PFCG authorization objects vs SU53 checks

Hi all,
I thought I had understood authorization checks for a long time. But no.
So here's my question.
When I add a transaction in the PFCG menu, PFCG gets the authorization objects to maintain automatically (from SU24 checks). OK.
When testing the role in ECC: error. SU53 says that authorization objects are missing. How do the tests work regarding SU53 and PFCG?
i.e. tcode_de = MDBT in PFCG, PFCG gets M_MTDI_ORG object to maintain => OK
When testing my role, SU53 says that other objects are missing, i.e. S_ADMI_FCD. I don't understand because this object is checked with 'NO' in ECC.
Thx.
Laurent

Hi
> When testing the role in ECC: error. SU53 says that authorization objects are missing. How do the tests work regarding SU53 and PFCG?
The auth checks performed are dependent on lots of things: system config, functional config, master data setup, use of the transaction.
The config in SU24 can't cater for all of those options so SAP gives us the ability to make them more accurate for our particular situations.
> i.e. tcode_de = MDBT in PFCG, PFCG gets M_MTDI_ORG object to maintain => OK
>
> When testing my role, SU53 says that other objects are missing, i.e. S_ADMI_FCD. I don't understand because this object is checked with 'NO' in ECC.
You can't deactivate a check on an S_ or P_ auth object. These auths are fundamental methods of protecting the SAP application (S_) and personal data (P_).
As David says, the SU53 only shows the last auth failure and there is often lots of spurious stuff reported that isn't required to allow the transaction to process. In this respect ST01 is more useful as it (usually) shows you all the auth checks being evaluated so you can more easily focus on the important ones.

Similar Messages

  • BW 3.5 which authorization objects available rssm (checks for infoprovider)

    Hi all,
    How does SAP generate the list of authorization objects in RSSM when you enter a specific infoprovider (checks for infoprovider)? Are only the authorization objects related to this infoprovider listed?
    Is there any documentation about the purpose in RSSM of the button 'update check status' (Authorization objects, infoprovider)?
    thanks for your help.

    Based on which criteria?
    Is there somewhere detailed documentation available about the RSSM part in BW authorizations? It seems hard to find any...
    Thanks,

  • PFCG: Authorization object S_TCODE with *

    Hello SAP fans
    When creating a new role via PFCG and assigning "all transactions" to S_TCODE ("*"), will the role automatically create a "SAP ALL" authorization?
    Thanks for any hint
    Regards
    BEO

    Hi,
    No, SAP_ALL authorization will not be automatically created; however, this role will be almost equivalent to that, as the user can himself add SAP_ALL authorization to his profile using transaction SU01. So it's better to assign all transactions but for DISPLAY only ;).
    Navesh

  • Custom authorization object and check logic

    Hi gurus,
    We need to apply an additional authorization check in our custom reports.
    So I created custom fields & an object, and put the statement
          AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
                   ID 'ZROLEID' FIELD '03'
                   ID 'ZSOBID'  FIELD zzdwbm.
    in an ABAP class method centrally, so it could be called by many reports.
    But the test shows that sy-subrc is always set to 0, even for users without any authorization.
    What did I miss when adding the custom auth check?
    For this case, do I need to maintain the authorization check indicator in SU24?
    What I am confused about is that in SU24 you have to maintain a transaction, but our authorization check is not for a transaction but for reports and a BSP application. How should I maintain SU24 for that?
    thanks and best regards.
    Jun

  • How to check and maintain authorization objects

    Hi All
    Let me know how to check and maintain authorization objects in SU24 ECC 6.0.
    Thanks
    sathies

    Hi Sathies,
    the old check flags
    U (Unmaintained): No indicator set. The check for corresponding authorization object is always executed. Field values are not displayed in the Profile Generator.
    N (No check): Check disabled. Field values are not displayed in the Profile Generator. This indicator cannot be set for HR and Basis authorization objects.
    C (Check): Check always executed. Field values are not displayed in the Profile Generator. For example: Printer authorizations.
    CM (Check/maintain): Check always executed. Field values are displayed for changing in the Profile Generator (yellow light).
    have now been divided into
    Check indicator: Check/No check
    and
    Proposal: Yes/No.
    If defaults=yes, then you can modify them after clicking on the appropriate button.
    Please refer to the online help for SU24 too.
    Although the look of su24 has been changed significantly, the technique behind it is still the same.
    Once you have pressed the 'edit'-button on the top left corner, additional editing options will appear in the right-top-frame.
    b.rgds,
    Bernhard

  • How to add custom authorization object to a SAP standard transaction

    Hi All,
    I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
    Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
    - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
    - tcode SU21 - creation of a new auth object in transaction SU21 with name ZPM and fields (TPLNR, ACTVT and TCOD)
    - tcode SU24 - insert of new authorization field and check indicator (green)
    - tcode SU22 - check indicator - check (green)
    After this we created a new role with PFCG and added transaction IW22; the new auth. ZPM was added manually.
    We have tried to analyze the log (ST01 trace) but it seems no check was made in the trace file.
    It seems the new authorization object was not checked.
    My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    Thanks
    Maurizio

    > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    >
    No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
    So you need to provide an Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
    Regards,
    Dipanjan

  • Authorization object coding in ABAP report

    Hi,
    I am working on a report. The output of the report is details regarding vendor based on purchasing organization. When user executes the reports, they should be only able to see details if they are authorized to (create, change and display) for the purchasing org of vendor.
    The authorization object by SAP security team is 'M_LFM1_EKO' for standard access to vendors (via MK01, MK02 AND MK03).
    How can I use the same authorization object to do a check in my program for the user in ABAP, so that if the user is not authorized he will not be able to see details during output for those vendors?
    Regards,
    Tgshah.

    Hi ,
    Basically you need to call Authority-check using the pattern option and then pass the object name and field name. If the user has been assigned that object in his profile, sy-subrc will succeed, otherwise fail.
    " lv_ekorg is a placeholder name: fill it with the purchasing organization to check
    DATA lv_ekorg TYPE lfm1-ekorg.
    AUTHORITY-CHECK OBJECT 'M_LFM1_EKO'
             ID 'ACTVT' FIELD '03'      " one value per check: 01 create, 02 change, 03 display
             ID 'EKORG' FIELD lv_ekorg.
    IF sy-subrc = 0.
      WRITE 'authorization'.
    ELSE.
      WRITE 'no authorization'.
    ENDIF.
    The link below explains it more ...
    [http://help.sap.com/saphelp_40b/helpdata/fr/d4/e02c7dd435d1118b3f0060b03ca329/content.htm]
    Thank you .
    Anjaneya .
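
One way to apply this check row by row in a report, as an added example that is not part of the original thread: it lists only the vendor rows whose purchasing organization the current user may display. The report name and the lt_/ls_ variables are hypothetical, and only activity 03 (display) is checked.

```abap
REPORT zvendor_ekorg_auth.
* Added example, not code from the thread. Report name and all
* lt_/ls_ variables are made up for illustration.

TYPES: BEGIN OF ty_vendor,
         lifnr TYPE lfm1-lifnr,   " vendor number
         ekorg TYPE lfm1-ekorg,   " purchasing organization
       END OF ty_vendor.

DATA: lt_vendors    TYPE STANDARD TABLE OF ty_vendor,
      ls_vendor     TYPE ty_vendor,
      " Decisions already taken, one entry per purchasing organization
      lt_ekorg_ok   TYPE SORTED TABLE OF lfm1-ekorg
                    WITH UNIQUE KEY table_line,
      lt_ekorg_deny TYPE SORTED TABLE OF lfm1-ekorg
                    WITH UNIQUE KEY table_line.

SELECT lifnr ekorg FROM lfm1 INTO TABLE lt_vendors.

LOOP AT lt_vendors INTO ls_vendor.
  " Skip rows for an organization that was already denied.
  READ TABLE lt_ekorg_deny WITH TABLE KEY table_line = ls_vendor-ekorg
       TRANSPORTING NO FIELDS.
  IF sy-subrc = 0.
    CONTINUE.
  ENDIF.

  " Run the authority check only once per purchasing organization.
  READ TABLE lt_ekorg_ok WITH TABLE KEY table_line = ls_vendor-ekorg
       TRANSPORTING NO FIELDS.
  IF sy-subrc <> 0.
    " All fields of the object must match: activity AND organization.
    AUTHORITY-CHECK OBJECT 'M_LFM1_EKO'
             ID 'ACTVT' FIELD '03'
             ID 'EKORG' FIELD ls_vendor-ekorg.
    IF sy-subrc <> 0.
      " Any non-zero return code means the row must stay hidden.
      INSERT ls_vendor-ekorg INTO TABLE lt_ekorg_deny.
      CONTINUE.
    ENDIF.
    INSERT ls_vendor-ekorg INTO TABLE lt_ekorg_ok.
  ENDIF.

  WRITE: / ls_vendor-lifnr, ls_vendor-ekorg.
ENDLOOP.
```

Create (01) and change (02) each need their own AUTHORITY-CHECK call with that ACTVT value.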

  • How to add authorization field to a standard authorization object

    Hi All,
    I'm trying to limit a user so that they can only create & change X type of order type in PM module. This can be fulfilled by creating a user with an assigned role which only allows X type of order type.
    But when I assigned a display role which has authorization to display all order type (maintained as authorization object), now my user can create and change all order type.
    How to limit user to can only create & change X order type and only display the rest of order type?
    I assume by adding authorization field: AUFART(order type) in authorization object: I_TCODE will solve the problem, is it right? and is it possible to do that?
    regards,
    Andre

    Hi,
    your assumption is incorrect. First of all, adding a new field to standard authorization object is a bad idea. You would have to modify all checks for that object. For standard SAP object it means that you would have to modify many SAP programs.
    The authorization object I_TCODE is checked in PM transactions. It gives you authorization to run those transactions. That object can't be used to limit what you do in that transaction or what order type you can process. You are looking for some other authorization object(s). You need to go to SU24, which gives you what authorization objects are checked in a particular transaction. It does not have to cover all objects but it's a good starting point.
    Cheers

  • Custom Authorization Object for HR

    Hi,
    As per our Company's internal needs I have created a Custom Authorization Object for HR named ZP_ORGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction & do a trace on it, the object ZP_ORGIN is never checked (for a user having this object in his/her User Master). Only P_ORGIN object is checked instead.
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is always checked.
    Your help will be appreciated.
    Thanks,
    Mandeep Virk

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've run the report RPUACG00 also which is mentioned in this thread.
    We also coded the authority check code in both user exits ZXPADU01 and ZXPADU02 for PA infotype operations
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is always checked
    but still it is taking the P_ORGIN object.

  • Why authorization object M_MSEG_LGO for MB1B (MTy 301) is not symmetrical?

    When transfer posting (MB1B, MTy 301) from storage location 3030 in plant 1000 to storage
    location 8000 in plant 1910, authorization object M_MSEG_LGO is checked. The activity is 01,
    movement type is 301, storage location is 3030, and plant is 1000. But when transfer posting
    (MB1B, MTy 301) from storage location 8000 in plant 1910 to storage location 3030 in plant
    1000, the fields of M_MSEG_LGO also need to be set to 01 for activity, 301 for movement
    type, 3030 for storage location and 1000 for plant. Why not 8000 for storage location and
    1910 for plant? If I set 8000 for storage location and 1910 for plant and do transfer
    posting (MB1B, MTy 301) from storage location 8000 in plant 1910 to storage location 3030 in
    plant 1000, the system says "You do not have authorization for this transaction in storage
    location 3030".

    Thank you.
    I know the reason now. In SAP standard the authorization for storage locations is not active. We activate the authorization for storage location 3030, but do not activate the authorization for 8000.
    The menu path is:
    Customizing(IMG)
    - Materials Management
    - Inventory Management and Physical Inventory
    - Authorization Management
    - Authorization Check for Storage Locations

  • Transport Of Authorization Objects

    Hi,
    I have created the authorization objects in Development server. After creating we have selected the Infocubes from the option 'Check for infocubes'. This is working properly.
    I have transported the same to Quality. My reports are working but the authorisation objects have no impact.
    I have transported only the info-objects and the auth objects. Please let me know whether I need to transport the Infocubes which I selected at the time of creating the auth objects, because when I am viewing the auth objects in Quality, no infocubes are seen (Check for infocubes option).
    Please advise.
    Thanks & Regards
    Ramesh Ganji

    Hi
    You need to transport the infocubes as well,
    because in RSSM you link that authorization object with the infocube. If you do not do this, your authorization object is not checked in queries for that infocube.
    So you need to transport them and then tick them in RSSM.
    Hope this helps

  • Sales Order Change (VA02) Authorization Object

    Hi Experts,
    Please suggest me, what is authorization object for availability check in VA02.
    From
    Ramesh Kumar

    Hi Kapil,
    Thanks for your reply.
    I have already checked it. But I am not finding this object.
    Basically, I want to restrict a user for change in delivery schedule dates. So please suggest me, how to restrict a user for that.
    From
    Ramesh Kumar

  • Hi what is Authorization Object in SE93 tcode

    Hi, can anybody tell me
    what is the Authorization Object field in the SE93 Transaction code?
    What exactly will it take?
    thanks in advance
    KP

    Hi,
    An authorization object combines up to 10 authorization fields, which are checked using the AND connective.
    Authorizations are checked against objects in the system. Authorization objects enable complex checks (linked to several conditions) of an authorization. For the authorization check to be successful, the user must pass the check for each field contained in the object.
    Regards
    Kannaiah

  • Authorizations in CRM 2007 - How to check missing authorization objects?

    Hi,
    In our project we are currently busy with the set up of authorizations.
    I did create the necessary PFCG and Business roles.
    For the PFCG roles, I did create all of them by copy of the standard SAP_CRM_UIU_FRAMEWORK so that the user can access the web layout.
    Now I need to give authorizations for other CRM objects. My question is: How can I see which objects are missing for displaying or creating activities in the new WEB Layout?
    In the old days we used the SU53 to check the authorization objects that were missing. How can we do it now in this new release? I tried it and it didn't work out.
    Thx
    Regards
    Hugo

    Hi,
    For report CRMD_UI_ROLE_PREPARE you have to input a business role - not a PFCG role. Are you doing that?
    Are you getting no results at all in ST01 or are all results just with return code 0?
    You have to remember to set a filter for your user in ST01 before activating the trace. Another thing to check is if you are using several application servers. I would imagine the trace has to be activated on the same application server as the Web UI. You can change the application server in SM51.
    /Anders

  • Red Light with Authorization Object in PFCG

    Hello All - I have a question about authorization objects. There are three roles with red lights 'ON' in the authorization object screen in our PRD. However, users who are using these roles have no auth issues. Standard procedure is to make all lights green in PFCG by maintaining these auth objects.
    Big question is "what is the downfall of leaving these objects RED?" I need to support my theory when I say all lights green with auth objects.
    Why does best practise say maintain all lights to green?
    Please suggest, appreciate your suggestions.
    Thanks.
    Edited by: AJ on May 12, 2009 9:44 PM

    Hi,
    > "What will be the difference between leaving that red lights 'ON' vs "disabling" these red objects?" (I am bit confused on this).
    Red Object: As you know, authorization Objects comprise Authorization fields. There are certain fields, which are known as "Organization Level" fields and need to be maintained Centrally. If you miss these fields, then the traffic light icon is RED. For all other authorization fields, the light will be Yellow if you leave any field blank. During check, these fields will provide missing authorization (but you may not get an error if the same object is present in the role with all fields in maintained status).
    Disabled Object: If you make any Object Disabled, then during check, this Object will not be treated for checking Authorizations. But profile generator will keep this in mind, so you don't get Standard Objects repeatedly (if already present in Deactivated status also) whenever you go to "..Merge with New Data".
    All your other questions are very nicely answered already.
    Regards,
    Dipanjan
