Mass maintenance of authorization objects

Is there a SAP transaction available to mass maintain authorization objects?
Let's say that I have 120 roles, in all of which I want to change the value of field Y of authorization object X.  For example, object S_TABU_DIS. I want to exclude an authorization group in all available roles. How can I do this for all roles which have this object?
Modifying each role separately in PFCG is rather time consuming (and pretty unpleasant).

Actually, SAP does provide a solution to promote and demote fields to org. levels. There are reports for this (use them and not the table maintenance transactions!) because they automatically adjust your roles as well - otherwise you end up with inconsistencies.
But I agree with you, that org-levels is not a natural solution for this specific problem and although retrofitting security is the most expensive option, one cannot foresee all requirements from the start and Go-Live project pressure can be a factor as well to use * values for fields which on their own appear to be harmless...
You could try to write an adjustment tool for PFCG, but with "only" 120 roles I think you will be faster and safer with doing it manually. I think that less than 1 day's work should fix it. However, if you are willing to invest 2 or 3 days more, you can also consider restoring the values from the SU24 proposals. Particularly if one group of transactions are in many of the roles and you can isolate the common transaction (the "guilty one"...) then you can do it more centrally in future as well.
However if you have not used the "Read old merge new" function in PFCG's expert mode, then you should be careful with this as other objects might "correct" themselves as well. Particularly if you have been deleting standard authorizations in roles! (Why that button even exists, I don't know. No good can come of it...)
Cheers,
Julius

Similar Messages

  • Mass change of authorization objects in several roles

    Hello,
    we have to change an authorization object in almost 200 roles. Is there any possibility for mass change of authorization objects in several roles? We don't use the central SAP user administration.
    Best Regards
    Andreas Walter

    > at the moment all entries have the value "*". We want to change this value into "0001".
    Good!
    Here comes:
    1- download all relevant roles at once from PFCG. Make sure you use an appropriate codepage so you don't lose special characters in the role and menu texts.
    2- copy and backup the download file
    3- in the download file (is a text file)  look for all lines starting with AGR_1251 and containing M_MATE_WGR and the field you want to change
    4- take out the star and two spaces and replace by 001. This file is a set of fixed record length table exports and keeping the original length is very important.
    5- upload the edited file and generate the profiles.
    As you may see this is not SAP standard and completely at your own risk. Best try in a sandbox client first.
    Good luck!
    Jurjen
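
The length-preserving edit from steps 3 and 4 above, as an added Python example that is not part of the original post or of any SAP tool. The sample records, their 12-character columns, the role names and the field name BEGRU are constructed for the example and are not the real PFCG download layout; the function refuses any edit that would change a record's length.

```python
import re

TABLE = "AGR_1251"  # prefix of the records that hold authorization values


class RecordLengthError(ValueError):
    """The edit would change the length of a fixed-length record."""


def patch_line(line, auth_object, field, new_value):
    """Replace a '*' value by new_value in one record; return (line, changed)."""
    body = line.rstrip("\r\n")
    eol = line[len(body):]
    tokens = body.split()
    if not tokens or tokens[0] != TABLE or auth_object not in tokens:
        return line, False
    # Find the field name as a whole token, then the first stand-alone '*'
    # after it, so a '*' elsewhere in the record is never touched.
    name = re.search(r"(?<!\S)" + re.escape(field) + r"(?!\S)", body)
    if name is None:
        return line, False
    star = re.compile(r"(?<!\S)\*(?!\S)").search(body, name.end())
    if star is None:
        return line, False
    pad = len(new_value) - 1  # blanks the longer value has to consume
    end = star.end() + pad
    if body[star.end():end] != " " * pad:
        # Typical cause: an editor stripped the trailing blanks of the record.
        raise RecordLengthError("no room for %r in: %r" % (new_value, body))
    return body[:star.start()] + new_value + body[end:] + eol, True


def patch_text(text, auth_object, field, new_value):
    """Patch every matching record; return (new_text, changed_line_numbers)."""
    out, changed = [], []
    for number, line in enumerate(text.splitlines(keepends=True), start=1):
        new_line, hit = patch_line(line, auth_object, field, new_value)
        if len(new_line) != len(line):
            raise RecordLengthError("line %d changed length" % number)
        out.append(new_line)
        if hit:
            changed.append(number)
    return "".join(out), changed


def _rec(*columns):
    """Build one constructed record with 12-character columns."""
    return "".join("%-12s" % c for c in columns) + "\n"


# Constructed sample records, NOT the real PFCG download layout.
SAMPLE = (
    _rec("AGR_DEFINE", "Z_ROLE_A", "", "", "")
    + _rec("AGR_1251", "Z_ROLE_A", "M_MATE_WGR", "BEGRU", "*")
    + _rec("AGR_1251", "Z_ROLE_A", "S_TABU_DIS", "DICBERCLS", "*")
    + _rec("AGR_1251", "Z_ROLE_B", "M_MATE_WGR", "BEGRU", "*")
    + _rec("AGR_1251", "Z_ROLE_B", "M_MATE_WGR", "ACTVT", "03")
)

if __name__ == "__main__":
    new_text, changed = patch_text(SAMPLE, "M_MATE_WGR", "BEGRU", "0001")
    print("changed lines:", changed)
    print(new_text, end="")
```

The list of changed line numbers doubles as a review record to compare against the backup copy from step 2 before the upload.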

  • Restrict change authorization for MM17 (Material master mass maintenance)

    Hi,
    Apologies if I have posted this in the wrong forum. I want to know if it is possible to use the mass maintenance transaction MM17 (indus. material) to display data only instead of change/create. Is there some setting at the basis object level which can enable this? There are currently a lot of custom abap reports and queries in our system for viewing material master data, these can all be replaced by MM17. Basically we want to use MM17 as a reporting tool to display data only. Is a solution possible? Help is appreciated, thanks.
    Regards

    Have you tried the MM Information System node in the SAP Easy Access menu? There are a bunch of standard reports with navigation options there, for the user who has the correct authorization to display only.
    Alternately, you may want to take a look into transaction MASS and use the B_MASSMAIN object, depending on your requirements - but test it well.
    Cheers,
    Julius

  • Analysis Authorization mass maintenance

    Hi All,
    During the migration, due to Complexity of our complex BW 3.5 authorization setup we are end up in BI 7 New Design where we have to maintain new Cube to more than 150 Analysis Authorizations each time when we have new Cubes comes.
    Do you guys know any method where you can update the new cube to large no of Analysis Authorization (for ex 150) instead of doing manually? Due to complexity of the old design it's very difficult for us to change the new design.
    Looking forward for expert opinion.
    BR,
    Deepak

    Hi,
    As per my knowledge, it is always recommended to maintain the Analysis authorizations individually. However, you may refer the below thread:
    Analysis Authorization Mass Maintenance
    and also the below link:
    http://help.sap.com/saphelp_nw73/helpdata/en/c4/057a2de519451faf1819dba4092887/content.htm
    Hope this helps!!
    Rgds,
    Raghu

  • SRM 7.0 authorization objects for table maintenance

    Hi guys,
    I wanted to know how authorization objects work in SRM.
    I created a custom table whose key field is company code (BUKRS). And in the table maintenance view I have to add an authorization object based on the company code.
    Is it possible to do that in SRM?
    Thanks!!

    Hi,
    Authorization concept is same for all ABAP based application. Do you have any issue in SRM?
    Regards,
    Masa

  • SNUM - Object - MASS - Mass maintenance log

    Hi All
    I have to extend the number ranges for Object - MASS - Mass maintenance log in SNUM. Currently the number ranges start from 000001 to 999999.
    If I add another interval as 02 and enter from 000001 to 999999, the system says the number ranges are overlapping.
    Please give some views to proceed.
    Thanks
    Aras

    Hi
    Sorry for the late reply.
    I am not sure about the problem. But we can see the number ranges for MASS Maintenance Log, is nearing to the end. So i have contacted SAP and told to reset in MSL2. But his mass maintenance is not updated once we do mass PO changes. And i am not sure when this is got update.
    Thanks
    Aras

  • Mass update to FILENAME field in S_DATASET authorization object

    We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value.  I'd like to do this programmatically if possible.
    What I've learned so far is that I need to update the value in table USR12, but the value is encoded.  When I look at the table in SE16, I do not see the encoded value field.  The value does show in UST12, but I'm told this is an unreliable table.
    So I'd like to know..
    1. How can I look at the value if not in SE16?
    2. Is there an API I can use to encode/decode the value?  If not, where is the specification on how to build it?
    If this is better addressed in a different forum, which one should I try next?
    Thanks,
    Dan

    Hi there,
    Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
    But the behaviour as you have described:
    >
    > Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
    > =============================================================
    > *                                 X         X            DUMY
    > /temp/FI/..                       X         X            DUMY
    > /temp/FI               X                                 FIFI
    >
    ... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
    > Caution:
    > - If you enter paths generically in the table SPTH, the most precise specification counts.
    > - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
    So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
    So, the only check which is effective to protect the path, is:
    Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
    =============================================================
    /temp/FI               X                                 FIFI
    ... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
    Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
    form CHECK_PERMISSION using ISPTH_HEAD type SPTH
                                MODE       type CLIKE
                                SUBRC      type SY-SUBRC.
      data: ACTIVITY like AUTHB-ACTVT.
      SUBRC = 0.
      case MODE.
        when 'R'.
          ACTIVITY = '03'.
        when 'W'.
          ACTIVITY = '02'.
        when 'D'.
          ACTIVITY = '02'.
      endcase.
      if ISPTH_HEAD-FS_BRGRU <> SPACE.  "Here it is... for BEGRU checks there must be a value...
        authority-check object 'S_PATH'
            id  'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
            id  'ACTVT'    field ACTIVITY.
        if SY-SUBRC <> 0.
          SUBRC = 3.
        endif.
      endif.
    endform.
    Cheers,
    Julius
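
The SPTH lookup discussed in the post above, as an added Python model that is not part of the original post and is not SAP code. It picks the most precise entry, then reports whether a flag, an S_PATH check or nothing decides the access; the rows are the three from the quoted table. Assumptions: an entry matches when the file name starts with its path, the no-read flag applies to every mode, and the no-write flag applies to modes W and D.

```python
from collections import namedtuple

# One SPTH row: PATH, SAVEFLAG, FS_NOREAD, FS_NOWRITE, FS_BRGRU.
Spth = namedtuple("Spth", "path saveflag noread nowrite brgru")

# Mode -> ACTVT, as in the CHECK_PERMISSION form quoted in the post.
ACTVT = {"R": "03", "W": "02", "D": "02"}

# The three rows of the table quoted in the post.
ROWS = [
    Spth("*", "", "X", "X", "DUMY"),
    Spth("/temp/FI/..", "", "X", "X", "DUMY"),
    Spth("/temp/FI", "X", "", "", "FIFI"),
]


def most_precise(rows, filename):
    """Return the matching row with the longest path; '*' matches everything.

    Assumption: an entry matches when the file name starts with its path.
    """
    hits = [r for r in rows if r.path == "*" or filename.startswith(r.path)]
    return max(hits, key=lambda r: 0 if r.path == "*" else len(r.path),
               default=None)


def decide(rows, filename, mode):
    """Return (decided_by, matching_path, s_path_values) for mode R, W or D."""
    row = most_precise(rows, filename)
    if row is None:
        return ("no-entry", None, None)
    if row.noread or (row.nowrite and mode in ("W", "D")):
        # The flag overrides the authorization group: S_PATH is not consulted.
        return ("flag", row.path, None)
    if not row.brgru.strip():
        # Empty FS_BRGRU: CHECK_PERMISSION skips the authority check.
        return ("unchecked", row.path, None)
    return ("s_path", row.path, (row.brgru, ACTVT[mode]))


def audit(rows):
    """List rows whose authorization group cannot take effect as written."""
    findings = []
    for r in rows:
        group = r.brgru.strip()
        if group and r.noread:
            findings.append((r.path, "group %s unused: flag overrides it" % group))
        elif not group and not (r.noread or r.nowrite):
            findings.append((r.path, "no flag and no group: S_PATH not checked"))
    return findings


if __name__ == "__main__":
    for name, mode in [("/temp/FI/in/data.txt", "R"),
                       ("/temp/FI/../x", "R"),
                       ("/usr/sap/x", "W")]:
        print(name, mode, decide(ROWS, name, mode))
    for finding in audit(ROWS):
        print("audit:", finding)
```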

  • Role Maintenance - Automatically generated names for authorization objects

    Hello NG,
    I've got a question concerning the mentioned subject.
    Currently I am maintaining the roles/authorizations of a customers system (Rel. 3.0) which has moved to Rel. 7.0.
    When I add an authorization object to a role, the technical name is generated automatically. How can I set up the naming conventions for the authorization objects?
    Thank you very much.
    Regards ..

    Hi SUNIL L,
    I referred to 3.0 but I think that the release version has no relevance for my problem. I think I should try to explain my problem once more:
    When I add an authorization object to a role, a technical name is generated automatically and assigned to it. Is it possible to set any naming conventions for this?
    Regards..

  • Analysis Authorization Object not working

    Hi Gurus,
    I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
    For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
    I have followed the below steps but still the report shows all data instead of restricted one.
    1)RSECADMIN -> Maintenance ->zz_div ->Create
    2) Add 0DIVISION in Auth structure , and in details 
    I     EQ     32
    I     EQ     33
    3) Add 0TCAIPROV with I     EQ     0SD_C03
    4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID,  this having details as
    I     CP     *
    5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
    6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
    Following are the authorization object in that user's Role (Reporting Only)
    S_RFC 
    S_TCODE
    S_GUI
    S_BDS_D  
    S_BDS_DS 
    S_OC_SEND
    S_RS_AUTH - only having zz_div
    S_RS_COMP
    S_RS_COMP1
    S_RS_ICUBE
    S_RS_RSTT
    S_RS_TOOLS
    S_RS_PARAM
    I have surfed lots of thread for this issue but not getting a solution
    Tell me what i m missing in above or any additional setting need before creating analysis authorization
    Edited by: Sonal Patel on Apr 18, 2009 8:10 AM

    Hi
    Thanks a Ton for ur reply
    I have checked in SPRO : Analysis Authorization
    where the authorization mode is " OLD obsolete Concept With RSR  Authorization Objects "
    We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
    Thanks
    Sonal....

  • How to use CRM authorization object.

    Hi All,
    I have a specific requirement to restrict user while he/she tries to save a record. It appears that if that restrictions are implemented the save logic for an entity has to be changed because there are some validation regarding relationship management in SAP system. So I need to bypass that validation to allow some users of specific (Marketing) role to save the entity record bypassing that validation. Here I am planning to use the CRM authorization objects. But don't know how to use these and which authorization object to refer.
    Please let me know if you guys have any idea.
    Regards,
    Bikramjit.

    Hi Bikramjit.,
    You might need to create a Custom authorization object and then use it. Else you can create one Z table and maintain the User ID of all users. Then maintain one field with flag and set it to X for the user that are allowed to save the transaction.
    Also once you maintain the table, generate the table maintenance so that it becomes easier for future use.
    Hope this helps

  • Mass Maintenance of Maintenance Plans

    http://help.sap.com/erp2005_ehp_03/helpdata/EN/a1/5959394ba2cd4ae10000000a114084/frameset.htm
    Procedure
    If you want to change maintenance plans with the mass maintenance function, proceed as follows:
    1. Choose Logistics →
    2. Plant Maintenance → Planned Maintenance → Maintenance Planning → Maintenance Plans → Mass Maintenance for Maint. Plans → Mass Maintenance for Maint. Plans or use the transaction code mch01 and choose Enter. The Mass Changes for Maintenance Plans screen appears.
    3. Enter an appropriate variant name or your selection data in the areas of the screen called Maintenance plan selection, Maintenance item selection, Hierarchy or Work scheduling/task list data.
    Note
    If you want to make similar changes to data often, you can create a variant to ease data entry.
    4. Choose Execute.
    The Mass Maintenance: Table View screen appears.
    (The Mass Maintenance: Field View dialog box appears if you choose Execute field view from the Mass Changes for Maintenance Plans screen).
    5. Choose the appropriate tab page according to whether you want to make changes to the maintenance plans, maintenance cycles or the maintenance items.
    6. Select the objects that you want to change.
    You can select the fields that you want to change using the Select fields function.
    7. You can check your changes by using the Test changes function.
    8. Your changes are saved to the database when you choose Save.
    9. The system displays all the changes you have made and any errors that may have occurred in a log. You can save this log if you wish.
    Result
    Your changes have an immediate effect on all the selected objects.
    I have a need to enable this program which was delivered in one of the enhancement packs.  We have thousands of maintenance plans that need to be modified.
    A couple of questions:
    1) how do I activate as little as possible to allow me to use this program
    2) With this enhancement activated, am I going to be putting myself on a new support pack line.

    hi,
    I just know go to transaction SFW5 to check whether all components required for the operation of system are activated (switched on). But I do not know exactly which component is affected for this function.
    Hope it helps.

  • Creation of a new Authorization object

    Hi ,
    I need to create a new Authorization group and add three existing tables to it.
    Kindly suggest a way.
    Regards.

    Authorization Field
    Smallest unit in an authorization object. An authorization field either represents data, such as a key field in a database table, or activities, such as Read or Create. Activities are specified as identifiers, which are stored in the database table TACT and the customer-specific table TACTZ.
    Maintenance using transaction SU20.
    Authorization Object
    Repository object that forms the basis for authorizations. An authorization object comprises up to 10 authorization fields. The combination of authorization fields, which represent data and activities, is used for authorization assignment and to check authorizations. Authorization objects are grouped together in authorization classes.
    Maintenance using transaction SU21.
    Authorization
    Enter in the user master record or part of an authorization profile. An authorization comprises complete or generic values for the authorization fields in an authorization object. The combination determines the activities with which a user can access certain data.
    Maintenance in transaction SU03 or generation from transaction PFCG (profile generator for role maintenance).
    Authorization Profile
    Grouping of several individual authorizations or further authorization profiles. Can be entered in the user master record instead of individual authorizations. An authorization can be assigned to authorization profiles as often as you wish.
    Maintenance in transaction SU02 or generation from transaction PFCG (profile generator for role maintenance).

  • Creation of Authorization Object

    Dear All,
    Can anyone of you guide me on how to create Authorization Object?
    My Knowledge on this concept:-
    1) Mark required object as Authorization Relevant
    2) Use of T-code RSSM
    3) Select marked Authorization Object
    4) Assign fields to it, for authorization.
    That's all I know.
    There are few more additional settings we need to do for it.
    Request you to provide with step by step procedure for the same.
    Thanks & Rgds,
    Anup

    hi
    To create an authorization object:
    1) Execute transaction SU21
    2) Double-click an Object Class to select a class that should contain
    your new auth object
    3) Click on CREATE (F5)
    4) (If creating custom field) - Click the 'Field Maintenance' button -->
    Click on CREATE (Shift+F1)
    5) Enter the Name for the New Authorization field and the corresponding
    Data Element and SAVE
    6) Confirm the Change Request data for the new Authorization Field
    7) Go back two screens (F3-->F3)
    8) Enter the Authorization field name and document the object:
    9) SAVE and ACTIVATE the documentation
    10) Save the new Authorization Object
    11) Confirm the change request data for the Authorization Object and
    EXIT SU21
    12) Finally, the SAP_ALL profile must be re-generated
    the following link will be helpful
    http://209.85.175.104/search?q=cache:BigTSV4_olEJ:www.gingle.com/glenaccess%255CsdnAuthorizationObjectsimple.docHowtocreatauthorisation+object&hl=en&ct=clnk&cd=10&gl=in
    http://aroundsap.blogspot.com/2008/02/sap-bw-70bi-70-new-authorization.html
    Use of T-code RSSM
    Through BIW Authorizations (TCode RSSM)
    Authorization check log. This gives information on
    missing authorizations for reading data.

  • Mass maintenance and BDC Recodring of custom fields added in PO header.

    Hello Experts,
    I have created a custom fields in PO header and used  Structure for BADI implementation to update the header with values enterd in custom table.
    My requirement is for some selected PO i want to fix the value of one of my custom field at header level.
    I have tried both the options Mass maintenance and BDC recording but the issue i'm facing is when i go for mass maintenance it is giving me the ERROR and it seems that we can only do the mass maintenance for sap-standard fields only.
    When i go for BDC recording i'm facing the issue that when i do SHDB and start recording  for ME22N my custom field is coming  grayed out and i'm not able to input the desired value in custom field and complete my recording.
    Let me know your valuable inputs .
    Thanks,
    Naveen

    Hello,
    Instead of BDC i'm doing it through the BAPI   "BAPI_PO_CHANGE" by populating the structure extensionin but here i'm facing the error as below:-
    W     ME     887     Error transferring ExtensionIn data for enhancement CI_EKKODB
    E     BAPI     003     Instance 4500001544 of object type PurchaseOrder could not be changed
    below is my code:-
        ls_extensionin-structure = 'BAPI_TE_MEPOHEADER'.
        ls_extensionin-valuepart1+0(10) = wa_po-ebeln.
        ls_extensionin-valuepart1+14(3) = no.
        append ls_extensionin to lt_extensionin.
        clear:ls_bapi_te_bg,ls_extensionin.
        ls_extensionin-structure = 'BAPI_TE_MEPOHEADERX'.
        ls_extensionin-valuepart1+0(10) = wa_po-ebeln.
        ls_extensionin-valuepart1+10(1) = 'X'.
        append ls_extensionin to lt_extensionin.
        clear:ls_bapi_te_bg,ls_extensionin.
        call function 'BAPI_PO_CHANGE'
          exporting
            purchaseorder = wa_po-ebeln
          tables
            return        = it_bapireturn
            extensionin   = lt_extensionin.
        if it_bapireturn[] is initial.
          call function 'BAPI_TRANSACTION_COMMIT'
            exporting
              wait   = ' '
            importing
              return = it_bapireturn.
        endif.
        refresh lt_extensionin[].
      endloop.
    Please let me know if there is any way to achieve this.
    Thanks,
    naveen

  • Authorization object for additional data of material

    Hi,
    in our Authorization there some user they can use MM01/MM02 only for specific
    Maintenance Statuses - object M_MATE_STA (say L - Storage, X - Plant stocks, Z - Storage location stocks).
    We also want, that this user are not allowed to change some additional data, but i don't know, if there
    is some Authorization object.
    Has anyone an idea?
    thanks.
    Regards, Dieter

    Have a look at M_MATE_MAN. Help text below:
    Definition
    This object determines whether a user is authorized to maintain material master data at client level.
    Data at client level includes fields that cannot be maintained for each organizational unit (for example, for each plant or sales organization). It includes the following data in particular:
    Material descriptions
    Long texts (except sales texts and the material memo)
    Units of measure
    EANs
    However, it does not include the objects of other applications that you can assign to a material when maintaining the material master record (for example, document assignment or classification) since separate authorizations can be given for objects of this kind.
    Note
    Even if a user does not have the authorization to display data at client level, the following data is still displayed for the material nevertheless:
    Material descriptions and base unit of measure
    Deletion flag on the initial Flag Material for Deletion screen
    Defined fields
    Fields   Possible values   Meaning
    ACTVT    01                User may create data.
             02                User may change data.
             03                User may display data.
             06                User may change deletion flags.
    Edited by: Nick WW on May 27, 2011 9:27 AM
