Manual authorization in PFCG

A guy in my company says that in PFCG it is not recommended to add an authorization manually on the profile. So, for any authorization object we want to add to a role, first it is necessary to change in SU24 the proposal field to YES (check maintain flag). With no exceptions. Even if the object is not checked in the main part of the transaction or if we want to add it only to one role among many that have this transaction (being necessary to inactivate it in the others).
Does anyone here adopt this policy or agree with him?

Generally I agree with him and this is the intended way of using PFCG.
Humberto Seleri wrote:
> With no exceptions.
That is probably too strict, because there are different system types (e.g. BW) and ways of building special roles (e.g. RFC - certainly in earlier releases).
But you should be able to cover 90% of the use cases with SU24 tweaked to meet your needs.
> Does anyone here adopt this policy or agree with him?
I was on a BI course in Walldorf a few months back. The course presenter was building profiles with SU02 and changing authorizations with SU03.
I asked why he was not using PFCG, and he said something like: "Yes, you can do it that way as well".
Cheers,
Julius

Similar Messages

  • FM for manual authorization of credit cards via VA02

    Hello experts,
    I am looking for a function module or a BAPI with the functionality of the manual authorization button in the VA02 transaction.
    I want to create a program which automatically executes the manual authorization process at night for a specific order with a specific credit card number. Batch Input is no option...
    Hope one of you can help me...
    Best regards,
    Danny

    Authorization Function Module
    SAP can provide solutions for transmitting card data to many major clearing houses and other
    financial institutions.
    The standard system includes the function module CCARD_AUTH_SIMULATION that is used to
    test the authorization process before obtaining software from our clearing house, or writing our
    own. SAP also provides the testing function CCARD_SETTLEMENT_SIMULATION for Financial
    Accounting (FI).
    When the authorization function module is triggered, the system accesses the logical destination
    that has been specified in Customizing. This is either an SAP internal system, or an external
    program (RFC). Choose Sales and Distribution → Billing → Payment cards → Authorization
    and settlement → Maintain clearing house → Set authorization/settlement control per
    account in Customizing to set the function module for authorization.
    If this function module (CCARD_AUTH_SIMULATION) is not customized then, system only
    simulates authorization, even in a Live system.

  • Payment Card processing- Manual Authorization

    Hi Experts,
    We are on CRM 4.0.
    Wanted to have an input on the Manual Authorization process for Payment card processing.
    Can someone guide as to how this can be achieved?
    thanks
    Yash

    df

  • Mass Upload of Authorization in pfcg

    Hello Everyone,
    We have a requirement to add 600+ authorization objects manually in a role using PFCG
    I wish  to know is there a way to add everything in one shot.
    Please let me know
    Appreciate your quick response
    Thanks & Regards,
    Vadi

    Dear All,
    Thanks a lot for all your replies.
    We have recently performed segregation of duties for finance module.
    I have created a role and added the required tcodes as per the SOD document.
    But many of the tcodes are not working as expected and many reports are giving different value when its downloaded to excel
    I have requested for su53 screen shot and added the missing authorization from few users.
    However the end users are not happy with the way of providing SU53 every time whenever authorization error occurs.
    Hence we decided to find out the authorization objects which are relevant to the tcode and add everything.
    We have compared SU24 dump and AGR_1251 table dump to take out the missing objects which resulted in 600+ objects
    I understand this is not the right way to do but not sure on how to go about it.
    Please suggest if you have any solution to this
    Thanks in advance
    Regards,
    Vadivambal

  • Manual Authorization of Credit card in Sales Order

    Hi All.
    can some one let me know , how can I manually authorise a credit card in Sales order.
    Thank u.
    Regards
    madhu.

    Hi Madhu
    I think this can help u.Please go through once.
    6.4 Maintain Credit card types
    Background
    In this configuration the basic card types are defined.
    Standard system contains three card types and their function
    modules for checking.
    - American Express
    - Master Card
    - Visa
    Let's see the configuration predefined in system for these
    categories.
    Instructions
    Follow Menu Path: IMG → Sales and Distribution → Billing →
    Payment Cards → Maintain Card Types
    1. Click
    For maintaining new card type click on .
    Following are fields explained:
    Field Name: Field Description and Value
    Card Type: Key for Card Type, predefined entries exist for AMEX, MC & VISA.
    Description: Description of the card type
    Check: Function, which carries out the check for card numbers. This check is in first check in system before authorization from Clearing houses. Four standard function are provided in system:
      - CCARD_CHECK_LUHN_MOD_TEN - Runs a general check of the card number, for example, for a valid length and combination of digits. This is the industry standard check.
      - CCARD_CHECK_MC - Checks MasterCard numbers for a valid leading digit. The system also carries out the LUHN_MOD_TEN check.
      - CCARD_CHECK_VISA - Checks Visa card numbers for a valid leading digit. The system also carries out the LUHN_MOD_TEN check.
      - CCARD_CHECK_AMEX - Checks American Express card numbers for a valid leading digit. The system also carries out the LUHN_MOD_TEN check.
      Additional functions can be created in system in customizing.
    Date Type: Valid from & to date period is controlled here, options include Day or Month.
    Virtual Card: Specifies if card is virtual card, used over internet.
    Click and .

  • Authorization questions PFCG...

    Hi Guys
    A Couple of questions...
    We are upgrading from an older version of CRM without WEB UI to 7.0, we have composite roles on all our user, i.e. more than 1 role per user. As I have understood it you only have the possibility to assign on PFCG ROLE ID to a specific Business Role in the WEBGUI.
    I know how to set up the business roles etc, these questions are more "how did they intend it to work"...
    1. Overall Question, How should we use this PFCG role?  
    2. I have heard that you can leave it blank, what does this mean, that it the users authorization is as before i.e. as defined with the multiple composite roles stored directly on the user?
    3. How does this PFCG Role on the Business Role work together with the PFCG Roles you have on the users directly? What is the  meaning of the PFCG ROLE on the business role in relation to the ones on the user?
    4. Should we delete the roles on the users and add them directly on the business role, we might have a problem there as many users work as "SALESPRO" but they have different authorizations, some are more senior than others. Would we then have to have several business roles (SALESPROJR,SALESPROSR etc) as we can only have 1:1 between business role and pfcg role id?
    5. What we would like to have basically is 2 or 3 Business roles that sets the layout and basic worksets, the authorization should behave as before per user not per business role. 
    Any relevant input on these questions will be greatly rewarded.
    /Jabba

    UGLY for some reason there are no line breaks... I will try to fix it so it is readable after lunch....
    Thanks, very grateful for your comments but I think we have to be a bit more specific. I will try to clarify
    I understand how the standard roles work together with the standard PFCG ROLE IDs assigned to them. However we already have a structure for our authorization roles that is on user level via su01 and each user has several composite roles. To merge these roles into one PFCG role and assign it to a business role is unrealistic, this will create too many business roles for the user as there can be only a 1:1 relation between a Business role and PFCG ROLE assigned to the business role.
    With that said I have been recommended to leave the PFCG ROLE id on the business role blank, this will lead to that the authorization on the user level kicks in.  
    However this raises some additional questions...
    1 The authorizations in our old CRM system could not possibly cover the authorizations in the WEB GUI as we don't have a   WEBGUI today so are there any special authorizations we need to setup for the WEBGUI itself. Example: Lets say that in the old CRM system the user had authorization to create a service order. If the user keeps this authorization on su01 do we need to add any additional authorizations on the user or to the business role so he can access the workset and trigger create service order from the WEBGUI?
    2 IF we had both a PFCG ROLE ID assigned to the Business Role and Composite roles directly on the user which one will actually be used? Will they both be used? What happens if the authorization on the Business role says "NO" and the authorization on su01 says "YES" Or is it really as it is stated above answer that if we specify a PFCG ROLE ID on the business role this will be used and nothing else?
    3  What about our own authorization objects, is there a way to scan these and see if they are valid for CRM 7.0? How should we go about verifying our old authorizations in the new 7.0 system? Is there a report you can run? I guess also that some authorizations are not valid anymore, or how does the authorizations per transaction work. I mean we have in our roles added certain transactions, people will no longer use CRMD_ORDER how does this translate to the webgui?
    4 We are using the salesorg structure today and the plan is based on what we know so far to assign business roles to the positions and not to assign a PFCG ROLE id at all to business role. Can anyone see any problems with this?
    5 What is UIU_COMP is that a new auth object? What new auth objects are delivered in webgui?
    Again thanks for any input on the above. Perhaps more people will be interested if we make this investigation thorough.
    BTW I found this post Re: Reg: Business Role but it still leaves some questions unanswered.
    Edited by: jabba hut on Nov 10, 2009 1:52 PM

  • Do i have to manually authorize for every song in my itunes library?

    I just transferred my itunes library (some purchased and some ripped from my cds) to my new macbook.
    I tried to play a song and it told me I had to authorize the computer to play the song. I authorized it and a message came on to tell me that I had authorized 2 out of 5 computers. When I tried to play another song it gave me the same error message "this computer is not authorized." I had to go into the folder, find the artist, the album, and the song, then it had me type in my password again. A message popped up saying I had now authorized 3 out of 5 computers....
    It's the same computer!!
    Am I really going to have to go through each and every one of my over 1,800 songs and go through this process?
    I'm also worried to keep going because it is going to tell me that I have authorized another computer even though it's the same machine.
    Isn't there a way to authorize my entire library at once?

    Ok, so I don't want anyone to mess up their itunes library on account of my advice, so I would recommend getting in person help from someone who knows what they are doing.... but for what it's worth, here's what the guy in the apple store did for me.
    He erased all the content (music/ video) in my itunes program, NOT the music in my itunes folder. We checked a few times to make sure that all the music in my itunes folder was really there. He explained it to me like the itunes music folder is where my music collection lives, and the itunes program is just the catalogue that lets me organize it and pick what I want to play. Erasing the itunes program content did clear out all of my personal playlists so that's kind of a bummer, but I can create those over again.
    Once he had cleared out the itunes program (the whole list was just blank) he went into the itunes folder and selected everything and then dragged it and dropped it into the blank itunes list. It took a LONG time to copy over, but everything seems to be working fine now.
    Again, I would recommend going to see someone, because I know I would be ****** if I erased all of my music on accident trying to follow some novice's description.

  • Authorization Object (pfcg transaction) versus Funds center group

    Hi,
    I would like to know how I can by "authorization object" in PFCG transaction to allow that some user can access the funds center group (created in FM_SETS_FICTR1 transaction). Is there "authorization object" to funds center group?
    On the other hand, I need that one user access just all Funds Centers of the specific funds center group using "authorization object".
    Kind regards in advance.
    Claudio

    Hi Alex,
    Your idea is good, but unfortunately my Funds center doesn't have its code starting with the same character. Ex... BQ000020 is a Funds center group of Funds center ET000030, BF000043 and CJ000031.
    thanks a lot
    Claudio

  • Authorization object (pfcg transaction) x funds center group

    Hi,
    I would like to know how I can by "authorization object" in PFCG transaction to allow that some user can access the funds center group (created in FM_SETS_FICTR1 transaction). Is there "authorization object" to funds center group?
    On the other hand, I need that one user access just all Funds Centers of the specific funds center group using "authorization object".
    Kind regards in advance.
    Claudio

    Hi Mauri,
    the transaction SU24 for FM_SETS_FICTR1 transaction just show the object F_FICA_FCG and this object only open the fields: FM_AUTHACT and FM_FIKRS for this object.
    I solved this problem applying Alex's idea below:
    Hi, if Fund centers from FC groups doesn't across (i mean that one FC can include just to one FC group), then you can upload FC from groups and maintain Auth group via LSMW.
    Ex. maintain for all FC from FC group BQ000020 auth. group=BQ02 etc
    thanks a lot
    Claudio

  • PFCG manually created Authorizations synchronized to Menu

    Hello Colleagues,
    one question please regarding role creations under PFCG.
    The normal way is first under "Menu Tab" to create the user menu.
    The authorization objects related to your design at Menu Tab will automatic create under Authorization Tab.
    But what about if create first your manually authorizations (objects) under Authorizations Tab and afterwards you will have your manually created authorizations under Menu Tab?
    Is there a synchronizing possible?
    After I finalize my manually authorization design at Authorization Tab and I create afterward some objects under Menu Tab this will update (destroy) my manually design under Authorization Tab.
    What is the best practice way here please?
    Maybe sufficient documentation are available for this point?
    Many thanks in advance!
    Regards,
    Jochen

    Hi,
    I would suggest to ask this question on security forum. You'll get much better feedback there. The best practice is to not use manually created objects. You should always associate them to transaction or something else. It won't update your manually inserted objects because PFCG does not know their relation to transaction.
    Cheers

  • Help regarding BI Authorization

    Hi Experts,
    I am working for first time on BI analysis authorization and I am having below queries to be clarified. Can you all please clarify my queries and help me.
    1. In the project, we will not use HR and will therefore have to do local maintenance of authorizations in each system (for data access, we will also use a central identity management system). This will for sure affect the possibility of the automatic generation of authorizations. My first question is: can it still be used at all (can we load some data via flat-file or maintain some master data in BI)?
    2. Is the concept of having queries linked to PFCG roles to be used at all in BI 7 (according to SAP standard), or is the thought that InfoProvider authorization should be used instead via 0TCAIPROV?
    3. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?
    - Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT
    - Activate the technical content for analysis authorizations: 0TCA*
    - Create authorizations in RSECADMIN, where we link a authorization object to a characteristic value (for instance, assign object: "XY" to characteristic=0comp_code with value=1010)
    - Link the authorizations just created to PFCG roles (for instance create a PFCG role "XY access" which gives access to company code 1010).
    - Create PFCG roles for "Report User" and "BW Developer" which have access to read respective create/change/delete rights of queries.
    - Create PFCG roles with certain queries linked to them.
    - Assign the PFCG roles to BW Users.
    4. Does the BI 7 authorization concept enable the use of user groups, or should authorizations be assigned on a user to user basis?
    5. What happens if I make a characteristic authorization relevant and then include this characteristic in a query and do not do any restriction on this characteristic (i.e. I do not provide any auth values to the system), will I then get an authorization error?
    6. If automatic generation of user authorizations is used together with for instance SAP HR and loaded daily, does this mean that any other manual authorization assignments will be deleted/reset upon the next automatic generation?
    7. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?
    - Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT
    - Activate the technical content for analysis authorizations: 0TCA*
    - Create authorizations in RSECADMIN, basically one object that has a restriction for each of the authorization relevant characteristics and that uses different customer exit variables to determine which values to use. This customer exit then reads some table (which we maintain manually in BI) to find the values for each user based on user name.
    - Link the authorization just created to a PFCG role.
    - Give all reporting users this PFCG role.
    - Create PFCG roles with certain queries linked to them.
    - Assign the PFCG query roles to users.
    Thank you very much in advance for helping.
    Thanks & Regards,
    Sharath

    Sharath,
    Here are some insights/replies to the list of questions you supplied. BW Security can be complicated but the trick is NOT to allow the requirements to allow it to be complicated.
    1) Are you sure you don't mean the IdM system will assist with role-based access assignments? If that is the question then, yes. For the data access (linked to roles via S_RS_AUTH : Analysis Authorizations) you could employ a flat-file load to DSOs and variable security on the authorization relevant characteristics.
    2) Yes, you will need to have authorizations to queries/reports via S_RS_COMP/S_RS_COMP1 still maintained in the roles. The InfoProvider (data access) will be maintained in the Analysis Authorization (S_RS_AUTH). You need to have both in order to successfully pass the auth checks from query/report to data.
    3) Fundamentally (BW Security 101) sounds correct but again it typically depends on the implementation and requirements on how you setup the analysis authorizations along with the roles.
    4) Not sure what you mean about "user groups". Analysis Authorizations can be assigned to "Users" or "Roles". You could always assign roles to user groups via SU10 or via IdM solution.
    5) Depends on how its used in the query. If the query is dependent on a value to render the report (included in initial SQL stmt) then you will get "No Authorization". If its setup as a free characteristic or drill-down, then you won't get authorization error until a statement checks values for authorization.
    6) Depends on how it was implemented. refer to #3
    Hope that helps a little.
    Thanks,
    Matt

  • Authorization Object for PD infotype

    Hi everyone,
    Currently my user's authorization only allows him to have a display view of infotype 0025 (Appraisal) in PA30/PA20.
    However, he now needs to be able to Create and Change the infotype in PA30.
    What are the authorization objects that i need to manually insert in PFCG?
    Note that this only applies for this infotype in PA30.
    Thanks in advance!!!

    the auth object P_ORGIN

  • Prompt for Authorization Object

    Dear Experts,
    I would like to have control on certain authorization objects which are common among the roles while creating them.
    Is it possible that while maintaining or creating a role, if by mistake the administrator does not block the object OR add an entry which we do not authorize, the system should alert the administrator as a popup or alert message?
    I am aware about the report "RSUSR008_009_NEW" for maintaing critical authorizations, however, running a report and giving a prompt are two different things.
    Any possibility of an alert?
    Thanks and Regards,

    Hi J K
    I take the following approach with SU24:
    Complete Proposal - completely maintain an authorisation proposal when that value applies for any situation in PFCG role build. E.g. transaction FB03 for object F_BKPF_BUK has fields ACTVT and BUKRS. You can allow the value as ACTVT = 03 and BUKRS = $BUKRS (org value) for each scenario
    Partial Proposal - only maintain some of the fields where it will be consistent. E.g transaction OB52 for posting periods and S_TABU_DIS with field ACTVT and DIBERCLS. You leave ACTVT blank as sometimes you want change whilst DIBERCLS for auth group is static so you can enter a value there
    Empty Proposal - leave the proposal values completely blank as the requirement will depend on the scenario. E.g transaction SM30 you might leave S_TABU_DIS empty as it will depend on the role for both fields.
    If you take this approach, you minimise the need for deactivating object, copying/changing and manual objects in PFCG. You maximise role authorisation under status of Standard or Maintained.
    Now if we set the proposals in su24, it will be applicable for other new roles as well for which we DO want the proposals to exist.
    Yes if you change SU24 you should clean up all impacted roles but before you build roles you should review
    At the end of the day you need to have competent security administrators who know what a display activity is and have attention to detail/meticulous enough to build the role with appropriate restrictions (i.e. do not put change access in a display role).
    How can we avoid the "new authorization objects" to be added to this display role.
    To avoid this you are trying to avoid using SU24 integration. If you are trying to build a SAP display all role then you might as well copy SAP_ALL and go through and deactivate/remove any display access from the role. In this case you would not use the role menu.
    Not all solutions are technical. It's why you need to have a clearly defined process that is adhered to.
    My trick of display roles - I got the AGR_1251 role and look at the entire contents of the role and scan this list of objects and what's in the role. However, I do this as I know the objects relatively well and can identify the specific objects that are change/display  but do not use ACTVT field (e.g. PLOG/P_ORGIN/P_PERNR)
    Wonder why SAP prompts warning and errors messages doing a business/financial transaction and not security.
    Exactly what would you want the system to prompt? How would SAP know what a display role is?
    We noted that every time we add a t-code, the authorization object added is marked as "new" in the list. We just disable those and generate it
    If you take this approach you cannot guarantee the transaction code will work. The user may need the underlying values and that is why SU24 has them marked as proposal.
    My summary - define your process to include a quality check after building a role and hire security administrators who know more than how to tick and click buttons in PFCG (i.e. they understand security objects and why some are sensitive).
    Regards
    Colleen

  • Limit to UIU authorization

    Hello Experts,
    I faced an issue recently where I am not able to include any more UIU_comp authorizations. The error that pop up is "All authorizations beyond the maximum number are ignored". Is there a way where we can increase the limit of authorization objects in a given PFCG?
    Thanks!
    Neha

    Hi Neha,
    This problem usually happens due to bad role design. The error message
    description is most likely the following:
    Message no. 5@026
    Diagnosis
    The maximum number of 100 authorizations per object was exceeded.
    System Response
    All authorizations beyond the maximum number are ignored.
    Procedure
    Additional authorizations can only be included if you first delete a
    corresponding number of existing authorizations. Note that deleting
    authorizations with the status "Standard" or "Maintained" can lead to
    the inclusion of new default authorizations at the next merging of the
    authorization data. Avoid the maintenance associated with this by
    removing only changed or manual authorizations.
    Probably you have a role that has among other authorization objects,
    more than 100 occurrences for authorization object UIU_COMP. This is
    more than the recommended, as the system limit of 100. You can confirm
    that by selecting the role in question and reviewing this object in
    table AGR_1251.
    So, in order to overcome the problem, all you have to do is to
    approach your Security expert and ask for a redesign on this role. It
    will be most likely needed to split your authorization data in more
    than one role, to avoid trespassing the expected limit.
    ==================================================
    Hoping that above is helpful.
    Best regards - Christophe
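
Added example (not part of the original replies, and not SAP's own code): the AGR_1251 review that Christophe's reply and Colleen's earlier reply both describe, run offline over a CSV export of the table. It counts authorizations per role and object against the limit of 100 from message 5@026 and lists authorizations with status Changed or Manual; the column layout, the MODIFIED codes (S, G, M, U), the DELETED = X inactive flag and all sample rows are assumptions or constructed data.

```python
import csv
import io
from collections import defaultdict

# Limit quoted in message 5@026 in the reply above.
MAX_AUTHS_PER_OBJECT = 100

# Assumed meaning of the AGR_1251 MODIFIED column; verify in your release.
STATUS = {"S": "Standard", "G": "Maintained", "M": "Changed", "U": "Manual"}
# Statuses that are no longer driven by SU24 proposals.
OUTSIDE_SU24 = {"M", "U"}


def load_rows(csv_text):
    """Parse an AGR_1251 CSV export, dropping inactive rows (DELETED = X, assumed)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [r for r in reader if (r.get("DELETED") or "").strip().upper() != "X"]


def auth_counts(rows):
    """Number of distinct authorizations per (role, object).

    AGR_1251 holds one row per field value, so AUTH names are de-duplicated.
    """
    seen = defaultdict(set)
    for r in rows:
        seen[(r["AGR_NAME"], r["OBJECT"])].add(r["AUTH"])
    return {key: len(auths) for key, auths in seen.items()}


def at_or_over_limit(rows, limit=MAX_AUTHS_PER_OBJECT):
    """(role, object, count) for every object that has reached the limit."""
    return sorted(
        (role, obj, n) for (role, obj), n in auth_counts(rows).items() if n >= limit
    )


def outside_su24(rows):
    """(role, object, auth, status) for Changed or Manual authorizations."""
    found = {
        (r["AGR_NAME"], r["OBJECT"], r["AUTH"], STATUS[r["MODIFIED"]])
        for r in rows
        if r["MODIFIED"] in OUTSIDE_SU24
    }
    return sorted(found)


def build_sample():
    """Constructed export: role names, AUTH names and values are made up."""
    lines = [
        "AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,MODIFIED,DELETED",
        "Z_FI_DISPLAY,F_BKPF_BUK,T-FI00000100,ACTVT,03,,S,",
        "Z_FI_DISPLAY,F_BKPF_BUK,T-FI00000100,BUKRS,$BUKRS,,S,",
        "Z_FI_DISPLAY,S_TABU_DIS,T-FI00000200,ACTVT,03,,U,",
        "Z_FI_DISPLAY,S_TABU_DIS,T-FI00000200,DICBERCLS,FC01,,U,",
        "Z_FI_DISPLAY,S_TABU_DIS,T-FI00000201,ACTVT,02,,U,X",  # inactive
    ]
    # One role carrying 101 UIU_COMP authorizations, as in the thread above.
    for i in range(101):
        lines.append(
            f"Z_CRM_WEBUI,UIU_COMP,T-CR{i:08d},COMP_NAME,ZCOMP{i:03d},,M,"
        )
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rows = load_rows(build_sample())
    for role, obj, n in at_or_over_limit(rows):
        print(f"{role}: {obj} has {n} authorizations (limit {MAX_AUTHS_PER_OBJECT})")
    manual = [x for x in outside_su24(rows) if x[3] == "Manual"]
    for role, obj, auth, status in manual:
        print(f"{role}: {obj} / {auth} is {status}")
```

Roles reported by `at_or_over_limit` are candidates for the split Christophe recommends; entries from `outside_su24` are the ones a role review would check against the SU24 proposals.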

  • Creation of custom BW Authorization

    Hello BW/BI Gurus,
    I am facing one problem while creating Custom BW Authorization.
    Steps followed for the same:-
    1-Define the ZRISKLVL InfoObject as Authorization Relevant
    2-Create a reporting authorization object for this InfoObject -This would be done through transaction RSSM
    3-Assign the authorization object to the relevant InfoProviders.
    4-Now, Go to PFCG, Create role, assign manually Authorization (ZRISKLVL), but the values are not coming Master data ID field
    Please help me to resolve this problem.
    Thanks in advance!!!!!!!!!
    Thanks and Regards,
    Jagat

    Hello Sahu,
    Nothing is coming or available in SU53.
    If I am right SU53 is used to find missing Authorization, here in BW I am creating new Authorization.
    Thanks and Regards,
    Jagat
