Link users - positions - roles - authorization objects
Hi guys,
I want to write a report that would link USERS to POSITIONS to ROLES and finally to AUTHORIZATION OBJECTS. The user would enter the SAP username in the selection screen and the report should extract all the information listed above.
I am able to link the following:
+ Users to positions via function module RH_BRANCH_GET
+ Users to roles via table AGR_USERS
+ Roles to authorization objects via function module PRGN_1251_READ_FIELD_VALUES
Unfortunately, I don't know how to link positions to roles.
Does anyone know how to do that?
Also, is there a more efficient way, than the approach highlighted above, to complete this requirement?
Thanks for your time
-TR
Hi,
You can find a link between role and HR object in table HRP1001. The field SOBID contains the name of the role. You need to find a way to convert the object ID into the position role. Be careful about additional fields from that table.
Cheers
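The user-to-role and role-to-authorization-object links from the question can be read in one join instead of one function module call per role. This is an added example, not code from the thread: the report and variable names are hypothetical, table AGR_1251 (authorization values per role) is not named in the posts above, and requiring display authorization on S_USER_AGR before listing a role is an assumption about how such a report should be protected. The position-to-role link via HRP1001 is not covered.

```abap
REPORT z_user_role_auth_list LINE-SIZE 160.
" Added example; report and variable names are hypothetical.

PARAMETERS p_user TYPE agr_users-uname OBLIGATORY.

TYPES: BEGIN OF ty_line,
         agr_name TYPE agr_1251-agr_name,
         object   TYPE agr_1251-object,
         auth     TYPE agr_1251-auth,
         field    TYPE agr_1251-field,
         low      TYPE agr_1251-low,
         high     TYPE agr_1251-high,
       END OF ty_line.

DATA: gt_lines     TYPE STANDARD TABLE OF ty_line WITH EMPTY KEY,
      gv_last_role TYPE agr_1251-agr_name,
      gv_allowed   TYPE abap_bool.

START-OF-SELECTION.
  " Role assignments valid today, joined to the field values kept for each
  " role. Rows flagged as deleted in the role are left out.
  SELECT a~agr_name, a~object, a~auth, a~field, a~low, a~high
    FROM agr_users AS u
    INNER JOIN agr_1251 AS a ON a~agr_name = u~agr_name
    WHERE u~uname    =  @p_user
      AND u~from_dat <= @sy-datum
      AND u~to_dat   >= @sy-datum
      AND a~deleted  =  @space
    ORDER BY a~agr_name, a~object, a~auth, a~field
    INTO TABLE @gt_lines.

  IF sy-subrc <> 0.
    WRITE: / 'No currently valid role authorizations found for', p_user.
    RETURN.
  ENDIF.

  LOOP AT gt_lines INTO DATA(gs_line).
    " Check once per role that the person running the report may display it.
    IF gs_line-agr_name <> gv_last_role.
      gv_last_role = gs_line-agr_name.
      AUTHORITY-CHECK OBJECT 'S_USER_AGR'
        ID 'ACT_GROUP' FIELD gs_line-agr_name
        ID 'ACTVT'     FIELD '03'.
      gv_allowed = xsdbool( sy-subrc = 0 ).
      IF gv_allowed = abap_false.
        WRITE: / 'Role skipped, no display authorization:', gs_line-agr_name.
      ENDIF.
    ENDIF.
    CHECK gv_allowed = abap_true.

    WRITE: / gs_line-agr_name, gs_line-object, gs_line-auth,
             gs_line-field, gs_line-low, gs_line-high.
  ENDLOOP.
```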
Similar Messages
-
Function module to find users for given authorization object
Hi Experts,
I have to develop a new report which displays all the users who have an authorization object which is given by us. I need some function modules to make my program simple.
Please help me on this..
Thanks and regards,
Raja
Hi
check the function modules
SUSR_BAPI_USER_PROFS_GET
or check the tables
AGR_USERS
AGR_1252
UST12
AGR_PROF
AGR_TCODES
check the transactions PFCG and SUIM and SU53 etc
Regards
Anji -
Org Level Roles / Authorization Object Roles
Hi board,
I have heard of the concept to use roles with "Organizational Values" only and no other authorization values contained. Similarly, the idea to exclude special authorization objects from common roles and combine them in dedicated special ones to prevent accidental "double usage".
The first may help to control the overall number of roles coming up after deriving single/composite roles for many levels.
My questions are:
- Is it technically feasible (for a large-scale company)?
- What is your experience?
- Drawbacks?
Kind regards and many thanks for your help,
Richard
Richard Hösl wrote:
> Hi there,
>
> that was fast, amazing. Thanks a lot and my apologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still tempting due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful.
>
> Given the assumption that it is not a good idea to use "Org Value Roles", are you deriving on composite or on single level?
>
> Kind regards,
>
> Richard
Hi Richard,
It is a very tempting approach, but completely wrecks the standard auth concept and unless you are 100% tight on controlling it, can get very messy.
A good way of looking at it is that you have 2 roles - one contains transactions & the other one a big bucket of authorisations which support those transactions. That bucket invariably contains more authorisations than the transactions require. Given that it is at the authorisation object level that the important security is provided, this method has its drawbacks...
If you have organisational complexity then you should look elsewhere to simplify.
By consolidating your roles (e.g. if we take a risk based design approach, typically around 80% of an accountant's role will be the same anywhere in the business) and building at a higher level, you need to create fewer variants (which you might be able to use derived roles for).
Put the effort in the design stage and it will pay dividends later on down the line.
Building at a higher level than task also forces the business to look at roles and responsibilities and to standardise as much as possible.
Cheers
Alex -
Hi,
I am building a custom security report which will have user id, roles, authorization objects, and info objects inside the authorization object(s). I have been able to get users and their roles with tables (usrefus, usr21, adrp, usr02, agr_users) but am having problems finding the following -
Can someone tell me the table names? Any additional info would be appreciated.
Thank.
Hi Clark
Check this Click for authorizations in reporting
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/55/2bb33b90131e73e10000000a11402f/frameset.htm
Regards
Jagadish -
Role creation and authorization objects in sap
Hi
I want to know the full relationship between creation of roles, authorization objects and authorizations in Web AS ABAP.
Please explain the process in detail, the use of PFCG and all its options, and how to create Z roles.
Although it would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
- Roles are nothing but a container for authorizations. A role represents a specific part of an employee's job.
- The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
For e.g. If a user wants to create a PO we can restrict him on:
• Activity : Create/Change/Display
• Org elements like Company Code, Plant, Purchase Organization etc
• Document type etc.
- Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
- Fields: The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & 03 (Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
- An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
- Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
- Authorization checks are included in the transaction source code in standard SAP R/3. A user may carry out an action if the authorization check is successful for each field in the object.
Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM -
Authorization objects to avoid users to access workbook design mode
Hi all,
Does anyone know an authorization object that stops the user from entering workbook design mode?
We use workbook protection but this disables most of the workbook properties.
Many thanks,
Mazzz
Hi..
see this thread.. hope it helps..
How to prevent workbook users from saving workbooks
You must set up security to control who can save workbooks, where they can be saved, and which workbooks appear in the BEx Browser for a specific user.
Workbooks can also be created in the BEx Analyzer. After executing a query, choose Save → Save as new workbook.
Securing Workbooks
In order to save a workbook, a user needs two authorization objects. The two objects listed below are the minimum authorizations a user needs to save workbooks.
S_GUI: Authorization for GUI activities
S_BDS_DS: Authorizations for document set
Using both S_GUI and S_BDS_DS will enable a user to save workbooks to their Favorites folder.
The authorization object S_GUI has one field, Activity. The activity field must be set to 60. For S_BDS_DS, the user needs activities 03 and 30. The Class Type field should be set to OT.
Saving Workbooks to Roles
If a user wants to save a workbook to a location where it can be easily accessed by others, they need to save to a Role rather than saving the workbook in their own Favorites folder. Saving to a Role means saving to a security role.
You may want to set up roles specifically for saving workbooks. You can then assign the role to all parties who need to share workbooks.
Another option is to not allow users to save workbooks, but rather only allow power users to save workbooks. This is done to maintain the roles and to ensure that the workbooks are manageable. This also prevents users from changing workbooks saved by other users.
In order to save workbooks to roles, a user needs:
S_USER_AGR: Authorizations: Role check
S_USER_TCD: Transactions in roles
The authorization object S_USER_AGR has two fields: Activity and Role Name.
Activity field - Must have at least values 01, 02 and If the user can delete workbooks, they will also need value 06.
Role Name: you should enter the specific roles you have created for saving workbooks. Use a proper naming convention for roles so that the roles can be restricted pretty easily. The role name is the name of a role that will be used to hold workbooks. Saving a workbook to a role actually updates the Menu portion of a role, so object S_USER_AGR is a required object.
Authorization object S_USER_TCD has one field: Transaction Code. The user needs value RRMX in this field.
Once a workbook is saved, the data and the layout are saved in the workbook. For security reasons, we recommend that users save workbooks without the data. To save the workbook without the data, the user selects the following menu path from the BEx Analyzer: Tools > All queries in Workbooks > Delete results
Sathya
Edited by: sathya prasad anumolu on Jul 30, 2008 4:58 PM -
Authorization objects for transaction, one to view, and one to maintain
Hi all,
My requirement is to create two authorization objects for transaction, one to view, and one to maintain.
I know how to create objects via sm21, but I do not know how to create objects with activity codes.
Please suggest how to create an object where I can assign activity codes.
regards
manish
The Authorization Concept
R/3 uses authorization objects to assign authorizations to users. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (eg. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (eg. Z_SCC20001).
Authorizations may be classified as general authorizations, organizational authorizations or functional authorizations. General authorizations specify the functions a user may perform. Authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. The system checks for the user's authorization to create general ledger accounts (Activity 1) in at least one company code. The system then checks whether the user is permitted to create accounts for the specified organizational unit (company code) and has the required functional authorizations. Authorizations in this case may restrict the user to certain Charts of Accounts. In addition, an authorization group may be defined in certain authorization objects to protect individual master records.
Profiles relating to an organizational role (eg. General Ledger Supervisor) are defined consisting of a list of authorizations and other profiles. Such profiles are then assigned to users with that role and stored in their user master record along with other data (eg. password).
Do check this link as well.
http://articles.techrepublic.com.com/5100-10878_11-5110893.html -
Table for Role & Authorization group
Hi Gurus,
I am looking for a table or FM to get all roles for Authorization group.
I tried in SUIM tcode but was not able to find the exact DB table for these.
Giri
P.S.: To Moderator:
My earlier thread was locked for the same question. I have been searching in SDN and Google for the last 3 days and was not able to find enough information on it. AGR_USERS, TBRG, TACT are the tables I found. But still there is a link missing between Role & Authorization Group.
Thomas,
My report has a selection screen with Auth group and user.
If user provides Auth. Group then need to find all roles linked to auth group and users assigned to that role.
In my investigation, there is link between Auth. Group <--> Auth. object.
Also Auth. Object <--> Role.
but still there is a fine link missing between Auth Group <--> Role.
For Eg: Auth Object S_TABU_DIS will be associated to all Auth. Groups but assigned to only limited roles.
I tried to debug the SUIM transaction multiple times but couldn't find the tables to find the link and was not able to find the FMs.
If anybody has any idea how to find that link between Auth. Group & Role then it will be helpful....
Giri -
Authorization object P_ASRCONT
Hi Experts,
I want to assign authorization object P_ASRCONT to one user. Also I need to check the particular user has this authorization object P_ASRCONT or not.
Can anybody help me on this?
Thanks,
Helps will be appreciated.
Hi,
Procedure for checking authorization object assigned to user:-
T-code: SUIM --> roles --> roles by authorization object
Enter authorization object --> Execute
Double click on roles --> Click on user
Regards
Sudheer -
Authorization Object and Authorization...!!!
Hi BW Experts,
Could anyone please tell me what is the difference between Authorization Object and Authorization..!!!
Thanks in Advance.
Regards,
Giftedbrain.
Giftedbrain,
Authorization Object:
An authorization object groups up to ten fields that are related by AND.
An authorization object allows complex tests of an authorization for multiple conditions. Authorizations allow users to execute actions within the system. For an authorization check to be successful, all field values of the authorization object must be appropriately maintained in the user master.
Authorization objects are divided into classes for comprehensibility. An object class is a logical combination of authorization objects and corresponds, for example, to an application (financial accounting, human resources, and so on). The line of the authorization object class is colored orange in the profile generator.
For information about maintaining the authorization values, double click an authorization object.
The line of the authorization object is colored green in the profile generator.
Authorization:
Definition of an authorization object, that is, a combination of permissible values in each authorization field of an authorization object.
An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
Authorizations allow you to specify any number of single values or value ranges for a field of an authorization object. You can also allow all values, or allow an empty field as a permissible value.
If you change authorizations, all users whose authorization profile contains these authorizations are affected.
As a system administrator, you can change authorizations in the following ways:
· You can extend and change the SAP defaults with role maintenance.
· You can change authorizations manually. These changes take effect for the relevant users as soon as you activate the authorization.
The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user has sufficient authorization for a particular activity. To do this, it compares the field values specified in the program with the values contained in the authorizations of the user master record.
The line of the authorization is colored yellow in the profile generator.
-Doodle -
Hi All,
I have an authorization object with following fields.
ACTVT = 02
WERKS = 1001
RANGE_FROM = 0
RANGE_TO = 999,999.00
I want to validate whether the user enters a value in between these two RANGE_FROM and RANGE_TO. How can I achieve this?
Also is there any way by which I can read the values maintained in the profile of the user for this authorization object? If this is possible then I can read the RANGE_FROM and RANGE_TO and then put a logic to validate.
Please let me know if any of the ways are possible.
Thanks
Hi Pankaj,
This is an example taken from the SAP Documentation:
Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
M_EINF_WRK_BERECH1
ACTVT 01-03
WERKS 0001-0003
can display and change plants within the Purchasing and Materials Management areas.
Such a user would thus pass the checks
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
  ID 'WERKS' FIELD '0002'
  ID 'ACTVT' FIELD '02'.
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
  ID 'WERKS' DUMMY
  ID 'ACTVT' FIELD '01'.
but would fail the check
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
  ID 'WERKS' FIELD '0005'
  ID 'ACTVT' FIELD '04'.
Hope it helps.
Regards,
Gilberto Li -
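Applied to the RANGE_FROM / RANGE_TO question above, the range mechanism shown for WERKS can carry the amount limit too: maintain the permitted interval as a from-to value on one authorization field and let AUTHORITY-CHECK do the comparison, so the program never reads profile values itself. This is an added example, not code from the thread or from SAP documentation; the object ZM_AMT_WRK, its 15-character field ZAMOUNT and all program names are hypothetical. It assumes authorization values are compared as character strings, which is why the amount is passed in cents with leading zeros.

```abap
REPORT z_amount_auth_check.
" Added example; object ZM_AMT_WRK and field ZAMOUNT are hypothetical.
" For the limits in the question, the authorization would hold ZAMOUNT
" from 000000000000000 to 000000099999900 (0 to 999,999.00 in cents).

TYPES ty_amount TYPE p LENGTH 7 DECIMALS 2.

PARAMETERS: p_werks TYPE werks_d   OBLIGATORY,
            p_amt   TYPE ty_amount OBLIGATORY.

CLASS lcl_auth DEFINITION FINAL.
  PUBLIC SECTION.
    CLASS-METHODS may_change
      IMPORTING iv_werks     TYPE werks_d
                iv_amount    TYPE ty_amount
      RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_auth IMPLEMENTATION.
  METHOD may_change.
    DATA lv_cents TYPE n LENGTH 15.

    rv_ok = abap_false.

    " Type n drops the sign, so a negative amount would otherwise be
    " checked as its absolute value. Reject it before converting.
    IF iv_amount < 0.
      RETURN.
    ENDIF.

    " 1234.50 becomes '000000000123450'. With a fixed width and leading
    " zeros, character order and numeric order are the same.
    lv_cents = iv_amount * 100.

    AUTHORITY-CHECK OBJECT 'ZM_AMT_WRK'
      ID 'ACTVT'   FIELD '02'
      ID 'WERKS'   FIELD iv_werks
      ID 'ZAMOUNT' FIELD lv_cents.

    " 0 means one authorization covers all three values; any other
    " return code is treated as a denial.
    rv_ok = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  IF lcl_auth=>may_change( iv_werks  = p_werks
                           iv_amount = p_amt ) = abap_false.
    MESSAGE 'Not authorized for this plant and amount' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.
  WRITE: / 'Authorized:', p_werks, p_amt.
```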
FM that retrieve the inner authorization object BBP_ROLE using user's role
Hi Experts!
Do you know what Function Module can be used to retrieve the inner authorization object BBP_ROLE using the user's role?
e.g. BUYER : YT:PU:XXXX:BUYERROLE
Object : BBP_ROLE SRM: User function / Role
field name : BBP_ROLE SRM: User function / Role
Activities
Sel Activity Text
x EMP Employee
x OPP Operational Purchaser
......etc
Thanks!
Hi
Execute Txn S_BCE_68001414 in debug mode, and figure out how system takes the inner authorizations through the flow of this program
Regards
Virender Singh -
Authorization object in procurement that checks user role
Hi Experts,
Please let me know if we have any standard authorization objects in the transactions PO or PR that checks the SAP User role. Authorization check can be done by sap role, we are not bothered checking on company code, purchase group and so on, Is there any standard procedure to find out that or any function module available to check that by passing user role. << removed >>
Cheers
Mohan
Edited by: Rob Burbank on Feb 19, 2010 12:24 PM
Easiest way to find all authorization objects is to execute SU24.
There you enter the transaction code for which you want find the authorization objects. -
Authorization Object for Webclient UI BI-Links
Hello,
I created my first two BI-Reports for CRM Service and added them over navigationbar-profile to my businessrole.
Now I have the issue that I can see and process these two new BI-Links (authorization SAP_ALL and SAP_NEW).
But I have a test user which has the same authorization as our service users. With this test user I can't see the links.
Does anybody know which authorization object i need to add to PFCG-role to see the links?
Thank you
Best regards
Manfred
Hello Robert,
it must have to do with authorization.
The businessrole is the same for both users "ZSRVHELPDESK".
Authorization in BW is done for both users.
But the user without CRM authorization SAP_ALL and SAP_NEW can't see the two links to custom BW-Reports.
Another idea?
Thank you.
Best regards
Manfred