RE: Transport of Auth Obj Maintained in SU24

Similar Messages

• What auth obj to use for allowing user to create and save workbook?

  Hi all,
  We are on BI 7.0, we have requirement which will allow users to develop and save workbooks (NOT BEX query) via BEx Analyzer. I have examined the auth obj S_RS_WKBK but it is obsolete auth obj and there is nothing similar obj in BI 7.0.
  i then looked at the S_BDS_D, is this all i need in order to allow user to save workbook on to the backend system?
  pls note, user can only save workbook NOT BEx query.
  regards,
  Joe

  Hi,
  Actually there is no direct away to do it
  First use the Authorisation s_user_agr , here in the activity field assign01,02,03 and 06 , in the role name assign a specific role name.
  In s_user_tcd in transaction asssign - RRMX.
  Got to PFCG, maintain the role.
  Hopr this will be expedite.
  ThaX and Regards
  Vaibhave Sharma

• Auth obj - Maintainence status change

  Hi,
  would like to change the Maintainance status of Auth obj from "Changed" or "Maintained" to --> "Manual" . Is it possible, without adding the same manually.
  planning to do this as during merging, "Manual" auth objs are not disturbed.
  Thanks,
  Sam
  Message was edited by: Sam

  Hi Sam,
  It sounds like you are planning to "merge" your roles by inserting
  the profiles of the selected roles. While this will accomplish your goal
  of getting access for your users - it will be a nightmare to maintain.
  As already mentioned, you will be bypassing the functions of profile generator in
  the way it was intended to function. If you want to merge 2 roles, then you
  should only merge the menu sections of the roles and then allow PG to
  select your authorization objects. If you only have profiles, then look
  at the values in S_TCODE and insert these into the role menu section.
  Regards,
  JC

• Changing the AUTH OBJ in table

  hi experts,
  I am creating the Z* table, when i am creating the the AUTH obj under the table maintenance generator, it is coming as
  S_TABU_DIS, but i want to change this AUTH obj to S_TABU_NAM.
  looking forward for your valuable answers.

  First read [Note 1516880 - Authorization check for generic table access (S_TABU_NAM)|https://service.sap.com/sap/support/notes/1516880]
  The authorization concept for the generic table access using such standard transactions as SE16, SE17, SM30, SM31 or SM34 (or their "proxy" transactions) was previously only bound to the authorization object S_TABU_DIS.
  With Note 1481950, the authorization concept
  was enhanced with the authorization object S_TABU_NAM that checks the access at table name level:
             If a user does not have any S_TAB_DIS authorization for a certain table, the system also checks whether he has an S_TABU_NAM authorization. The access is permitted if the user has an S_TABU_NAM authorization...
  Regards,
  Raymond

• Analysis auth obj assigment

  Hi
     Iam created one auth obj in rsec admin. how can i assign the auth obj to user .My answer is  1)direct assigment 2) through roles.
  for example: created analysis auth obj is : ztest_1
  It have the info obj : 0customer. and iam entered two values(values : A & B) in detail tab.
  In role tab where i have to find the created analysis auth obj.to assign values .like below
  Now i would like to assign this auth obj to user1 through role only for the customer value A .
  For user2 i have to restricted vale B.
  In direct assigment path will be the user>assign>specify the user name (user A)> give the created analysis auth obj (ztest_1)>select insert.
  This is the  process ...right?
  Now i would like to assign only one value (value A for the user A).How it is possiable in direct assigment..
  Other wise i have to create diff analysis auth obj(ztest_1...etc) for diff values(A &B)f or particular info obj(customer)?
  Thanks
  B.K
  Edited by: B.K on Jul 15, 2008 12:44 PM

  Hello B.K.,
  When you create an authorization ztest_1 with 0customer with values A & B, this will always have the two values for the customer just like it was before with the old authorization method.
  So no matter what way you assign this authorization to the user it will always have the two values!
  To separate (filter) only one value (A or B) you have to create two different authorizations, one for customer A and one for customer B.
  To assign, the direct assignment is just like you referred.
  To assign with the roles, go to the desired role in PFCG, enter in change mode, go to tab Authorizations tab and click on change authorization data (pencil button).
  Inside there, click on manual insert objects (something like this) and insert the object name S_RS_AUTH.
  You'll have a yellow sign.
  Expand that tree where the yellow sign is and click on the pencil button in front of the last yellow sign of the tree.
  In "Value from" in that next window insert the name of the authorization (in your example ztest_1).
  Generate your role.
  Now if you assign that role to the user "user1" in transaction su01.
  If ztest_1 has the values A & B for customer then user1 will have both values. If you separate the two authorizations let's say ztest_1A and ztest_1B with respectively the values A and B separate for the 0customer object.
  You could assign in the role the value ztest_1A in S_RS_AUTH values, and assign that role to the user "user1" in su01, and you could direct assign (just like you referred before) to the user2 the authorization object ztest_1B.
  Therefore you'll have user1 with the value A and user2 with the value B.
  Please assign points,
  Diogo.

• Auth obj for Tax number 1 and Tax number 2 in fk02

  In tocde FK02 and FK03 we want to restrict some of the fields i.e Tax number 1 and Tax number 2 i.e field stdc1 & stdc2 ,to be visible to some users only ,Is there any auth obj for these fields which we could restict to specific users.

  Hi,
  You can give the authorization for tab wise Genaral data/accounting data/Payment transaction
  Check the auth. objects:
  F_LFA1_BUK     Vendor: Authorization for Company Codes
  F_LFA1_BEK     Vendor: Account Authorization
  F_LFA1_APP     Vendor: Application Authorization
  F_LFA1_AEN     Vendor: Change Authorization for Certain Fields
  Regards,
  Kishore K

• Difference in Objects maintained in SU24 and inside the role.

  Hi Experts,
  I noticed that for t.code F-67,default objects maintained in SU24 are different from the objects associated with same t.code in a role.
  In SU24 only three objects are associated(F_BKPF_BUK,F_BKPF_KOA and S_TCODE), wherein a role there are eight objets maintained.(F_BKPF_BED,F_BKPF_BEK,F_BKPF_BES,F_BKPF_BLA,F_BKPF_BUK,F_BKPF_GSB,F_BKPF_KOA and F_FAGL_SEG)
  Please clarify ! what is the reason of this difference.
  Regards,
  Mukesh

  Hi,
  1.What is the purpose behind the calling of multiple Tcodes thru a single T.code .I mean to say, suppose, i require a C.Code object to be associated with a T.code for doing that, why i am connecting it to C.Code object of some other T.codes.
  Many tcodes are customized to limit the access / risk. The best example is with SM30. If an user want to maintain a table, you can create a custom transaction which skips the intial screen (user don't need to enter the table name) and allows the user to edit the right or only one table rather than many.
  You can connect your custom authorization object to F-67, it will not affect FBV1. the settings from FBV1 can be overwritten with the entries in F-67. use transaction SE93 to see more details and customization in transaction F-67.
  2.If i assign a C.Code (let say 1000)thru object F_BKPF_BUKRS to a user,does it mean that,i don't need to assign that C.code to user again for access related to C.code 1000 in the accounting document area.Or is there anything like that, the C.Code access will be coded globally for that user for all C.code related access for FI, MM and SD.
  Once you assign the authorization to a company code 1000 it means user has access to this company code across modules. This is subject to the transactions and thier authorization objects attached to them in other modules. Note that all the transactions doesn't perform authorization check for Company code.
  3.Is there any T.code,from where i can associate a authorization object with a T.code.
  You can use SU24 itself.
  Hope it clarifies your queries.
  Regards,
  Gowrinadh

• SU10   -  Search by Auth Obj Values

  Hi,
  I have a audit requirement, where in which I need to use more than <b>3 Auth objs selection by values</b> as a search criteria. I could see SU10 / S_BCE_68001400 permits(shows) only 3 possible entries for "by values".
  Would appreciate your expertise..
  Thanks,
  Sam

  Another idea for you which might help:
  Run the report (rsusr002) for your first 3 objects -> fields -> values. Then highlight the "user name" column of the result and copy it to your clipboard and restart the report again fresh. Go to the "multiple selection by user" button (yellow arrow) and select the little clip-board button. It will insert the list of users. Then run the report again with your further objects -> fields -> values including this restraint.
  (You can also download the list to a file and import it using the green colour clipboard).
  You would get the same (potentially inaccurate) result as if you could select more than 3 at the same time.

• Same Auth Objects CM in su24

  Hi All –
  In SU24 for a Tcode SU01 in “S_TCODE” the following auth objects are CM.
  S_USER_AGR
  S_USER_AUT
  S_USER_GRP
  S_USER_PRO
  S_USER_SAS
  & for Tcode PFCG
  S_USER_AGR
  S_USER_AUT
  S_USER_GRP
  S_USER_PRO
  S_USER_SAS
  I am developing a role initially with SU01 Tcode. For the auth object S_USER_AGR, I am giving 01,02,03,06 field values.
  Later I add PFCG Tcode for same role “P_TCODE”. For the auth object S_USER_AGR , I am giving 22,21 field values.
  My question is if the role is assigned to a user
  1.     will he be able to create, change, display, & delete roles using PFCG ????
  2.     What is the best way to restrict the user’s in create, change, display, & delete???
  3.     For PFCG Tcode none of the Auth. Obj’s (the objects that are added by adding SU01 or PFCG Tcode VIA MENU)are maintained in the role what would be the implication??
  Thanks,
  VJ

  Hi,
  1.What is the purpose behind the calling of multiple Tcodes thru a single T.code .I mean to say, suppose, i require a C.Code object to be associated with a T.code for doing that, why i am connecting it to C.Code object of some other T.codes.
  Many tcodes are customized to limit the access / risk. The best example is with SM30. If an user want to maintain a table, you can create a custom transaction which skips the intial screen (user don't need to enter the table name) and allows the user to edit the right or only one table rather than many.
  You can connect your custom authorization object to F-67, it will not affect FBV1. the settings from FBV1 can be overwritten with the entries in F-67. use transaction SE93 to see more details and customization in transaction F-67.
  2.If i assign a C.Code (let say 1000)thru object F_BKPF_BUKRS to a user,does it mean that,i don't need to assign that C.code to user again for access related to C.code 1000 in the accounting document area.Or is there anything like that, the C.Code access will be coded globally for that user for all C.code related access for FI, MM and SD.
  Once you assign the authorization to a company code 1000 it means user has access to this company code across modules. This is subject to the transactions and thier authorization objects attached to them in other modules. Note that all the transactions doesn't perform authorization check for Company code.
  3.Is there any T.code,from where i can associate a authorization object with a T.code.
  You can use SU24 itself.
  Hope it clarifies your queries.
  Regards,
  Gowrinadh

• How to know Which T-Code belongs to which auth.obj?

  Hello Friends,
  <b>Lets say a user has got authorization to execute SU01.
  Now I want to know to which auth.object this t-code belongs to and which activity the user is having for that t-code?
  can u explain it step by step how to check this?</b>

  Hi Rakesh,
  Basically every T-Code is made up of auth.objects. To know what objects are used for the T-code use Tcode SU24.
  In the initial screen enter the T-code SU01 (execute (f8) or click on clock icon)
  In the second screen you will have three buttons.
  1.Check indicator (display)
  2. Check Indicator (change pencil icon)
  3. Value list
  Click on 1st button Check Indicator (only Display)
  You will be promted with list of objects.
  U  N  C  CM Check ID       Object     Object name
  Now check for the objects which are CM (checked and maintianed)
  The same objects will be displayed in the roles where you have assigned the T-code SU01.
  To Display the field values for each object which are maintained click on the button Field Values.
  You will be prompted with (default /maintained) values assigned for each object.
  But..
  To know exact values (activity values) you need to check in the role.
  Make a list of all the objects availabe in the SU24 check for the same in the role.
  Hope now its clear
  If you need more info let me know
  cheers
  Soma

• How to list  t-codes having common Auth Obj in a role

  Dear Gurus,
  I need to list out the all t-codes which have common authorization object in role.
  Suppose, I have a role which contains the 10  t-codes. Now I need to list what are all the t-codes which having the common Authorization object (say XX_YY) in that role
  The one way I know is, in the transaction SU24, give the 10 t-codes and list the authorization maintained to those t-codes and then take list of t-codes which have common Authorization object   XX_YY..
  This trick works if the role contains the less number of t-codes. But if the role contains maximum number of t-codes, then executing each t-code in SU24 and listing authorization objects to it is bit difficult.
  Hence, Can any one tell me is there any other way to do this task.
  Thank you very much in advance.
  Regards ,
  Hari

  Hi,
  If you are looking at any particular Authorization object in the role and want a list of tcodes which pull them into the role, you can feed in the Object name into table USOBT_C and get the list of transaction code to which they are connected.
  In case you want list of all common authorization objects and relevant tcodes from within a role, you can download all values under S_TCODE object from table AGR_1251 by feeding in the role name into the table. Use this list as input to table USTOBT_C and filter the output "object" field to get the common authorization objects and tcodes sharing them.
  P.S: The field-values for any authorization objects in the role may/maynot match the proposals in USOBT_C table depending on whether your auth object is in status "Standard"/"Maintained"/"Changed".
  Thanks
  Sandipan

• Transporting table and table maintainance generator

  Hi,
  Can i transport the table and table maintainace generator and function group of the table with in single request or not.
  One more thing is when i transport the table maintainance generator,will the entries also be transport to another system or not.
  Thanks in advance,
  Suresh

  Hi Suresh,
  Go to SE54-> Utilities-> Total Transport. The following things are transported.
  The total transport transports the complete maintenance dialog:
  authorization group
  authorization group assignment
  control entry
  events
  function groups
  maintenance objects
  variants
  Content wont be transported it seems.
  Thanks & Regards,
  Nagaraj Kalbavi

• Transport of Auth. Group

  Hi Guys,
  Can anyone help me out to transport an existing Authorization Group.The group is the one for the ABAP programs.
  Thanks
  Peeyush

  They are in 2 seperate tables which serve seperate but related purposes.
  Instead of assigning the authorization group in the ABAP editor (SE38, etc) for each report, you are wanting to synchronize them accross a system landscape and would also want to replace them for standard reports you have protected after an upgrade.
  For this report RSCSAUTH is provided. If you read the documentation on it in SE38 it should be clear to you how it works and how to transport from it.
  Note that if you assign an auth group via this report, the ABAP Editor will throw a warning at the developer if they try to change the group directly in SE38. It does not explicitly state that they are bringing the concept out of sync, and they can accept the warning.
  Best is to show them how to use RSCSAUTH correctly... and always make the changes from there.
  Cheers,
  Julius

• Problem in transporting Variants - "You cant transport client-specific obj"

  Hi,
  I am facing a problem while trying to transport variant from DEV to QAS.
  When I tried to transport one of the variants (of a program) from DEV to QAS (quality system), it gave me an error that: "You cannot transport client-specific objects".
  Pleasehelp.
  Thanks,
  Vishal.

  Hi,
  The program is Not a local object. I am trying to assign the variant to a transport via. SE38->variant->display->utilities->transport request-> request number.
  Is there a way to modify this variant from client specific to "non-client-specific".
  Also, please let me know hoe do we copy this variant into a new variant which is not client specific (i.e. a global variant).
  Thanks,
  Vishal.

• Auth obj with company code - Search

  Hi,
  We are looking for list of Authorization objects which contain company code field for Audit. The listing should have Role, Authorization obj and the <b>company code and values</b>.
  Is there any we can query this info.
  Thanks,
  Sam

  Hi Sam,
  i do not know if this will help you,
  but just take a look in the AGR Tabels.
  TC SE16 -> AGR*
  br,
  Carsten