No authorization to change authorization data

Similar Messages

• Difference between Change Authorization Data / Display Authorization Data

  Hello,
  My question is wrt to implementation of "principle of treble control" i.e three SAP administrators i.e.
  1. Authorization data administrator
  2. Authorization profile administrator
  3. User Administrator
  I have created a role & added a transaction to it e.g. "FAGLL03" or "FF67".
  No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile. Even when I save the profile with the proposed name, it status still says "No authorization data exists". Since no authorization data is available, administrator 2 is unable to generate profile. If administrator 1 has to generate profile then why is administrator 2 required.
  Definition of Administrator 1 is:
  The authorization data administrator creates the roles, selects transactions and
  maintains the authorization data. He or she simply saves the data in the Profile
  Generator since he does not have the necessary authorization for generating the
  profile. He or she accepts the proposed profile name “T-...”. The authorization data
  administrator may not change users, nor generate profiles.
  Definition of Administrator 2 is:
  The authorization profile administrator starts transaction “SUPC” and chooses All
  Roles. He or she then restricts his selection, for example by entering the ID of the
  role to be edited. On the next screen, he or she chooses Display Profile to check
  the data. If all the data is correct, he or she generates the authorization profile. The
  authorization profile administrator may not change users, change the data for roles,
  nor generate profiles containing authorization objects beginning with S_USER*.
  Thanks.

  Hasan Saeed Khan wrote:
  Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.
  I had never heard of this treble control and the added value of splitting rolebuilding and profile generation doesn't make much sense to me but that's my personal opinion.
  On the technical side of things: in your first post you state "No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile."
  It is also possible to change the data and save this but not generate the profile yet. I just tried this by doing the following:
  Create role
  Add transactions to menu
  Edit profile, org levels & authroization data.
  Hit 'save'.
  Accept proposed profile name.
  Go back to PFCG main screen and ignore message of profile not being generated. (Click 'continue')
  And this leaves me with a role with yellow traffic light on the authorization tab an the profile status is: "Current version not generated"
  So it should be possible to maintain roles and profiles separately.

• [ProjectServer 2013] Resource authorization data lost on PSI Resource Update

  Hi,
  as the title says I noticed that sometimes resource authorization data of a resource/user is lost in ProjectServer 2013 on a PSI resource update. Since it did not happen every time for every resource (user) I tried to investigate this issue in more detail.
  I found out that it is related to a change in the resource availabilities. A resource/user loses its resource authorization data on a UpdateResources PSI call when the following criteria are fulfilled:
  - "Earliest available" or "Latest available" date is set
  - Resource/user has more than one ResourceAvailablities row
  - Max units are changed for one of the rows
  Since this is a quite complicated and specific issue here are some simple steps to reproduce it on a PWA instance:
  1. Create new resource/user.
  2. Enter any date in the "Earliest available" field and assign the user to some security groups.
  3. Programmatically change the max. units of any ResourceAvailablityRow and update the resource via the UpdateResources PSI call.
  4. Open the user in PWA. The security group associations will not be there any more.
  I have successfully reproduced this issue on two different PWA instances on two different servers.
  Did i miss anything obvious or is this a well known issue?
  If yes are there any workarounds?
  Did anybody else run into this issue?
  Thanks in advance for you help,
  Michael

  I created a Fiddler trace (see link at the end of the post) but i could not find anything suspicious in there.
  If it helps here is the code that i use to reproduce the issue:
  var singleResDs = resourceClient.ReadResource(resUid);
  var maxUnitsRow = singleResDs.ResourceAvailabilities.First();
  maxUnitsRow.RES_AVAIL_UNITS = maxUnitsRow.RES_AVAIL_UNITS + 1;
  resourceClient.CheckOutResources(new Guid[] { resUid });
  resourceClient.UpdateResources(singleResDs, false, false);
  resourceClient.CheckInResources(new Guid[] { resUid }, false);
  As you can see there is nothing special about it.
  I also checked the patch level on one of the servers and its 15.0.4569.1506 which corresponds to SP1 (April 2014). I can definitely try to install the newest CU and check if that fixes the issue.
  Fiddler trace:
  http://bit.ly/1DvaWsZ
  EDIT:
  I have now installed the March 2015 CU (15.0.4701.1001) and the issue is still existing.

• BIP Authorization data entry vs reporting

  Hi experts,
  there are two planers entering data on the same level, expect, that one enters data for Version V1 and the other planner enters data for Version V2. Since they are supposed to enter the data subsequently (first planer V1 should enter his data, save and release and then Planner V2 should enter his data, save and release), how do you enable both to see the data entered by the other - expecially enable planner V2 to see (but not change!) data entered by planer V1.
  What is the way to
  If you do not want to use BPS Status and Trackingsystem, how can you ensure that planer V1 has to enter his data (save and release) and then Planer V2 should be able to enter the data? Is there a way to link this information with BEx Broadcasting so that planer V2 is informed after Planer V1 has entered and released his data?
  Thank you for your advice,
  Angie

  Hi there,
  Yes I can help you...
  The issue between ZSALEG_GRP_P and ZSALEG_GRP_R is the 0TCAIPROV = *;
  SAP with the new authorization concept MERGE the authorization values based on the 0TCAIPROV characteristic. So if you're saying that a user has with ZSALEG_GRP_P 0SALES_GRP = 115 for all InfoProviders, but in other hands you're saying that the same user has with ZSALEG_GRP_R 0SALES_GRP = *, you're actually saying that the user has in fact authorization for 0SALES_GRP = 115 Unified with 0SALES_GRP = *, and the same happens with 0TCAACTVT = 2 Unified  with 0TCAACTVT = 3.
  So to separate the two authorizations you need to separate the InfoProviders.
  Therefore for the authorization ZSALEG_GRP_P leave  0TCAIPROV = InfoProviderNameWherePlannedQueryIsBuilt;
  For the authorization ZSALEG_GRP_R leave  0TCAIPROV = InfoProviderNameWhereReportingQueryIsBuilt;
  Try again, you'll see it works.
  Diogo.

• Rebuild Authorizational data (User Buffer) Dynamically

  We want to rebuild the authorizational data in a user's buffer by adding additional authorizations (auth obj with field values) during the logon procedure (user exit) (by executing a function module which will read a custom table) - however this has to be dynamic, that is we do not want the user to have to logoff.
  Anyhelp is welcomed !
  Mushtaq Mahmood
  Saudi Aramco

  I would be very carefull of this.
  Buffers, like caching, can become invalidated or corrupt so there are mechanisms to refresh or correct them after logon or a period of time has elapsed. This can be as little as 2 minutes appart as far as I know, depending on the memory area.
  Additionally, saving of a change in SU01 etc or the import of a role which IS already assigned to a user will refresh the buffers as well and possibly wipe your dynamic buffer away if it thinks that you have also removed the role (or profile) when saving.
  Depending on how you code this, it might even write the dynamic buffer data to the database, making it permanent and "stranded" data, which you might only be able to remove by synchronizing the tables again and resetting the buffers. If you do that while all your other dynamicly authorized users are logged on, it will cause a mess when they suddenly loose their access.
  I would keep the USRBF3 mechanism and consider scheduling report RSUSR405 regularly to simulate a change incase there is something wrong...
  Being a large organization with many orgs and users to administrate over a possibly large number of different systems, perhaps it is worth your while to take a look into an IdM (Identity Management System).
  I am sure you will find one which is more supported and sustainable than a reconstructed user buffer...
  Cheers,
  Julius
  Edited by: Julius Bussche on May 11, 2009 2:20 PM

• PM Role - Order - Authorization Data

  Hello,
  I create a role, can define notifications' attributes as i want. But i could not define orders'.
  For example, my order is Z001 and my user will change and display but not create the order.
  From pfcg --> Change Authorization Data i couldn't find the correct node for this.
  could you help?
  thanks in advance.

  We have a similar scenario where we limit certain users to certain order types. We have a role for production supervisors to create emergency orders (only) and the maintenance planner can create, change, display all types of orders.
  WIthin IW31/IW32, there is an auth.object:   I_AUART which can be used to control access to orders.  For example, our Prod.Spvr has I_AUART:
  Order type:  Z001
  Mtnc Plan.Plant 0001
  but our Mtnc Planner has a 2nd role with I_AUART:
  Order type:   *
  Mtnc Plan.Plant 0001
  If your basis team can limit this to the order type you want for each role (one for key user, one for operator) for your mtnc planning plant.  Look at SU24 for the transaction to make sure this auth. object is checked.  The user will get an error saying they are not authorized for this order type in this planning plant.  We did not have any user exits to make this work.

• Maintaining BW authorization data in R/3

  Hi,
  I am faced with a new problem now. My client wants to maintain BW authorization data in R/3 for ease of maintainence. I have used two ODS template for data (value) and (hierarchy) - (0TCT_DS01 and 0TCT_DS02) and have created two data targets for filling in the data and using CSV file for proofing of the concept. My assumption is that if data load from CSV file can execute thte functionality, I can achieve the same thing by extracting data from R/3 also. While generating the profile using RSSM it says that complete authorization data is not maintained. Probably I am not filling in the relevant fields with correct data.
  Can anyone help me with the steps involved in doing this and the fields for which entries are mandatory ? Would highly appreciate the help extended with points.
  Abhishek

  My reqmt says I have to restrict viwewing of data at node level. Let me elaborate more.... Users of sales region EAST and users of region WEST may have same profiles but EAST user should be able to see east data and WEST user should be able t0 see only west data. I am able to do this by using RSSM and restricting the view at report level but client wants to do this at a common place and the table needs to be maintained in R/3 ?
  Is my reqmt clear ?
  Abhishek

• How to extract authorization data to standart BW DSO's  from  SAP R/3 system

  Hi All,
  Does anyone have any experience about this topic? I want to use SAP R/3 as a source system and after i extracted the data to business content DSO's in BW  ,i will generate authorization objects from DSO 's.
  I am using standar BC DSO 's
  0TCA_DS01 Authorization data - Values
  • 0TCA_DS02 Authorization data - Hierarchies
  • 0TCA_DS03 Descriptive Text Authorizations
  • 0TCA_DS04 Assignment User Authorizations
  • 0TCA_DS05 Generate users for Authorizations
  I have deep research but cant find anything.
  Best Regards
  Ozan

  Hi Ozan,
  You can go though thread provided by Suman, These DSO's will help to maintain Analysis Authorizations in BW automatically In-short you don't need to maintain it, it will come from R/3 and same will be configured in BW.
  Regards,
  Ganesh

• Function Tab is missing under Authorization Data in ERM

  Hi,
  After Uploading roles to the ERM, the functions tab under authorization data is missing.
  In the QA the same role has all 4 tabs (including the functions tab)
  I've made sure that the "This option allows you to add a function to an authorization" is set to "yes".
  Can anyone tell me why is that?
  Thank you,
  Drorit

  Hi,
  Ensure that the user ID you are using has sufficient authorization (Eg: Actions: view authorization data etc...).
  Regards,
  Rama

• ERM - "Unhandled error; n/a" error in Authorization Data section

  Hi experts,
  We are implementing ERM 5.3 with support package (SP 5 patch 1). We run all synchronization background jobs (org values, tran/obj/field, activity) and apparently they all finished successfully.
  We have imported all SAP backend roles to ERM through the "mass role import" feature, and the job ended successfully for every role. However, we have found that for some particular roles, when trying to view in ERM the authorization data imported for that roles (clicking on the "authorization data" button inside the role), the screen shows no data and comes up with the error "Unhandled error; n/a".
  We tried re-importing those roles (again the job history shows "imported successfully" for every role) but the error is still there when trying to view the role authorization data.
  Any ideas of why this is happening for this roles giving that they all got imported successfully?
  Any thoughts on this will be very much appreciated!
  Regards,
  Pablo

  Two things i can think of without actually looking at the logs:
  1. Configuration > Miscellaneous settings need to be rechecked.
  2. Role Management > Mass Maintenance needs some attention.
  If you can send me the log saying "roles successfully imported" that would help me in troubleshooting this.
  Thanks & Regards,
  Amol Bharti
  amudee.com

• Authorization data is updated after adding transaction in role menu

  Hi Experts,
  When we add transaction in the menu of a role, the objects and organization levels related to the transaction are not getting reflected in the authorization data. Only object S_TCODE is coming. As an example if we add transactions MM01, MM02, MM03 in the role menu, under authorization data only object S_TCODE is coming. No other authorization object or org level are coming.
  This is only happening in one system. Kindly suggest.
  Thanks and Regards,
  Amit Jana.

  Hi Jurjen,
  Thanks a million for your reply. The customer tables has been filled up from su25 and this has solved the issue.
  Thanks and Regards
  Amit Jana.

• Get authorization data by passing user role

  Hi All,
  Can anybody please tel me to retrieve user authorization data if i  pass user role i want to get whole authorization data for that role.
  Thanks,

  I am not sure about the authorization objects/values for a given role, but you can get that for a user using the FM SUSR_USER_AUTH_FOR_OBJ_GET.

• Autorization for Photo Display in change on data of ESS

  Hi All,
  I need your help regarding Photo Display in Portal ESS applications like who's who and change on data.
  For the same Authorization at ECC side required.If i use sap_all authorization, the pheto displayed at the portal side.
  But only using ess authorization , the photo is not displayed. Could you please give me the solution for the same??
  Thanks,
  Anumit

  done myself
  I added the below object
  S_WFAR_OBJ
  S_RFC
  PLOG

• Changing Administrative data in Layout set (SE71)

  Hi All,
  I have copied another system layout set extract & uploaded into my system by changing user name in the extract.
  But i got few fields wrongly updated in Adminitstrative data. I have already made some changes to layout set. so i can't upload again.
  Now i want to change fields: Created On, By, Release: & Changed on, By, Release:
  fields in the Administrative data tab in header data of layout set(SE71).
  Can anybody tell me how can i change this data!
  Thanks,
  Deep.

  Hi,
  If you have authorizations to open the layout in Change mode then you can change the fields names as well as Values  By knowing the correct field names.

• Difference between "change auth data " and "expert mode" in pfcg

  Gurus ,
  i need to know , what is the difference between
  "change  authorization data "
  and
  "expert mode for profile generation" in PFCG .
  and what is the significance of the three options that we get when we choose expert mode ?

  Hi Susin,
  To change the authorization data for the transactions assigned to the role, choose Change Authorization Data or Expert Mode for Profile Generation.
  If you are generating the profile for the first time, there is no difference between the two modes.
  When you change a role, you must regenerate the authorization profile. In this case, the status of the profile generation is displayed red or yellow at the top of the Authorizations tab page.
  If the status display is red, you must perform an authorization data comparison, since the menu was changed since the last profile generation or no authorization data exists.
  If the display is yellow, the authorization data for the role was changed and saved after the last generation. The generated profile is no longer current. You need to regenerate it.
  The significance of the three options that we get when we choose expert mode is as follows:
  Choose one of the options to maintain the authorization values (in normal mode, the correct option is automatically set):
  1> Delete and recreate profile and authorizations
  All authorizations are recreated. Values which had previously been maintained, changed or entered manually are lost. Only the maintained values for organizational levels remain.
  2> Edit old status
  The last saved authorization data for the role is displayed. This is not useful, if transactions in the role menu have been changed.
  3> Read old status and compare with new data
  If you change transactions in the role menu, this option is the preconfigured. The profile generator compares the existing authorization data with the authorization default values for the menu transactions. If new authorizations are added during this process, they receive the status New. Authorizations that already existed receive the status Old.
  Note the following during the comparison:
  Values for organizational levels that are no longer required are deleted, all others are retained. If new organizational levels are added, you need to maintain them.
  The standard authorization for the object S_TCODE is always automatically filled with the current transactions from the role menu. It cannot be copied or manually changed, only deactivated.
  Thanks,
  Saby..