Mass change of authorization objects in several roles
Hello,
we have to change an authorization object in almost 200 roles. Is there any possibility for mass change of authorization objects in several roles? We don't use the central SAP user administration.
Best Regards
Andreas Walter
> at the moment all entries have the value "*". We want to change this value into "0001".
Good!
Here comes:
1- download all relevant roles at once from PFCG. Make sure you use an appropriate codepage so you don't lose special characters in the role and menu texts.
2- copy and backup the download file
3- in the download file (it is a text file) look for all lines starting with AGR_1251 and containing M_MATE_WGR and the field you want to change
4- take out the star and two spaces and replace by 001. This file is a set of fixed record length table exports and keeping the original length is very important.
5- upload the edited file and generate the profiles.
As you may see this is not SAP standard and completely at your own risk. Best try in a sandbox client first.
Good luck!
Jurjen
Similar Messages
-
How we can remove one authorization object from multiple roles
> Correct me if I am wrong !!
O.K., Here I go
> But if the object is maintained in SU24 and if you use Expert mode for generation of the role then again those objects may be pulled.(make sure you never use expert mode once you delete the objects)
Actually using expert mode and choosing 'edit old status' is the only way to avoid objects being 'pulled in' after menu changes.
> As jurjen said, you may download the tables and instead of deleting the object from the excel sheet, change the value of the object in column "DELETED" = X, by doing this only the objects get inactivated(but remain in PFCG).
I am not speaking of downloading tables but about downloading roles from PFCG. This will not get you a spreadsheet but a flat text file. If you wish to set the object status to deleted you'll have to swap the space on position 207, right behind the 'U, S, G' flag, with an 'X' for all corresponding lines.
Jurjen -
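The file edits from Jurjen's two replies above (the value change in AGR_1251 lines and the deleted marker on position 207), as an added Python example that is not part of the original posts. The record layout built by sample_record, the role names and the field name BEGRU are constructed assumptions; a real PFCG download has its own layout, so the script refuses any line where the overwrite would not fit.

```python
import re

TABLE = "AGR_1251"  # record type named in the thread
FLAG_POS = 206      # 1-based position of the 'U, S, G' flag; 207 holds the deleted marker


def change_value(line, obj, field, old, new):
    """Overwrite `old` and the blanks padding it with `new`; the length never changes."""
    if not (line.startswith(TABLE) and obj in line):
        return line
    m = re.search(re.escape(field) + " +" + re.escape(old), line)
    if m is None:
        return line
    start = m.end() - len(old)
    width = max(len(old), len(new))
    if line[start:start + width] != old.ljust(width):
        raise ValueError(f"no blank padding to hold {new!r}: {line[:80]!r}")
    return line[:start] + new.ljust(width) + line[start + width:]


def mark_deleted(line, obj):
    """Put 'X' on position 207, right behind the U/S/G flag."""
    if not (line.startswith(TABLE) and obj in line):
        return line
    if len(line) <= FLAG_POS or line[FLAG_POS - 1] not in "USG" or line[FLAG_POS] != " ":
        raise ValueError("unexpected layout around position 207")
    return line[:FLAG_POS] + "X" + line[FLAG_POS + 1:]


def edit_export(text, obj, field, old, new):
    """Apply change_value to every record and return (new_text, changed_count)."""
    out, changed = [], 0
    for raw in text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        eol = raw[len(body):]
        edited = change_value(body, obj, field, old, new)
        if len(edited) != len(body):  # fixed record length must survive
            raise ValueError("record length changed")
        changed += edited != body
        out.append(edited + eol)
    return "".join(out), changed


def sample_record(table, role, obj, field, low, flag="S"):
    """Constructed 220-character record; the column widths are hypothetical."""
    head = f"{table:<10}{role:<30}{obj:<12}{field:<12}{low:<36}"
    return head.ljust(FLAG_POS - 1) + flag + " " * 14


# Constructed sample export: two target records and three that must stay untouched.
SAMPLE = "\n".join([
    sample_record("AGR_1251", "Z_ROLE_A", "M_MATE_WGR", "BEGRU", "*"),
    sample_record("AGR_1251", "Z_ROLE_A", "M_MATE_WGR", "ACTVT", "03"),
    sample_record("AGR_1251", "Z_ROLE_B", "M_MATE_WGR", "BEGRU", "*"),
    sample_record("AGR_1251", "Z_ROLE_B", "M_MATE_MAR", "BEGRU", "*"),
    sample_record("AGR_1250", "Z_ROLE_A", "M_MATE_WGR", "", ""),
]) + "\n"

if __name__ == "__main__":
    new_text, n = edit_export(SAMPLE, "M_MATE_WGR", "BEGRU", "*", "0001")
    print(f"{n} record(s) changed")
    for before, after in zip(SAMPLE.splitlines(), new_text.splitlines()):
        if before != after:
            print("-", before[:70].rstrip())
            print("+", after[:70].rstrip())
```

Run it against a copy of the download, read and written with the same codepage, and compare the changed-record count with the number of roles you expected to touch before uploading.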
Is there a Limit on number of authorization objects in a role?
Hi all,
Is there a Limit on number of authorization objects in a role because I am getting the following error.
Authorization is full. Please enter fewer values
Message no. 01262
Diagnosis
You have included too many values in an authorization.
Procedure
Please distribute the data to at least two authorizations and combine them in a profile.
Thanks.
Hello Neha,
Message no. 01262 refers to the entered values in an authorization, not to the objects listed in the profile!
So this message tells you, that you have to split the authorization, as the authorization contains too many values. It is not a question of that you have entered too many different objects to the profile!
Please refer also to:
SAP Note 410993 (https://service.sap.com/sap/support/notes/410993)
and
SAP Note 943796 (https://service.sap.com/sap/support/notes/943796)
b.rgds, Bernhard -
Mass changing for accrual object assignments part of the field profit_ctr
Hi Experts,
Does any one know about mass changing for accrual object assignments part of the field profit_ctr (profit center).
How can we do this?
Best Regards.
Hi,
I have equal problem. How did you save him?
Regards, Irena -
Mass maintenance of authorization objects
Is there a SAP transaction available to mass maintain authorization objects?
Let's say that I have 120 roles, in all of which I want to change the value of field Y of authorization object X. For example, object S_TABU_DIS. I want to exclude an authorization group in all available roles. How can I do this for all roles which have this object?
Modifying each role separately in PFCG is rather time consuming (and pretty unpleasant).
Actually, SAP does provide a solution to promote and demote fields to org. levels. There are reports for this (use them and not the table maintenance transactions!) because they automatically adjust your roles as well - otherwise you end up with inconsistencies.
But I agree with you, that org-levels is not a natural solution for this specific problem and although retrofitting security is the most expensive option, one cannot foresee all requirements from the start and Go-Live project pressure can be a factor as well to use * values for fields which on their own appear to be harmless...
You could try to write an adjustment tool for PFCG, but with "only" 120 roles I think you will be faster and safer with doing it manually. I think that less than 1 day's work should fix it. However, if you are willing to invest 2 or 3 days more, you can also consider restoring the values from the SU24 proposals. Particularly if one group of transactions are in many of the roles and you can isolate the common transaction (the "guilty one...) then you can do it more centrally in future as well.
However if you have not used the "Read old merge new" function in PFCG's expert mode, then you should be careful with this as other objects might "correct" themselves as well. Particularly if you have been deleting standard authorizations in roles! (Why that button even exists, I don't know. No good can come of it...
Cheers,
Julius -
Cannot modify an authorization object in pfcg role for a business role
Hi Experts,
I have created two z pfcg roles from the standard business role CRM_UIU_SRV_PROFESSIONAL lets say by names zagent and zmanager. My requirement is actually to map these two pfcg roles to a service professional agent and service professional manager custom business roles respectively( I have created these custom business roles from standard business role servicepro) . I have identified an authorization object by name CRM_CO_SE which is basically used to check whether the user is authorized to create service contract transactions. So, in the agent pfcg role, I need to de activate or deselect this particular authorization object so that the agent will not be able to create service contract. (This is not a real time requirement, but an internal assignment). When I change this object in the pfcg by deselecting 'Allow' check box and try to generate, it is not getting generated. I have selected all the options from the 'Expert mode for the profile generation' and still the traffic indicator for that authorization object is yellow. Am I doing anything wrong?
Please help me.
Thanks
Ajith C
Hi Leon,
Thanks for helping me, I have restricted the unauthorized user from creating a new order by disabling the 'New' button by checking the business role in the code. The pfcg configuration, I am skipping it for now. I have one more requirement. When one clicks on any items in the search result for the Service Contracts, it opens the details of that service contract with an 'edit' button. I can disable this button using do_output_preparation method for the some business roles. However, I want to disable this after checking a condition. The condition is that, edit button should be active, only if that service order was created by the employee who has currently logged on. I am relatively new to CRM and I could not figure how I can check it during run time. Could any one please help me with this?
Thanks,
Ajith -
Mass change rule authorization
Dear experts,
I want to allow for several users to allow to create and release substitutions on asset master data. But when user release a worklist, warning message appears:
"No administrator found for the task"
"Message no. 5W141"
What should I do, what parameter is missing on user profile? We definitely want to grant to some users rights to create and release substitutions, so do we need to grant System Administrator rights?
Hi Marius,
I would suggest that once you get the below error execute transaction SU53. You will find which authorization objects are missing and forward the same to your Basis Team to create/ assign role appropriately.
Hope this helps.
Pls assign points as way to say thanks -
Trouble when adding / modifying authorization objects in a role through ERM
Hi everyone!!!
We're having some issues when configuring ERM, we followed the Post-Installation guides and we are done with the config part, but when we try to do an example creating a role, we're getting an error message when attempt to add the authorization data.
When we look at the log, we find this message: /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
This is the last log...
2010-11-05 17:03:42,515 [SAPEngine_Application_Thread[impl:3]_30] ERROR /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
java.lang.Throwable: /VIRSA/GET_ACTGROUP_TIMESTAMP function template not found on RD1
at com.virsa.re.service.sap.dao.SAPRoleTimestampDAO.getRoleChangedDetails(SAPRoleTimestampDAO.java:136)
at com.virsa.re.bo.impl.ConcurrentAccessRoleBO.isRoleChangedInPFCG(ConcurrentAccessRoleBO.java:228)
at com.virsa.re.role.actions.AuthAuthorizationDataAction.pageLoad(AuthAuthorizationDataAction.java:6865)
at com.virsa.re.role.actions.AuthAuthorizationDataAction.execute(AuthAuthorizationDataAction.java:213)
at com.virsa.framework.NavigationEngine.execute(NavigationEngine.java:273)
at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:230)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)
at com.virsa.comp.history.filter.HistoryFilter.doFilter(HistoryFilter.java:43)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:384)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Plz help us, we can't find any information about this error.
Regards
Connie
Hi,
Settings need to be checked-
1. Connectors must be identical for all components for a particular system and test connection should be successful.
2. Unicode should be checked for RAR connector.
3. Patch Level should be same on GRC and Backend and all backend post-installation activities must be completed - (BC set activation, Program etc)
4. RAR Objects Import must be done.
5. ERM Background jobs must be completed before doing Role Creation- Transaction/Object/Field sync, Org Value sync and activity sync.
If above activities are done, no issues should occur in tcode/Object assignment in role.
Regards,
Sabita -
Identify duplicated authorization objects in a role
Hi,
We built some roles manually by drag and drop transaction through the menu tab. In some roles, we have duplicated authorization object
For example, in PM : Maintenance Plant (object I_SWREK), we have 2 profiles with SWERK=* and TCD = (list of transactions).
I'd like to generate a new role with only one profile which contains SWERK=* and a list of transactions in TCD
The pb is i don't know at first which authorization objects or profiles are concerned by this duplicated objects
Is there a program, trans code or function module i can run to get this information ?
Thanks
Guillaume
Hi Guillaume,
I would say, that there will be not much difference.
The auth.-check scans one authorization (not profile!!!) after the other for the requested values.
So for example:
check for TCD = IE03
first hit is successful for both scenarios, as both list IE03 at first place.
Scenario 1:
SWERK=* and TCD = IE03, IL03, IP06, IQS1, IQS2, IQS3, IW3D
Scenario2:
SWERK=* and TCD = IE03, IL03, IP06
SWERK=* and TCD = IQS1, IQS2, IQS3, IW3D
second example:
check for TCD=IW3D
Scenario 1: the first authorization is loaded and verified, last value gives success.
Scenario 2: no success for the first authorization, second auth. has to be loaded for analysis and gives success with the last value.
So scenario 2 could even be less performant....
did you realize already some differences???? Would be interesting...
thx, Bernhard -
Elements of WebUI by authorization object in user roles?
Hi all,
we are currently setting up a SNC scenario with SCM 5.1. I have some information about how to change the WebUI for the Responsive Replenishment, but by now I can only change it for all users. I would like to link certain Web buttons and screens to user authorization roles, so some users get buttons others can't see, depending on their roles.
Has anyone a clue for me if this is possible, and how I can implement this, or where I can documentation about it?
Thanks for any help.
Best regards,
Timo
Hi Timo,
If you are intending to change a few elements in the WebUI programmatically, then you could restrict the changes on the basis of the role. (is for a supplier or a customer)
I do believe that you might to be needing to do the changes in the corresponding ICH Data matrix model business logic class.
Here
The attribute P_DATAICHDM->S_CBINFO-APPDATAID holds the value corresponding to the application and the role that's accessing the screen.
I do believe , in your situation, the appdataid for a customer would be 'RPLRRC' and for a supplier would be 'RPLRRS'. However, you would need to cross verify this.
All you need to do now, is to check the value of these attributes which have been set and code for the UI Changes accordingly.
There could be other simpler approaches , by means of configuring too, depending on the nature of your change. I am not really sure. I just suggested one thing that worked in my case.
Cheers,
Rashmi. -
Sales Order Change (VA02) Authorization Object
Hi Experts,
Please suggest me, what is authorization object for availability check in VA02.
From
Ramesh Kumar
Hi Kapil,
Thanks for your reply.
I have already checked it. But i am not finding this object.
Basically, I want to restrict a user for change in delivery schedule dates. So please suggest me, how to restrict a user for that.
From
Ramesh Kumar -
Color change in authorization object in maintained, partially ,unmaintained
hi gurus,
In PFCG once we get into authorization and display, some are in red and some in yellow and green. It is based on maintained, partially ,unmaintained authorizations. But, when a red changes to green and yellow change to green and green change to red. Hope u understood my question. pls help me in this.
Moderator message: not directly related to ABAP development, please have a look in the Netweaver Security forum.
Edited by: Thomas Zloch on Dec 2, 2010 4:47 PM
Hi ,
Please check this code. I have used this to show icons according to the values that I am getting from the bapi.
  " Render the RISK_CRITICALITY column as an icon
  create object lr_image.
  lr_image->set_source_fieldname( 'RISK_CRITICALITY' ).
  lr_column->set_cell_editor( lr_image ).
  " Map each criticality description to the icon shown in that column
  loop at lt_projhealth assigning <fs_risk>.
    if <fs_risk>-criticality_desc eq 'VERY HIGH'.
      <fs_risk>-risk_criticality = 'ICON_STATUS_CRITICAL'.
    elseif <fs_risk>-criticality_desc eq 'HIGH'.
      <fs_risk>-risk_criticality = 'ICON_STATUS_ALERT'.
    elseif <fs_risk>-criticality_desc eq 'MODERATE'.
      <fs_risk>-risk_criticality = 'ICON_LED_YELLOW'.
    elseif <fs_risk>-criticality_desc eq 'LOW'.
      <fs_risk>-risk_criticality = 'ICON_STATUS_BEST'.
    elseif <fs_risk>-criticality_desc eq 'VERY LOW'.
      <fs_risk>-risk_criticality = 'ICON_LED_GREEN'.
    endif.
  endloop.
Regards,
Muneesh Gitta. -
Programmatically assigning Authorization Objects to roles
Hi there,
I have created an authorisation object with eight fields. The fields control which parts of my application are accessible to the user. (Each field is one category, each category has several subcategories).
What I want to do is the following:
There shall be a custom authorization dialog, wherein the system administrator can configure the access of the application for a specific user.
In plain text: I want to develop an interface which makes it possible to assign authorisation objects with specific values to a user or to an already existing role.
Is there any functionality, that allows me to perform this assignment and regenerate the users profile?
I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just to write new values to that table has no effect to the authorization when calling "authority-check object" in an ABAP report.
Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?
Thank you very much,
Gregor
Edited by: Gregor Bender on Mar 11, 2008 8:41 AM
> Gregor Bender wrote:
> I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values.
Nope, sorry, it's not the connection but only one of the many.... Roles and profiles are stored in quite a lot of different tables so manipulating one table directly will hardly ever get you the desired situation. It may even lead to problems due to inconsistencies.
For mass regenerating profiles there's transaction SUPC.
For manipulating the contents of roles/profiles have a look at scripting with SECATT or LSMW in combination with PFCG.
If you want to write code to add objects to roles you have to look at least in tables AGR_1250, AGR_1251 and AGR_1252. The UST* tables are updated when generating profiles and/or comparing users. -
Org Level Roles / Authorization Object Roles
Hi board,
I have heard of the concept to use roles with "Organizational Values" only and no other authorization values contained. Similar the idea to exclude special authorization objects from common roles and combine them in dedicated special ones to prevent accidental "double usage".
The first may help to control the overall number of roles coming up after deriving single/composite roles for many levels.
My questions are:
- Is it technically feasible (for a large-scale company)?
- What is your experience?
- Drawbacks?
Kind regards and many thanks for your help,
Richard
Richard Hösl wrote:
> Hi there,
>
> that was fast, amazing. Thanks a lot and my apologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still tempting due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful.
>
> Given the assumption that it is not a good idea to use "Org Value Roles", are you deriving on composite or on single level?
>
> Kind regards,
>
> Richard
Hi Richard,
It is a very tempting approach, but completely wrecks the standard auth concept and unless you are 100% tight on controlling it, can get very messy.
A good way of looking at it is that you have 2 roles - one contains transactions & the other one a big bucket of authorisations which support those transactions. That bucket invariably contains more authorisations than the transactions require. Given that it is at the authorisation object level that the important security is provided, this method has its drawbacks........
If you have organisational complexity then you should look elsewhere to simplify.
By consolidating your roles (e.g. if we take a risk based design approach, typically around 80% of an accountants role will be the same anywhere in the business) and building at a higher level, you need to create fewer variants (which you might be able to use derived roles for).
Put the effort in the design stage and it will pay dividends later on down the line.
Building at a higher level than task also forces the business to look at roles and responsibilities and to standardise as much as possible.
Cheers
Alex -
New Authorization Object within Role
hi everybody,
does anyone know how can i get New Authorization Objects for any Role for the new release that did not exist in the same Role from former release?
tables AGR_1250 and AGR_1251 do not show if object is new for this role. they only show if object is new itself.
thanks a lot,
javier rubio
pandu,
se54 is not related with this topic.
thank you very much for your answer, very helpful