Organization level authorization restrictions

Hello All,
Please can you let me know
1) If it is possible to have org level authorization restrictions for CLM documents and master data without any development?
- E.g. while creating suppliers the user should only be able to create for the Company assigned to the user id?
2) What is the significance of the company and organization unit fields in the user account information page?
Regards,
Subramaniam Iyer

Hi,
Could you share your solution? I think I have faced the same problem as yours.

Similar Messages

  • DIR Authorization by Organizational Level

    Hi fellows!
    I would like to know if it is possible to restrict access to DIRs by organizational levels?
    Example: I need that if User A from plant 1234 creates a DIR type AAA number 0001, User B from plant 4567 shouldn't have access to this DIR type AAA number 0001. I want the users to be able to access only the DIRs created by the plant to which they have access.
    In the master roles of DMS I didn't find any object to help me in this scenario. I don't want to use the ACL to restrict the access to the documents. I want this restriction to be done by authorization rules as in other areas.
    Can someone help me with some idea or case about this?
    Best Regards!
    Daniel
    Edited by: D Quintal on Nov 25, 2010 5:43 PM

    Hi Daniel,
    It's quite possible to achieve your requirement.
    There is a field called 'Authorization group' in a DIR, if you have observed. This enables you to restrict authorization at Document level in addition to authorizations at Document Type and Status level. Suggest you create Authorization Groups like Plant1234, Plant4567 and so on with the help of your ABAPer. Now assign the required users to these Authorization groups.
    Once implemented, whenever a DIR is created and a specific Authorization group is assigned, only those users who are part of this Authorization group will be able to process/access this DIR. Hope this addresses your requirement.
    For details on implementing Authorization group in DMS, refer to the link,
    http://wiki.sdn.sap.com/wiki/display/PLM/UsingAuthorizationGroupfieldin+DMS
    Regards,
    Pradeepkumar Haragoldavar

  • Authorizations....Sales organization level

    Hi all
    I want to create the authorizations for the sales organization level. I have made the Sales Organization Object authorization relevant. After that I created an authorization object based on the Sales org object. I created a role and created a profile based on the authorization object which I created. I assigned the role to the user.
    Now when i execute my query in web it is saying that
    'No Authorization (Or Everything is Filtered Out)'
    On the top of the query execution it is giving me a message as
    'You do not have authorizations for component 0CRM_OPMO_Q001'
    Now I would like to know, when we create a profile in the role, do we need to add any other authorization objects apart from the one which we created? If so, what options do I need to give?
    And second, when we create a test user for the authorizations testing, what roles do we need to give him? One would be the one which we generated. And what are the other roles the user will have?
    Please help
    answers would be rewarded
    regards
    vijaykumar

    It sounds like you have another authorization object
    "checked" on the infocube/ODS.
    To check this, you have two options.
    (1) RSSMQ, with the user id. Execute the query, then back up (using the green arrow). One page on the back up operation will give you what authorization objects are checked.
    (2) Go to transaction: RSSM and enter the infoprovider. Uncheck the authorizations you don't want to have verified.
    Also, on the variable for the authorization object (query) you must enter a value here if you do not have an "*" object.
    Cheers!
    /smw

  • Basic Information about Organizational Level & Org. level value.

    Hello Experts,
      I am new to the field of SAP and security. I have the following questions:
    1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?
    2. What is a derived role and what is its usage?
    I appreciate your help regarding this. If you could point me to some documentation regarding this that will be very helpful.
    Regards, Ben

    Ben,
    I am new to the field of SAP and security. I have the following questions:
    1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?
    If you want to restrict region-wise, best use org levels & values (plant, company code, sales org).
    In the role you will notice them in red color.
    2. What is a derived role and what is its usage?
    A derived role inherits the menu structure and the functions from the parent role. Derived roles do not differ in their functionalities (identical menu & trans) but have different characteristics with regard to org levels.
    Eg1: Master role
    PFCG -> role name -> create -> menu -> enter tcodes -> Auth tab -> expert mode -> read old status and merge with new data -> pop-up for org levels (give full access) -> see to it that everything is green -> generate it.
    http://e-mory.blogspot.com/2007/12/sap-pfcg-create-role.html
    Eg2: Derived role
    PFCG -> role name -> create -> in the description tab towards the right enter the master role name -> Auth tab -> expert mode -> read old status and merge with new data -> you will get a pop-up for org levels (here you can restrict on plant level, purchasing group, company code....)
    -> let's say for plant: 1000 -> generated / user comparison
    Once the role is added to the user, the user will be able to see only those plant related details (1000) (i.e. he will have access to only plant 1000).
    Suppose the user enters 2000, he will get an error message saying no access to 2000.
    NOTE: Any changes to the role should be done in the master role (like adding tcodes)
    http://www.rssfeeddirectory.org/directory/items/346239.aspx
    https://cw.sdn.sap.com/cw/docs/DOC-12021
    http://help.sap.com/saphelp_wp/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm
    Re: Authorization error after transport
    Thanks,
    Sri

  • Posting authorization restriction in t-code F-02

    I have created a scenario for park/post for special GL entries. For that I will be using F-02 to hold the invoice and FB11 to post the invoice.
    I need to restrict the authorization of posting in F-02 so that the user can only hold the invoices. Any possibility to restrict the posting rights? I don't want to go for screen variants. Can't it be done from second level authorization?
    Looking forward for the feedback!

    @Vinod Vemuru
    I have checked, system is still allowing to post the document.
    I have traced the system for the authorization check in ST01; I can see the system has checked just the activity as 01 to post the document.
    @Obaid Javed
    I don't think it can be possible through any standard authorization object. You may have to go for your own custom authorization object or you may go for the exit or badi to restrict that.

  • TEMPLATE FOR ORGANIZATION LEVEL ROLE

    HI.
    I HAVE MYSAP ERP VER 5.1, BUT I DON'T HAVE HR OR IDM IN MY SYSTEM.
    I CREATED A ROLE FOR TRANSACTIONS FK01 AND FK02. IN THE AUTHORIZATION OBJECTS I PUT VALUES 01 AND 02 FOR THE ACTIVITY FIELDS, AND THE ORGANIZATION LEVELS WERE LEFT BLANK.
    I CREATED ANOTHER ROLE WITH THE SAME AUTHORIZATION OBJECTS CREATED MANUALLY, WITH ORG LEVEL VALUES IN THE AUTHORIZATION OBJECT AND NO VALUES IN THE ACTIVITY FIELDS.
    THE OBJECTIVE IS TO MERGE BOTH ROLES WITH ADDITIVE EFFECT IN A USER ACCOUNT TO REDUCE THE NUMBER OF DERIVED ROLES.
    BUT THIS DESIGN IS NOT WORKING PROPERLY. I NEED TO KNOW WHY?

    Hi,
    As per your query you create a new role and assign to these objects value in the new one.
    Anil

  • Need organization level object

    HI,
    I want to insert an organization level in this S_ALR_87012294 report,
    but PFCG->Authorization->authorization change shows no organization level.
    Is there any authorization object for giving the organization level?
    Best Regards
    Dilip Pasila

    The note says that you can apply it as a "download" via SNOTE ahead of the Support Pack (level), or apply the whole Support Packs up to that level (which will include the "corrections"), or you can install a brand new ERP system on the highest current release and SP stack.... but in all cases the checks are not performed against these objects until you modify the code in a SAP standard include program to activate the check.
    I can understand backward compatibility with existing role concepts, however a "normal" procedure to not perform such new checks is an approach something like the default values of PRGN_CUST are used for, where you can activate the checks via customizing views (for each of the three objects independently) when you need them or discover the gap. Then in some higher release you can switch the defaults to "ON" if the requirement / opportunity is there.
    It also makes it easier to implement, transport and perform cross system comparisons of settings.
    Forcing customers to make a modification to the standard system at each installation to close a security hole is about as elegant a software logistics solution as a frontal lobotomy is to peace of mind...
    I will add this to the [Security Functionality Wishlist in the Wiki|https://wiki.sdn.sap.com/wiki/display/Security/SecurityFunctionalityWishlist-Topics] and suggest you check your systems to see whether your F_BKPF_BE* object security has a hole in the bottom of the bucket.
    For me it is self-explanatory that this should be changed, but the inventors of it wanted to know whether it is just me or possibly a whole mob out there wanting it (and possibly not knowing about it either).
    Cheers,
    Julius

  • Adding the organization level to one Role

    Hi Experts,
    I have one role in PFCG; this role contains
    some authorizations.
    This role maintains the organization level values also.
    Now I want to include one more organization level in this role,
    for example
                       company code------> *
                       purchasing group------> *
                       division------> *
    Now I want to add "Work center".
    How can I include it? Is there any option?
    Thanks in advance
    sundar.c

    Thanks for the Doc. This will be my Plan B.
    I am still researching how to directly publish to Portal. I was able to do that from Query Designer using Publish to Portal and the report shows up as an iView in a PCD folder in the Portal. The end users have only the Business Explorer role and all they can see is the Business Explorer tab of the Portal. So, I need to figure out a way to assign the iView to the end user role.
    In one of the threads,
    Prakash Darji suggested
    "The "publish into Role" from WAD saves to BI Roles which doesn't help you in web deployment, so I typically don't use this. I usually "Publish to Portal" and then will add my iView on the portal to a portal role that users are assigned to. This would make these iViews available to users on the portal. "
    I am going to assign points for your suggestion though.

  • Object level authorization for SLT Configuration schema in HANA DB

    Hi All,
    We have connected SLT with HANA DB (& ECC as source system).
    Now for certain users we wanted to restrict the access to certain tables (tables owned by the SLT schema, i.e. the schema created in HANA DB with the configuration name provided in the SLT configuration).
    With the SYSTEM user, object level authorizations for another schema are not possible, hence an error is thrown when we are trying to provide/control the access to a single table for a user.
    Is it OK that we generate a password for the SLT schema and try to log in as the schema owner? Is it the best practice or is there any other way around?
    Regards,
    Kumar

    Hi Santosh,
    You can find more info about SLT Roles and Authorization from below security guide.
    http://help.sap.com/hana/SAP_HANA_Security_Guide_Trigger_Based_Replication_SLT_en.pdf
    Regards,
    V Srinivasan

  • Field Level Authorization

    Hi Gurus,
    Can you explain to me how to proceed in relation to Field Level Authorizations in SAP HR? For instance, I want to restrict roles of individuals based on a field, for example restrict users based on the field Work Schedule in IT 0007 (Planned Working Time).
    Regards,
    Happy

        AUTHORITY-CHECK OBJECT 'S_TABU_LIN'
          ID 'ORG_CRIT' FIELD 'MOLGA'
          ID 'ACTVT' FIELD '03'
          ID 'ORG_FIELD1' FIELD '10'
          ID 'ORG_FIELD2' FIELD '*'
          ID 'ORG_FIELD3' FIELD '*'
          ID 'ORG_FIELD4' FIELD '*'
          ID 'ORG_FIELD5' FIELD '*'
          ID 'ORG_FIELD6' FIELD '*'
          ID 'ORG_FIELD7' FIELD '*'
          ID 'ORG_FIELD8' FIELD '*'.
        IF sy-subrc NE 0 .
          MESSAGE e000 WITH 'No Authorization for area' v_text.
        ENDIF.
    Use S_TABU_LIN authority object for field level authorizations.

  • Organization level

    Hi gurus
    How can I get an authorization object to appear like an organization level?
    Christian.

    Hi Pole Li
    Thanks for your help, I managed to create a program to fetch from the Organization level. Is it possible to see the description for Authorization-low and Authorization-high from any tables?
    As you wrote, we can get the description of the Org Level from USVART. Likewise, we need the same for Authorization-low and High resp.
    Regards
    Piroz

  • 0PLANT Level Authorizations

    Hi Gurus,
           I have a query regarding Object level Authorizations, i.e. I have created one query with variable Plant; now I need to roll out the single query to all plants, and each respective person should only be able to view their plant values.... So I need to set 0plant as Auth relevant; for that I use the RSSM t.code but there I am not able to see the 0plant object..... Please, for Object level authorizations, how can I proceed ...
    Regards
    Jagadeesh.M

    Hi Anil,
        I did the following steps; please go through them once and advise me.
    1. Change 0Plant to Auth Relevant in the Object.
    2. In RSSM tcode create a Z_plant and select 0plant and the infocube and query objects and save it.
    3. Then back to RSSM and check the infoprovider.
    4. Create an Auth variable in BEx.
    5. Assign that query to the user role and in that role select the Auth object and mention the plant and cube and query name.
    6. Generate the roles.
    Then execute using that user, but it is executing for all plants and I need to restrict it to a single one.
    Please treat it as urgent and tell me if any steps are missing...
    Thank you Anil...
    Regards
    Jagadeesh.m

  • Plant level authorization control for Internal Order

    Dear Sir,
    We create Internal Order using tcode KO01 and  being a multi plant scenario , we want to have an authorization control on Internal Order creation/change so that plant or profit-center level authorization rights can be given to the users .
    We request you to Kindly guide us about the steps to be followed for addressing such requirement .
    With thanks and Regards
    Sonia Agarwala

    Sonia-
    It can be done. You have two options.
    1. SAP security - where your security person can limit a user by plant, profit center etc. using authorization objects.
    2. Validations - Here you can create a validation where you define your logic. In your logic you can restrict the set of users who can access a set of fields (profit center, plant etc.). If he deviates, the system can issue error messages which are maintained in validations. Use transaction GGB0 to create validations.
    Hope this helps.
    Shail

  • SAP CRM Authorizations - restrictions on viewing BP from specific country

    Hi
    We have a requirement that says that it should only be possible to view customers that belong to the same country as the employee and it should only be possible for the employee to create activities for these customers.
    We have set filters on organizational level (Sales group, Sales office) on the role in PFCG.
    However, this only applies to sales orders, and it is now possible to only search for orders from their own country.
    Does someone know what restrictions we should set on the role in PFCG to fulfill this requirement?
    Should the organizational filters not cover this?
    BR
    Johan

    This cannot be achieved with a PFCG role. You have two options:
    - implement badi BADI_CRM_BP_UIU_AUTHORITY
    - implement ACE

  • "Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run se

    Team,
    I am trying to install Exchange in my lab and am getting the error
    message below.
    The Schema Role is installed on the Root Domain and I am trying to install
    Exchange on the Child domain.
    1 Root Domain - 1 Child domain. Both are located on a single site.
    “Setup encountered a problem while validating
    the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run setup with the /prepareAD parameter and wait for
    replication to complete.”
    Followed below articles:
    http://support.risualblogs.com/blog/2012/02/21/exchange-2010-sp2-upgrade-issue-exchange-organization-level-objects-have-not-been-created-and-setup-cannot-create-them-because-the-local-computer-is-not-in-the-same-domain-and-site-as-the-sche/
    http://www.petenetlive.com/KB/Article/0000793.htm
    Transferred the schema roles to a different server on the root domain, still no luck.
    Can someone please help me?
    regards
    Srinivasa k
    Srinivasa K

    Hi Srinivasa,
    I guess you didn't complete the initial setup (schemaprep and adprep) before starting the installation. You can do it as follows:
    1. Open Command Prompt as administrator, browse to the root of the installation CD and run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
    After finishing this,
    2. Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms
    3. To prepare all domains within the forest run Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms. If you want to prepare a specific domain run Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare> /IAcceptExchangeServerLicenseTerms
    4. Once you complete all of the 3 steps, install the prerequisites for Exchange 2013
    5. Finally, run the setup program
    Hope this will help you
    Regards from Visit ExchangeOnline |
    Visit WindowsAdmin
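
The "TEMPLATE FOR ORGANIZATION LEVEL ROLE" question and the derived-role thread above both turn on one rule of authorization evaluation: all checked fields must be satisfied by a single authorization of the object, so activities held in one role and org levels held in another do not add up. The following is an added example, not code from any poster or from SAP: a simplified Python model with constructed role names and company codes, using F_LFA1_BUK with fields ACTVT and BUKRS as the assumed object checked for vendor maintenance.

```python
# Simplified model of AUTHORITY-CHECK evaluation (added example, constructed data).
# Value ranges and profile mechanics are deliberately left out.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Authorization:
    role: str      # role that contributed this authorization (hypothetical names)
    obj: str       # authorization object
    values: dict   # field name -> tuple of maintained values; () means left blank


def field_allows(maintained, checked):
    """A field passes if any maintained value or '*' pattern matches it."""
    return any(fnmatchcase(checked, pattern) for pattern in maintained)


def authority_check(user_auths, obj, **checked):
    """Mimic sy-subrc: 0 = authorized, 4 = values do not match, 12 = no
    authorization for the object at all."""
    candidates = [a for a in user_auths if a.obj == obj]
    if not candidates:
        return 12
    for auth in candidates:
        # Every checked field must be satisfied by this one authorization.
        if all(field_allows(auth.values.get(f, ()), v) for f, v in checked.items()):
            return 0
    return 4


def explain(user_auths, obj, **checked):
    """Per authorization, list the checked fields it fails to cover."""
    return {
        a.role: [f for f, v in checked.items()
                 if not field_allows(a.values.get(f, ()), v)]
        for a in user_auths if a.obj == obj
    }


# Design from the thread: activities in one role, org level in another.
SPLIT_ROLES = [
    Authorization("Z_VENDOR_ACTVT", "F_LFA1_BUK", {"ACTVT": ("01", "02"), "BUKRS": ()}),
    Authorization("Z_VENDOR_ORG", "F_LFA1_BUK", {"ACTVT": (), "BUKRS": ("1000",)}),
]
# Derived-role style: one authorization carrying both activity and org level.
DERIVED_ROLE = [
    Authorization("Z_VENDOR_1000", "F_LFA1_BUK", {"ACTVT": ("01", "02"), "BUKRS": ("1000",)}),
]

if __name__ == "__main__":
    print(authority_check(SPLIT_ROLES, "F_LFA1_BUK", ACTVT="01", BUKRS="1000"))
    print(explain(SPLIT_ROLES, "F_LFA1_BUK", ACTVT="01", BUKRS="1000"))
    print(authority_check(DERIVED_ROLE, "F_LFA1_BUK", ACTVT="01", BUKRS="1000"))
    print(authority_check(DERIVED_ROLE, "F_LFA1_BUK", ACTVT="01", BUKRS="2000"))
```

The split design fails because each authorization is missing the field the other one holds, which is why the org-level restriction is normally carried by derived roles rather than by a separate "org level only" role.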
