesomedomain.com/myawesome.swf
Error: Cannot authorize operation for invalid non-ASCII URL http://photos.myawesomedomain.com/images/awesöme.jpg
If I try this with a player earlier than 10.1.82.76, it works. It also works if I move the file to the same domain as the SWF (http://myawesomedomain.com/images/awesöme.jpg) -- but that's not an option for me. Files without unusual characters work regardless of the player version.
The error occurs when I try to access the bitmap data of the loaded image. I've tried encoding the URL differently, but Flash always reports it as "http://photos.myawesomedomain.com/images/awesöme.jpg" - with the umlaut converted to strange characters. The cross domain file allow-access-from "*.myawesomedomain.com"
Has anyone run into this? Is there a way I can fix it without renaming the users' photos (we have tens of thousands of these)?
I feel like I must be missing something obvious; hardly anything comes up in Google for this, but I don't think it would be an uncommon problem. I believe https://bugs.adobe.com/jira/browse/FP-5580 is related.
Thanks!The problem is based on the player version, not the browser.
The problem showed up in Chrome first because it auto-updates the player; when Firefox users installed the updated player, they started having the problem, too. -
Material/Material Type in Material Authorization group for QM
Hi All,
I am unable to find out the Material or the Material Type that is linked with a material authorization group (QMATAUTH).
Do we have a table where I can find the Material Types or the Materials contained in each material Authorization Group (Q_MATERIAL -> QMATAUTH).
Thanks!> I am unable to find out the Material or the Material Type that is linked with a material authorization group (QMATAUTH).
>
> Do we have a table where I can find the Material Types or the Materials contained in each material Authorization Group (Q_MATERIAL -> QMATAUTH).
You can get teh details on QM authorization group through table TQ01D. YOu can go through the following post for list of QM tables and tcodes.
QM Tables and T codes
Thanks.
Anjan -
Authorization group for table maintenance view
I need to create table maintenence view for a custom table, client provide name for auth. group, but no clue how to create auth. group.
can someone provide the steps to do this?Hi,
Follow below steps to create table maintenance for a table and to assign authorization group to a table:
step1: Go to SE11 enter the table name
step2: In the standard toolbar you will find UTILITIES
Go to UTILITIES -> TABLE MAINTENANCE GENERATOR
You will go to first screen of Table maint. gen.
Here you will find to enter authorization group.
Thanks and Regards,
Shravan G. -
Field Authorization Groups for partners and texts
Hello,
We would like to use the Field Authorization Groups in the customer master to restrict update of specific fields. One problem we face is that we can't seem to find a way to restrict the authorization on the partners and texts. Has anyone come across this issue and found a solution? If so, could you please share it with us?
Thanks,
ChristineHi,
For the text this is clearly not possible.
Text is an additional component above of the transaction. It is not fully integrated. So there are some limitations
For the partners. I guess you mean partner functions of a customer.
I'm a bit surprise. The fields below should be customizable
KNVP-DEFPA
KNVP-KNREF
KNVP-KUNN2
KNVP-LIFNR
KNVP-PARNR
KNVP-PARVW
KNVP-PERNR
Hope this helps
Alain -
Security permission to user Group for menuitem in ax 2012
Hi experts,I have a query,
Query is that i want to give menu item level permission to user group,for e.g i want to show accounts Payable
all set up parameter to Finance Group,so how it can be done? i don't want to use Roles--->Duties------->Privileges method,
I want to just create two groups for one ACount Payable set up parameters will be showed on main ,and for
other group it was disable?
is that possible with out creating new roles ,duties and then privileges procedure?Hi Munsifuv. You might get more help on this and your other AX questions on an AX-specific forum. We can help with connecting Power Query to data sources, but aren't necessarily experts on configuring those sources.
Thanks,
Ehren -
How to Create Authorization Group for SAP Standard Tables
All,
I have 10 standard tables which are required to maintain by the user in Production environment.
Is there any way to create a custom auth group for the standard table?
Is it possible to assign same table in two different auth groups?
Please advice
Thanks,
KoteshMultiple tables can be linked to an auth group, but one table can be linked to only one auth group.
You cannot link one table to more than one auth group.
It is always advised to try to find an existing auth group having tables of same functinality and criticality, before creating a new auth group.
In case you don't have any such auth group, I feel you can create a Z auth group using se16->tbrg.
You can also create auth group using tcode se54. -
Which table could i find 'Authorization Group' used for Material master?
Hi experts,
Is there any table available could i find all 'Authorization Group' list as used by material master data.
OR in SPRO, anywhere could i find 'Define authorization group' for material master data specific??
Thanks.Hi
Authorization group in the material master are maintained at the material type level.
SPRO->IMG-> Logistics - General-> Material Master-> Basic Settings-> Material Types-> Define Attributes of Material Types
List of authorization roups can be found in table T134-Material Types
this filed is a free defined 4 charcter field.
Thanks & Regards
Kishore -
How to transport Authorize Function Group for a table
Hi, Expert,
I created a customize table ZF304 with Authorization Group ZFIG in development environment. Somehow, the ZFIG did not transprot to QA. The Authorization Group for table ZF034 in QA show: &NC&
I need retransport the ZF304 table with ZFIG to QA. When I use the SE54 > Utilities > Total Transport, the ZFIG did not show in the object list.
Is it necessay that the ZFIG need specific in the transport? or it is already include int eh ZF304 transport?
In other word, how to make the QA Authorization Group show 'ZFIG' in stead of '&NC&'. How to do the transport in RD0 to make this happen.
Thanks,
HelenHi,
Check if you have an entry in the transport request as depicted below:
Definition of a Maintenance and Transport Object R3TR TOBJ ZF304 Object Locked
If not then please add it in your task.
KR Jaideep, -
Hi,
We want to limit users to only seeing movements for a custom material type ZRSA. . There are 5 storage locations currently that we have for Maintenance and that authorization object M_MSEG_LGO is set to those types.
I went in transaction SU24 (maintain the assignments of authorization objects) and set the
check indicator to include object M_MATE_MAR (Material Master: Material
Types ) for MB51 meaning an authorization check will be carred out against this
object in MB51. This was needed to limit users with this role to
seeing only ZRSA material types. How and where do we create the Authorization group for BEGRU to bec checked in auth object M_MATE_MAR? Is this even possible.
Also how can you create an entry into table TMBG (Material Master authorization groups)?
Thank you so much,
Jennie WinnJennie, unfortunately it is a wrong forum. Try it in Security related forum.
Regards,
Prateek
Maybe you are looking for
-
Hi I'm not very computer literate so pls be gentle! I bought an iPad air two days ago and synch my photos using iTunes just fine. Today for some reason I noticed all these white thumbnails on my laptop in the photos section. Stupidly I deleted all 60
-
How to start service & connect with database in network
Dear friends, I have created a Database and tried to connect it from remote computer. I have configured Database name and host name in the remote client computer. But when i net start oracleservice(db name) its not connected. showing Tns error. I sta
-
Accessing KM Global Services through KM API
Hello all I am currently trying to access KM Global Services from KM Java API, And I have not any way to access this service to handle Property Groups in KM (Configuration -> Content Management -> Global Services -> Property Structures -> Property
-
I have an iMac (circa Fall 2007) running OS 10.6.8 and whenever I am in a Google platform (or Yahoo also) it runs fine for a while then it suddenly turns dark and the screen is filled with parallel lines and crashes. The only way to get it up and ru
-
How to find where iWeb is saving the files?
greetings. i used iweb last year to make a couple web pages... i normally just edit html directly and don't use this kind of software... i cannot find where it is saving the pages i've updated... the location in ~/Site that has the files from last ye