Merge Authorization Object

Similar Messages

• Mass maintenance of authorization objects

  Is there a SAP transaction available to mass maintain authorization objects?
  Let's say that I have 120 roles, in all of which I want to change the value of field Y of authorization object X.  For example, object S_TABU_DIS. I want to exclude an authorization group in all available roles. How can I do this for all roles which have this object?
  Modifying each role separately in PFCG is rather time consuming (and pretty unpleasant).

  Actually, SAP does provide a solution to promote and demote fields to org. levels. There are reports for this (use them and not the table maintenance transactions!) because they automatically adjust your roles as well - otherwise you end up with inconsistencies.
  But I agree with you, that org-levels is not a natural solution for this specific problem and although retrofitting security is the most expensive option, one cannot foresee all requirements from the start and Go-Live project pressure can be a factor as well to use * values for fields which on their own appear to be harmless...
  You could try to write an adjustment tool for PFCG, but with "only" 120 roles I think you will be faster and safer with doing it manually. I think that less than 1 day's work should fix it. However, if you are willing to invest 2 or 3 days more, you can also consider restoring the values from the SU24 proposals. Particularly if one group of transactions are in many of the roles and you can isolate the common transaction (the "guilty one...) then you can do it more centrally in future as well.
  However if you have not used the "Read old merge new" function in PFCG's expert mode, then you should be carefull with this as other objects might "correct" themselves as well. Particularly if you have been deleting standard authorizations in roles! (Why that button even exists, I don't know. No good can come of it...
  Cheers,
  Julius

• Issue with authorization objects

  Hi,
  We are running on ECC 6 . There is an issue while adding t-codes to a role.
  When we add a transaction code in the Menu tab, for eg, a Z transaction code, it throws up a whole lot of open authorization objects under the authorization tab (open authorizations under FI, MM, so on). The open values proposed are all the default values in SU24. This happens even if we use the 'Read old status and merge with the new'. Our check indicator maintenance for all t-codes seem to be fine. Pls advise.
  Cheers!!

  > The default values (SU24 values) are once again populated if they were not maintained during the earlier maintenance.
  They are populated again if they were deleted during the earlier maintenance or are in a changed status of the original authorization where new values in SU24 are proposing something different.
  That is why you should never delete standard or maintained authorizations and try to avoid the copy & change strategy by maintaining SU24 to meet your needs.
  It shounds like SU24 is not as "fine" as you have stated before hand.
  Cheers,
  Julius

• Red Light with Authorization Object in PFCG

  Hello All - I have a question with authorization objects, there are three roles with red lights 'ON' in authorization object screen in our PRD. However users who are using these roles have no auth issues, standard procedure is to make all lights green in PFCG by maintaining these auth objects.
  Big question is "what is the down fall by leaving these objects RED, I need to support my theory when I say all lights green with auth objects.
  Why best practise says maintain all lights to green?
  Please suggest, appreciate your suggestions.
  Thanks.
  Edited by: AJ on May 12, 2009 9:44 PM

  Hi,
  > "What will be the difference between leaving that red lights 'ON' vs "disabling" these red objects? (I am bit confused on this).
  Red Object: As you know that authorization Objects comprises of Authorization fields. There are certain fields, which are known as "Organization Level" fields and need to be maintained Centrally. If you miss this fields, then the traffic light icon is RED. For all other authorization fields, light will be Yellow if you miss any blank field to maintain. During check, these fields will provide missing authorization (but you may not get error if same object is present in the role with all fields maintained status).
  Disabled Object: If you make any Object Disable, then during check, this Object will not be treated for checking Authorizations. But profile generator will keep this in mind, so you don't get Standard Objects repeatedly (if already present in Deactivated status also) whenever you go to "..Merge with New Data".
  You all other questions are very nicely answered already.
  Regards,
  Dipanjan

• New Authorization Objects for latest releases

  Dear Colleagues,
  Do you happen to know how to find out the objects that should be added when using a role from a previous SAP version in a new one. That is, we have imported a role from a previous SAP version into our system and would like to update it with the latest objects. How should I find out which are the new objects?.
  Thanks in advance for your help.
  Best regards,
  CMPT

  Charles,
  If you role has transactions in the menu the new authorization objects will be pulled in when you go to change the authorizations (select read old and merge with new under expert mode).
  If the transactions are not in the menu you will need to do a compare of the usobt_c and usobx_c between the old and the new system.
  During new auth objects analysis is performed via transaction SU25.
  Cheers,
  Ben

• New Authorization objects When Adding New tcodes

  Hi Guys
  I have two Identical R3 Productiosn Systems One is Called Prd and the Othe RPP.
  When Going into Pfcg on PRD and adding A tocde I.e Mi02. It  already has mi01 and mi03.the authorization tab chnages from green to Yellow,.When Going into The Authorization Tab,( option change authoirazation tab), there aer new authoiration object that has a yellwo status and needs to be filled in.
  When doing the same i.e go into Pfcg on RPP and adding A tocde I.e Mi02. It  already has mi01 and mi03.the authorization tab chnages from green to Yellow,.But when  Going into The Authorization Tab,( option change authoirazation tab), there are no new authorization object that has a yellwo status They are all greeen, but there are some with status updated.This looks right.
  Am I doing anything wrong,.I have not tried to go into the authorizatin tab with the expert option.
  Pls advise

  Hi Moods,
  Did you check the objects before adding MI02?
  Check with SU24 for objects in PRD and RPP if you have same objects then check as below.
  Check what new objects are comming up in PRD.
  Check for the Additional T-codes which are having the new objects which are populating in PRD.  if you have additional T-codes in PRD, then their may be chances of new objects populating
  If you check in authorization tab options with expert mode and choose merge with new data this might reslove the issue.
  Cheers
  Soma

• Maximum number of field values for an Authorization object

  Hello Experts,
  What is the maximum number of field values can be put into the role, Is there any restriction for number of values in any authorization field?
  I have put 326 values for field OBJTYPE in authorization object S_DEVELOP but not able to generate the role it is showing error.
  I know I can split the values in two or more instance but wanted to know if there any other way out for this (without creating more instances)
  Thanks
  DK

  If the values for OBJTYPE are not uniquely the same, then the system will not merge them - so nothing will be lost.
  Here is another trick for you: Choose one of the transactions in the role (or create a "symbolic" one for it") where you want to have the OBJTYPE proposed automatically from. Now maintain one or two of them in SU24 and then download it to your PC. Now from the F4 value range of the OBJTYPE, add all of those values you want via copy&paste into the file and then upload into SU24 again. A read old / merge new in PFCG will then swing all the values in for you.
  Single values are always better, as you do not know what else is hidden in the range or might be added in future. It is however common to see FROM / TO ranging around values such as DEBUG and FUGR although all aspects of S_DEVELOP are dangerous - even in display mode.
  Cheers,
  Julius

• How to assign authorization objects to a cube

  Hello,
  My cube includes 0profit_ctr which is marked as authorization relevant. Still in RSSM my cube is not included in the list of infocubes for an authorization object (zprofit) linked to 0profit_ctr. I'm therefore not able to enable that authorization object for my cube. I have a few ODSs which are included in the list. Why is my cube missing? Is there something I must do to include it, or is it a bug?
  When checking the infocube for authorization objects in RSSM this list is empty as well. I don't see any option to add authorization objects in that list.
  I have read the following document:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b849e690-0201-0010-9b88-c00cca40736f
  I'm using BW 3.5.
  Regards,
  Christoffer

  Hi Christoffer,
  In RSSM  you will find a button  "Update Check Status ( Authorization Objects, Info providers) ". After this update you should find your cube in the list.
  Jaya

• How to get all authorization objects for a certain authorization profile

  Hi ABAP experts,
  I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
  So:
  - where are these values stored (dictionary table)?
  - is there already a FM or a report to read all authoriation values for a certain authorization profile?
  Thanks in advance.
  Best regards,
  Oliver

  Hi,
  check the following it might useful for you:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
  if helpful reward points are appreciated

• Mass update to FILENAME field in S_DATASET authorization object

  We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value.  I'd like to do this programmatically if possible.
  What I've learned so far is that I need to update the value in table USR12, but the value is encoded.  When I look at the table in SE16, I do not see the encoded value field.  The value does show in UST12, but I'm told this is an unreliable table.
  So I'd like to know..
  1. How can I look at the value if not in SE16?
  2. Is there an API I can use to encode/decode the value?  If not, where is the specification on how to build it?
  If this is better addressed in a different forum, which one should I try next?
  Thanks,
  Dan

  Hi there,
  Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
  But the behaviour as you have described:
  >
  > Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
  > =============================================================
  > *                                 X         X            DUMY
  > /temp/FI/..                       X         X            DUMY
  > /temp/FI               X                                 FIFI
  >
  ... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
  > Caution:
  > - If you enter paths generically in the table SPTH, the most precise specification counts.
  > - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
  So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
  So, the only check which is effective to protect the path, is:
  Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
  =============================================================
  /temp/FI               X                                           FIFI
  ... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
  Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
  form CHECK_PERMISSION using ISPTH_HEAD type SPTH
                              MODE       type CLIKE
                              SUBRC      type SY-SUBRC.
  data: ACTIVITY like AUTHB-ACTVT.
     SUBRC = 0.
     case MODE.
       when 'R'.
            ACTIVITY = '03'.
       when 'W'.
            ACTIVITY = '02'.
       when 'D'.
            ACTIVITY = '02'.
     endcase.
     if ISPTH_HEAD-FS_BRGRU <> SPACE.  "Here it is... for BEGRU checks there must be a value...
        authority-check object 'S_PATH'
            id  'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
            id  'ACTVT'    field ACTIVITY.
         if SY-SUBRC <> 0.
            SUBRC = 3.
         endif.
     endif.
  endform.
  Cheers,
  Julius

• Authorization Object is not working when report is modified.

  Hi BW Guru's
  We have Company Code as Authorization Object .and we have 3 company Codes (xxxx,yyyy,zzzz).where the users under Company code xxxx are not supposed to view company code yyyy,zzzz data etc.
  I modified an existing Report and transported to production.But the Authorization Object is not working for that report.The Report is defaultly displaying all the company codes data(xxxx,yyyy) for all the users.But for the other reports its(company code ) is working fine.
  What could be the problem?Is theproblem in transporting the objects.But i transported all the objects inluding auhorization object.
  Please send me the solution as it is very much urgent.
  The solution will be def. awarded with full points.
  Regards
  Sanjay

  hi Sanjay,
  please don't post the same question again, check and response back from your previous thread
  Re: Authorization Object is not working when report is Modified.
  hope this helps.
  would be nice if you reward for helpful answers to all of your previous postings, e.g
  docs related to RRI

• Report to check authorization object used in customized programs

  Hi Guys,
  An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
  Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

  Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
  To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
  Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
  Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
  Code review is an art form!
  Cheers,
  Julius

• Issue on authorization object

  hi all,
    in me52n transaction, in account assignment tab there is field called costcenter. its  field name is kostl and strucutre is cobl. now i have requirement to create an authorization object on this costcenter. that is for example , if i try to make any changes in the cost center field it should allow me to do it. but if some others are using it should not allow them to make any changes. plz let me know the solution how to do step by step. points will be awarded . this is urgent requirement. plz reply fast.
  thanking u in advance,
  a.srinivas

  Hi deniz,
  Use this to set up the autherisation object
        AUTHORITY-CHECK OBJECT '<objectname>'
                        ID 'ID FIELD SY-UNAME.
        IF SY-SUBRC NE 0.
          MESSAGE S999 WITH 'You are not Authorised to change entries'.
          EXIT.
        ENDIF.
  Inform the Basis team to assign the role only to ur id...so that no other person wil u autherized
  Award points if useful
  Regards
  Gowri

• Analysis Authorization Object not working

  Hi Gurus,
  I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
  For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
  I have followed the below steps but still the report shows all data instead of restricted one.
  1)RSECADMIN -> Maintenance ->zz_div ->Create
  2) Add 0DIVISION in Auth structure , and in details 
  I     EQ     32
  I     EQ     33
  3) Add 0TCAIPROV with I     EQ     0SD_C03
  4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID,  this having details as
  I     CP     *
  5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
  6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
  Following are the authorization object in that user's Role (Reporting Only)
  S_RFC 
  S_TCODE
  S_GUI
  S_BDS_D  
  S_BDS_DS 
  S_OC_SEND
  S_RS_AUTH - only having zz_div
  S_RS_COMP
  S_RS_COMP1
  S_RS_ICUBE
  S_RS_RSTT
  S_RS_TOOLS
  S_RS_PARAM
  I have surfed lots of thread for this issue but not getting a solution
  Tell me what i m missing in above or any additional setting need before creating analysis authorization
  Edited by: Sonal Patel on Apr 18, 2009 8:10 AM

  Hi
  Thanks a Ton for ur reply
  I have checked in SPRO : Analysis Authorization
  where the authorization mode is " OLD obsolete Concept With RSR  Authorization Objects "
  We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
  Thanks
  Sonal....

• Authorization object for running a report in background

  Good day experts,
  I tried running a report in background, I choose immediately so that it doesn't have to be scheduled. But when I checked it in my own jobs, It remains at scheduled status. When I tried it on my admin account, It works and with status finished. It seems to be an authorization problem. What object could I be missing with my user account? I tried S_TCODE SMX and SP02 but still not working.
  Thanks in advance!

  Hi karshbax,
  What you're looking for is authorization object S_BTCH_JOB. You need authorization for field JOBACTION = RELE.
  In future use transaction SU53. It shows last error authorization error, so if this is authorization problem then after try of manual releasing of job you'll find in SU53 precise info what went wrong.
  Best Regards
  Marcin Cholewczuk