Object level authorizations for different user restrictions
Hi
I have 1 object; this object has only 3 values.
I need authorizations for this object at report level.
RSA1 - I keep it authorization relevant?
In RSECADMIN I can include this object; here I need to give a from value and a to value? I have 3 values only. Suppose user 1 wants only 1 value? User 2 needs 2 and 3 value? How can I restrict like this? Please let me know.
Hi Suneel,
Go to RSECADMIN.
Here, in Maintain Authorizations, create an authorization for your characteristics along with the special characteristics.
i.e. in your case, create an authorization (assume 0PLANT is marked as authorization relevant):
0PLANT
0TCAACTVT
0TCAIPROV
0TCAVALID
Double click on each characteristic to assign them the authorized value set.
Thus, you will create two authorizations:
Z_PLANT_1
0PLANT       I   EQ   1
0TCAACTVT    I   EQ   3
0TCAIPROV    I   EQ   ZPROVIDER
0TCAVALID    I   EQ   *
Z_PLANT_2&3
0PLANT       I   EQ   2
             I   EQ   3
0TCAACTVT    I   EQ   3
0TCAIPROV    I   EQ   ZPROVIDER
0TCAVALID    I   EQ   *
Go to RSECADMIN again; in the user tab, in assignment, assign the authorizations you created to the respective users, like:
User1 -> Z_PLANT_1
User2 -> Z_PLANT_2&3
Refer to the link below for more information:
Analysis Authorization: http://help.sap.com/saphelp_nw70/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm
Hope this helps,
Best regards,
Sunmit.
Similar Messages
-
Object level authorization for SLT Configuration schema in HANA DB
Hi All,
We have connected SLT with HANA DB (& ECC as source system).
Now for certain users we want to restrict the access to certain tables (tables owned by the SLT schema, i.e. the schema created in HANA DB with the configuration name provided in the SLT configuration).
With the SYSTEM user, object level authorizations of another schema are not possible; hence an error is thrown when we try to provide/control the access to a single table for a user.
Is it OK that we generate a password for the SLT schema and try to log in as the schema owner? Is it the best practice, or is there any other way around?
Regards,
Kumar
Hi Santosh,
You can find more info about SLT Roles and Authorization from below security guide.
http://help.sap.com/hana/SAP_HANA_Security_Guide_Trigger_Based_Replication_SLT_en.pdf
Regards,
V Srinivasan -
Object level authorizations for reports
HI
I have 20 characteristics in the cube; around 15 have navigational attributes.
I need to give authorizations for 5 objects only (navigational attributes).
I have 10 reports; I need only 2 reports to be authorization relevant.
If I restrict authorizations on 5 objects, does it affect all queries? In this scenario, do I need to create 2 cubes?
Please let me know.
Hi Suneel,
As you said you require authorization for 2 reports, you can restrict those InfoObjects with the authorization variables, and in the other 3 reports use that object but do not restrict it to the authorization variables.
So, the user will be able to see whole data for 3 reports where authorization is not used.
Hope it is clear.
Thanks
Lavanya -
"Low-level" authorizations for accessing BW reports - add users to role
Using the advice in Topic "Low-level" authorizations for accessing BW reports, I have been able to publish a query to a role that has 3 test users and each user gets the same query but with different data, as determined in the tables.
Is there a way to look up the users and e-mail addresses from a table and associate them to the role? We have several hundred e-mail recipients that will not need BW access, but only need an e-mail with a static report that contains data on their own territories.
Hi!
I think programmatically it might be complex. You have got to maintain a separate variant of the report per user and use this variant to send mail. That means you need to maintain a variant and a Broadcast setting per user. Once maintained, you can use it any number of times; the values will be recalculated every time.
with regards
ashwin
PS: Assigning points to the helpful answers is the way of saying thanks in SDN. You can assign points by clicking on the appropriate radio button displayed next to the answers for your question: yellow for 2, green for 6 points (2) and blue for 10 points and to close the question and mark it as problem solved. Closing the threads which have a solution will help the members to deal with open issues without wasting time on problems which have a solution, and also the people who encounter the same problem in future. This is just to give you information as you are a new user. -
No authorization for activating user status PLIM
Dear Gurus,
I'm a newbie to SAP. Currently I'm facing a problem with Tcode KO01 while I'm trying to create an Internal Order. I can initialize the program, but after I entered the Order type and pressed enter, the error msg "No authorization for activating user status PLIM" pops up. Please help on this urgently.
Thanks.
Dear Payal,
I checked /nSU53 just after I got the error msg. It said the authorization check failed. Authorization object B_USERST_T, status management: Set/Delete User Status using Transaction.
Activity:01
Authorization key: <Dummy>
Object Category: ORC
Status Profile: 00000002
What should i do after this??? -
Authorizations for background user
Hi everyone,
Is it OK to assign the sap_all profile to the user (system user) under whom a background job runs? Is it against the security audit policies? Or should we assign only those authorizations that are required to run the program in the background job?
Thanks.
Neha.
> Is it OK to assign the sap_all profile to the user (system user) under whom a background job runs? Is it against the security audit policies? Or should we assign only those authorizations that are required to run the program in the background job?
>
Hi Neha,
You don't need to provide SAP_ALL for any system user id for daily Business you create. And of course it is against Audit policies to provide such access to Background user. This user id should be of type System.
The authorizations for such user ids should be:
S_BTCH_NAM Background Processing: Background User Name
BTCUNAME = <respective user names that are going to be authorized for Batch Job execution>
S_BTCH_JOB Background Processing: Operations on Background Jobs
JOBACTION = *
JOBGROUP = *
S_BTCH_ADM Background Processing: Background Administrator
This is required for the administrator administering background Jobs.
Also check the following note: Note 101146 - Batch: authorization object S_BTCH_JOB, S_BTCH_NAM (https://service.sap.com/sap/support/notes/101146)
Also the user needs access to following Authorizations:
S_ADMI_FCD System Authorizations
S_CTS_ADMI Administration Functions in the Change and Transport System
S_LOG_COM Authorization to execute logical operating system commands
S_RZL_ADM CCMS: System Administration
Regards,
Dipanjan
Edited by: Dipanjan Sanpui on Jul 9, 2009 2:21 PM -
Hello,
We are working for authorizations for SNC users.
Currently we have an issue wherein SOH and Unrestricted stock info is not displayed on the WEB UI.
What authorization object are we missing?
We have SNC 5.1 customer collaboration.
Thanks
Hallo,
Display mode for objects C_LIME_SI & C_LIME_LOC.
Regards
Martin -
Authentication and authorization for AD users in UCM11g
Hi all
We are using WebCenter Content Server 11g. I read somewhere that for 11g, user authentication is done in the WebLogic Server environment, meaning Content Server 11g is now managed by WebLogic Server only; am I right? We have successfully integrated Active Directory with WebLogic Server and AD users are able to log in to UCM, but they don't have any role like contributor or Admin. How do we do this role mapping for AD users in UCM, i.e. authorization for these users? Please provide any guidance on this issue, any doc or blog; we are new to the WebCenter suite.
Thanks
Somesh
As you already have WebLogic integrated with AD, only role mapping and Single Sign-On integration remain. For authorization, AD must contain groups with exactly the same names as the roles in the Content Server. Those groups should be located where the Group Base parameter of the WebLogic ActiveDirectoryAuthenticator points (like OU=Roles,OU=Oracle,DC=example,DC=com). Assigning an AD user to the AD group named contributor will add the contributor role to the logged-in Content Server user.
As for SSO, refer to the:
http://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm
and
http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#autoId21
Procedure steps are:
1. Create a user account for the hostname of the web server machine in Active Directory
2. Create krb5.ini file, and locate it in the C:\Windows directory at both machines (Domain Controller and WLS host)
3. Generate the keytab file
4. Create a JAAS Login File named krb5Login.conf
5. Put both keytab and krb5Login.conf files to …/user_domains/domains/my_domain/
6. Configure the Identity Assertion Provider
7. Adjust Weblogic Server startup arguments for Kerberos authentication
8. Redeploy CS (and optionally other servers) server with the deployment plan given in the documentation
9. Check web browser configuration (IE and Firefox only)
10. Take a deep breath and test
11. If successful have a cake and cup of coffee else goto step one
Regards,
Boris -
Global object Services ( GOS ) for service users
Hi,
It is possible to have GOS ( Global object services ) ability for Service user type?
As far as I know only Dialog users has that ability.
Thanks,
Krishna.
It is not possible for service users. Never was.
-
Data Level security for specific Users
Hi,
Can you please suggest some ideas on by-passing the Data Level security for specific users or specific group?
Currently, we have data level security defined on a group permissions for one group and for people belonging to another group, the security should not apply and they should see entire data.
But, key thing here is that, the user belongs to both the groups.
Any ideas helps.
Thanks,
Chandu.
So you are saying you want a user to belong to a group with data-level security filters, but you don't want the filters to apply to that user?
Why are they in the group then?
Are the data filters defined with variables or are they hard-coded?
If variables, you may be able to put logic in initialization block to set the variable appropriately for specific users.
I'd rethink the security model - when I define data level security filters, I tend to force users to only belong to a single group/role. -
Check package/procedure level privileges for a user
hi gurus,
how to check the package/procedure level privileges for a user? like dba_tab_privs for tables.
for eg: grant execute on dbms_scheduler to user1.
now, i need to verify that user1 has execute privilege on dbms_scheduler or not.
what's the view for this?
thanks in advance,
charles
SQL> select privilege, count(*) from dba_tab_privs group by privilege order by 1;
PRIVILEGE COUNT(*)
ALTER 19
DEBUG 256
DELETE 131
DEQUEUE 3
EXECUTE 19315
FLASHBACK 52
INDEX 14
INSERT 137
MERGE VIEW 36
ON COMMIT REFRESH 52
QUERY REWRITE 52
PRIVILEGE COUNT(*)
READ 7
REFERENCES 54
SELECT 3752
UNDER 3
UPDATE 111
WRITE 5
17 rows selected.
DBA_TAB_PRIVS is for more than just tables. -
MIR4 Invoice - Restrict POST Authorization for Some Users
Hi Experts,
We are doing Invoice Release Workflow (MIR7) With 3 level Approval. When the document goes for approval in EDIT mode (MIR4) to multiple Levels anyone can change the document but the post authorization should be given only to the manager.
We created a Role with authorization object M_RECH_WRK and enabled only (3 Display and 77 Pre-Enter) still post button could not be disabled for some users. Kindly suggest a way to disable POST Option in MIR4 only for certain Users.
Regards,
Dheepak
Hi Dheepak,
Refer to these threads:
Disable post option in MIR7
MIR7 posting issue
Hope you find these useful.
Reetesh -
Plant level authorization for Notification Change
Hi All
We have 7 plants and person belong to one plant is able to open and change the notification of other plants.
In the role we have given a restriction for the plant for the Tcode IW22 and for the object SWERK. In the Notification only the Workcenter and Plant fields are mandatory.
How can we restrict a user belonging to a particular plant so that he can only change his plant's notifications, using IW22 only, not IW28?
Thanks in advance
gangs
Dear gangs,
Check, in all the roles of that user, the organization levels maintenance plant and planning plant.
It may happen that in one role you have restricted that user, but other roles may have the t.code authorization for IW22 with other plants also.
Check that also.
Regards,
Praveen. -
Authorization for different user
Hi, I want to send a message to one user using ABAP code. In this process I have to restrict message sending with an AUTHORITY-CHECK OBJECT.
We have the option for self (sy-uname) AUTHORITY-CHECK OBJECT using the following way.
AUTHORITY-CHECK OBJECT 'OBJECT_NAME'
  ID 'FIELDNAME1' FIELD fieldvalue1
  ID 'FIELDNAME2' FIELD fieldvalue2.
IF sy-subrc EQ 0. "Authorization exists
ENDIF.
Is there any way to find whether a different user has the AUTHORITY-CHECK OBJECT?
Regards,
S.Srinivasulu Reddy.
Hello Srinivasulu,
if you're working on SAP ECC 6.00 / SAP Netweaver, you can use the following ABAP keyword extension:
AUTHORITY-CHECK OBJECT <object> FOR USER <user-id>
This comes up, when using the online keyword help.
If you're working on an SAP release below ECC 6.00, you can use the following function module instead:
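" With this function module the result arrives as an exception number:
" sy-subrc = 2 (USER_IS_AUTHORIZED) means the check passed.
CALL FUNCTION 'AUTHORITY_CHECK'
  EXPORTING
    USER   = <user-ID>
    OBJECT = OBJECT
    FIELD1 = ...
    VALUE1 = ...
    FIELD2 = ...
    VALUE2 = ...
  EXCEPTIONS
    USER_DONT_EXIST     = 1
    USER_IS_AUTHORIZED  = 2
    USER_NOT_AUTHORIZED = 3
    USER_IS_LOCKED      = 4
    OTHERS              = 5.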
@surjith: The thread specified regards the difference between lock objects and authorization objects.
@Agrhadip: Sending eMails to authorization roles?? ? When the question is about an ABAP statement?
@srinivasulu: Questions about ABAP Statements are better posted in the ABAP forums.
Best wishes,
Florin -
Object level checking for some of the basis tcodes(internal audit)
Hi masters,
In our company, every month we check access controls for some of the Basis tcodes. I am giving them below. Are the selections of Tcode and object level value combinations correct, or are there any modifications? Please notify.
Tcodes Imp Auth Objects Auth fields Auth values
SCC1 S_CLNT_IMP Actvt 21,60
S_TABU_CLI CLIIDMAINT X
SCC4 S_TABU_CLI CLIIDMAINT X
S_TABU_DIS Authorization Group *
Actvt 01,02
SCC5 S_CLNT_IMP Actvt 21,60
S_TABU_CLI CLIIDMAINT X
SCC7 S_TRANSPRT Request type *
Actvt 43,60,75
S_CLNT_IMP Actvt 21,60
SCC8 S_DATASET PROGRAM *
Actvt 06,34,A7
S_TRANSPRT Request type *
Actvt 43,60,75
SCC9 S_TABU_CLI CLIIDMAINT X
S_CLNT_IMP Actvt 21,60
SCCL S_TABU_CLI CLIIDMAINT X
S_CLNT_IMP Actvt 21,60
SCU0 S_TABU_DIS Authorization Group SS
Actvt 01,02
S_TABU_RFC Actvt 3
OBR1
SM01 S_ADMI_FCD TLCK
SM04 S_ADMI_FCD PADM
SM12 S_ENQUE S_ENQ_ACT DPFU,DLOU
SM13 S_ADMI_FCD UADM,UMON
SM50 S_ADMI_FCD PADM
SM54 S_ADMI_FCD NADM
SM55 S_ADMI_FCD NADM
SM56
SM59 S_ADMI_FCD NADM
RFCA
SMLT S_LANG_ADM Actvt 02,16,61
Table *
SPAD S_SPO_DEV SPODEVICE *
SP01 S_SPO_DEV SPODEVICE *
S_ADMI_FCD SP01,SP0R
ST01 S_ADMI_FCD ST0M,ST0R
ST05 S_ADMI_FCD ST0M,ST0R
RZ04 S_RZL_ADM Actvt 1
RZ06 S_RZL_ADM Actvt 1
RZ10 S_RZL_ADM Actvt 1
RZ21 S_RZL_ADM Actvt 1
S_BTCH_JOB JOBGROUP *
JOBACTION DELE,RELE
SM49 S_LOG_COM Command *
Opsystem *
Host *
S_RZL_ADM Actvt 1
SM69 S_RZL_ADM Actvt 1
SM63 S_RZL_ADM Actvt 1
SMLG S_RZL_ADM Actvt 1
SE16 S_TABU_DIS Authorization Group *
Actvt 01,02
SM30 S_TABU_DIS Authorization Group *
Actvt 01,02
SM31 S_TABU_DIS Authorization Group *
Actvt 01,02
SPRO S_PROJECT PROJECT_ID *
APPL_COMP *
PROJ_CONF *
Actvt 02,06
S_DOKU_AUT DOKU_ACT MAINTAIN
DOKU_DEVCL *
DOKU_MODE *
SPRO_ADMIN S_PROJECTS APPL_COMP *
PRCLASS *
Actvt 01,70
S_PROJECT PROJECT_ID *
APPL_COMP *
PROJ_CONF *
Actvt 02,06
PFCG S_USER_AGR ACT_GROUP *
Actvt 01,02
S_USER_PRO Actvt 01,02
PROFILE *
SM19 S_ADMI_FCD AUDA,AUDD
SU01 S_USER_AGR *
01,02
S_USER_GRP Class *
Actvt 01,02
SU02 S_USER_PRO Profile *
Actvt 01,02
SU03 S_USER_AUT OBJECT *
AUTH *
Actvt 01,02
S_USER_PRO Profile *
Actvt 01,02
SU05
SU10 S_USER_GRP Class *
Actvt 01,02
SU12 S_USER_GRP Class *
Actvt 01,02
SU20 S_DEVELOP DevClass *
ObjectType SUSO
ObjectName *
P_Group *
Actvt 01,02
SU21 S_DEVELOP DevClass *
ObjectType SUSO
ObjectName *
P_Group *
Actvt 01,02
SU22 S_DEVELOP DevClass *
ObjectType SUST
ObjectName *
P_Group *
Actvt 01,02
CMOD S_DEVELOP DevClass *
ObjectType CMOD
ObjectName *
P_Group *
Actvt 01,02
SA38 S_PROGRAM P_Action SUBMIT,BTCSUBMIT
P_Group *
SD11 S_DEVELOP DevClass T,Y,Z*
ObjectType UDMO,UENO
ObjectName *
P_Group *
Actvt 01,02
SE11 S_DEVELOP DevClass T,Y,Z*
ObjectType DOMA,DTEL.ENQU
ObjectName *
P_Group *
Actvt 01,02
SE12 S_DEVELOP DevClass T,Y,Z*
ObjectType DOMA,DTEL.ENQU
ObjectName *
P_Group *
Actvt 01,02
SE13
SE14 S_DEVELOP DevClass T,Y,Z*
ObjectType INDX.MCID,TABL
ObjectName *
P_Group *
Actvt 01,02
SE15 S_DEVELOP DevClass *
ObjectType *
ObjectName *
P_Group *
Actvt 3
SE37
SE38 S_DEVELOP DevClass T,Y,Z*
ObjectType FUGR,PROG
ObjectName *
P_Group *
Actvt 01,02
SE93 S_DEVELOP DevClass T,Y,Z*
ObjectType TRAN
ObjectName *
P_Group *
Actvt 01,02
SE41 S_DEVELOP DevClass *
ObjectType *
ObjectName *
P_Group *
Actvt 01,02
SE43 S_DEVELOP DevClass *
ObjectType *
ObjectName *
P_Group *
Actvt 3
SE43N S_DEVELOP DevClass '
ObjectType '
ObjectName '
P_Group '
Actvt 01,02
SE51 S_DEVELOP DevClass T,Y,Z*
ObjectType FUGR,PROG,DYNP
ObjectName *
P_Group *
Actvt 01,02
SE80 S_DEVELOP DevClass T,Y,Z*
ObjectType *
ObjectName *
P_Group *
Actvt 01,02
SE81 S_DEVELOP DevClass *
ObjectType *
ObjectName *
P_Group *
Actvt 01,02
SE82 S_DEVELOP DevClass Y,Z
ObjectType APPLTREE
ObjectName *
P_Group *
Actvt 01,02
SE91
SE92
SE92N
SNRO S_NUMBER NROBJ *
Actvt 02,17,11
SQ00 S_QUERY Actvt 02,23
SQ01 S_QUERY Actvt 02,23
SQ02 S_QUERY Actvt 02,23
SQ03 S_QUERY Actvt 23
SQVI
SM35 S_BDC_MONI BDCAKTI ABTC,AONL,DELE
SM35P S_BDC_MONI BDCAKTI ANAL
SM36 S_BTCH_ADM BTCADMIN Y
SM37 S_BTCH_JOB Jobaction PROT,SHOW
Jobgroup *
SM39
SM62
SM64 S_BTCH_ADM BTCADMIN Y
SE01 S_CTS_ADMI CTS_ADMFCT EPS1,EPS2,PROJ
S_TRANSPRT Actvt *
Ttype *
SE06 S_C_FUNCT PROGRAM SAPLSTRF,SAPLSTRI
CFUNCNAME SYSTEM
ACTVT 16
S_TRANSPRT Actvt 43,60,65
Ttype *
SE09 S_TRANSPRT Actvt 43,60,65
Ttype *
S_CTS_ADMI CTS_ADMFCT EPS1,EPS2,PROJ
SE10 S_TRANSPRT Actvt 43,60,65
Ttype *
S_CTS_ADMI CTS_ADMFCT *
SPAM S_CTS_ADMI CTS_ADMFCT IMPA,IMPS
S_TRANSPRT Actvt 43,60,65
Ttype PATC,PIEC
STMS S_CTS_ADMI CTS_ADMFCT *
S_RFC Actvt 16
RFC_NAME EPSF,STPA
RFC_TYPE FUGR
Edited by: rameshbabu muddana on Mar 2, 2009 10:56 AM
Hi, thanks for the reply: "you should not care about the transaction start s_tcode at all - only check the object required"
It has been made a mandatory policy to check users and roles every month with the given criteria of Tcode and object. Now I have been given the task to check whether the Tcode and object value combinations are correct or not; please validate the combinations and suggest. We are using ECC 5.0. I had gone through the wildcard use (#) when we check in SUIM; I am getting confused that when I give # followed by a value, the data I am getting is different from without #. Please provide an example for SE16 with S_TABU_DIS.
How to check?
I am checking in this way:
S_TCODE SE16
S_TABU_DIS
Activity
Value 01 or 02
Authorization Group
Value #&NC&
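One way to run the SE16 / S_TABU_DIS check from the matrix above outside SUIM, as an added example that is not code from the thread. It evaluates rows shaped like an export of role authorization data; the role names, instance ids and row layout are constructed assumptions, while TCD, ACTVT and DICBERCLS are the standard field names of S_TCODE and S_TABU_DIS.

```python
from collections import defaultdict

# Constructed sample rows: (role, object, authorization instance, field, low, high).
# Role names and instance ids are made up for illustration.
ROWS = [
    ("Z_BASIS_ADMIN", "S_TCODE",    "T001", "TCD",       "SE16", ""),
    ("Z_BASIS_ADMIN", "S_TABU_DIS", "T002", "ACTVT",     "01",   "03"),
    ("Z_BASIS_ADMIN", "S_TABU_DIS", "T002", "DICBERCLS", "*",    ""),
    ("Z_DISPLAY",     "S_TCODE",    "T001", "TCD",       "SE1*", ""),
    ("Z_DISPLAY",     "S_TABU_DIS", "T002", "ACTVT",     "03",   ""),
    ("Z_DISPLAY",     "S_TABU_DIS", "T002", "DICBERCLS", "*",    ""),
    ("Z_SPLIT",       "S_TCODE",    "T001", "TCD",       "SE16", ""),
    ("Z_SPLIT",       "S_TABU_DIS", "T002", "ACTVT",     "02",   ""),
    ("Z_SPLIT",       "S_TABU_DIS", "T002", "DICBERCLS", "ZFIN", ""),
    ("Z_SPLIT",       "S_TABU_DIS", "T003", "ACTVT",     "03",   ""),
    ("Z_SPLIT",       "S_TABU_DIS", "T003", "DICBERCLS", "*",    ""),
]


def covers(low, high, value):
    """True if one LOW/HIGH entry of a field covers the tested value."""
    if high:                       # interval such as 01..03
        return low <= value <= high
    if low.endswith("*"):          # full wildcard '*' or a prefix pattern such as SE1*
        return value.startswith(low[:-1])
    return low == value


def index(rows):
    """Build role -> object -> authorization instance -> field -> [(low, high)]."""
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(lambda: defaultdict(list))))
    for role, obj, auth, field, low, high in rows:
        tree[role][obj][auth][field].append((low, high))
    return tree


def instance_grants(fields, required):
    """Every required field must be covered inside the SAME authorization instance."""
    return all(
        any(covers(low, high, value) for low, high in fields.get(field, []))
        for field, value in required.items()
    )


def role_grants(tree, role, obj, required):
    """True if any single instance of `obj` in the role satisfies all required fields."""
    return any(instance_grants(fields, required) for fields in tree[role][obj].values())


def audit(rows, tcode, obj, checks):
    """Roles that can start `tcode` and pass at least one of `checks` on `obj`."""
    tree = index(rows)
    hits = []
    for role in sorted(tree):
        if not role_grants(tree, role, "S_TCODE", {"TCD": tcode}):
            continue
        if any(role_grants(tree, role, obj, check) for check in checks):
            hits.append(role)
    return hits


# SE16 row of the matrix: S_TABU_DIS with ACTVT 01 or 02; &NC& is the group named in the post.
SE16_CHECKS = [{"ACTVT": actvt, "DICBERCLS": "&NC&"} for actvt in ("01", "02")]

if __name__ == "__main__":
    print(audit(ROWS, "SE16", "S_TABU_DIS", SE16_CHECKS))
```

Z_SPLIT is not reported because its change activity (02) and its `*` group sit in different authorization instances; a check that looks at the fields one by one would flag it wrongly. Keying the rows by user instead of role, with instance ids kept unique, also catches a combination that is split across two roles.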