Question on Authorization Object.

Similar Messages

• Red Light with Authorization Object in PFCG

  Hello All - I have a question with authorization objects, there are three roles with red lights 'ON' in authorization object screen in our PRD. However users who are using these roles have no auth issues, standard procedure is to make all lights green in PFCG by maintaining these auth objects.
  Big question is "what is the down fall by leaving these objects RED, I need to support my theory when I say all lights green with auth objects.
  Why best practise says maintain all lights to green?
  Please suggest, appreciate your suggestions.
  Thanks.
  Edited by: AJ on May 12, 2009 9:44 PM

  Hi,
  > "What will be the difference between leaving that red lights 'ON' vs "disabling" these red objects? (I am bit confused on this).
  Red Object: As you know that authorization Objects comprises of Authorization fields. There are certain fields, which are known as "Organization Level" fields and need to be maintained Centrally. If you miss this fields, then the traffic light icon is RED. For all other authorization fields, light will be Yellow if you miss any blank field to maintain. During check, these fields will provide missing authorization (but you may not get error if same object is present in the role with all fields maintained status).
  Disabled Object: If you make any Object Disable, then during check, this Object will not be treated for checking Authorizations. But profile generator will keep this in mind, so you don't get Standard Objects repeatedly (if already present in Deactivated status also) whenever you go to "..Merge with New Data".
  You all other questions are very nicely answered already.
  Regards,
  Dipanjan

• Authorization Object is not working when report is modified.

  Hi BW Guru's
  We have Company Code as Authorization Object .and we have 3 company Codes (xxxx,yyyy,zzzz).where the users under Company code xxxx are not supposed to view company code yyyy,zzzz data etc.
  I modified an existing Report and transported to production.But the Authorization Object is not working for that report.The Report is defaultly displaying all the company codes data(xxxx,yyyy) for all the users.But for the other reports its(company code ) is working fine.
  What could be the problem?Is theproblem in transporting the objects.But i transported all the objects inluding auhorization object.
  Please send me the solution as it is very much urgent.
  The solution will be def. awarded with full points.
  Regards
  Sanjay

  hi Sanjay,
  please don't post the same question again, check and response back from your previous thread
  Re: Authorization Object is not working when report is Modified.
  hope this helps.
  would be nice if you reward for helpful answers to all of your previous postings, e.g
  docs related to RRI

• Report to check authorization object used in customized programs

  Hi Guys,
  An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
  Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

  Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
  To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
  Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
  Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
  Code review is an art form!
  Cheers,
  Julius

• How to add custom authorization object to a SAP standard transaction

  Hi All,
  I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
  Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
  - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
  - tcode SU21 - creation of  a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
  - tcode SU24 - insert of new authorization field e check indicator (green)
  - tcode SU22 - check indicator - check (green)
  After this we have created a new role with PFCG and add transaction IW22; the new auth.ZPM was added manually.
  We have try to analyze log (ST01 trace) but it seems no check was made in the trace file.
  It seems new authorization object was not checked.
  My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
  Thanks
  Maurizio

  > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
  >
  No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
  So you need to provide a Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
  Regards,
  Dipanjan

• How to use Standard Authorization Object 'M_MATE_WRK'  in SE38?

  Hi all,
  We have developed one program which calculates the commercial price of the material   
    and update the same in the material master.
  Now we want to implement authorization checks at Plant Level.
  For this purpose I am Using 'M_MATE_WRK' which is standard authorization object.
  But in my Program when I am checking for it, its giving the sy-subrc value as 0.
  This indicates that either it is successful or the object is not active for this particular  program. In my case I know that its the second case only.
  So now somewhere i need to 'Check' this object for this particular Program.
  I have checked SU22 , SU24 but couldn't figure out where should i do the respective  setting.
  I am working on ECC 6.0
  Please help me on this.
  Bare with me if i am asking a silly question.

  Hello All,
  The Problem is resolved now.
  Actually it was the first case only.
  When i created the new user id and checked i realized that its working fine and there was
  some mistake while checking previously.
  Anyways thanks for ur reply.

• A question about authorization of "me29n".

  I have a question about authorization of "me29n".
  In the screen of me29n, after I choose "cancel release" option,  there are several button I can use, such as "delete","lock","unlock" and so on.    now I want the "delete" button become unavailable after I choose "cancel release".    how can I archive ?   Is there any authorization object to use?   thanks a lot.

  Hello Victor,
  It is possible through Transaction code "SHDS".
  try to create new variant for it.Also you need to take
  ABAP'rs help in this .Try it.All the Best.
  Regards,
  Manjula.

• Can we reuse the Authorization objects in MM01 for  Custom TCODE  ZMM01

  Hi all,
  We need to create screens  or transaction code ZMM01 which will have all views in the form of a tab like sales data will have a tab to input sales information like plant data as its own tab to input plant specific data
  ceating material  masters  entries in Ztables like ZMARA,ZMARC,ZMVKE.
  Now my question is can we use the same authorization objects which are being used for standrard MM01 transaction code because same users who use MM01 will use ZMM01.
  If this is possible how can I know what are the authorization objects which I need to program for my ZMM01 Tcode.
  All replies are rewarded.
  Regards
  Martin.

  hi yes
  it is possible go to transaction SU21
  and search MM_G object class you can reuse the same for ur Z transaction
  also u will have to use SU22 to assing tcode to the obejct class
  Harish

• Use of RSSM to create authorization objects

  I have a few questions on the way of using authorization objects via RSSM.
  First, i would like to know if there is a limit in the number of values used as a filter in the authorisation object.
  First, what is the quantity limit of values that we can use as filter? CC00000010, CC00000011, CC00000012, ..., n. In this case what would be the value of n. In our fonctionnal need, ranges of values would not be an option.
  My second question is in relation with the use of an authorization object composed of two characteristics. Is there a way to build a case in witch the authorization check return a positive answer to a logical OR between the two  characteristics?
  Example 2, lets say that you want to perform an authority check on the cost center OR on the profit centre. Is there a way to build the authorization object to make sure that there is no error messages when the user has the authorization for the cost center CC00000010 OR the profit center PF00000011.
  Best regards,
  Stéphane Beaudoin

  why would you use Pages when there are templates in iweb
  as for the URL question, that is determined by the host, not iweb which just writes the page. but I would not use tinyurl since it has become a favorite of phishers and other web nasties. it might be worth getting a domain name if you can find a good deal.
  i would search for some realtor sites to see the kinds of information they are giving and how they are laying it out. and make sure that all photos look really really good. nothing is more off putting on a house ad than crappy photos

• BI 7 - Authorization objects

  Hi,
  I am trying to save the authorization object which I have created, But I am getting error message "Characteristic 0TCAACTVT not authorization relevant". Please help me on this error

  >
  Ramesh Babu M wrote:
  > Hi,
  >
  > I am trying to save the authorization object which I have created, But I am getting error message "Characteristic 0TCAACTVT not authorization relevant". Please help me on this error
  This is not about MaxDB or any other database but about SAP BI - just post this question there and the chances to get a useful reply will raise immediately!
  regards,
  Lars

• HR custom authorization objects

  Is it possible to have more than one custom HR authorization object active at the same time? For example if I need 2 custom variations of P_ORGINCON (I  have some very complex requirements),  is that possible, or am I limited to just 1? Having more than 1 seems to present a problem when I run RPUACG00 to generate include MPAUTCON. It overlys the code generated fo the first cusom object with code for the second object, therefore only allowing cgenerated code to exist for 1 of the objects.
  And one additional question - when I create a custom HR object (one which contains infotype, subtype, persg, persk etc), am  I limitied to only using fields from PA0001 in that object?  If I include some other field that does not exist on PA0001, when I run RPUACG00 it gives me the error "Field xxx is not allowed  in authorization object Z_xxx".
  Many thanks,
      Mike

  One example of a  requiremnet I have is for a manager to have 3 different types  of authority based on when a position was in his org structure. So if a position is currently in his org structure he might have WRITE access to their infotype 2,6,8... for positions that were in his org strucure between 1 and 60 days ago (but are not in his structure as of today) he might have WRITE access to their infotype 2 and 6 and READ access to other infotypes, and for people that were in his structure 61-9999 days ago, he might have only READ  access to all the position's infotype data.
  I was thinking of using 3 disctinct HR authorization objects to cover each of these 3 scenarios, but ran into the issue mentioned above with the generation program RPUACG00.

• What is standard authorization object for  Personal development  P_PLOG

  Hi,
  Recently i got a object in HR and i dont have any experince in HR.Could you guide me how to asssign standard authorisation object for the personal development p_plog? how to see the infotypes and what is the header field in innfotypes?

  1-First of all the object is "PLOG"  for personal planning. There’s no object with  p_plog , most of time to maintain HR master we use object P_ORGIN.
  2- You want to assign authorization for certain infotypes?
  if yes, you have to go TR.PFCG  and assign the authorization to that specific role.
  Now you might have question , how you’ll will track down the roles against the authorization object .
  There’re several ways , you can go to Tr.SUIM and find reports by user , roles etc.
  You can also go SE16-> give table AGR_1251, give object and you can see the values in table.
  After finding the suitable roles you can go to PFCG and assign the values to the roles.
  As a good practice its better to create your OWN role Z:hrXXXX and assign it to users.
  Hope this’ll give you idea!!
  <b>P.S award the points.</b>
  Good luck
  Thanks
  Saquib Khan
  "Knowledge comes but wisdom lingers!!"

• RSSM: Checks Authorization Objects for Infoprovider are not activ

  Hello,
  we have BW 3.5 and we use RSSM Authorization Objects.
  When we create a new cube with an Infoobject that is authorization relevant, in our development-system in rssm the flags for the checks are automatically activ.
  When we transport the new cube to our production-system, the flags in RSSM for the authorization object are not activ.
  Sometimes the new infoprovider is not in the list of the infoprovider in rssm, so we have to "update check status" with the appropriate icon.
  My question:
  It is possible, that when we import the new cube in our production-system, that all authorization objects are activ??

  Hi,
  Normally system would check all the authorization relevant objects whenever a new Info cube is imported and in case if you want to transport these changes to Production system manually then follow the below listed steps:
  1) In Development system, check or un-check the authorization relevancy using the transaction RSSM on a given Info provider
  2) These changes are stored in table RSSTOBJDIR
  3) Create a manuall transport request and include these entries covering the required Authorization objects manually. 
  R3TR TABU RSSTOBJDIR
  Ex: If Info object 'A' is authorization relevant in Development system but not in Production system and you want to transport this change to Production system then include object 'A' table entries manually.
  Hope this helps.
  Cheers
  Bala Koppuravuri

• Standard authorization object for Infotype 41

  hi
  Just wondering did anyone came across standard profile that can define access based on date types?
  thanks

  1-First of all the object is "PLOG"  for personal planning. There’s no object with  p_plog , most of time to maintain HR master we use object P_ORGIN.
  2- You want to assign authorization for certain infotypes?
  if yes, you have to go TR.PFCG  and assign the authorization to that specific role.
  Now you might have question , how you’ll will track down the roles against the authorization object .
  There’re several ways , you can go to Tr.SUIM and find reports by user , roles etc.
  You can also go SE16-> give table AGR_1251, give object and you can see the values in table.
  After finding the suitable roles you can go to PFCG and assign the values to the roles.
  As a good practice its better to create your OWN role Z:hrXXXX and assign it to users.
  Hope this’ll give you idea!!
  <b>P.S award the points.</b>
  Good luck
  Thanks
  Saquib Khan
  "Knowledge comes but wisdom lingers!!"

• When to create new authorization objects

  Hi Experts,
  I am learning SAP Security.
  I have one question , what is the necessity of creating new authroization field and object , when SAP gives a huge list of objects /fields.
  Is there any reason behind like, whenever a customised transaction is created, a new authorization object or filed has to be created?
  Regards,
  Rekharaj

  Trick is to find not only a standard authorization object with the same field you are looking for, but an object already assigned to the users with those roles with the same semantic for all it's fields - so that you can simply reuse the existing concept which is also assigned to the sets of users.
  Often you will find "base" function modules and classes you can use to do all that work for you. Just call them at the correct location in the code and dont forget to check the return code and react to it.
  If you use BAPI APIs to access or process data, then many of them make these same semantically correct checks "out of the box".
  Cheers,
  Julius