Prompt for Authorization Object

Dear Experts,
I would like to have control on certain authorization objects which are common among the roles while creating them.
Is it possible that while maintaining or creating a role, if by mistake the administrator does not block the object OR add an entry which we do not authorize, the system should alert the administrator as a popup or alert message?
I am aware of the report "RSUSR008_009_NEW" for maintaining critical authorizations, however, running a report and giving a prompt are two different things.
Any possibility of an alert?
Thanks and Regards,

Hi J K
I take the following approach with SU24:
Complete Proposal - completely maintain an authorisation proposal when that value applies for any situation in PFCG role build. E.g. transaction FB03 for object F_BKPF_BUK has fields ACTVT and BUKRS. You can allow the value as ACTVT = 03 and BUKRS = $BUKRS (org value) for each scenario
Partial Proposal - only maintain some of the fields where it will be consistent. E.g. transaction OB52 for posting periods and S_TABU_DIS with field ACTVT and DICBERCLS. You leave ACTVT blank as sometimes you want change whilst DICBERCLS for auth group is static so you can enter a value there
Empty Proposal - leave the proposal values completely blank as the requirement will depend on the scenario. E.g transaction SM30 you might leave S_TABU_DIS empty as it will depend on the role for both fields.
If you take this approach, you minimise the need for deactivating object, copying/changing and manual objects in PFCG. You maximise role authorisation under status of Standard or Maintained.
Now if we set the proposals in su24, it will be applicable for other new roles as well for which we DO want the proposals to exist.
Yes if you change SU24 you should clean up all impacted roles but before you build roles you should review
At the end of the day you need to have competent security administrators who know what a display activity is and have attention to detail/meticulous enough to build the role with appropriate restrictions (i.e. do not put change access in a display role).
How can we avoid the "new authorization objects" to be added to this display role.
To avoid this you are trying to avoid using SU24 integration. If you are trying to build a SAP display all role then you might as well copy SAP_ALL and go through and deactivate/remove any display access from the role. In this case you would not use the role menu.
Not all solutions are technical. It's why you need to have a clearly defined process that is adhered to.
My trick of display roles - I got the AGR_1251 role and look at the entire contents of the role and scan this list of objects and what's in the role. However, I do this as I know the objects relatively well and can identify the specific objects that are change/display but do not use ACTVT field (e.g. PLOG/P_ORGIN/P_PERNR)
Wonder why SAP prompts warning and errors messages doing a business/financial transaction and not security.
Exactly what would you want the system to prompt? How would SAP know what a display role is?
We noted that every time we add a t-code, the authorization object added is marked as "new" in the list. We just disable those and generate it
If you take this approach you cannot guarantee the transaction code will work. The user may need the underlying values and that is why SU24 has them marked as proposal.
My summary - define your process to include a quality check after building a role and hire security administrators who know more than how to tick and click buttons in PFCG (i.e. they understand security objects and why some are sensitive).
Regards
Colleen
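
Added example (not part of the thread and not SAP-delivered code): a sketch of the post-build quality check described above, run over a CSV download of table AGR_1251. The column subset, the "_DISPLAY" role naming convention, the sample rows and the allowed activity set {03} are assumptions; DELETED = X is assumed to mark a deactivated authorization.

```python
import csv
import io

# Objects named in the post that separate change from display without an
# ACTVT field; they cannot be judged from ACTVT and go to manual review.
NO_ACTVT_OBJECTS = {"PLOG", "P_ORGIN", "P_PERNR"}

# Constructed sample rows in an assumed AGR_1251 export layout.
# Role names, AUTH names and the DICBERCLS value are made up.
SAMPLE_EXPORT = """\
AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,DELETED
Z_FI_DISPLAY,F_BKPF_BUK,T_X0000100,ACTVT,03,,
Z_FI_DISPLAY,F_BKPF_BUK,T_X0000100,BUKRS,$BUKRS,,
Z_FI_DISPLAY,S_TABU_DIS,T_X0000101,ACTVT,02,,
Z_FI_DISPLAY,S_TABU_DIS,T_X0000101,DICBERCLS,ZFI1,,
Z_FI_DISPLAY,S_SCD0,T_X0000102,ACTVT,01,06,
Z_FI_DISPLAY,S_TABU_DIS,T_X0000103,ACTVT,*,,X
Z_HR_DISPLAY,P_ORGIN,T_X0000200,AUTHC,R,,
Z_FI_POST,F_BKPF_BUK,T_X0000300,ACTVT,01,,
"""


def actvt_problem(low, high, allowed):
    """Return a reason string if an ACTVT entry exceeds the allowed set."""
    low, high = low.strip(), high.strip()
    if not low:
        return None                      # open (unmaintained) field
    if "*" in low:
        return "wildcard ACTVT " + low
    if high and high != low:
        return "ACTVT range %s-%s" % (low, high)
    if low not in allowed:
        return "ACTVT " + low
    return None


def review_display_roles(export_text, is_display_role, allowed=frozenset({"03"})):
    """List (role, object, reason) findings for roles meant to be display-only."""
    findings = []
    seen_manual = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        role, obj = row["AGR_NAME"], row["OBJECT"]
        # Skip roles outside the convention and deactivated authorizations.
        if not is_display_role(role) or row["DELETED"].strip():
            continue
        if obj in NO_ACTVT_OBJECTS:
            if (role, obj) not in seen_manual:   # report once per role/object
                seen_manual.add((role, obj))
                findings.append((role, obj, "manual review: no ACTVT field"))
        elif row["FIELD"] == "ACTVT":
            reason = actvt_problem(row["LOW"], row["HIGH"], allowed)
            if reason:
                findings.append((role, obj, reason))
    return findings


if __name__ == "__main__":
    for finding in review_display_roles(SAMPLE_EXPORT,
                                        lambda r: r.endswith("_DISPLAY")):
        print(finding)
```

The check only reports; deciding whether a flagged value is acceptable for the role stays with the administrator doing the review.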

Similar Messages

  • Prompted for authorization even though it's already authorized

    I just bought a new song in iTunes. Whenever I try to play it, I'm prompted to authorize my computer. When I authorize it, it tells me that my computer is already authorized. It does it again every time I try to play the song. It only happens for this song. Help?

    If you are in a country where re-downloading is possible (check this with iTunes in the Cloud and iTunes Match Availability by Country - http://support.apple.com/kb/HT5085), delete the track (and the original file) and download again (Downloading [using iOS or computer] past purchases from the App Store, iBookstore, and iTunes Store - http://support.apple.com/kb/ht2519).  See tips on downloading in https://discussions.apple.com/message/19097773, especially unchecking the "Allow Simultaneous Downloads" box in the downloads tab of iTunes.
    Select the store on the left side of iTunes.
    Click on Purchased on the right side under Quick Links.
    You can re-download your available previous purchases.
    If you cannot download a second time, contact iTunes Store support staff through the report a problem links in your account history or,
    iTunes Customer Service Contact - http://www.apple.com/support/itunes/contact.html > Get iTunes support via Express Lane > iTunes > iTunes Store

  • Prompted for authorization to play songs

    I am constantly getting prompted to authorize computer when I play a song

    Is that happening for any song you've purchased from the Store? Or just some songs off a particular album (and other songs on the album play fine)?

  • Missing authorizations for authorization object UIU_COMP

    I have generated the pfcg role for a business role using report CRMD_UI_ROLE_PREPARE and assigned the pfcg role to a user.
    The user is apparently able to perform navigation as required. However, when a ST01 trace is run for the user, there are few missing authorizations for UIU_COMP. Could anyone please explain the reason for this? No changes have been made to object UIU_COMP  i.e. only values generated by the report is present there. Should the missing authorizations be added manually to the role?

    I would recommend that you define for component UIU_COMP in your pfcg role full access (all set to *), because this authorization object is used for access to web ui components. Even if you define this object to full access users will still see just components defined in business role.
    Regards.

  • Translate Object class (for authorization objects)

    I wonder where I can translate the objects class (SU21 - auth objects). I managed to find where I can translate the authorization objects in SE63.
    What is the object type for the objects class in order to translate it.

    SAP itself told me there is no way to do so. They recommend to directly edit the corresponding text table.

  • Table for authorization objects

    Hi All,
    What is the table where all authorizations for a user for a particular authorization object is maintained?
    Thanks,
    Neelima.

    hi friend
    usr04 -User master authorizations alone
    usr07 - it will display all the authorisation object field name.
    if its helpful reward for the same
    regards
    vijay

  • Field Validation for Authorization Object field on selection screen

    Hi Experts,
    We have included a new field 'Authorization Object' in the selection screen which should be reflected in the field Authorization Object of the spool property. Please let us know how we can provide F4 help for this field and also validate it in the code.
    The data element "RSPOAUTH" is used for the field on selection screen parameter. However, as there is no value table attached to the domain, we are unable to provide any F4 help and hence cannot validate the field in the code.
    Looking forward for your valuable reply.
    Thanks in advance.
    --Warm Regards,
      Prajakta Kanitkar.

    Hi Prajakta,
       You can refer the following code for getting F4 help.
    " Needed so that SELECT-OPTIONS can refer to pa0001-zzbtc
    TABLES: pa0001.
    TYPES: BEGIN OF stru_btc,
             zesgbtc TYPE zhr_del_btc,
           END OF stru_btc.
    DATA: it_btc TYPE STANDARD TABLE OF stru_btc.
    SELECT-OPTIONS: s_zzbtc FOR pa0001-zzbtc NO INTERVALS.
    AT SELECTION-SCREEN ON VALUE-REQUEST FOR s_zzbtc-low.
      " Fill the value list shown in the F4 popup
      SELECT * FROM zbtc INTO CORRESPONDING FIELDS OF TABLE it_btc.
      CALL FUNCTION 'F4IF_INT_TABLE_VALUE_REQUEST'
        EXPORTING
          " retfield must name a column of value_tab
          retfield        = 'ZESGBTC'
          dynpprog        = sy-repid
          dynpnr          = sy-dynnr
          " screen field of the select-option that receives the value
          dynprofield     = 'S_ZZBTC-LOW'
          value_org       = 'S'
        TABLES
          value_tab       = it_btc
        EXCEPTIONS
          parameter_error = 1
          no_values_found = 2
          OTHERS          = 3.
      IF sy-subrc <> 0.
        MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
      ENDIF.
    Hope this will help you.
    Thanks & Regards.
    Aniruddha

  • Check for Authorization object

    Hi All,
    I have a report which will authorize the person running the report.
    I have been given a requirement which is to not accept some users and accept some users.
    Now I know this is possible with authorization object but as I never worked with it so I exactly kind of getting in confusion as to how to go about it.
    Could some one let me know how to go about it. I have few questions.
    1. what is the exact use of authorization object.
    2. I can build in the logic but what all should one start with before going for before implementing authorization object for the report.
    3. I know there is some basis work involved in this but what is that ?
    Thanks,
    Mahen

    Hi,
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    Use SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
      ID <authority field 1> FIELD <field value 1>
      ID <authority field 2> FIELD <field value 2>
      ID <authority field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is an auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to SU21 Transaction where you have to define authorizations, Objects and for that object you assign fields and values. Another Tcode is PFCG where you can assign these authorization objects and TCodes for a profile and that profile in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Reward points if useful
    Regards
    Anji

  • Role Maintenance - Automatically generated names for authorization objects

    Hello NG,
    I've got a question concerning the mentioned subject.
    Currently I am maintaining the roles/authorizations of a customer's system (Rel. 3.0) which has moved to Rel. 7.0.
    When I add an authorization object to a role, the technical name is generated automatically. How can I set up the naming conventions for the authorization objects?
    Thank you very much.
    Regards ..

    Hi SUNIL L,
    I referred to 3.0 but I think that the release version has no relevance for my problem. I think I should try to explain my problem once more:
    When I add an authorization object to a role, a technical name is generated automatically and assigned to it. Is it possible to set any naming conventions for this?
    Regards..

  • Table Name - For Authorization objects and fields.

    Hi
    Could anyone let me know in which table Authorization Objects and Authorization fields are stored.
    Thanks N Regards.
    Priya

    hi,
    TOBJ ---> Authorisation Objects
    Refer to the link.
    http://saptechnicalinfo.blogspot.com/2008/07/sap-authorization-objects-tables.html
    Regards
    Sumit Agarwal

  • How to uncheck infoobjects for authorization objects

    how to uncheck infoobjects for a specific authorization objects

    That would be a list of InfoProviders from the system and those with a check mark indicate that this auth object is turned on for the checked cube. So yes, you would have to uncheck the InfoProvider here also before you can delete the auth object.
    Hope this helps...

  • Update the authorization object value for more than 1000 role

    I need to remove one of the activity values (06) from authorization object S_SCD0.
    I did a search and found out that there are more than 1000 roles which have the activity value = 06 for authorization object S_SCD0.
    However, I don't think I can create a SCAT script to update all these 1000 roles and I believe it's going to be very tedious if I am going to manually change it one-by-one. Hence, I am wondering is there any standard program/function which I can use to automate the above changes for all these 1000 over roles.
    Kindly advise.
    Thanks

    Directly updating the table is the easiest way, but should be discouraged for the obvious reason.
    Should take a step back, take a long term view, when you need to update 1000 roles, maybe a role redesign might be needed. For example, if you can change the role model to derived role model, one update to the parent role will take care of all the child roles.
    Thanks,
    Lye

  • Authorization object for Command Button

    Hi all,
    How can I create the Authorization object for command button which is on application server.
    if you do not have auth when you click on that command button, it should be say 'you dont have auth'.
    please help me in this.
    regards,
    Ajay reddy

    Hi,
    Tcodes for Authorization Objects are,
    su20----> for defining authorization field,
    su21-----> for authorization class,
    su22------> for assignment authorization object
    To create an authorization object:
    1) Execute transaction SU21
    2) Double-click an Object Class to select a class that should contain your new auth object
    3) Click on CREATE (F5)
    4) (If creating custom field) - Click the 'Field Maintenance' button --> Click on CREATE (Shift+F1)
    5) Enter the Name for the New Authorization field and the corresponding Data Element and SAVE
    6) Confirm the Change Request data for the new Authorization Field
    7) Go back two screens (F3-->F3)
    8) Enter the Authorization field name and document the object:
    9) SAVE and ACTIVATE the documentation
    10) Save the new Authorization Object
    11) Confirm the change request data for the Authorization Object and EXIT SU21
    12) Finally, the SAP_ALL profile must be re-generated
    Regards,
    hema.

  • Authorization object for "add approver" in contracts

    Hello, Experts,
      I am looking for authorization object for adding approver in contracts.
    But without adding authorization for changing contracts.
      Regards,
        Rami Kleiman - HP

    1. You can try to restrict the authorization object (Manager Role -- /SAPSRM/MANAGER) for contracts to display (remove the change).
    2. You can also change the personalization object key "BBP_WFL_SECURITY" to None (but I think this will affect all the objects like shopping carts, purchase orders etc.)
    Thanks
    velu

  • Activate standard badi - prompts for Object Key?

    In SE19 when trying to activate an SAP delivered implementation of a badi I'm prompted for an object key for the implementation class.   
    fyi  Running ECC6 on Basis 7 kb14.
    Go to SE19
    Display badi FIAA_BW_DELTA_UPDATE
    Go to environment menu, choose activate.
    Notice that the activate option is greyed out?
    Go back and change the FIAA_BW_DELTA_UPDATE badi implementation. Go to environment menu, choose activate. You'll be prompted for an object key for the implementing class - CL_IM_FIAA_BW_DELTA_UPDATE.
    Is this correct behavior?   We don't want to change the class - just activate it.    Could I get around this by copying the class changing the implementation class to a ZCL_IM_FIAA_BW_DELTA_UPDATE?
    Thanks in advance for any help on this topic.

    Hi Ryan.
    You need to apply an OSS note for this
    Please check the extract below..it will solve the problem
    check the following Notes.
    Check these OSS Notes - 828240, 688477 and 590034,599896
    Note Pasted below :
    When you load the delta-enabled InfoSources of asset accounting, no time stamp information is updated in the OLTP system if you have selected "Simulation of the delta process initialization" (initialization without data transfer; technical mode 'S') as the update mode.
    This affects the InfoSources:
    1. 0ASSET_ATTR_TEXT
    2. 0ASSET_AFAB_ATTR
    3. 0FI_AA_11
    4. 0FI_AA_12
    As a result of the error, you cannot start delta extraction after the initialization without data transfer because the delta extractor does not find any time stamp information it can use.
    Other terms
    RSA3, BWOM2_TIMEST, delta, DeltaInit, BWFIT, 0FI_GL_4, BWFIT_GET_TIMESTAMPS, BWFIT_RESET_TIMESTAMPS, BWFIT_UPDATE_TIMESTAMPS
    Reason and Prerequisites
    a) The problem is caused by a program error.
    b) The 'FIAA_BW_DELTA_UPDATE' BADI is not active.
    Solution
    For a: Implement the source code corrections to create a correct time stamp for the initialization without data transfer.
    For b: For a data extraction to the BW system according to the delta method, the 'FIAA_BW_DELTA_UPDATE' BADI must be active. When assets are changed, this BADI writes the corresponding change entries which are read by the extractors to determine the delta values. If this BADI is not active, the extraction terminates with error BWFIAA 001 (BAdI implementation FIAA_BW_DELTA_UPDATE inactive in source system). During a DeltaInit extraction with data transfer, the system flags the data request as incorrect or canceled in the monitor and issues the error message. However, during the DeltaInit extraction without data transfer, the system does not issue an error in the BW system even though the extractor triggered an error message and the termination of the extraction in the OLTP system. The data request in the BW system has the status 'successful' and the user cannot see that an error has occurred. However, a time stamp is not created in these cases since the following delta extractions would cause inconsistencies because the BADI would not be able to log all changes that have occurred since the last extraction.
    Regards
    Byju
