Pfcg Authorization for ois2

Similar Messages

• PFCG authorization sync job has been running for over a day?

  We have installed GRC10 with NWBC and are attempting to run the initial PFCG authorization synchrozniation using transaction GRAC_AUTH_SYNC.  It was set to run first followed by the Repository object sync for users, profiles and roles however the initial PFCG authorization synchrozniation is still running over a day later. 
  There has been no error yet but wanted to check with everyone how long it should take, if there are any known errors and if the process followed in the SAP GUIDE below is correct.
  Synchronize PFCG Authorization Data
  1. Execute transaction GRAC_AUTH_SYNC.
  2. Select a variant (optional) and click Execute.
  3. Enter the system connector ID to execute the User Master Data synchronization.
  4. Enter the connector language.
  Thanks

  You can check the background process running in SM50 transaction.
  Time for running this job depends upon the selected varian/systems and data (SAP Auths/Fields) present in the backend system
  Regards
  Rajan Arora

• Authorization for material type and material views

  Hello all,
  I would need to restrict a user group, in creation (MM01) and modification of material master, based of type material and material views.
  The authorization, for each user should be:
  - view, modify and create of all views, except accounting (B) for type material ZFER;
  - view, modify and create of all views for type material ZOFF.
  I tried to create 2 roles in PFCG with the following authorization objects:
  1) M_MATE_MAR (Material Master: Material Types)  ACTVT = *, BEGRU = ZFER and M_MATE_STA (Maintenance Statuses) ACTVT = *, STATM = A,C, D, E, F, G,K, L, P, Q, S, V, X, Z (excluding B)
  2) ) M_MATE_MAR  ACTVT = *, BEGRU = ZFER and M_MATE_STA ACTVT = *, STATM = B
  but the effect is to be authorized, to all view for material type ZFER and ZOFF.
  I have already updated the authorization group of the type materials (OMS2).
  Is there a solution for this problem?
  (component version SAP ECC 6.0)
  Thanks.
  Regards,
  Luca

  I tried to create 2 roles in PFCG with the following authorization objects: 1) M_MATE_MAR (Material Master: Material Types) ACTVT = *, BEGRU = ZFER and M_MATE_STA (Maintenance Statuses) ACTVT = *, STATM = A,C, D, E, F, G,K, L, P, Q, S, V, X, Z (excluding B) 2) ) M_MATE_MAR ACTVT = *, BEGRU = ZFER and M_MATE_STA ACTVT = *, STATM = B
  - Are both these roles assigned to the same user? then your purpose is not solved, It is more or less like giving full authorization.
  - One role should be
  M_MATE_MAR (Material Master: Material Types) ACTVT = *, BEGRU = ZFER and M_MATE_STA (Maintenance Statuses) ACTVT = *, STATM = A,C, D, E, F, G,K, L, P, Q, S, V, X, Z (excluding B) for view, modify and create of all views, except accounting (B) for type material ZFER. This should be assigned to one user
  - Second role should be
  M_MATE_MAR ACTVT = *, BEGRU = ZOFF and M_MATE_STA ACTVT = *, STATM = * for view, modify and create of all views for type material ZOFF. This role should be assigned to the second user.
  Regards,
  Subbu

• Authorizations for Hierarchies in BW-BEx

  Hello, Experts!
  I am having some problems in order to give specific access for specific nodes on the hierarchy on the profiles creation. For example, we need to give permission to the profile "Profile_one" (that can be viewed on the PFCG transaction) to access only the node "Node_one" of our hierarchy ("E_ERP01" - object 0city_code) and we need to give this authorization to a range of users.
  We have studied some options like the one suggested on RSSM transaction and we have already tried creating an authorization object named "ZHIER". But the problem found on this transaction is that we have to create a profile authorization for EACH user that is mentioned on the range of authorization and then we need to link it on the transaction PFCG. But the users assigned on PFCG transaction don't receive all the same profile authorization (ZHIER), only the one that was mentioned on RSSM transaction.
  Could you please help us to find a way to assign specific nodes of a hierarchy to a specific range of users? We have already searched and studied some notes without success.
  Many thanks for your help.
  Best regards,
  Isabela.

  If the account type keep changing every month , you must have to maintain that field out side the cube though.
  I guess you can use the hierarchies (or) add the flag as an attribute to the GL account master data,then you can filter on this field in reports.
  But hierarchies gives more visibility on data/navigation.
  Hope this helps.
  cheers
  Martin

• Restrict authorizations for payment item transaction

  Hi All,
  This is regarding authorizations for a banking system.
  The requirement is the users need to be restricted for the following transaction based on the Bank Posting Area or the contract managing unit.
  BCA_PAYMITEM_CREATE
  When the user goes to create payment item the user should be allowed to enter an account which has been created with the contract managing Unit ZSUM007 or Bank Posting area ZSUM. The user should not be allowed to go in for any other values of contract managing unit and Bank Posting Area
  BCA_PAYMITEM_MAINTN
  The user should be allowed to enter an account which has been created with the contract managing Unit ZSUM007 or Bank Posting area ZSUM .The user should not be allowed to go in for any other values of contract managing unit and Bank Posting Area.
  I checked the transactions in SU24 and found only authorization object S_TCODE associated with the transcations BCA_PAYMITEM_CREATE and BCA_PAYMITEM_MAINTN.
  Can someone please suggest a way to acheive this.
  Regards,
  Thamarai.

  Hi Shiva,
  I tried assigning the org unit using PFCG ORGFIELD CREATE.
  Now the org unit in pfcg shows Org. level Contract-Managing Organizational Unit (Encrypted) but there is no coresponding field in the authorization objects in the role.
  Can you please help since the project is very critical.
  Regards,
  Thamarai.

• Data model 0G: No authorization for entity type Account (Company Code) - activity Display

  Hello Expert,
  I have a problem with authorization in MDG-F.
  I want to create Account with Collective processing. After, entered Entity type, Edition and Chart of account,  Blocking message "Data model 0G: No authorization for entity type Account (Company Code) - activity Display" is displayed.
  But, i checked in PFCG transaction, for this user profil, activity are : create or generate, Change and display. So, for me , it is correct.
  Please, check screen shot below :
  Blocking message :
  and in PFCG transaction
  Could you help me to solve this point?
  Kind regards,
  Heri RAOELISON

  Hi Heri,
  the system behavior is correct. The account in company code consists of three entity types:
  1) COA - Chart of Accounts (Type 3)
  2) ACCOUNT - Account (A-Segment, related to ECC table SKA1, Type 1)
  3) ACCCCDET - Account in Company Code (B-Segment, releated to ECC table SKB1, Type 1).
  3) includes 1) and 2) whereas 2) includes 1). If you grant authorization only for 3) but not for 1) and 2), you cannot do anything.
  Best regards
  Michael

• Customizing Authorization for Controlling

  Hello, Experts,
    I need to create a role with authorization for SPRO but only for the Controling branch.
  How do I do it ?
  Thank you !
  Rami Kleiman - HP

  Hi,
  DSK-  How do create configuration project ?
  Anil - Can you be more specific ? PFCG is transaction for creating roles.
  When I add SPRO to the role, it DOES NOT add all the authorization for
  the SPRO options.
  Thank you,
  Rami

• To restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.

  Hi,
  We have  a requirement where we need to restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.
  Presently we can restrict authorization at Purchasing organization level but not at Plant level.
  Any pointer please!
  Regards,
  Chetan

  First of all, this is not the right forum to post such a question.  Coming to the requirement, this can be achieved by creating a role in PFCG where you can restrict plant and assign this role to each user id.  Your basis team can do this.
  thanks
  G. Lakshmipathi

• Auth Group for Accounting Doc and Account authorization for  Vendors

  Hi guys,
  I have question regarding Accounting Doc for Vendor and G/l Account.  I have a security client whree I build my business roles for end user but we we configuration client where all the functional focus wokring and doing configuration.  My questiion when I start creating business roles  and start going  into these authorization objects and filling up the field values (F_BKPF_BEK, F_BKPF_BES,  F_BKPF_BLA).
  I won't  see auth group that will be c reated by functional  cocus because they are working on configuration Client and they probably create auth group for above authorization objects in Config lcient and I'm building Roles in my security client. 
  If it is true what would be the best way to create business role.  I'm in realization face of the project  Should I build my roles in Config client?   Please advise.
  Thanks in advance
  Faisal

  What is the benefit of a "security client" in DEV? I don't get it...
  You anyway need to protect the namespace... and the authorizations for role development (SU24) and admin (PFCG).
  Anyway, you have closed your question so we can only lick our wounds now
  Cheers and good luck on your project (let is know how it goes if you stick around for long enough to experience a release upgrade...
  Julius

• User x has no RFC authorization for function group SYST.

  When call .NET BAPI functions. A exception was raised with above message.
  Where and how to assign such authorization for a user?
  Thanks.

  Hi,
  you have to use authorization object S_RFC, with these least parameters:
  RFC_TYPE = FUGR
  RFC_NAME = SYST
  ACTVT = 16
  You have to create authorization to this authorization object and assign it to an authorization profile, either existing or new one.
  Another option is to use transaction PFCG and create a role with this authorization.
  Dawood.

• BPS You have no authorization for the requested data

  We are implementing Hierarchy node based security for our BPS.
  When the user tries to display the planning layout, they get the error message "You have no authorization for the requested data "
  I have given authorization to the relavant Infocubes, also checked the all the Authorization Relavant Info Objects and added theses Info Object to the custom authorization created in RSECADMIN.
  Also added the info objects 0TCAACTVT, 0TCAIPROV, 0TCAVALID to the custom authorization.
  In pfcg, this authorization has been added to S_RS_AUTH. I have also given activity 02, 03, 16 values and a * to planning areas, functions, packages, groups, levels, folders, ... to the objects R_AREA
  R_BUNDLE
  R_METHOD
  R_PACKAGE
  R_PARAM
  R_PLEVEL
  R_PM_NAME
  R_PROFILE
  But still we get the same error.
  Has anyone encountered this problem? Can you please provide me some clues to resolve this issue

  Thank you very much Grevaz, but that template does not help.
  I did run both ST01 trace and BI RSECADMIN trace.  RSECADMIN Trace shows the below authorization failure
  Subselection (Technical SUBNR) 1  
  Supplementation of Selection for Aggregated Characteristics
    No Check for Aggregation Authorization Required  
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Quantity 
  Characteristic  Contents 
  0FUNDS_CTR
  0TCAACTVT
  SQL Format:
  FUNDS_CTR BETWEEN '4012001000'
  AND '4012001999'
  AND TCAACTVT = '03'
  Characteristic  Contents 
  0FUNDS_CTR  Node 1 I EQ #
  I EQ :
  0TCAACTVT  I EQ 02
  I EQ 03
  Partially Authorized (Average)   Characteristic  Contents 
  0FUNDS_CTR
  0TCAACTVT
  SQL Format:
  FUNDS_CTR > '4012001000'
  AND FUNDS_CTR <= '4012001999'
  AND NOT FUNDS_CTR IN ('4012001001','4012001002','4012001003','4012001004','4012001005','4012001006','4012001007','4012001008','4012001009','4012001010')
  AND TCAACTVT = '03'
  Value selection partially authorized. Check of remainder at end
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Quantity 
  Characteristic  Contents 
  0FUNDS_CTR
  0TCAACTVT
  SQL Format:
  FUNDS_CTR > '4012001000'
  AND FUNDS_CTR <= '4012001999'
  AND NOT FUNDS_CTR IN ('4012001001','4012001002','4012001003','4012001004','4012001005','4012001006','4012001007','4012001008','4012001009','4012001010')
  AND TCAACTVT = '03'
  Characteristic  Contents 
  0FUNDS_CTR  Node 1 I EQ #
  I EQ :
  0TCAACTVT  I EQ 02
  I EQ 03
  Not Authorized   
  All Authorizations Tested
    Message EYE007: You do not have sufficient authorization  
    No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
  206 ( 0FUNDS_CTR )
    Authorization Check Complete  
  We have created custom authorization and trying to restrict based on hierarchy node.
  One point I observed is, when I give access to all nodes with a wildcard * in the custom authorization, then the error disappears and the layout is visble. But our point here is to try to restrict based on the nodes and we cannot give display access to all nodes.

• No authorization for printer "LOCL"

  Hi ,
  I have Support role for my USER.
  Iam trying to schedule a process chain in Background. so it will ask for  "OutPut Device name" . i given LOCL
  Then its given a message : No authorization for printer "LOCL" .
  then i run the SU53 TCODE to see the log details :
  Authorization check failed
  Auth. Obj.S_SPO_DEV Spool: Device authorizations
  Object Class BC_A Basis: Administration
  can anybody tell me why this has happened.
  Thanks,
  Agni

  Hi ,
  From SU01 find out user profile attached to the user .
  Goto PFCG -> Put user profile there -> Change authorization data -> Include object manually -> Put S_SPO_DEV and put enter->Here specify printer user can access . Save profile .
  Hope that helps.
  Regards
  Mr Kapadia

• No authorization for printer "LP01"

  Hi All,
  i wish to archive the data in BW.
  for that i had created archive object also.
  now when i schedule the write job it is giving me the error as following
  No authorization for printer "LP01".
  i had checked the user authorizations and i had assigned SAP_ALL & SAP_NEW authoriztaion profiles as well.
  even i changed out put device to bt by creating new out put device using spad tcode.
  what could be the problem?
  Ravi

  hello Ravi,
  >Go to PFCG. Create a test role named test. Then go to Authorizations tab. Choose expert mode for profile generation.
  A pop up would come up asking you to choose a template. Close it. Do CTRLSHIFTF9 or in the application tool bar choose the option manually.
  In the resulting pop up give s_spo_dev as input and press enter.
  Now expand the yellow node and give the value as LP01.
  Generate the role profile and come out of the role. Assign this role to your user id and then after log out and relogin try agai n.
  Hope it helps.
  Please award points for useful info.
  Regards.
  Ruchit.

• ECC6: Authorizations for GOS

  In ECC6, I should give two different levels authorization into generic object services Toolbox.
  I have two type of users:
  1. Administrator
  2. Accountant
  The Administrator should be able to create, edit, display and delete notes.
  The Accountant should be able just to create and display notes.
  Administrator users were given the S_OC_ROLE athorization object .
  Accountant users were given the S_GOS_ATT authorization object, though this doesnu2019t work since the accountant users are still able to edit and delete notes.
  My question is: how can I remove the edit and delete authorizations for accountant users?
  Thanks,
  Kind Regards

  A concrete scenario I have to deal with:
  The scope for all business partners and transactions should be limited to central Europe.
  The relevant field for this authorization is the id (number range) respectively the business partner grouping.
  - I would use ACE rules to filter the relevant business partners by their ID or grouping and relevant transactions by their account-assignment
  - I would set up ACE rights to limit access for the actions read, write and delete
  - to handle the create authorization, I have to define a PFCG role and limit access to certain CRM components
  The user should be allowed to read Corporate Accounts,
  to read, edit, create Contacts,
  is not allowed to deal with Opportunities,
  is allowed to create, read all activities and to read, edit, delete own activities (if he is the creator),
  is not allowed to deal with any report or pipeline performance.
  - ACE role/right to read Corporate Accounts
  - PFCG role to restrict create access for the BP_HEAD component
  - (ACE role/right to limit search results for opportunities)
  - PFCG role to restrict create, search, overview access for the BT111M component
  - Business role without Work Centers or Logical Links to opportunities
  - ACE role to limit access to read activities
  - ACE role to limit access to read, edit, delete activities which the user has created
  - PFCG role to restrict access to all pipeline performance components
  - remove PFCG roles for report access (e.g. SAP_CRM_OR_USER)

• Authorization for super user

  I want to create a super user on the production server who can create and save the queries only (no other authorization). He can save queries only under $TMP.
  For that I have already created role for super user in the transaction PFCG and in business content S_RS_COMP and S_RS_COMP1 I have given all authorization.
  Now User is able to create the query, but when He is going to save it the Error message is coming- 'No authorization for create and change'.
  Please suggest what I am missing.
  Regards,
  Dheeraj

  Hi Dheeraj,
  Have you given auth as per http://help.sap.com/saphelp_nw04/helpdata/en/41/05453caff4f703e10000000a114084/content.htm : Analyst3?