Querying roles containing specific Authorization Object

Hello!
We're using BI7 with new considerations about security. I want to get all roles that contain a specific Authorization Object. I've tried using TX SUIM, but had no success.
Is there any report, transaction or something else where I can find this info?
I hope you can help!
Regards!
Bernardo

Bernardo,
If "new security model authorization objects" means analysis authorizations (SAP's official naming for objects maintained by RSECAUTH), those used in roles can be retrieved again using tcode SE16: just query AGR_1251 but this time providing S_RS_AUTH for field OBJECT. The result set shows roles that contain analysis authorizations. If you want only the roles which have a specific analysis authorization, just provide its name for field LOW. Be sure to fill in this field with all capital letters.
On the other hand, table RSECVAL keeps the values defined for analysis authorizations.
Hope this helps.
Regards,
Fernando

Similar Messages

  • Issue with context specific authorization object P_ORGINCON.

    Hello Experts,
    The context specific authorization object doesn't evaluate the
    structural profile it is assigned to when more than one structural
    authorization is assigned to a user.
    Please read the below scenario for issue description as follows:
    User ZHR_ACT13 is assigned two roles namely ZHR_HRD and ZHR_DEPT_HEAD.
    He is the manager for employee ID 167 and is not the manager of employee ID 17.
    Role ZHR_HRD has no read/write authorization for Infotype 6. ZHR_HRD is also assigned to structural authorization ALL which is meant for viewing all the objects with no restriction of any relationship.
    Role ZHR_DEPT_HEAD has read authorization for infotypes 6 for only the subordinates i.e. the structural authorization ZDEPT_HEAD of viewing only the subordinates data is assigned to this role. Also this structural authorization ZDEPT_HEAD is assigned to infotype 6 using
    authorization object P_ORGINCON.
    But now the manager ZHR_ACT13 is able to read infotype 6 data for employee ID 17 who is not his subordinate even though only structural authorization ZDEPT_HEAD is assigned to infotype 6 using P_ORGINCON. We
    expect that user ZHR_ACT13 must be able to read infotype 6 data only for employee ID 167 and not for employee ID 17.
    Please kindly help resolve this issue.
    Thanks & Regards,
    Roshan.

    This has been resolved.

  • The scope of the customer-specific authorization object

    Dears,
    Could someone please give feedback about the scope of the customer-specific authorization object; e.g. if we are to create a customer-specific authorization object to replace authorization object P_ORGIN in the HR module, to be able to add an extra authorization field to the newly created authorization object, will the scope of the newly created authorization object (which will have a new validation code generated by report RPUACG00) be the whole ERP system?
    The worry is caused by the fact that P_ORGIN is already used in several authorization roles granted to users in the different ERP modules (i.e. FI, SD, MM, CS), so the replacement would affect these modules.
    Thanks.
    Reda

    Hello Reddy,
    We are about to implement the HCM module (We are now in the testing
    phase), on the same client as that of our SAP ERP implementation.
    We need to authorize on the personnel number grouped by 'Payroll Area'
    in transactions PA30, PA40
    In authorization object P_ORGIN, the field VDSK1 is already used to
    authorize on an attribute : cost center (organizational key) for each
    organizational unit, so we can't configure it to authorize on other
    fields from info type 0001 (e.g. Payroll Area).
    We need to continue using the conventional / general authorization and
    not the structural authorization, to stay in compliance with our
    authorization schema already implemented in our FI, MM, SD & CS modules.
    ( Also, as per thread : Steps for creating structural authorization profile using trans. OOSP
    the structural authorization cannot be used to authorize on Payroll Area.)
    We need to go through the HR module implementation without any changes
    in the ABAP code.
    So, the last way out is the custom-specific authorization object, and as I mentioned before, the authorization object P_ORGIN was already used in other ERP modules; e.g. FI, MM, SD & CS,
    ( Note : I haven't started yet implementing this solution.)
    Thanks.
    Reda

  • User List for a specific Authorization Object

    Hi all,
    I am looking for a way to get a list of all users assigned to a specific Authorization Object with specific values. The FM 'authority_check' is the other way around and not what I need. Does someone have an idea?
    Many thanks in advance.
    Ali

    Hi,
    Try this FM
    SUSR_USER_AUTH_FOR_OBJ_GET
    Check this FM
    AUTHORIZATION_DATA_READ_SELOBJ
    Rgds,
    Prakash
    Message was edited by: Prakashsingh Mehra

  • Role creation and authorization objects in sap

    Hi
    I want to know the full relationship between creation of roles, authorization objects, authorizations in web as abap
    Please explain the process in detail the use of PFCG and all its options and how to create Z roles

    Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
    - Roles are nothing but a container for authorizations. A role represents a specific part of an employee's job.
    - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
    For e.g. If a user wants to create a PO we can restrict him on:
    • Activity : Create/Change/Display
    • Org elements like Company Code, Plant, Purchase Organization etc
    • Document type etc.
    - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
    - Fields: The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & 03 (Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
    - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
    - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
    - Authorization checks are included in the transactions source code in standard SAP R/3. A user may carry out an action if the authorization check is successful for each field in the object.
    Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

  • Roles in BW (Authorization Objects)

    Hi,
    I want to create a role in BW which will provide access to 9 reports on a particular info cube.
    What authorization objects do I need to use to achieve this purpose?
    Level of authorization:
    Execute any report on that particular data target
    Thanks

    Hi BW KING,
    1. before going to authorizations u have to decide on which Infoobject u have to apply authorizations.
      EX: SD -> Sales Org, MM -> plant, purorg, FI -> companycode.
    first u have to decide which area & on which Infoobject.
    2. goto that Infoobject --> change, there check the checkbox Authorization relevant object checkbox
    2. after that u have to goto RSSM, there u have to create authorization object
    Ex: Zxxx ( XXX is Infoobject Name ).
    3. In the same transaction Screen u have Infocube selection radio Button, check that then select on which cube (cube means under that cube all Queries) u have to make authorization for that particular Infoobject.
    4. next goto PFCG create role & save it
    5. goto Authorization tab, in that select edit authorization, it will give automatically authorization Templates, in that u have to select only S_RS_RREPU & press Enter.
    6. Select manual pushbutton, it will ask authorisation object, enter ur authorization object what u have created ( zxxx ).
    7. click generate + enter
    8. goto user tab, Enter userId + enter + click on user comparison + enter
    9. save the role.
    Thanks,
    kiran

  • Programmatically assigning Authorization Objects to roles

    Hi there,
    I have created an authorisation object with eight fields. The fields control which parts of my application are accessible to the user. (Each field is one category, each category has several subcategories).
    What I want to do is the following:
    There shall be a custom authorization dialog, wherein the system administrator can configure the access of the application for a specific user.
    In plain text: I want to develop an interface which makes it possible to assign authorisation objects with specific values to a user or to an already existing role.
    Is there any functionality, that allows me to perform this assignment and regenerate the users profile?
    I already discovered that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just writing new values to that table has no effect on the authorization when calling "authority-check object" in an ABAP report.
    Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?
    Thank you very much,
    Gregor
    Edited by: Gregor Bender on Mar 11, 2008 8:41 AM

    > Gregor Bender wrote:
    > I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values.
    Nope, sorry, it's not the connection but only one of the many.... Roles and profiles are stored in quite a lot of different tables so manipulating one table directly will hardly ever get you the desired situation. It may even lead to problems due to inconsistencies.
    For mass regenerating profiles there's transaction SUPC.
    For manipulating the contents of roles/profiles have a look at scripting with SECATT or LSMW in combination with PFCG.
    If you want to write code to add objects to roles you have to look at least in tables AGR_1250, AGR_1251 and AGR_1252. The UST* tables are updated when generating profiles and/or comparing users.

  • Custom authorization object

    Hi all,
    I have created a custom authorization object to define a data security based on the Company code field.
    These are the steps I did:
    - I create a new authorization object containing the Company code field (BUKRS).
    - I create a new role with this authorization object, and I have assigned a specific value to the Company code field.
    - The role contains also the standard authorization object HR Master data which contains the field: infotype, personnel area...
    - I have assigned the new role to a user and I have executed a report, but I had not the expected result.
    - I had assigned the custom authorization object to the report transaction through SU24 and SU22, but I had not the expected result.
    As expected result I was expecting that the data are filtered based on the Company code I put in the authorization field.
    Any idea about the problem?
    thx!

    Please check that you have followed all of the steps listed here when creating your object:
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm
    - April

  • HR Authorization : Custom Authorization Object  for P_ORGIN

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORGIN object is checked instead.
    We've also run the report RPUACG00 which is mentioned in this thread.
    We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
    but still it is taking the P_ORGIN object

    Online Help
    P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context): http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm

  • What is standard authorization object for  Personal development  P_PLOG

    Hi,
    Recently I got an object in HR and I don't have any experience in HR. Could you guide me how to assign standard authorisation object for the personal development p_plog? How to see the infotypes and what is the header field in infotypes?

    1- First of all the object is "PLOG" for personal planning. There’s no object with p_plog, most of time to maintain HR master we use object P_ORGIN.
    2- You want to assign authorization for certain infotypes?
    If yes, you have to go TR.PFCG and assign the authorization to that specific role.
    Now you might have a question, how you’ll track down the roles against the authorization object.
    There’re several ways, you can go to Tr.SUIM and find reports by user, roles etc.
    You can also go SE16 -> give table AGR_1251, give object and you can see the values in table.
    After finding the suitable roles you can go to PFCG and assign the values to the roles.
    As a good practice it’s better to create your OWN role Z:hrXXXX and assign it to users.
    Hope this’ll give you idea!!
    P.S award the points.
    Good luck
    Thanks
    Saquib Khan
    "Knowledge comes but wisdom lingers!!"

  • Standard authorization object for Infotype 41

    hi
    Just wondering, did anyone come across standard profile that can define access based on date types?
    thanks


  • What is authorization object and how to create it for a table

    Hi All,
    What is authorization object and how to create it for a table?
    Thanks

    Hi
    Authorization
    For authorization checks, there are many ways of linking authorization objects with user actions in an SAP system. The following discusses three possibilities in the context of ABAP programming.
    Authorization Check for Transactions
    You can directly link authorization objects with transaction codes. You can enter values for the fields of an authorization object in the transaction maintenance. Before the transaction is executed, the system compares these values with the values in the user master record and only starts the transaction if the appropriate authorization exists.
    Authorization Check for ABAP Programs
    For ABAP programs, the two objects S_DEVELOP (program development and program execution) and S_PROGRAM (program maintenance) exist. They contain a field P_GROUP that is connected with the program attribute authorization group. Thus, you can assign users program-specific authorizations for individual ABAP programs.
    Authorization Check in ABAP Programs
    A more sophisticated, user-programmed authorization check is possible using the Authority-Check statement. It allows you to check the entries in the user master record for specific authorization objects against any other values. Therefore, if a transaction or program is not sufficiently protected or not every user that is authorized to use the program can also execute all the actions, this statement must be used.
    AUTHORITY-CHECK OBJECT object
                            ID name1 FIELD f1
                            ID name2 FIELD f2
                            ID namen FIELD fn.
    object is the name of an authorization object. With name1, name2 ... , and so on, you must list all fields of the authorization object object. With f1, f2 ... , and so on, you must specify the values that the system is to check against the entries in the relevant authorization of the user master record. The AUTHORITY-CHECK statement searches for the specified object in the user profile and checks the user's authorizations for all values of f1, f2 ... . You can avoid checking a field name1, name2 ... by replacing FIELD f1  FIELD f2 with DUMMY.
    After the FIELD addition, you can only specify an elementary field, not a selection table. However, there are function modules available that execute the AUTHORITY-CHECK statement for all values of selection tables. The AUTHORITY-CHECK statement is supported by a statement pattern.
    Only if the user has all authorizations, is the return value sy-subrc of the AUTHORITY-CHECK statement set to 0. The most important return values are:
    ·        0: The user has an authorization for all specified values.
    ·        4: The user does not have the authorization.
    ·        8: The number of specified fields is incorrect.
    ·        12: The specified authorization object does not exist.
    A list of all possible return values is available in the ABAP keyword documentation. The content of sy-subrc has to be closely examined to ascertain the result of the authorization check and react accordingly.
    REPORT demo_authorithy_check.
    PARAMETERS pa_carr LIKE sflight-carrid.
    DATA wa_flights LIKE demo_focc.
    AT SELECTION-SCREEN.
      AUTHORITY-CHECK OBJECT 'S_CARRID'
                      ID 'CARRID' FIELD pa_carr
                      ID 'ACTVT' FIELD '03'.
      IF sy-subrc = 4.
        MESSAGE e045(sabapdocu) WITH pa_carr.
      ELSEIF sy-subrc <> 0.
        MESSAGE e184(sabapdocu) WITH text-010.
      ENDIF.
    START-OF-SELECTION.
      SELECT  carrid connid fldate seatsmax seatsocc
        FROM  sflight
        INTO  CORRESPONDING FIELDS OF wa_flights
        WHERE carrid = pa_carr.
        WRITE: / wa_flights-carrid,
                 wa_flights-connid,
                 wa_flights-fldate,
                 wa_flights-seatsmax,
                 wa_flights-seatsocc.
      ENDSELECT.
    Regards
    Hitesh

  • Is S_RFCACL a critical Authorization Object ?

    Hi All,
    As we know that S_RFCACL (Authorization Check for RFC User (e.g. Trusted System)) is required for having access to the trusted systems.
    In most of our roles for this authorization Object we have maintained the * value for the following fields:-
    RFC_SYSID
    RFC_TCODE
    This has been made as an observation by the auditors as having this critical access with the users.
    But my question is how can it be the critical access when the user should have id's in both the systems(trusted and trusting) to login to the called system.
    Also even if the user logs into the called system he will only be able to execute the list activities/t-codes that he is authorized to in that system, it will override the * value maintained in RFC_TCODE.
    What possibly could be the risk from this authorization object ?
    Regards,
    Parichay

    Parichay Jain wrote:
    In most of our roles for this authorization Object we have maintained the * value for the following fields:-
    RFC_SYSID
    RFC_TCODE
    This has been made as an observation by the auditors as having this critical access with the users.
    The object itself is certainly critical, but as you stated the trust itself has to have been setup at the system level for the authorization to be going anywhere.
    These two fields are in all honesty only irritating and you can successfully defend putting a * into them.
    RFC_SYSID values for a role means you unit test a role in DEV, integration test it in QAS and then use it live in PROD. Additionally the field RFC_INFO is actually the installation number and you can be fairly sure that will be the same in the landscape. So only adding the pairs of production system IDs means you cannot test the same roles, which is a bit silly.
    RFC_TCODE is even sillier. The generic RFCs for starting transactions (eg. ABAP4_CALL_TRANSACTION) check the transaction code themselves again and that is then user specific roles relating to their job functions. Restricting S_RFCACL additionally in a system role (eg. common role for all users) means that you must double-discriminate against all possible transactions which can be called via RFC and list them all there and maintain the list. But the check happens later again and the application authorizations in the transaction are generally checked as well. Waste of time.
    @ Alex: The RFC_EQUSER = Y field only means that if the calling and called user ID names are the same, then the field RFC_USER is not checked and therefore does not have to be maintained. But it is often misunderstood and the field RFC_USER gets a * value as well (which is where the real music is..) and the EQUSER setting has no further effect. Technically, it actually weakens the authority-check on the user field - which is correct because otherwise you have to maintain it and end up with personalized roles, which is most silly of all.
    So you can quite safely tell your auditor that Julius agrees with you and they are barking up the wrong tree..  :-)
    Cheers,
    Julius

  • Authorization objects generated by a transaction

    Hello, good afternoon, I have a problem with some roles. There is currently a transaction called FDTA which shows me TXT files for bank transfers for both HR and FI; it turns out that HR staff can see the FI TXT files and FI staff can also see the HR ones. How can I find out which objects that transaction generated, or how can I determine which field restricts this option?
    Thanks for your attention,

    Hi Juan Carlos,
    You should be able to see all authorization objects for a transaction by first adding it to the menu in PFCG. Furthermore, if you want to troubleshoot specific authorization objects, instruct the user to execute transaction SU53 when the error occurs. This screen will show you the specific authorization object that failed at that moment.

  • Basis authorization object class

    Hi All,
    Few roles contain ABAP & BASIS objects but 1 user should NOT get access to these. How can I restrict ABAP & BASIS objects only for 1 user id without disturbing access for other users.
    I tried creating Z roles for this user id and deactivating BASIS objects but still some other roles containing ABAP objects are accessible which I dont want to give.
    Is there any shorter way out?
    thx
    Bhushan

    Hi Bhushan,
    As i am not next to you, i cannot say on how the user gets to SU01. But if i were you, i would do the following
    1. Go to table AGR_1251 and list all the roles used and check on the object S_TCODE
    2. check for any presence of ranges
    3. If the table result shows SU01, then I am sure you know what to do - if the table shows SU01 in the output but you see that it is not in any of the role menus, then spend some time to understand about calling transactions and called transactions (Ex: PFUD internally calls for SU01). You can search the forum for more details
    If you dont find desired results from the above try controlling / restricting the authorizations for SU01 for the related objects like: S_USER_AGR, S_USER_GRP, S_USER_SAS............
    But I would never remove ALL basis objects (or) ABAP objects from my authorizations based on the object groupings in SAP.
    S_DEVELOP is a ABAP object grouped in the BC class, but i wouldnt remove it entirely because my user is a functional consultant, there are ways of controlling the access of the object. As an example, sending customers from R/3 to an external systems using the BD* transaction would need authorizations on S_DEVELOP. Doing this is a functional job and S_DEVELOP is a ABAP object
    so try controlling the access on the objects rather than removing the objects from the authorizations.
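
The AGR_1251 lookups suggested in this thread (OBJECT = S_RS_AUTH with the analysis authorization name in LOW, and OBJECT = S_TCODE with a check for ranges), as an added example that is not from any poster or from SAP. It goes beyond a plain LOW filter in SE16 by also reporting roles that grant the value through a LOW/HIGH range or a `*` pattern, and it skips rows flagged DELETED. The export layout, role names, sample rows and function names are constructed for illustration; the range check is a plain string comparison and therefore an approximation.

```python
import csv
import io
import re

# Constructed sample shaped like a semicolon-separated SE16 export of
# AGR_1251 (not real data). Column names are the table's field names.
SAMPLE_EXPORT = """AGR_NAME;OBJECT;FIELD;LOW;HIGH;DELETED
Z_BI_SALES;S_RS_AUTH;BIAUTH;ZSALES_EU;;
Z_BI_ALL;S_RS_AUTH;BIAUTH;*;;
Z_BI_OLD;S_RS_AUTH;BIAUTH;ZSALES_EU;;X
Z_BASIS_ADMIN;S_TCODE;TCD;SU01;;
Z_HR_CLERK;S_TCODE;TCD;PA20;PA40;
Z_SUPPORT;S_TCODE;TCD;SM00;SZZZ;
Z_USER_DISP;S_TCODE;TCD;SU*;;
Z_FI_CLERK;S_TCODE;TCD;FB01;;
"""


def load_rows(text):
    """Parse the exported table into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def value_covers(low, high, wanted):
    """True if one LOW/HIGH pair covers the value `wanted`."""
    low = low.strip().upper()
    high = high.strip().upper()
    wanted = wanted.strip().upper()  # values are stored in capital letters
    if high:
        # Range entry: approximate the check with string comparison.
        return low <= wanted <= high
    if "*" in low:
        # Pattern entry such as SU* or a bare *.
        pattern = ".*".join(re.escape(part) for part in low.split("*"))
        return re.fullmatch(pattern, wanted) is not None
    return low == wanted


def roles_granting(rows, auth_object, wanted, field=None):
    """Map role name -> list of (LOW, HIGH) entries that cover `wanted`.

    Rows flagged DELETED are ignored, so the result reflects only the
    authorizations that are still part of the role.
    """
    hits = {}
    for row in rows:
        if row["OBJECT"] != auth_object:
            continue
        if field is not None and row["FIELD"] != field:
            continue
        if (row.get("DELETED") or "").strip():
            continue
        if value_covers(row["LOW"], row["HIGH"], wanted):
            hits.setdefault(row["AGR_NAME"], []).append(
                (row["LOW"], row["HIGH"])
            )
    return hits


ROWS = load_rows(SAMPLE_EXPORT)

if __name__ == "__main__":
    for obj, value in (("S_RS_AUTH", "ZSALES_EU"), ("S_TCODE", "SU01")):
        print(f"{obj} = {value}")
        for role, entries in sorted(roles_granting(ROWS, obj, value).items()):
            for low, high in entries:
                shown = f"{low}..{high}" if high else low
                print(f"  {role}: {shown}")
```

A role that appears here only because of a range or pattern entry is the case a SE16 query on an exact LOW value misses.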
