P_ORIGIN authorization object.

Hi
We are encountering one problem in production.We  have one role giving Authorization to PA51 and PA61 tcodes it is working fine and the user assigned to that role is able to execute those tcodes with the help of that role upto last month. Now  he is not able to execute PA61 and even PA51 also . There is no changes transported to production for that role.
User is trying to create IT2005 records
SU53 screen is telling for P_ ORIGIN object
AUTHC = u2018Eu2019
INFTY = 2005
PERSA = <Dummy>
PERSG = <Dummy>
PERSK = <Dummy>
SUBTY = u2018u2019
VDSK1 = <Dummy>
Current authorization he is having for P_ORIGIN
AUTHC = M, R,W
INFTY = 2005
PERSA = JTCW
PERSG = *
PERSK = *
SUBTY = *
VDSK1 = ESS.
I am not even able to simulate in QA or in DEV the same error. In QA and DEV the role if working fine when assigned to some test ID. According to AUTHC he is having authorization for writing the record, but why system is looking for E.
I did usercomapre again, reset user buffer through SU53, still he is not able to execute.
Any idea on what to do? Any suggestions

Hi Bernhard,
Thanks for the input and sorry for not responding fast. Even I dont have access to production system as I am HR consultant. I will  work according to your sugegstion with our Basis.
Just want to be clear, The role is working fine even last month also and user is able to enter overtime records of his staff . But this month When he tried to key in overtime records, system didnt allow him to do so.Even the header information of the staff when execute the PA61 tcode is missing. But when he keyed in his employee number he is able to see all the header information. But when trying to view his staff he is not able to see header information this month only. But Personnel number check authorization object is not included in the role. Any suggestions?
Thanks
Sasi.

Similar Messages

  • Custom authorization object and check logic

    Hi gurus,
    we need to apply additional authorization check in our custom reports.
    so i created a custom fields & object, and put the statement
          AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
                   ID 'ZROLEID' FIELD '03'
                   ID 'ZSOBID'  FIELD zzdwbm.
    in a abap class method centrally, so it could be called by many reports.
    but the test show that the sy-subrc always set to 0, even for users without any authorization.
    what i missed for adding custom auth check?
    for this case, do i need to maintain authorization check indicator in SU24?
    what i am confused is that , su24, you have to maintain a transaction , but our authorization check is not for transaction , but for reports and bsp application, how should i maintain su24 for that?
    thanks and best regards.
    Jun

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've ran the report RPUACG00 also which is mentioned in this thread.
    We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
    but still it is taking the P_ORGIN object.

  • Custom Authorization Object for HR

    Hi,
    As per our Company's internal needs I have created a Custom Authorization Object for HR named ZP_ORGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction & do a trace on it, the object ZP_ORGIN is never checked (for a user having this object in his/her User Master). Only P_ORGIN object is checked instead.
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell  which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked.
    Your help will be appreciated.
    Thanks,
    Mandeep Virk

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've ran the report RPUACG00 also which is mentioned in this thread.
    We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
    but still it is taking the P_ORGIN object.

  • HR Authorization : Custom Authorization Object  for P_ORGIN

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've ran the report RPUACG00 also which is mentioned in this thread.
    We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
    but still it is taking the P_ORGIN object

    Online Help
    <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm">P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context)</a>

  • Authorization Objects in HR

    Hi,
    I have an interface which modifies the HRP1000 Objects & other HRP Infotypes.
    I need to check the Authorizations for this.
    Like S_TABULIN, P_PERNR, P_ORIGIN for PERNR, do we have any authorization object for these HRP data?
    Please suggest.
    Thanks,
    Suryakiran

    the sample code for PLOG check
    MAIN PROCESSING
      CLEAR: subrc,
             infty,
             otype.
      DESCRIBE TABLE i_plog LINES v_lines.
      IF v_lines IS INITIAL.
        EXIT.
      ENDIF.
      SORT i_plog.
      DELETE ADJACENT DUPLICATES FROM i_plog COMPARING ALL FIELDS.
      LOOP AT i_plog.
        IF i_plog-plvar IS INITIAL.
          i_plog-plvar = c_01.
        ENDIF.
        IF i_plog-istat IS INITIAL.
          i_plog-istat = c_1.
        ENDIF.
        IF i_plog-ppfcode IS INITIAL.
          i_plog-ppfcode = c_disp.
        ENDIF.
        IF NOT i_plog-subty is INITIAL.
    *-- Check Authority using subtypes along with infotypes
          AUTHORITY-CHECK OBJECT 'PLOG'
             ID 'PLVAR'   FIELD i_plog-plvar
             ID 'OTYPE'   FIELD i_plog-otype
             ID 'INFOTYP' FIELD i_plog-infotyp
             ID 'SUBTYP'  FIELD i_plog-subty
             ID 'ISTAT'   FIELD i_plog-istat
             ID 'PPFCODE' FIELD i_plog-ppfcode.
            MOVE sy-subrc to subrc.
            IF subrc <> 0.
              infty = i_plog-infotyp.
              otype = i_plog-otype.
              EXIT.
            ENDIF.
        ELSE.
          AUTHORITY-CHECK OBJECT 'PLOG'
             ID 'PLVAR'   FIELD i_plog-plvar
             ID 'OTYPE'   FIELD i_plog-otype
             ID 'INFOTYP' FIELD i_plog-infotyp
             ID 'SUBTYP'  DUMMY
             ID 'ISTAT'   FIELD i_plog-istat
             ID 'PPFCODE' FIELD i_plog-ppfcode.
            MOVE sy-subrc to subrc.
            IF subrc <> 0.
              infty = i_plog-infotyp.
              otype = i_plog-otype.
              EXIT.
            ENDIF.
        ENDIF.
      ENDLOOP.

  • How to assign authorization objects to a cube

    Hello,
    My cube includes 0profit_ctr which is marked as authorization relevant. Still in RSSM my cube is not included in the list of infocubes for an authorization object (zprofit) linked to 0profit_ctr. I'm therefore not able to enable that authorization object for my cube. I have a few ODSs which are included in the list. Why is my cube missing? Is there something I must do to include it, or is it a bug?
    When checking the infocube for authorization objects in RSSM this list is empty as well. I don't see any option to add authorization objects in that list.
    I have read the following document:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b849e690-0201-0010-9b88-c00cca40736f
    I'm using BW 3.5.
    Regards,
    Christoffer

    Hi Christoffer,
    In RSSM  you will find a button  "Update Check Status ( Authorization Objects, Info providers) ". After this update you should find your cube in the list.
    Jaya

  • How to get all authorization objects for a certain authorization profile

    Hi ABAP experts,
    I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
    So:
    - where are these values stored (dictionary table)?
    - is there already a FM or a report to read all authoriation values for a certain authorization profile?
    Thanks in advance.
    Best regards,
    Oliver

    Hi,
    check the following it might useful for you:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
    if helpful reward points are appreciated

  • Mass update to FILENAME field in S_DATASET authorization object

    We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value.  I'd like to do this programmatically if possible.
    What I've learned so far is that I need to update the value in table USR12, but the value is encoded.  When I look at the table in SE16, I do not see the encoded value field.  The value does show in UST12, but I'm told this is an unreliable table.
    So I'd like to know..
    1. How can I look at the value if not in SE16?
    2. Is there an API I can use to encode/decode the value?  If not, where is the specification on how to build it?
    If this is better addressed in a different forum, which one should I try next?
    Thanks,
    Dan

    Hi there,
    Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
    But the behaviour as you have described:
    >
    > Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
    > =============================================================
    > *                                 X         X            DUMY
    > /temp/FI/..                       X         X            DUMY
    > /temp/FI               X                                 FIFI
    >
    ... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
    > Caution:
    > - If you enter paths generically in the table SPTH, the most precise specification counts.
    > - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
    So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
    So, the only check which is effective to protect the path, is:
    Path                   Saveflag  Fs_noread Fs_nowrite Fs_Brgru
    =============================================================
    /temp/FI               X                                           FIFI
    ... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
    Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
    form CHECK_PERMISSION using ISPTH_HEAD type SPTH
                                MODE       type CLIKE
                                SUBRC      type SY-SUBRC.
    data: ACTIVITY like AUTHB-ACTVT.
       SUBRC = 0.
       case MODE.
         when 'R'.
              ACTIVITY = '03'.
         when 'W'.
              ACTIVITY = '02'.
         when 'D'.
              ACTIVITY = '02'.
       endcase.
       if ISPTH_HEAD-FS_BRGRU <> SPACE.  "Here it is... for BEGRU checks there must be a value...
          authority-check object 'S_PATH'
              id  'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
              id  'ACTVT'    field ACTIVITY.
           if SY-SUBRC <> 0.
              SUBRC = 3.
           endif.
       endif.
    endform.
    Cheers,
    Julius

  • Authorization Object is not working when report is modified.

    Hi BW Guru's
    We have Company Code as Authorization Object .and we have 3 company Codes (xxxx,yyyy,zzzz).where the users under Company code xxxx are not supposed to view company code yyyy,zzzz data etc.
    I modified an existing Report and transported to production.But the Authorization Object is not working for that report.The Report is defaultly displaying all the company codes data(xxxx,yyyy) for all the users.But for the other reports its(company code ) is working fine.
    What could be the problem?Is theproblem in transporting the objects.But i transported all the objects inluding auhorization object.
    Please send me the solution as it is very much urgent.
    The solution will be def. awarded with full points.
    Regards
    Sanjay

    hi Sanjay,
    please don't post the same question again, check and response back from your previous thread
    Re: Authorization Object is not working when report is Modified.
    hope this helps.
    would be nice if you reward for helpful answers to all of your previous postings, e.g
    docs related to RRI

  • Report to check authorization object used in customized programs

    Hi Guys,
    An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
    Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

    Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
    To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
    Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
    Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
    Code review is an art form!
    Cheers,
    Julius

  • Issue on authorization object

    hi all,
      in me52n transaction, in account assignment tab there is field called costcenter. its  field name is kostl and strucutre is cobl. now i have requirement to create an authorization object on this costcenter. that is for example , if i try to make any changes in the cost center field it should allow me to do it. but if some others are using it should not allow them to make any changes. plz let me know the solution how to do step by step. points will be awarded . this is urgent requirement. plz reply fast.
    thanking u in advance,
    a.srinivas

    Hi deniz,
    Use this to set up the autherisation object
          AUTHORITY-CHECK OBJECT '<objectname>'
                          ID 'ID FIELD SY-UNAME.
          IF SY-SUBRC NE 0.
            MESSAGE S999 WITH 'You are not Authorised to change entries'.
            EXIT.
          ENDIF.
    Inform the Basis team to assign the role only to ur id...so that no other person wil u autherized
    Award points if useful
    Regards
    Gowri

  • Analysis Authorization Object not working

    Hi Gurus,
    I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
    For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
    I have followed the below steps but still the report shows all data instead of restricted one.
    1)RSECADMIN -> Maintenance ->zz_div ->Create
    2) Add 0DIVISION in Auth structure , and in details 
    I     EQ     32
    I     EQ     33
    3) Add 0TCAIPROV with I     EQ     0SD_C03
    4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID,  this having details as
    I     CP     *
    5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
    6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
    Following are the authorization object in that user's Role (Reporting Only)
    S_RFC 
    S_TCODE
    S_GUI
    S_BDS_D  
    S_BDS_DS 
    S_OC_SEND
    S_RS_AUTH - only having zz_div
    S_RS_COMP
    S_RS_COMP1
    S_RS_ICUBE
    S_RS_RSTT
    S_RS_TOOLS
    S_RS_PARAM
    I have surfed lots of thread for this issue but not getting a solution
    Tell me what i m missing in above or any additional setting need before creating analysis authorization
    Edited by: Sonal Patel on Apr 18, 2009 8:10 AM

    Hi
    Thanks a Ton for ur reply
    I have checked in SPRO : Analysis Authorization
    where the authorization mode is " OLD obsolete Concept With RSR  Authorization Objects "
    We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
    Thanks
    Sonal....

  • Authorization object for running a report in background

    Good day experts,
    I tried running a report in background, I choose immediately so that it doesn't have to be scheduled. But when I checked it in my own jobs, It remains at scheduled status. When I tried it on my admin account, It works and with status finished. It seems to be an authorization problem. What object could I be missing with my user account? I tried S_TCODE SMX and SP02 but still not working.
    Thanks in advance!

    Hi karshbax,
    What you're looking for is authorization object S_BTCH_JOB. You need authorization for field JOBACTION = RELE.
    In future use transaction SU53. It shows last error authorization error, so if this is authorization problem then after try of manual releasing of job you'll find in SU53 precise info what went wrong.
    Best Regards
    Marcin Cholewczuk

  • MRS - authorization objects (Multi Resource Scheduling)

    Hello,
    We are implementing MRS for a customer who does not have proper structural authorizations in place, and they would like to avoid using evaluation paths for the authorization check.
    Is there a way to use cost centers to limit user access in MRS? We tried to use cost centers in auth. object MRSS/PB1, but it does not work.
    Is it possible to modify the default MRS auth. objects and add some extra auth. fields? Would that auth. check work in planning board?
    Is there any other way to limit user access in MRS planning board rather than using evaluation paths?
    Thank you
    Simon

    Hi Simon,
    I have checked the authorization objects related to MRSS in SU24 where I can see based on the T code. Did you find a way how to get relevant for SAP MRS only like the Resource Planner  etc authorizations he need if you have found something like that please share.
    Thank you

  • How to restrict provide to a single account(by authorization object)

    Hello, i have two types of accounts.
    Account range 1: 10000000 -19999999
    Account range 2: 20000000 - 29999999
    For range 1 i have assigned authorization group AUT1.
    For range 2 i have assigned authorization group AUT2 (by transaction OB_GLACC12).
    So the general idea is some users will have access only to group 1 , etc. i have used autorization object F_BKPF_BES in  the role btw.
    I have created 4 roles:
    1) RANGE1_ALL (means user can create / modify delete GL from range 1)
    2) RANGE1_DISP(means user can only disp  GL from range 1)
    3) RANGE2_ALL(means user can create / modify delete GL from range 2)
    4) RANGE2_DISP(means user can only disp  GL from range 1)
    If i give RANGE1_ALL + RANGE2_DISP to the user, he can create/modify/delete for range1 and only display GLS from range2.
    Now the problem is if i want user to create/modify/delete for range1 but only display a specific account from range 2 ; say GL 29999000.
    Which authorization object can i use to specify the range 2 GL account directly?thx.

    Hi,
    The only option for you is to have a different authorisation object for that GL alone and assign it to the user. You dont assign RANGE2-DISPLAY object to that user.
    From FS00, you have to change the Auth group of that specific GL.
    Regards,
    Mike

Maybe you are looking for

  • Upload data from excel file -URGENT

    Hi All, Advanced thanks to ur reply How to upload data from excel sheet to itab what are the functional modules we are using for that Please help me i look forward to ur reply Regards Raja Sekhar.T

  • Trying to make the switch from PC to Mac

    Hi, I just graduated from high school and I'm off to college so I've been doing some research on what kind of laptop to get. I'm heavily leaning towards the Mac but I'm looking for that extra nudge that makes me a believer after a life on PC. I tend

  • New Functionality in ECC 6.0

    Hi All, Can any one guide me about the new functionality of "Work Center for Purchasing Documents" in ECC 6.0? Regards Edited by: sapsarang on Jan 12, 2011 7:15 AM

  • Groupwise 2012 Remote Web Access Calendar

    I think we have run into a bug that we are not sure how to fix, hopefully someone out there has an answer. We are experiencing that when you have recurring appointments in the calendar, remote web access calendar will not display any appointments. If

  • SMARTFORM - Coloring boxes

    Hi All, I have a requirement where I need to display the boxes in a different color on a smartform. The outline of the box has to a different color. Is there any way we can do this? If so please give me the steps to do so. I know that the color of th