Populating auth object of a BW field

Please bear with me as I am a little new to this and don't really know what I'm asking. I have been asked to populate an Auth object for a BW query field via a user exit. Basically when you add a field to the row section of the query designer, say I add 'Grant', you then get a number of characteristics, one of which is Grant(Auth), which you can set to be processed by 'Customer exit'. I have been given the user exit but am a little unsure how I would go about populating this auth object field. Any help would be much appreciated.
Regards
Martin

Hello Martin,
you can do this in i_step = 1 (called directly before variable entry) in Exit ZXRSRU01. There you can fill your auth object with FM RSSB_AUTHORIZATIONS_OF_USER. See also thread Re: BW Authorizations, examples and infos you can find in these docs: https://websmp210.sap-ag.de/sapidb/011000358700005475101999 and https://websmp210.sap-ag.de/sapidb/011000358700005475091999.
Hope this helps
Martin

Similar Messages

  • Query field, Auth object (characteristic variable)

    Please bear with me as I am a little new to this and don't really know what I'm asking. I have been asked to populate an Auth object for a BW query field via a user exit. Basically when you add a field to the row section of the query designer, say I add 'Grant', you then get a number of characteristics, one of which is Grant(Auth), which you can set to be processed by 'Customer exit'. I have been given the user exit but am a little unsure how I would go about populating this auth object field. Any help would be much appreciated.
    Regards
    Martin

    hi Mart,
    check if helps
    http://help.sap.com/saphelp_nw04/helpdata/en/6d/58f438114ee836e10000000a114084/frameset.htm
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/696affac-0701-0010-f7b5-cc431fc9365d

  • Is there a listing of all Auth.Objects for SAP and the description for them

    I would like to know if there is a listing of all the Auth.Objects  for SAP out there somewhere??
    Thank you,
    Robert

    > Auth.Objects  for SAP out there somewhere??
    You want all the customer objects as well in all SAP systems?
    (Or just those in your TOBJ?)
    PS: Please try the F1 key on fields to find their tables (or structures) and give the search a try as well...
    Cheers,
    Julius

  • S_PROJECTS auth object

    I am trying to create a role for IMG display access only
    I made ACTVT in all the Auth objects "03" or "display"
    but in S_PROJECTS auth object, in "activity" there is no "display" , how do I make ACTVT in S_PROJECTS object "display"
    Thanks
    Message was edited by:
            Jackofalltrades

    Hi,
    First of all, all activities don't apply to all auth objects (for example, the generate activity might not be applicable for all auth objects).
    So SAP proposed what activities might be relevant to a particular Auth Object.
    This information is in TACTZ Tables.
    So perhaps you can verify the table and you would find that the entries displayed in your Activity for S_PROJECTS would be the same values as are in S_PROJECTS values in TACTZ table.
    However, you can maintain 03 for this object too.
    Select the pencil button for the activity field.
    It will take you to a dialog box which contains activity fields.
    Now if you don't find the 03 field there, then right click on the screen and select the more values option.
    It would display all the activities.
    However, if the 03 field is not mentioned as a proposed activity for that Object by SAP (you can see this info in TACTZ) then make sure that you actually need this object for doing any display activities.
    Hope this helps
    Manohar

  • Deletion of auth objects Corresponding to tcodes

    Q1.
    If a transaction is deleted from the menu, whether the corresponding authorization objects are deleted.
    Q2.Eg
    What if the tcode MM02 is deleted from the role which has MM01/MM02/MM60/MM03 transaction codes, In this case some of the auth objects of MM02 are same as the other tcode auth objects, then how does deletion of MM02 from role ensure that only the corresponding object--> values are removed.?
    Rakesh

    Q1.
    If a transaction is deleted from the menu, whether the corresponding authorization objects are deleted.
    It depends..
    If the auth object's status is 'standard' and it is coming from only one t-code which is being removed, then it gets removed. If the status is 'changed', then it doesn't get removed.
    Q2.Eg
    What if the tcode MM02 is deleted from the role which has MM01/MM02/MM60/MM03 transaction codes, In this case some of the auth objects of MM02 are same as the other tcode auth objects, then how does deletion of MM02 from role ensure that only the corresponding object--> values are removed.?
    No, the auth object won't get removed as that is coming from su24 from other t-codes also.
    If different t-codes are bringing different field combination values, then the instance which is coming from MM02(if it is being deleted) will get removed, again assuming that the instance is standard and not changed.

  • Error "Inconsistancy in the auth object P_ORGIN"

    Hello Gurus,
    I have to add a tcode which involves auth object P_ORGIN. When I add the tcode and go to authorization tab then it gives the error as "Inconsistancy in the auth object P_Orgin"
    Please let me know how should I add the tcode now. Thank you !
    Regards,
    MA

    Please provide tcode
    The reason why the profile generator cannot correctly insert the
    default values of these transactions is due to a data inconsistency in
    table USOBT_C (default values for customers). The table does not
    contain an entry for field BTRTL of authorization object P_Orgin.
    You can immediately correct the incomplete data in your customer table
    USOBT_C using the following steps:
    Step 1 Execute transaction SU24
    Step 2 Enter the transaction affected by this error ie XXXX
    Step 3 "Change check indicator" (F6) in the application toolbar.
    Step 4 With "Display field values" (F7) you check the default values of
    P_Orgin. Please document the values.
    Step 5 Go back to the previous screen and set the check indicator from
    "Check/maintain" to "Check" for P_Orgin.
    Step 6 Set the indicator for P_Orgin back to "Check/maintain".
    Step 7 Choose the function "Change field values" (F6) and insert the
    formerly documented values for AUTHC in object P_Orgin.
    Now you see also the field BTRTL being presented.
    Save the changes.
    Repeat steps 3-7 for each of the transactions affected.
    Hope you are clear with the steps.
    Thanks,
    Prasant
    Edited by: Prasant K Paichha on Mar 3, 2010 3:01 PM

  • Authorization object with no authorization field

    Hi Experts,
    I have created authorization object with no field checking.
    This is possible? Because i want to create this auth object for conversion only, and its not needed field checking.
    Please advice.

    Hi
    See this and do accordingly
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    Use SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    " One statement: the period comes only after the last ID ... FIELD pair.
    AUTHORITY-CHECK OBJECT <authorization object>
      ID <authority field 1> FIELD <field value 1>
      ID <authority field 2> FIELD <field value 2>
      ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is an auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to SU21 Transaction where you have to define authorizations, Objects and for that object you assign fields and values. Another Tcode is PFCG where you can assign these authorization objects and TCodes for a profile and that profile in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Regards
    Anji

  • Job role design - transaction role and auth object role

    Hi all, please kindly comment following job role design:
    (1) transaction role:
    Keep transactions in single job role to represent business processes in different application areas, e.g.MM: maintain PR, PO, OA.   CO: maintain cost center, internal order   HR: maintain org structure, personnel management.
    The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
    (2) authorization role
    Keep application component related authorization objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role.  Objects of HR in HR role.
    Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role.;....
    User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
    with MM transaction role + company A MM role + company A CO role.
    Please let me know the pros and cons of above design.  Thanks.
    Regards,
    Donald
    * I can see the disadvantage of this design is during SAP upgrade (SU25), revised of authorization object will not reflect in authorization role

    Brent Van Dyck wrote:
    Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
    That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
    In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
    But splitting cube / characteristics / key figures  or infotype / personel group / auth code into different roles can only go wrong.
    Another mistake some "value role experts" sometimes make is that they don't want SU24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side effect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
    Cheers,
    Julius

  • Same Auth Objects CM in su24

    Hi All –
    In SU24 for a Tcode SU01 in “S_TCODE” the following auth objects are CM.
    S_USER_AGR
    S_USER_AUT
    S_USER_GRP
    S_USER_PRO
    S_USER_SAS
    & for Tcode PFCG
    S_USER_AGR
    S_USER_AUT
    S_USER_GRP
    S_USER_PRO
    S_USER_SAS
    I am developing a role initially with SU01 Tcode. For the auth object S_USER_AGR, I am giving 01,02,03,06 field values.
    Later I add PFCG Tcode for same role “P_TCODE”. For the auth object S_USER_AGR , I am giving 22,21 field values.
    My question is if the role is assigned to a user
    1.     will he be able to create, change, display, & delete roles using PFCG ????
    2.     What is the best way to restrict the user’s in create, change, display, & delete???
    3.     For PFCG Tcode none of the Auth. Obj’s (the objects that are added by adding SU01 or PFCG Tcode VIA MENU)are maintained in the role what would be the implication??
    Thanks,
    VJ

    Hi,
    1.What is the purpose behind the calling of multiple Tcodes thru a single T.code .I mean to say, suppose, i require a C.Code object to be associated with a T.code for doing that, why i am connecting it to C.Code object of some other T.codes.
    Many tcodes are customized to limit the access / risk. The best example is with SM30. If a user wants to maintain a table, you can create a custom transaction which skips the initial screen (user doesn't need to enter the table name) and allows the user to edit the right or only one table rather than many.
    You can connect your custom authorization object to F-67, it will not affect FBV1. the settings from FBV1 can be overwritten with the entries in F-67. use transaction SE93 to see more details and customization in transaction F-67.
    2.If i assign a C.Code (let say 1000)thru object F_BKPF_BUKRS to a user,does it mean that,i don't need to assign that C.code to user again for access related to C.code 1000 in the accounting document area.Or is there anything like that, the C.Code access will be coded globally for that user for all C.code related access for FI, MM and SD.
    Once you assign the authorization to a company code 1000 it means user has access to this company code across modules. This is subject to the transactions and their authorization objects attached to them in other modules. Note that all the transactions doesn't perform authorization check for Company code.
    3.Is there any T.code,from where i can associate a authorization object with a T.code.
    You can use SU24 itself.
    Hope it clarifies your queries.
    Regards,
    Gowrinadh

  • Check performed on an Auth Object?

    Hi All,
    Consider an object in role with 5 fields.Suppose We maintain 2 fields and leave 3 field unmaintained.
    How would the check be done? Will the check be done only for the maintained field values in object and the unmaintained fields will be ignored in check?
    Or is the check performed Object dependent?
    Thankyou,
    Ajit

    Hi Ajit,
    >
    Ajit Nadkarni wrote:
    > Hi All,
    >
    > Consider an object in role with 5 fields.Suppose We maintain 2 fields and leave 3 field unmaintained.
    I think you mean five instances of the same object.
    An object will have only fixed fields, irrespective the number of times you pull it.
    > How would the check be done? Will the check be done only for the maintained field values in object and the unmaintained fields will be ignored in check?
    > Or is the check performed Object dependent?
    > Ajit
    Take any object as an example... say S_TABU_DIS, you have five instances of it, each with different values, and one with unmaintained or open. You generate the profile. Now the checks in SAP happen in an AND operation for one instance.
    so if you have S_TABU_DIS as 02, and auth group 'SS'
    and in the second instance as 03 and 'VS', then they are checked in an AND operation. Only activity 02 will be given to 'SS'. They don't cross-pollinate, hence this will not result in 03 for auth group 'SS'. Open authorizations provide no extra authorization, unless explicitly checked for DUMMY / ' '. (Julius, I remember you)
    Once the user logs in SAP, the user buffer is loaded and the first successful check is returned with RC=0, else if not found ...it will fail
    Hope this clarifies
    Abhishek
    Edited by: Abhishek Belokar on Sep 23, 2008 6:44 PM
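
The check semantics described in the reply above (AND across the fields of one instance, OR across instances, open fields granting nothing unless the field is checked with DUMMY), as a simplified Python model added here; it is not SAP code and not part of the original post. The function names and the user buffer contents are constructed for illustration; ranges and other value forms are left out.

```python
# Simplified model of AUTHORITY-CHECK evaluation against the user buffer.
# Added illustration, not SAP code; all names and sample data are constructed.

def value_matches(allowed, wanted):
    """True if one maintained authorization value covers the checked value."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):                 # generic entry such as 'S*'
        return wanted.startswith(allowed[:-1])
    return allowed == wanted


def instance_passes(instance, checked):
    """AND over fields: this one instance must cover every checked field."""
    for field, wanted in checked.items():
        if wanted is None:                    # models ID <field> DUMMY
            continue
        allowed = instance.get(field, [])     # [] models an unmaintained field
        if not any(value_matches(a, wanted) for a in allowed):
            return False
    return True


def authority_check(user_buffer, obj, checked):
    """Return a sy-subrc-like code: 0 pass, 4 values not covered, 12 no object."""
    instances = [vals for name, vals in user_buffer if name == obj]
    if not instances:
        return 12
    # OR over instances: the first instance that passes on its own wins.
    return 0 if any(instance_passes(i, checked) for i in instances) else 4


# Constructed user buffer mirroring the S_TABU_DIS case in the reply above.
USER_BUFFER = [
    ("S_TABU_DIS", {"ACTVT": ["02"], "DICBERCLS": ["SS"]}),
    ("S_TABU_DIS", {"ACTVT": ["03"], "DICBERCLS": ["VS"]}),
    ("S_TABU_DIS", {"ACTVT": [], "DICBERCLS": []}),      # open / unmaintained
]


def demo():
    """Run the checks discussed in the thread and return their result codes."""
    cases = {
        "change SS": {"ACTVT": "02", "DICBERCLS": "SS"},
        "display VS": {"ACTVT": "03", "DICBERCLS": "VS"},
        "display SS": {"ACTVT": "03", "DICBERCLS": "SS"},   # crosses instances
        "SS, activity DUMMY": {"ACTVT": None, "DICBERCLS": "SS"},
    }
    return {k: authority_check(USER_BUFFER, "S_TABU_DIS", v)
            for k, v in cases.items()}


if __name__ == "__main__":
    for name, rc in demo().items():
        print(f"{name:20} rc={rc}")
```

The "display SS" case fails because 03 and 'SS' sit in different instances; when reviewing a role, evaluate each generated authorization on its own rather than the union of all values for the object.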

  • SU24 on M_EINK_FRG auth object

    Hello Gurus,
    Requirement
    To make the release code/group an Org field. Currently it is not an Org field.
    What I have done:
    The auth object is M_EINK_FRG.
    Before I make it an org field, I was cleaning up some tcodes, e.g. Me35, ME35K and ME28, to deactivate the object in SU24 (meaning NO in the proposal “tab”), as no users are assigned to this tcode in production.
    Question:
    After capturing in transport I am getting a pop-up with the "Data automatically corrected" message, and changes are getting reflected in SU24 once I click on this pop-up's green check mark button. Not sure why.
    I have a problem with this object only, not with other auth objects.
    Please suggest, or did you experience anything of this sort?
    Damodar

    I think he only wants the proposal flag as 'No', but then SU24 automatically corrects the value based on TSTCA.
    See How to handle unwanted SU24 proposals which are automatically "corrected"? and the post by Keerti Vemulapali, which points to SAP note 1404093.
    PS: What would be very useful for an "automatic correction" would be in the case of report type transactions to check whether the submitted report has been assigned to an S_PROGRAM group, and fill that with p_action SUBMIT. Any chances..?
    Cheers,
    Julius

  • Help need in creation of auth object

    Hi all,
    can anyone assist me in creating an auth object to restrict users based on plant.
    I would appreciate if any one of you could send me screen shots of the procedure.
    My email id is
    <removed by moderator>
    Thanks
    Venki

    Hi,
    Basically you can use a derived role and restrict users based on plant...
    Other than standard objects, do you want to create auth objects?
    For more information on objects you can follow this link:
    http://help.sap.com/saphelp_47x200/helpdata/en/ea/e9b0054c7211d189520000e829fbbd/frameset.htm
    Cheers
    Soma

  • How to add the Match code object for the requisitioner field in TCODE ME51N

    Hi,
    How to add the search help (Match code object) for the requisitioner field in transaction ME51N.
    Please  do the needful to me.
    Regards
    Rajesh

    don't you think that posting your question to a microsoft developer site would be more efficient?
    regards,
    anton

  • How to know corresponding info object for R/3 field and viceversa

    Hi....
    How to know the corresponding object for a field in an R/3 data source and vice versa, while defining transformations.
    We can't do mapping of all objects to fields with the definition......!!!
    In 'rsosfieldmap' what information should we give to know the proper transformation...?
    thank u.....

    Hi,
    There are two ways to know the corresponding info objects in R/3 fields:
    1)  go to se11 t-code, enter RSOSFIELDMAP and enter display button. In the next screen click contents and give the field name or info object name as per your requirement, and execute.
    2)  first go through the field description in r/3 and identify the similar description in BI. For your easy understanding use excel sheet , in that you can copy the data source fields and target info objects ( master data or transaction data ). then it will be easy to identify the similar description.
    Thank you.

  • BW Authorizations/Report. Auth Object/KF's vs. Calc. KF's

    We implemented a custom/reporting auth. object to protect key figures (1KYFNM) and it works well. The issue is that our user community never ceases to come up with new and even more creative requirements.
    Let me illustrate the latest requirement:
    I have locked-down access to certain key figures (let's call them 'KF A' and 'KF B') and therefore subsequently secure all combinations involving either one of the two meaning calc. KF D (KF A plus KF C) is locked down as well. I also need to mention that users are supposed to be able to create their own ad-hoc queries, which eliminates the option of limiting them to a query or set of queries that accomplish the following requirement.
    There are certain totals, which are calc. KF's that the users are allowed/required to see even though they are not supposed to see what makes up these numbers (they should see calc. KF K which is made up of KF A, KF B, and KF H, etc. but not KF A and KF B).
    Without the option of providing the users with rather static queries, I see another option as calculating 'KF K' (from the previous example) at the time of the load and just making it another key figure in the cube which then can be excluded from the auth. check previously mentioned based on the naming convention. The problem with that is that this will make reporting rather inflexible, increase load times as this calculation is rather complicated, and it will also create redundant information in an environment that is already experiencing substantial growth and volume.
    Does anyone see any other solution?
    Thanks,
    Joerg

    Joerg,
    I'm afraid that there's no special authorization handling for calculated key figures. To my best knowledge, the approach to create another key figure at data load time via transfer rules or update rules would be the only one that can work. While this approach may not be flexible, the load time should not increase significantly if you just add two key figure values into a new one.
    If you find this approach is unacceptable or it is a common requirement among the BW community, you might consider submitting such a requirement through the ASUG BI Group or via an OSS development request.
    Thank you for your question and patience.
    Regards,
    Amelia Lo
    SAP NetWeaver RIG, US
    SAP Labs, LLC
