Mass change of authorization objects in several roles

Hello,
we have to change a authorization object in almost 200 roles. Is there any possibility for mass change of authorization objects in several roles? We don't use the central SAP user administration.
Best Regards
Andreas Walter

> at the moment all entries has the value "*". We want to change this value into "0001".
Good!
Here comes:
1- download all relevant roles in once from PFCG. Make sure you use an appropriate codepage so you don't loose special characters in the role and menu texts.
2- copy and backup the download file
3- in the download file (is a text file)  look for all lines starting with AGR_1251 and conatining M_MATE_WGR and the field you want to change
4- take out the star and two spaces and replace by 001. This file is a set of fixed record length table exports and keeping the original length is very important.
5- upload the edited file and generate the profiles.
As you may see this is not SAP standard and completely at your own risk. Best try in a sandbox client first.
Good luck!
Jurjen

Similar Messages

  • How we can remove  one authorization object from multiplt roles

    How we can remove one authorization object from multiplt roles

    > Correct me if I am wrong !!
    O.K., Here I go
    > But if the object is maintained in SU24 and if you use Expert mode for generation of the role then again those objects may be pulled.(make sure you never use expert mode once you delete the objects)
    Actually using expert mode and choosing 'edit old status' is the only way to avoid objects being 'pulled in' after menu changes.
    > As jurjen said, you may download the tables and instead of deleting the object from the excel sheet, change the value of the object in column "DELETED" = X, by doing this only the objects get inactivated(but remain in PFCG).
    I am not speaking of downloading tables but about downloading roles from PFCG. This will not get you a spreadsheet but a flat textfile. If you whish to set the object status to deleted you'll have to swap the space on position 207, right behind the 'U, S, G' flag,  with an 'X' for all corresponding lines.
    Jurjen

  • Is there a Limit on number of authorization objects in a role?

    Hi all,
       Is there a Limit on number of authorization objects in a role because I am getting the following error.
    Authorization is full. Please enter fewer values
    Message no. 01262
    Diagnosis
    You have included too many values in an authorization.
    Procedure
    Please distribute the data to at least two authorizations and combine them in a profile.
    Thanks.

    Hello Neha,
    Message no. 01262 refers to the entered values in an authorization, not to the objects listed in the profile!
    So this message tells you, that you have to split the authorization, as the authorization contains too many values. It is not a quesiton of that you have entered too many different objects to the profile!
    Please refer also to:
    [SAP Note 410993|https://service.sap.com/sap/support/notes/410993]
    and
    [SAP Note 943796|https://service.sap.com/sap/support/notes/943796]
    b.rgds, Bernhard

  • Mass changing for accrual object assignments part of the field profit_ctr

    Hi Experts,
    Does any one know about mass changing for accrual object assignments part of the field profit_ctr (profit center).
    How can we do this?
    Best Regarts.

    Hi,
    I have equal problem. How did you save him?
    Regards,Irena

  • Mass maintenance of authorization objects

    Is there a SAP transaction available to mass maintain authorization objects?
    Let's say that I have 120 roles, in all of which I want to change the value of field Y of authorization object X.  For example, object S_TABU_DIS. I want to exclude an authorization group in all available roles. How can I do this for all roles which have this object?
    Modifying each role separately in PFCG is rather time consuming (and pretty unpleasant).

    Actually, SAP does provide a solution to promote and demote fields to org. levels. There are reports for this (use them and not the table maintenance transactions!) because they automatically adjust your roles as well - otherwise you end up with inconsistencies.
    But I agree with you, that org-levels is not a natural solution for this specific problem and although retrofitting security is the most expensive option, one cannot foresee all requirements from the start and Go-Live project pressure can be a factor as well to use * values for fields which on their own appear to be harmless...
    You could try to write an adjustment tool for PFCG, but with "only" 120 roles I think you will be faster and safer with doing it manually. I think that less than 1 day's work should fix it. However, if you are willing to invest 2 or 3 days more, you can also consider restoring the values from the SU24 proposals. Particularly if one group of transactions are in many of the roles and you can isolate the common transaction (the "guilty one...) then you can do it more centrally in future as well.
    However if you have not used the "Read old merge new" function in PFCG's expert mode, then you should be carefull with this as other objects might "correct" themselves as well. Particularly if you have been deleting standard authorizations in roles! (Why that button even exists, I don't know. No good can come of it...
    Cheers,
    Julius

  • Cannot modify an authorization object in pfcg role for a business role

    Hi Experts,
    I have created two z pfcg roles from the standard business role CRM_UIU_SRV_PROFESSIONAL  lets say by names zagent and zmanager. My requirement is actually to map these two pfcg roles two a service professional agent and service professional manager custom business roles respectively( I have created these custome business roles from standard business role servicepro) . I have identified an authorization object by name CRM_CO_SE which is basically used to check whether the user is authorized to create service contract transactions. So, in the agent pfcg role, I need to de activate or deselect this particular authorization object so that the agent will not be able to create service contract. (This is not a real time requirement, but an internal assignment). When I change this object in the pfcg by deselecting 'Allow' check box and try to generate, it is not getting generated. I have selected all the options from the 'Expert mode for the profile generation' and still the traffic indicator for that authorization object is yellow.  Am I doing anything wrong?
    Please help me.
    Thanks
    Ajith C

    Hi Leon,
    Thanks for helping me, I have restricted the unauthorized user from creating a new order by disabling the 'New' button by checking the business role in  the code. The pfcg configuration, I am skipping it for now.  I have one mnore requirement. When one clicks on any items in the search result for the Service Contracts, it opens the details of that service contract with an 'edit' button. I can disable this button using do_output_preparation method for the some business roles. However, I want to disable this after checking a condition. The condition is that, edit button should be active, only if that service order was created by the employee who has currently logged on. I am relatively new to CRM and I could not figure how I can check it during run time. Could any one please help me with this?
    Thanks,
    Ajith

  • Mass change rule authorization

    Dear experts,
    I want to allow for several users to allow to create and release substitutions on asset master data. But when user release a worklist, warning message appears:
    <i><b>"No administrator found for the task"
    "Message no. 5W141"</b></i>
    What should I do, what parameter is missing on user profile? We definitely want to grant to some users rights to create and release substitutions, so do we need to grant System Administrator rights?

    Hi Marius,
    I would suggest that once you get the below error execute transaction SU53. You will find which authorization object are missing and forward the same to your Basis Team to create/ assign role appropriately.
    Hope this helps.
    Pls assign points as way to say thanks

  • Trouble when adding / modifying authorization objects in a role through ERM

    Hi everyone!!!
    We're having some issues when configuring ERM, we followed the Post-Installation guides and we are done with the config part, but when we try to do an example creating a role, we're getting an error message when attempt to add the authorization data.
    When we look at the log, we find this message:  /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
    This is the last log...
    2010-11-05 17:03:42,515 [SAPEngine_Application_Thread[impl:3]_30] ERROR /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
    java.lang.Throwable: /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
         at com.virsa.re.service.sap.dao.SAPRoleTimestampDAO.getRoleChangedDetails(SAPRoleTimestampDAO.java:136)
         at com.virsa.re.bo.impl.ConcurrentAccessRoleBO.isRoleChangedInPFCG(ConcurrentAccessRoleBO.java:228)
         at com.virsa.re.role.actions.AuthAuthorizationDataAction.pageLoad(AuthAuthorizationDataAction.java:6865)
         at com.virsa.re.role.actions.AuthAuthorizationDataAction.execute(AuthAuthorizationDataAction.java:213)
         at com.virsa.framework.NavigationEngine.execute(NavigationEngine.java:273)
         at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:230)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)
         at com.virsa.comp.history.filter.HistoryFilter.doFilter(HistoryFilter.java:43)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:384)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Plz help us, we can't find any information about this error.
    Regards
    Connie

    Hi,
    Settings need to be checked-
    1. Connectors must be identical for all components for a particular system and test connection should be successful.
    2. Unicode should be checked for RAR connector.
    3. Patch Level should be same on GRC and Backend and all backend post-installation activites must be completed  - (BC set activation, Program etc)
    4. RAR Objects Import must be done.
    5. ERM Background jobs must be completed before doing Role Creation- Transaction/Object/Field sync, Org Value sync and activity sync.
    If above activities are done, no issues should occur in tcode/Object assignment in role.
    Regards,
    Sabita

  • Identify duplicated authorization objects in a role

    Hi,
    We built some roles manually by drag and drop transaction through the menu tab. In some roles, we have duplicated authorization object
    For example, in PM : Maintenance Plant (object I_SWREK), we have 2 profiles with SWERK=* and TCD = (list of transactions).
    I'd like to generate a new role with only one profile which contains SWERK=* and a list of transactions in TCD
    The pb is i don't know at first which authorization objects or profiles are concerned by this duplicated objects
    Is there a program, trans code or function module i can run to get this information ?
    Thanks
    Guillaume

    Hi Guillaume,
    I would say, that there will be not much difference.
    The auth.-check scans one authorzation (not profile!!!) after the other for the requested values.
    So for example:
    check for TCD = IE03
    first hit is successful for both scenarios, as both list IE03 at first place.
    Scenario 1:
    SWERK=* and TCD = IE03, IL03, IP06, IQS1, IQS2, IQS3, IW3D
    Scenario2:
    SWERK=* and TCD = IE03, IL03, IP06
    SWERK=* and TCD = IQS1, IQS2, IQS3, IW3D
    second example:
    check for TCD=IW3D
    Scenario 1: the first authorization is loaded and verified, last value gives success.
    Scenario 2: no success for the first authorization, second auth. has to be loaded for analyzis and gives success with the last value.
    So scenario 2 could even be less performant....
    did you realize already some differencies???? Would be interesting...
    thx, Bernhard

  • Elements of WebUI by authorization object in user roles?

    Hi all,
    we are currently setting up a SNC scenario with SCM 5.1. I have some information about how to change the WebUI for the Responsive Replenishment, but by now I can only change it for all users. I would like to link certain Web buttons and screens to user authorization roles, so some users get buttons others can't see, depending on their roles.
    Has anyone a clue for me if this is possible, and how I can implement this, or where I can documentation about it?
    Thanks for any help.
    Best regards,
    Timo

    Hi Timo,
    If you are intending to change a few elements in the WebUI programatically, then you could restrict the changes on the basis of the role. (is for a supplier or a customer)
    I do believe that you might to be needing to do the changes in the corresponding ICH Data matrix model business logic class.
    Here
    The attribute P_DATAICHDM->S_CBINFO-APPDATAID holds the value corresponding to the application and the role thats accessing the screen.
    I do believe , in your situation, the appdataid for a customer would be 'RPLRRC' and for a suppler would be 'RPLRRS'. However, you would need to cross verify this.
    All you need to do now, is to check the value of these attributes which have been set and code for the UI Changes accordingly.
    There could be other simpler approaches , by means of configuring too, depending on the nature of your change. I am not really sure. I just suggested one thing that worked in my case.
    Cheers,
    Rashmi.

  • Sales Order Change (VA02) Authorization Object

    Hi Experts,
    Please suggest me, what is authorization object for availability check in VA02.
    From
    Ramesh Kumar

    Hi Kapil,
    Thanks for your reply.
    I have already checked it. But i am not finding this object.
    Basically, I want to restrict a user for change in delivery schedule dates. So please suggest me, how to restrict a user for that.
    From
    Ramesh Kumar

  • Color change in authorization object in maintained, partially ,unmaintained

    hi gurus,
       In PFCG once we get into authorization and display, some are in red and some in yellow and green. It is based on maintained, partially ,unmaintained authorizations. But, when a red changes to green  and yellow change to green and green change to red. Hope u understood my question. pls help me in this.
    Moderator message: not directly related to ABAP development, please have a look in the Netweaver Security forum.
    Edited by: Thomas Zloch on Dec 2, 2010 4:47 PM

    Hi ,
    Please check this code i have used this to show a icons accoring to the values tat iam getting from the bapi.
    create object lr_image.
      lr_image->set_source_fieldname( 'RISK_CRITICALITY' ).
      lr_column->set_cell_editor( lr_image ).
      loop at lt_projhealth assigning <fs_risk>.
        if <fs_risk>-criticality_desc eq 'VERY HIGH'.
          <fs_risk>-risk_criticality = 'ICON_STATUS_CRITICAL'.
        elseif <fs_risk>-criticality_desc eq 'HIGH'.
          <fs_risk>-risk_criticality = 'ICON_STATUS_ALERT'.
        elseif <fs_risk>-criticality_desc eq 'MODERATE'.
          <fs_risk>-risk_criticality = 'ICON_LED_YELLOW'.
        elseif <fs_risk>-criticality_desc eq 'LOW'.
          <fs_risk>-risk_criticality = 'ICON_STATUS_BEST'.
        elseif <fs_risk>-criticality_desc eq 'VERY LOW'.
          <fs_risk>-risk_criticality = 'ICON_LED_GREEN'.
        endif.
    Regards,
    Muneesh Gitta.

  • Programmatically assigning Authorization Objects to roles

    Hi there,
    I have created an authorisation object with eight fields. The fields control which parts of my application are accessible to the user. (Each field is one category, each category has several subcategories).
    What I want to do is the following:
    There shall be a custom authorization dialog, wherein the system administrator can configure the access of the application for a specific user.
    In plain text: I want to develop an interface which makes it possible to assign authorisation objects with specific values to a user or to an already existing role.
    Is there any functionality, that allows me to perform this assignment and regenerate the users profile?
    I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just to write new values to that table has no affect to the authorization when calling "authority-check object" in an ABAP report.
    Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?
    Thank you very much,
    Gregor
    Edited by: Gregor Bender on Mar 11, 2008 8:41 AM

    >
    Gregor Bender wrote:
    > I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values.
    Nope, sorry, it's not the connection but only one of the many.... Roles and profiles are stored in quite a lot of different tables so manipulating one table directly will hardly ever get you the desired situation. It may even lead to problems due to inconsistencies.
    For mass regenerating profiles there's transaction SUPC.
    For manipulating the contents of roles/profiles have a look at scripting with SECATT or LSMW in combination with PFCG.
    If you want to write code to add objects to roles you have to look at least in tables AGR_1250, AG_1251 and AGR_1252. The UST* tables are updated when generating profiles and/or comparing users.

  • Org Level Roles / Authorization Object Roles

    Hi board,
    I have heard of the concept to use roles with "Organizational Values" only and no other authorization values contained. Similar the idea to exclude special authorization objects from common roles and combine them in dedicated special ones to prevent accidential "double usage".
    The first may help to control the overall number of roles coming up after deriving single/composite roles for many levels.
    My questions are:
    - Is it technically feasible (for a large-scale company)?
    - What is your experience?
    - Drawbacks?
    Kind regards and many thanks for your help,
    Richard

    Richard Hösl wrote:
    > Hi there,
    >
    > that was fast, amazing. Thanks a lot and my appologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still temptating due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful. 
    >
    > Given the assumtion that it is not a good idea to use "Org Value Roles", are you deriving on on composite or on single level?
    >
    > Kind regards,
    >
    > Richard
    Hi Richard,
    It is a very tempting approach, but completely wrecks the standard auth concept and unless you are 100% tight on controlling it, can get very messy.
    A good way of looking at it is that you have 2 roles - one contains transactions & the other one a big bucket of authorisations which support those transactions.  That bucket invariably contains more authorisations than the transactions require.  Given that it is at the authorisation object level that the important security is provided, this method has it's drawbacks........
    If you have organisational complexity then you should look elsewhere to simplify. 
    By consolidating your roles (e.g. if we take a risk based design approach, typically around 80% of an accountants role will be the same anywhere in the business) and building at a higher level, you need to create fewer variants (which you might be able to use derived roles for).
    Put the effort in the design stage and it will pay dividends later on down the line. 
    Building at a higher level than task also forces the business to look at roles and responsibilities and to standardise as much as possible.
    Cheers
    Alex

  • New Authorization Object within Role

    hi everybody,
    does anyone know how can i get New Authorization Objects for any Role for the new release that did not exist in the same Role from former release?
    tables AGR_1250 and AGR_1251 do not show if object is new for this role. they only show if object is new itself.
    thanks a lot,
    javier rubio

    pandu,
    se54 is not related with this topic.
    thank you very much for your answer, very hepful

Maybe you are looking for