PM Role - Order - Authorization Data
Hello,
I create a role, can define notifications' attributes as i want. But i could not define orders'.
For example, my order is Z001 and my user will change and display but not create the order.
From pfcg --> Change Authorization Data i couldn't find the correct node for this.
could you help?
thanks in advance.
We have a similar scenario where we limit certain users to certain order types. We have a role for production supervisors to create emergency orders (only) and the maintenance planner can create, change, display all types of orders.
WIthin IW31/IW32, there is an auth.object: I_AUART which can be used to control access to orders. For example, our Prod.Spvr has I_AUART:
Order type: Z001
Mtnc Plan.Plant 0001
but our Mtnc Planner has a 2nd role with I_AUART:
Order type: *
Mtnc Plan.Plant 0001
If your basis team can limit this to the order type you want for each role (one for key user, one for operator) for your mtnc planning plant. Look at SU24 for the transaction to make sure this auth. object is checked. The user will get an error saying they are not authorized for this order type in this planning plant. We did not have any user exits to make this work.
Similar Messages
-
Authorization data is updated after adding transaction in role menu
Hi Experts,
When we add transaction in the menu of a role, the objects and organization levels related to the transaction are not getting reflected in the authorization data. Only object S_TCODE is coming. As an example if we add transactions MM01, MM02, MM03 in the role menu, under authorization data only object S_TCODE is coming. No other authorization object or org level are coming.
This is only happening in one system. Kindly suggest.
Thanks and Regards,
Amit Jana.Hi Jurjen,
Thanks a million for your reply. The customer tables has been filled up from su25 and this has solved the issue.
Thanks and Regards
Amit Jana. -
Get authorization data by passing user role
Hi All,
Can anybody please tel me to retrieve user authorization data if i pass user role i want to get whole authorization data for that role.
Thanks,I am not sure about the authorization objects/values for a given role, but you can get that for a user using the FM SUSR_USER_AUTH_FOR_OBJ_GET.
-
Great Gurus
Related to authorization
1) how we can authorization Sales Order Type Level, Like we create sales order in Va01. and there are different sales order type with same Org. structure
2) How we can do. . Sales Rejection authorization ( even the user will have the va02 rights) .
3) Sales Order Delete authorizaiton ( restriction even the user will have the va02 rights)Dear Adnan,
First of all you have to Create a Roles, specific to your requirement in
T. Code: PFCG
Create Roles:
1. Profile for role Z:AL_SD_Sales Order_OR*
2. Profile for role Z:AL_SD_Sales Order_SO*
so on, so forth.
*Here, OR - Standard Order, and
So - Rush Order etc...
Afterwards, in
T. Code: SU01
Assign these Roles in to User-Profiles, as reqd.
Say,
User: XYZ with Profile for role Z:AL_SD_Sales Order_OR*
and
User: PQR with Profile for role Z:AL_SD_Sales Order_SO*
Best Regards,
Amit
Note: You have to tell to your Basis-Admin to "Maintain Authorization Data" for every role for every user-profile.
Path: SU01 --> User --> Change --> Roles (select Role) --> Authorization --> Display Authorization Data --> Sales and Distribution --> Maintained Sales Document: Authorization for Sales Document Types
--> Activity (Here, you may restrict activities like, Delete, Reject etc..)
--> Sales Document Type (Here, you can maintain Sales Doc type for particular role)
Once, you explain your requirement to your Basis-Admin and if he reads this post (which, he must be knowing in advance), immediately he will do the needful; else post the subsequent query, if any. -
Function Tab is missing under Authorization Data in ERM
Hi,
After Uploading roles to the ERM, the functions tab under authorization data is missing.
In the QA the same role has all 4 tabs (including the functions tab)
I've made sure that the "This option allows you to add a function to an authorization" is set to "yes".
Can anyone tell me why is that?
Thank you,
DroritHi,
Ensure that the user ID you are using has sufficient authorization (Eg: Actions: view authorization data etc...).
Regards,
Rama -
Purchase order Confirmation data from SRM to MM
Hi,
I am trying to send Purchase order Confirmation data from SRM to MM via PI. In SRM portal i am able to see that the data has been send successfully. But i am not able to receive any data in PI nor iam able to any messages going from SRM in SXMB_MONI.
Please help me.
Thanks & Regards
Kasturika PhukanHi,
In SRM check in sxmb_moni is there any queue is blocked.
If not then,
Check your proxy settings.Select Go To and check connection Test.
Go to sm59 and check H type RFC destination is maintained.
Go to sxmb_adm check the Global setting value,
Application system,dest://RFC destination is maintained.
In XI,
Go to SLD.
Check Technical system (client with logical system) maintained.
Check Business System maintained with role of application system,Related integration engine
maintained.
Regards,
Prakasu.M -
Difference between Change Authorization Data / Display Authorization Data
Hello,
My question is wrt to implementation of "principle of treble control" i.e three SAP administrators i.e.
1. Authorization data administrator
2. Authorization profile administrator
3. User Administrator
I have created a role & added a transaction to it e.g. "FAGLL03" or "FF67".
No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile. Even when I save the profile with the proposed name, it status still says "No authorization data exists". Since no authorization data is available, administrator 2 is unable to generate profile. If administrator 1 has to generate profile then why is administrator 2 required.
Definition of Administrator 1 is:
The authorization data administrator creates the roles, selects transactions and
maintains the authorization data. He or she simply saves the data in the Profile
Generator since he does not have the necessary authorization for generating the
profile. He or she accepts the proposed profile name T-.... The authorization data
administrator may not change users, nor generate profiles.
Definition of Administrator 2 is:
The authorization profile administrator starts transaction SUPC and chooses All
Roles. He or she then restricts his selection, for example by entering the ID of the
role to be edited. On the next screen, he or she chooses Display Profile to check
the data. If all the data is correct, he or she generates the authorization profile. The
authorization profile administrator may not change users, change the data for roles,
nor generate profiles containing authorization objects beginning with S_USER*.
Thanks.Hasan Saeed Khan wrote:
Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.
I had never heard of this treble control and the added value of splitting rolebuilding and profile generation doesn't make much sense to me but that's my personal opinion.
On the technical side of things: in your first post you state "No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile."
It is also possible to change the data and save this but not generate the profile yet. I just tried this by doing the following:
Create role
Add transactions to menu
Edit profile, org levels & authroization data.
Hit 'save'.
Accept proposed profile name.
Go back to PFCG main screen and ignore message of profile not being generated. (Click 'continue')
And this leaves me with a role with yellow traffic light on the authorization tab an the profile status is: "Current version not generated"
So it should be possible to maintain roles and profiles separately. -
What Roles and Authorization Req
Hi All,
I am getting the Error in SOAP to RFC Sync secnario.
User using one URL through that URL he is trying the send the data to before sending the req user have the USER ID and Password. what are the Roles and Authorization req for that user id and password. Are they service user id ?
RegardsThis user ID have roles similar to Service user PIAPPLUSER or XIAPPLUSER. However, it is recommended not to provide this user detail directly to sender system. Instead create a new user and provide that to your partner.
Regards,
Prateek -
Roles and authorizations in BI content
Hi experts,
I'm trying to define a very simple scheme of roles and authorizations for my queries.
So, i'm trying to limit the acess by infocube and DSO, but I'm missing the authorizations objects for Cube and DSO.
I know that authorization object for queries it's S_RS_COMP.
So my roles would be something like
BI_ROLE_FI
Authorization Object Autorization Object Value
Acess query (S_RS_COMP) NA
Infoobject (whats the object???) 0FIGL_C01
DSO (whats the object???) 0FIGL_O14
BI_ROLE_PUR
Authorization Object Autorization Object Value
Acess query (S_RS_COMP) NA
Infoobject (whats the object???) 0PUR_C01
Can you help me find out whats the missing information
Thanks and regards
JoanaHi,
Iu2019ve gave authorization to the object youu2019ve mentioned, but itu2019s still not working.
Basically what I have is the following:
One role that allows me to execute queries, workbooks, etc.
A second role, dependent on the area of work, that should allow me only to have access to queries from cubes/MP/DSO that are specific to users area.
I will then give each user role 1 + the adequate role 2, depending on their work area.
For role 1 I have got:
S_RFC
Activity: 16
Name of RFC to be protected: *
Name of RFC object to be protected: *
S_TCODE
Transaction code: RRMX
S_GUI
Activity: 16
S_USER_AGR
Activity: 01, 02, 03
Role Name: ANLG_BI_01
S_USER_TCD
Transaction code: RRMX
S_RS_AUTH
BI Analysis Authorization: BI_ALL
S_RS_COMP
Activity: 03, 16
InfoArea:*
InfoCube: *
Name (ID) of a reporting component: *
Type of a reporting component: *
S_RS_COMP1
Activity: 03, 16, 22
Name (ID) of a reporting component: *
Type of a reporting component: *
Owner (Person Responsible) for a reporting Component: *
S_RS_TOOLS
Logical Command Name: THEMES
Iu2019ve tested this role, and it works u2013 they can access queries, create workbooks, create permanent model workbooks
For role 2 u2013 Finance I have
S_USER_AGR
Activity: 01, 02, 03
Role Name: ROLE2
S_RS_ADMWB
Activity: 03,66
Data warehousing workbench Object: INFOAREA
S_RS_ODSO
Activity: 03
Infoarea: 0FIGL_ERP
DataStore Object: 0FIGL_014
SubObject for ODS Object: *
S_RS_ICUBE
Activity: 03, 66
Infocube SubObject: *
Infoarea: 0FIAP
InfoCube: 0FIAP_C02
S_RS_MPRO
Activity: 03
Infoarea: 0FIN_REP_SIMPL_1_ERP
MultiProvider: 0FIAP_M20, 0FIAP_M30
MultiProvider SubObject: *
I then gave to my test user this 2 roles, and with that user I can still see every infoarea, and access all reports.
I will have more specific roles u2013 to other areas (SCM, TV, etc), but I chose this one has an example.
First question I have: can I manage my requirement in 2 different roles: one for action that can be performed (role 1) and other for areas that they can access data from (role 2)?
What objects/restrictions am I missing in role 2?
Many thanks
Joana -
ERM - "Unhandled error; n/a" error in Authorization Data section
Hi experts,
We are implementing ERM 5.3 with support package (SP 5 patch 1). We run all synchronization background jobs (org values, tran/obj/field, activity) and apparently they all finished successfully.
We have imported all SAP backend roles to ERM through the "mass role import" feature, and the job ended successfully for every role. However, we have found that for some particular roles, when trying to view in ERM the authorization data imported for that roles (clicking on the "authorization data" button inside the role), the screen shows no data and comes up with the error "Unhandled error; n/a".
We tried re-importing those roles (again the job history shows "imported successfully" for every role) but the error is still there when trying to view the role authorization data.
Any ideas of why this is happening for this roles giving that they all got imported successfully?
Any thoughts on this will be very much appreciated!
Regards,
PabloTwo things i can think of without actually looking at the logs:
1. Configuration > Miscellaneous settings need to be rechecked.
2. Role Management > Mass Maintenance needs some attention.
If you can send me the log saying "roles successfully imported" that would help me in troubleshooting this.
Thanks & Regards,
Amol Bharti
amudee.com -
Rebuild Authorizational data (User Buffer) Dynamically
We want to rebuild the authorizational data in a user's buffer by adding additional authorizations (auth obj with field values) during the logon procedure (user exit) (by executing a function module which will read a custom table) - however this has to be dynamic, that is we do not want the user to have to logoff.
Anyhelp is welcomed !
Mushtaq Mahmood
Saudi AramcoI would be very carefull of this.
Buffers, like caching, can become invalidated or corrupt so there are mechanisms to refresh or correct them after logon or a period of time has elapsed. This can be as little as 2 minutes appart as far as I know, depending on the memory area.
Additionally, saving of a change in SU01 etc or the import of a role which IS already assigned to a user will refresh the buffers as well and possibly wipe your dynamic buffer away if it thinks that you have also removed the role (or profile) when saving.
Depending on how you code this, it might even write the dynamic buffer data to the database, making it permanent and "stranded" data, which you might only be able to remove by synchronizing the tables again and resetting the buffers. If you do that while all your other dynamicly authorized users are logged on, it will cause a mess when they suddenly loose their access.
I would keep the USRBF3 mechanism and consider scheduling report RSUSR405 regularly to simulate a change incase there is something wrong...
Being a large organization with many orgs and users to administrate over a possibly large number of different systems, perhaps it is worth your while to take a look into an IdM (Identity Management System).
I am sure you will find one which is more supported and sustainable than a reconstructed user buffer...
Cheers,
Julius
Edited by: Julius Bussche on May 11, 2009 2:20 PM -
About roles and authorizations
hai friends,
who will create roles and authorizations plz
thanks in advance
suitable answer will be given suitabel points
kumariRoles and authorizations have to be done with Basis team and HR team together, because they are not the usual roles that other modules use. For instance, HR authorizations have different objects for PA, PY, Clusters, BM and CM. For OM and PD, you use transaction OOSP for authorization profiles.
For my personal experience, when the consulting team ask the basis team to deal with authorizations for HR, they become paralized when they find Structural Authorizations Profiles, Period of responsibility, etc., because they don't know (and it is not their responsibility) about HR objects and concepts handled in txn OOSP.
In order to avoid this problems, take an extra time for this in your implementation project. Roles and authorizations in HR, when done correctly, takes more time than other modules. -
How to create SCATT to Create and generate Role with Authorisation Data.
Helo Guru's
Please advice ..How to generate Roles using SCAT sript.
I created scat script to create Role and add tcodes ..But not able to generate Profles using SUPC...
Is it possible to create Authorisation Data using scat scripts ....or we need to do it Manually
ThanksHi,
You can't use CATT scripts to create roles and populate authorization data, since the organization values/authorization objects/ and field values differs from one to the other role.
However, you may use CATT scripts till creating the role, and adding the transaction codes, but every role should be maintained individually.
Hope this clarifies!
Regards,
Raghu -
Maintaining BW authorization data in R/3
Hi,
I am faced with a new problem now. My client wants to maintain BW authorization data in R/3 for ease of maintainence. I have used two ODS template for data (value) and (hierarchy) - (0TCT_DS01 and 0TCT_DS02) and have created two data targets for filling in the data and using CSV file for proofing of the concept. My assumption is that if data load from CSV file can execute thte functionality, I can achieve the same thing by extracting data from R/3 also. While generating the profile using RSSM it says that complete authorization data is not maintained. Probably I am not filling in the relevant fields with correct data.
Can anyone help me with the steps involved in doing this and the fields for which entries are mandatory ? Would highly appreciate the help extended with points.
AbhishekMy reqmt says I have to restrict viwewing of data at node level. Let me elaborate more.... Users of sales region EAST and users of region WEST may have same profiles but EAST user should be able to see east data and WEST user should be able t0 see only west data. I am able to do this by using RSSM and restricting the view at report level but client wants to do this at a common place and the table needs to be maintained in R/3 ?
Is my reqmt clear ?
Abhishek -
How to extract authorization data to standart BW DSO's from SAP R/3 system
Hi All,
Does anyone have any experience about this topic? I want to use SAP R/3 as a source system and after i extracted the data to business content DSO's in BW ,i will generate authorization objects from DSO 's.
I am using standar BC DSO 's
0TCA_DS01 Authorization data - Values
• 0TCA_DS02 Authorization data - Hierarchies
• 0TCA_DS03 Descriptive Text Authorizations
• 0TCA_DS04 Assignment User Authorizations
• 0TCA_DS05 Generate users for Authorizations
I have deep research but cant find anything.
Best Regards
OzanHi Ozan,
You can go though thread provided by Suman, These DSO's will help to maintain Analysis Authorizations in BW automatically In-short you don't need to maintain it, it will come from R/3 and same will be configured in BW.
Regards,
Ganesh
Maybe you are looking for
-
i cant seem to sign in to facetime,ive put my email add in and my password but it just keeps going back to sign in ???
-
Issue in population of Ship to party house number in Sales Order
Hi Experts, I have created a program that creates an IDOC from the input file and then it uses IDOC_INPUT_ORDERS to create sales order from the IDOC. Now, the input file has Ship to party that is different from the Sale to party. So, I created the ID
-
Why are some of my photos in my Photo Library doubled?
Wondering why, when I synced my photos, my photos have been doubled. I can't seem to find a way to fix this. I also can only select "All folders" and not "Selected Folders" now.
-
HD vs. 4K Video resolution questions
I was taking some still photos with my iPhone at 3264 x 2448 for a PP project and it had me thinking. HD video is only 1920 x 1080, which is much less resolution than a basic still shot from an iPhone. 1. Why is 1920 x 1080 HD resolution the high qua
-
Photoshop Menus Gray out.. again dispite 12.0.4 update
Hello, There was a big issue with a photoshop gray out bug awhile back, where by all menu items went gray and the only alternative was to restart. This was fixed with Photoshop's 12.0.1 update but I switched to a new computer and had to download the