Rebuild Authorizational data (User Buffer) Dynamically

We want to rebuild the authorizational data in a user's buffer by adding additional authorizations (auth obj with field values) during the logon procedure (user exit) (by executing a function module which will read a custom table) - however this has to be dynamic, that is we do not want the user to have to logoff.
Any help is welcome!
Mushtaq Mahmood
Saudi Aramco

I would be very careful of this.
Buffers, like caching, can become invalidated or corrupt, so there are mechanisms to refresh or correct them after logon or after a period of time has elapsed. This can be as little as 2 minutes apart as far as I know, depending on the memory area.
Additionally, saving of a change in SU01 etc or the import of a role which IS already assigned to a user will refresh the buffers as well and possibly wipe your dynamic buffer away if it thinks that you have also removed the role (or profile) when saving.
Depending on how you code this, it might even write the dynamic buffer data to the database, making it permanent and "stranded" data, which you might only be able to remove by synchronizing the tables again and resetting the buffers. If you do that while all your other dynamically authorized users are logged on, it will cause a mess when they suddenly lose their access.
I would keep the USRBF3 mechanism and consider scheduling report RSUSR405 regularly to simulate a change in case there is something wrong...
Being a large organization with many orgs and users to administrate over a possibly large number of different systems, perhaps it is worth your while to take a look into an IdM (Identity Management System).
I am sure you will find one which is more supported and sustainable than a reconstructed user buffer...
Cheers,
Julius
Edited by: Julius Bussche on May 11, 2009 2:20 PM

Similar Messages

  • Get authorization data by passing user role

    Hi All,
    Can anybody please tell me how to retrieve user authorization data? If I pass a user role, I want to get the whole authorization data for that role.
    Thanks,

    I am not sure about the authorization objects/values for a given role, but you can get that for a user using the FM SUSR_USER_AUTH_FOR_OBJ_GET.

  • Authorisation check: Data not in user buffer

    Hi,
    I have just created a new role in PFCG, generated it and assigned a user to it. This role only has 2 transactions assigned.
    I created it in the development system and tested it in the QA system. Everything was fine. I then transported it to production and assigned the user again.
    I asked the user to log off and log back on and test the transactions for which I created the role.
    When the user tried, an error was returned with no authorisation to that transaction.
    When I go to SU53 to display the authorisation data check for that user, it says beside the Authorisation profile under the Authorisation Data for that user:
    "Exists in the master data, but not in the user buffer"
    I have searched on this but to no avail. I would have thought that by logging off and logging back on the user buffer would have been regenerated/updated, but the issue remains despite several attempts.
    How come it worked in QA and not in Prod? (QA is a copy of Prod)
    How do I solve this issue?
    Thanks in advance.
    Regards, Thibault Frenay

    Hi Justin,
    Thanks for the solution. I too faced the same issue and resolved it with your solution.
    Regards,
    Sasi bhushan.

  • Maintaining BW authorization data in R/3

    Hi,
    I am faced with a new problem now. My client wants to maintain BW authorization data in R/3 for ease of maintenance. I have used two ODS templates for data (value) and (hierarchy) - (0TCT_DS01 and 0TCT_DS02) and have created two data targets for filling in the data, using a CSV file for proof of the concept. My assumption is that if a data load from a CSV file can execute the functionality, I can achieve the same thing by extracting data from R/3 also. While generating the profile using RSSM it says that complete authorization data is not maintained. Probably I am not filling in the relevant fields with correct data.
    Can anyone help me with the steps involved in doing this and the fields for which entries are mandatory ? Would highly appreciate the help extended with points.
    Abhishek

    My reqmt says I have to restrict viewing of data at node level. Let me elaborate more.... Users of sales region EAST and users of region WEST may have the same profiles, but an EAST user should be able to see east data and a WEST user should be able to see only west data. I am able to do this by using RSSM and restricting the view at report level, but the client wants to do this at a common place and the table needs to be maintained in R/3?
    Is my reqmt clear ?
    Abhishek

  • How to extract authorization data to standard BW DSOs from SAP R/3 system

    Hi All,
    Does anyone have any experience with this topic? I want to use SAP R/3 as a source system, and after I have extracted the data to the business content DSOs in BW, I will generate authorization objects from the DSOs.
    I am using the standard BC DSOs:
    • 0TCA_DS01 Authorization data - Values
    • 0TCA_DS02 Authorization data - Hierarchies
    • 0TCA_DS03 Descriptive Text Authorizations
    • 0TCA_DS04 Assignment User Authorizations
    • 0TCA_DS05 Generate users for Authorizations
    I have done deep research but can't find anything.
    Best Regards
    Ozan

    Hi Ozan,
    You can go through the thread provided by Suman. These DSOs will help to maintain Analysis Authorizations in BW automatically. In short, you don't need to maintain it; it will come from R/3 and the same will be configured in BW.
    Regards,
    Ganesh

  • How to Control authorization for users with certain status for level 2 WBS Element

    Dear All,
    Is there any standard way or enhancement available to control authorization for users with certain status for WBS Element i.e. for example
    Pre-requisite:
    There is only 2 level of project i.e.
    Lev_ WBSE_______Description
    1___ 7-14.E_______summay outage controller
    2___ 7-14.E.2310__ Plant/unit # 2310
    2___ 7-14.E.2310__ Plant/unit # 2220
    Project Controller  (authorization role assigned "Z_PS_OP7_OTGCON_C") have all project level authorization
    Plant/Unit Controller (authorization role assigned "Z_PS_OP7_PLNTOTG_C_2310") have only level 2 authorization with enhancement that we did in system by Z table.
    User ID_ Plant #
    123345_ 2310
    122455_ 2220
    Issue:
    After System Status released and User Status approved the WBS basic date for Plant/Units should be restricted from updating/changing by Plant/Unit Controller level and only project controller should have this authority.
    Solution required: 
    Can any one tell how to control this scenario either by standard or enhancement available to control authorization
    BR
    Saqib Usman   

    Hi,
    Did you explore SAP Enhancement CNEX0002 Using Transaction CMOD?
    Thank you and regards,
    Varshal Kachole

  • Function Tab is missing under Authorization Data in ERM

    Hi,
    After Uploading roles to the ERM, the functions tab under authorization data is missing.
    In the QA the same role has all 4 tabs (including the functions tab)
    I've made sure that the "This option allows you to add a function to an authorization" is set to "yes".
    Can anyone tell me why is that?
    Thank you,
    Drorit

    Hi,
    Ensure that the user ID you are using has sufficient authorization (Eg: Actions: view authorization data etc...).
    Regards,
    Rama

  • Difference between Change Authorization Data / Display Authorization Data

    Hello,
    My question is wrt to implementation of "principle of treble control" i.e three SAP administrators i.e.
    1. Authorization data administrator
    2. Authorization profile administrator
    3. User Administrator
    I have created a role & added a transaction to it e.g. "FAGLL03" or "FF67".
    No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile. Even when I save the profile with the proposed name, it status still says "No authorization data exists". Since no authorization data is available, administrator 2 is unable to generate profile. If administrator 1 has to generate profile then why is administrator 2 required.
    Definition of Administrator 1 is:
    The authorization data administrator creates the roles, selects transactions and
    maintains the authorization data. He or she simply saves the data in the Profile
    Generator since he does not have the necessary authorization for generating the
    profile. He or she accepts the proposed profile name “T-...”. The authorization data
    administrator may not change users, nor generate profiles.
    Definition of Administrator 2 is:
    The authorization profile administrator starts transaction “SUPC” and chooses All
    Roles. He or she then restricts his selection, for example by entering the ID of the
    role to be edited. On the next screen, he or she chooses Display Profile to check
    the data. If all the data is correct, he or she generates the authorization profile. The
    authorization profile administrator may not change users, change the data for roles,
    nor generate profiles containing authorization objects beginning with S_USER*.
    Thanks.

    Hasan Saeed Khan wrote:
    Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.
    I had never heard of this treble control and the added value of splitting rolebuilding and profile generation doesn't make much sense to me but that's my personal opinion.
    On the technical side of things: in your first post you state "No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile."
    It is also possible to change the data and save this but not generate the profile yet. I just tried this by doing the following:
    Create role
    Add transactions to menu
    Edit profile, org levels & authorization data.
    Hit 'save'.
    Accept proposed profile name.
    Go back to PFCG main screen and ignore message of profile not being generated. (Click 'continue')
    And this leaves me with a role with a yellow traffic light on the authorization tab, and the profile status is: "Current version not generated"
    So it should be possible to maintain roles and profiles separately.

  • Document search error in webshop (Error in authorization check: user unknown)

    Hi All
    Actually, we have implemented the document search functionality in the webshop to access all the documents in the webshop who have created an order in the webshop.
    When I log into the portal with userid "skumar", there is a role called "Document Search". When I click that Document Search role, the document search is opened, and based on the selections in the selection criteria the documents are generally displayed.
    Coming to my error: when I select "order acknowledgement" in the selection criteria and select one more column called "period", then click the search button, I get the following error.
    Error in authorization check: user unknown.
    Can you please help me where to check the authorizations in the system for accessing the documents.
    Regards
    Sunil

    Hi Sunil, generally this kind of error will occur when you choose acknowledgement for future periods. Even though the input is a past date, if the same problem occurs you should check SU05 Internet User authorisations.
    Reward if helpful
    Venkat

  • Data load buffer [1] does not exist error when loading cube

    Hello
    I'm trying to load data using Essbase Studio. Everything was working fine, the load used to occur very quickly.
    After updating the SQL query to load a larger period (5 years instead of 2), the load fails after exactly 10 minutes! I'm wondering if there's a timeout configuration or something similar in Essbase, because I have other cubes with large queries that are stopping after exactly 10 minutes.
    The environment is:
    Essbase 11.1.2.1 on Linux 64 bits
    Data source: Oracle 10r2 database
    This is Essbase Studio Log
    Failed to deploy Essbase cube
    Caused By: Failed to load data on database: CartTst.
    Caused By: driver.DriverException.GetDatabaseInfoFailed
    Caused By: IO Error: Socket read timed out
    Caused By: Socket read timed out
    This is the Cube Application Log
    [Thu Jul 19 18:34:38 2012]Local/CartTst///1136855360/Info(1013210)
    User [ERS0411@AD_Directory] set active on database [CartTst]
    [Thu Jul 19 18:34:38 2012]Local/CartTst/CartTst/ERS0411@AD_Directory/1114749248/Info(1013091)
    Received Command [LoadBufferTerm] from user [ERS0411@AD_Directory]
    [Thu Jul 19 18:34:38 2012]Local/CartTst/CartTst/ERS0411@AD_Directory/1114749248/Error(1270040)
    Data load buffer [1] does not exist

    I am getting the same error: Data load buffer [2] does not exist
    When I changed the load rule it works fine.
    Thanks Glenn

  • How to get the End date of the dynamic period in Financial Reports

    Dear All,
    I have an issue with the Financial Report. I want to show the text under the heading in the Balance Sheet like 31 DEC 2008, but this date should be the end date of the dynamic period that the user selects in the POV.
    Does anyone have any idea about this?
    Regards
    rao.

    There are 2 options:
    1. Use the POVAlias text function:
    e.g. <<POVAlias ("Grid1", DimName)>>
    (you could also use POVMember if the items you want is the member and not the alias).
    2. Have a hidden column on the report referencing the POV selection, then reference this in the header.

  • Transport roles and analysis authorization with user assigned

    Hi expert,
    I face this problem: transporting roles and analysis authorizations with users assigned. When I created a transport request to move the roles and analysis authorization from the development system to the test system, I couldn't maintain the user assignment; after transport I have to assign all of the users manually or create a program to fill the AGR_USER table, or is there another way?
    Thanks for your time,
    Luis

    Hi,
    In role administration, you have the following options for transporting roles:
    You can download the roles from one system and upload them into another  
    You can import the role from a remote system using RFC  
    You can transport the roles with the transport function.
    Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
    Transporting Roles with the Role Transport Function
           1.      Start the role administration function by choosing Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG).
           2.      Enter the role to be transported and choose Transport Role.
    The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
    You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
    For more information go through the link below:
    http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
    Regards,
    Marasa.

  • No authorization to change authorization data

    Hello,
    When trying to change an opportunity in our CRM system we get this error message only for one partner.
    "No authorization to change authorization data"
    Our user has SAP_ALL, SAP_NEW and we don't find anything in st01.
    Any idea for this issue? Could it be an HR authorization object missing? Or a CRM one?
    Thanks in advance.
    Best Regards,
    Olivier

    Sometimes error messages are misleading or returned from other users' contexts (rfc, service calls, etc) or even hardcoded in worst cases.
    You will need to debug it and stop on the message number to see where it is coming from and why.
    Cheers,
    Julius

  • [ProjectServer 2013] Resource authorization data lost on PSI Resource Update

    Hi,
    as the title says I noticed that sometimes resource authorization data of a resource/user is lost in ProjectServer 2013 on a PSI resource update. Since it did not happen every time for every resource (user) I tried to investigate this issue in more detail.
    I found out that it is related to a change in the resource availabilities. A resource/user loses its resource authorization data on a UpdateResources PSI call when the following criteria are fulfilled:
    - "Earliest available" or "Latest available" date is set
    - Resource/user has more than one ResourceAvailablities row
    - Max units are changed for one of the rows
    Since this is a quite complicated and specific issue here are some simple steps to reproduce it on a PWA instance:
    1. Create new resource/user.
    2. Enter any date in the "Earliest available" field and assign the user to some security groups.
    3. Programmatically change the max. units of any ResourceAvailablityRow and update the resource via the UpdateResources PSI call.
    4. Open the user in PWA. The security group associations will not be there any more.
    I have successfully reproduced this issue on two different PWA instances on two different servers.
    Did I miss anything obvious or is this a well known issue?
    If yes, are there any workarounds?
    Did anybody else run into this issue?
    Thanks in advance for your help,
    Michael

    I created a Fiddler trace (see link at the end of the post) but I could not find anything suspicious in there.
    If it helps, here is the code that I use to reproduce the issue:
    var singleResDs = resourceClient.ReadResource(resUid);
    var maxUnitsRow = singleResDs.ResourceAvailabilities.First();
    maxUnitsRow.RES_AVAIL_UNITS = maxUnitsRow.RES_AVAIL_UNITS + 1;
    resourceClient.CheckOutResources(new Guid[] { resUid });
    resourceClient.UpdateResources(singleResDs, false, false);
    resourceClient.CheckInResources(new Guid[] { resUid }, false);
    As you can see there is nothing special about it.
    I also checked the patch level on one of the servers and it's 15.0.4569.1506, which corresponds to SP1 (April 2014). I can definitely try to install the newest CU and check if that fixes the issue.
    Fiddler trace:
    http://bit.ly/1DvaWsZ
    EDIT:
    I have now installed the March 2015 CU (15.0.4701.1001) and the issue is still existing.

  • Maximum Number of users in a "User Group" (SU01/Logon data/User Group)

    All,
    My security person recently approached me with a problem she has regarding user groups.  She wants to assign user groups so that way division leaders/designees can handle password resets within their own area.  To do this she has started using the "User Group" field in SU01/Logon data.
    She's told me the maximum number of users she can add to a "User Group" is 30.  Can anyone else confirm this?  Is there a setting (profile or otherwise) to increase this limit?  Any DSN or outside reading that anyone can refer me to on this matter?
    Many thanks....

    > There is a little green clip board icon on the bottom right corner...
    I only get that after hitting the Authorization data button in SU10 and then the Multiple selection button next to the user. Ow, and it's not green, the upload from textfile button is.
    By the way, hitting F4 on a user input field in SU10 will also provide you with the possibility to select more than 30 users in one go.
    Edited by: Jurjen Heeck on Dec 29, 2009 12:08 PM
