Reg authorization object forceful completion of UD

Dear all,
I do not want the end users to do forceful UD, can we do it with authorization object or can we do it with user exit, please give the details.
regards
venkat

Hi,
The authorisation object for this is Q_INSP_FIN, therefore delete this object from the user profiles and forced inspection will not be allowed.
Regards,
Roderick

Similar Messages

  • Reg :authorization objects

    hai..
      This is manny... I would like to congratulate all SDN users. Please let me know about... what is the exact meaning of authorization object, object classes and authorization fields? I have a little bit of confusion regarding this one. I want the exact meaning of those. Please provide any documentation.
    What is the use of authorization objects, authorization fields and object classes, and where are they used?
    Thanks and Regards,
    MANNY..

    Hi Manyam,
    Please see the links and get the solutions.
    http://help.sap.com/saphelp_nwmobile71/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm
    http://help.sap.com/saphelp_nw70/helpdata/en/52/6716a6439b11d1896f0000e8322d00/content.htm
    Regards,
    Anil

  • Authorization Object S_SCRP_TXT

    Hello,
      I need an explanation (perhaps I'm missing some SAP security basic notions):
    Why the authorization object S_SCRP_TXT has the flag "checked" in SU24, let's say for transaction VA02, but actually is not checked?
    Thanks in advance.
    Best regards,
    Andrea

    Hello,
      first of all I'll share how I came to this awareness:
    - in transaction VA01 or VA02 from the scroll-down menu, I follow the path "Go to --> Header --> Texts": here I can edit the text types assigned to the Sales document;
    - I created a user, assigned to a role containing authorization object S_SCRP_TXT, excluding the TEXTID I wanted;
    - I run transaction VA02 using that fictitious user, but it was able to edit texts anyway;
    - I removed authorization object S_SCRP_TXT completely from that user's profile, but it was able to edit texts the same;
    To be sure I used the ST01 to carry out a trace, but it was not checked.
    Thank you.
    Best regards,
    Andrea
    Edited by: abrusa on Oct 13, 2011 1:57 PM

  • Authorization Object for 'Save As Completed' in Parking Document

    Hi,
    Is there any authorization object for 'Save As Completed' in Parking document. The user who is 'Parking' should not have the 'Save As Completed' enabled. It should be disabled. Because we are using that in the workflow. Similarly, the user who performs Save As Completed should not have 'Park' option.
    Regards,
    JMB

    Hi,
    I would like the park and post transactions to be used by different users in my company.
    Would you be able to give the authorisation objects where the restrictions have been placed?
    Regards,

  • Reg: Transporting Authorization Objects

    Hi,
    If a custom authorization object has been created, can someone please guide on it to be transported across landscape.
    Regards,

    Hi,
    Yes. create a workbench request and open it in change mode.
    Now you will have table with editable fields with 3 fields.
    1. In programID field enter R3TR
    2. In object type field enter SUSO
    3. In Object name field enter the respective Z authorization object.
    You also need to make sure that the respective class is available in the target systems. If not, repeat the above procedure with object type as SUSC.
    Regards,
    Gowrinadh

  • Org Level Roles / Authorization Object Roles

    Hi board,
    I have heard of the concept to use roles with "Organizational Values" only and no other authorization values contained. Similar is the idea to exclude special authorization objects from common roles and combine them in dedicated special ones to prevent accidental "double usage".
    The first may help to control the overall number of roles coming up after deriving single/composite roles for many levels.
    My questions are:
    - Is it technically feasible (for a large-scale company)?
    - What is your experience?
    - Drawbacks?
    Kind regards and many thanks for your help,
    Richard

    Richard Hösl wrote:
    > Hi there,
    >
    > that was fast, amazing. Thanks a lot and my apologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still tempting due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful.
    >
    > Given the assumption that it is not a good idea to use "Org Value Roles", are you deriving on composite or on single level?
    >
    > Kind regards,
    >
    > Richard
    Hi Richard,
    It is a very tempting approach, but completely wrecks the standard auth concept and unless you are 100% tight on controlling it, can get very messy.
    A good way of looking at it is that you have 2 roles - one contains transactions & the other one a big bucket of authorisations which support those transactions.  That bucket invariably contains more authorisations than the transactions require.  Given that it is at the authorisation object level that the important security is provided, this method has its drawbacks........
    If you have organisational complexity then you should look elsewhere to simplify. 
    By consolidating your roles (e.g. if we take a risk based design approach, typically around 80% of an accountant's role will be the same anywhere in the business) and building at a higher level, you need to create fewer variants (which you might be able to use derived roles for).
    Put the effort in the design stage and it will pay dividends later on down the line. 
    Building at a higher level than task also forces the business to look at roles and responsibilities and to standardise as much as possible.
    Cheers
    Alex

  • Creation of a new Authorization object

    Hi ,
    I need to create a new Authorization group and add three existing tables to it.
    Kindly suggest a way.
    Regards.

    Authorization Field
    Smallest unit in an authorization object. An authorization field either represents data, such as a key field in a database table, or activities, such as Read or Create. Activities are specified as identifiers, which are stored in the database table TACT and the customer-specific table TACTZ.
    Maintenance using transaction SU20.
    Authorization Object
    Repository object that forms the basis for authorizations. An authorization object comprises up to 10 authorization fields. The combination of authorization fields, which represent data and activities, is used for authorization assignment and to check authorizations. Authorization objects are grouped together in authorization classes.
    Maintenance using transaction SU21.
    Authorization
    Enter in the user master record or part of an authorization profile. An authorization comprises complete or generic values for the authorization fields in an authorization object. The combination determines the activities with which a user can access certain data.
    Maintenance in transaction SU03 or generation from transaction PFCG (profile generator for role maintenance).
    Authorization Profile
    Grouping of several individual authorizations or further authorization profiles. Can be entered in the user master record instead of individual authorizations. An authorization can be assigned to authorization profiles as often as you wish.
    Maintenance in transaction SU02 or generation from transaction PFCG (profile generator for role maintenance).

  • How to use authorization object P_PERNR ?

    Hi, Gurus~
    In our system, there is a user whose User ID is "00041", and she can modify her own 0008, we want to control it so that she can only display her own 0008, but process 0008 for all other employees
    So, i use the authorization object P_PERNR to do this, i set the fields value like this (totally copy from the SAP help for P_PERNR....):
    Authorization level:  W,S,D,E
    Infotype: 0008
    Interpretation of assignment personnel number: E
    Subtype: *
    and then, I maintain her master data 0105's subtype 0001 (system user name) as 00041.
    I think she shouldn't maintain her own 0008 now, but she still can maintain it.
    I want to know why and how to solve it. Did I do it in the right way?
    Thank you in advance!

    P_PERNR   HR: Master Data - Personnel Number Check
    You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.
    The following values are possible for the PSIGN field:
    I   =          Authorization for personnel number assigned, that is for own personnel number
    E  =          Authorization for all personnel numbers excluding own personnel number
    You can assign a user a personnel number using infotype 0105, subtype 0001 (in earlier releases using the V_T513A view).
    This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.
    Example of Personnel Number Check P_PERNR
    The authorization checks for P_ORGIN and P_PERNR are activated in the system. In addition, there are user assignments for some personnel numbers.
    The user in our example is assigned a personnel number and is administrator responsible for the Basic Pay infotype (0008) of a personnel area (that is, the user has the corresponding P_ORGIN authorization). The employee should also be able to display his or her own data but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. The corresponding authorizations for the P_PERNR authorization object must be set up as follows:
    First authorization:
      AUTHC = R, M
      PSIGN = I
      INFTY = *
      SUBTY = *
    Second authorization:
      AUTHC = W, S, D, E
      PSIGN = E
      INFTY = 0008
      SUBTY = *
    In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. You need to set up the appropriate authorizations for the HR: Personnel Number Check object as shown in this example.
    The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write access to all data records of infotype 0008 for the employee's own personnel number in case the administrator is responsible at some point in the future for the personnel area to which he or she belongs.
    As the following examples illustrate, inconsistent authorizations can be granted.
    Example 1:
    First authorization:
      AUTHC = *
      PSIGN = I
      INFTY = 0014
      SUBTY = M*
    Second authorization:
      AUTHC = W, S, D, E
      PSIGN = E
      INFTY = 0014
      SUBTY = *
    The first authorization grants the employee read authorization (AUTHC = R) for the Recurrent Payments/Deductions infotype (0014), subtype M120, which allows the employee to access the data stored under his or her personnel number. In this case, the second authorization is irrelevant.
    The first authorization grants the employee write authorization (AUTHC = W) for the Recurrent Payments/Deductions infotype (0014), subtype B030, which denies the employee access to the data stored under his or her personnel number. In this case, the first authorization is irrelevant.
    The first authorization grants the employee write authorization for the Recurrent Payments/Deductions infotype (0014), subtype M120, the second authorization denies the employee this authorization. The desired system response is unclear from this example. According to the documentation, the system response is undefined in such situations. In reality, the authorization check always denies authorization in unclear situations, that is E is stronger than I and therefore the authorization is not granted.
    Example 2:
    AUTHC = *
    PSIGN = *
    INFTY = *
    SUBTY = *
    This type of authorization is required by superusers with unlimited access, for example. The above authorization is appropriate if an employee wants to access an infotype. However, since PSIGN = * and * can be substituted for any value, PSIGN and E can also be interpreted as I. This can also lead to an undefined situation. In earlier releases, the authorization was denied on the basis of the rule E is stronger than I. This meant that superusers with assigned personnel numbers were not able to access their own personnel number. The programs have since been changed and now * is interpreted as I and is stronger than E. In other words, * is stronger than E and E is stronger than I, whereby * is interpreted as I.
    As already indicated in Example 1, the combination of different authorizations can produce a complicated result. We therefore recommend that you avoid combinations where P_PERNR authorizations can be interpreted differently for the same combination of AUTHC(Authorization Level), INFTY(Infotype) and SUBTY (Subtype).
    Misunderstandings arising from the complex situations described above are not the most frequent causes of customer inquiries, however. The most frequent cause is the incorrect assumption that authorizations by personnel number affect authorizations for non-assigned personnel numbers. This is not the case at all.
    If you use authorizations by personnel number, you should always first set up all non-personnel number-related authorizations. As soon as you have done this, you should create different access authorizations for the personnel numbers that are assigned to users using appropriate P_PERNR authorizations. This is always possible since the P_PERNR authorizations override all other authorizations directly (except Test Procedures).
    P_PERNR authorization checks cannot bypass test procedures directly. For instance, a test procedure is only carried out on the Recurring Payments/Deductions infotype (0014) if a corresponding P_PERNR authorization (with PSIGN = I) exists. If an appropriate authorization for the corresponding subtype of the infotype 0130 exists, it can be used effectively to carry out the test procedures.
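
The precedence rules quoted in the reply above, written out as a small Python model. This is an added example, not SAP code and not part of the original post; the function and class names, the personnel numbers and the fall-through to "other checks" when no P_PERNR authorization matches are assumptions made for illustration, and test procedures are not modelled.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class PPernrAuth:
    """One P_PERNR authorization (field names as in the post above)."""
    authc: Tuple[str, ...]  # authorization levels, e.g. ("R", "M") or ("*",)
    psign: str              # "I" = own number, "E" = excluding own, or "*"
    infty: str              # infotype, may contain "*"
    subty: str              # subtype, may contain "*"


def _matches(a: PPernrAuth, authc: str, infty: str, subty: str) -> bool:
    # Simplification: a level matches only if listed explicitly or via "*".
    level_ok = "*" in a.authc or authc in a.authc
    return level_ok and fnmatchcase(infty, a.infty) and fnmatchcase(subty, a.subty)


def p_pernr_decision(auths: Sequence[PPernrAuth], own_pernr: Optional[str],
                     target_pernr: str, authc: str, infty: str, subty: str,
                     other_checks_allow: bool,
                     check_active: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason) for one access attempt.

    other_checks_allow is the outcome of the non-personnel-number checks
    (for example P_ORGIN), which this model does not evaluate itself.
    """
    # The check only applies when it is active, the user has a personnel
    # number assigned (infotype 0105, subtype 0001) and accesses that number.
    if not check_active or own_pernr is None or target_pernr != own_pernr:
        return other_checks_allow, "P_PERNR not applicable, other checks decide"
    signs = {a.psign for a in auths if _matches(a, authc, infty, subty)}
    if "*" in signs:
        return True, "PSIGN=* is read as I and is stronger than E"
    if "E" in signs:
        return False, "PSIGN=E is stronger than I"
    if "I" in signs:
        return True, "PSIGN=I grants access to own number"
    # Assumption of this model: nothing matched, so the other checks decide.
    return other_checks_allow, "no matching P_PERNR authorization"


# Constructed sample data: personnel numbers are made up.
OWN, OTHER = "00001001", "00002002"
# The two authorizations from the Basic Pay (0008) example.
BASIC_PAY_ADMIN = [
    PPernrAuth(("R", "M"), "I", "*", "*"),
    PPernrAuth(("W", "S", "D", "E"), "E", "0008", "*"),
]
# "Example 1": overlapping I and E authorizations for infotype 0014.
EXAMPLE_1 = [
    PPernrAuth(("*",), "I", "0014", "M*"),
    PPernrAuth(("W", "S", "D", "E"), "E", "0014", "*"),
]
# "Example 2": superuser authorization next to an E authorization.
SUPERUSER = [PPernrAuth(("*",), "*", "*", "*"),
             PPernrAuth(("W",), "E", "0008", "*")]

if __name__ == "__main__":
    cases = [
        ("read own 0008", BASIC_PAY_ADMIN, OWN, "R", "0008", "0"),
        ("write own 0008", BASIC_PAY_ADMIN, OWN, "W", "0008", "0"),
        ("write other 0008", BASIC_PAY_ADMIN, OTHER, "W", "0008", "0"),
        ("write own 0014/M120", EXAMPLE_1, OWN, "W", "0014", "M120"),
        ("superuser write own 0008", SUPERUSER, OWN, "W", "0008", "0"),
    ]
    for label, auths, target, lvl, it, st in cases:
        # other_checks_allow=True: the user is an administrator via P_ORGIN.
        print(label, "->", p_pernr_decision(auths, OWN, target, lvl, it, st, True))
```

With `check_active=False` the second authorization has no effect and the outcome of the other checks is returned unchanged, which is why the reply's condition "if this check is active" matters when testing a role.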

  • Change authorization object in a derived role

    Hi Gurus,
    What happens if someone has added a new authorization object in a derived role?
    He has only changed some derived role, not the parent role; he manually added a new value in the authorization field. The parent role didn't change.
    Note: The field was not an organizational field, it was S_DATASET.
    What do you think about this ?
    Thanks
    Hery-zo

    Do I understand this right??? Do functional teams have access to PFCG to create roles???
    If so, that is your real problem, as that should never have been done that way. You are completely right, functional consultants have no clue about how roles should be built. Advice:
    1 take away the access to PFCG in ALL systems for anybody other than security consultants administrators.
    2 ask all functional teams to describe the roles points to be addressed:
       A TRX in every role
       B all wanted restrictions on every TRX (described functionally)
       C orglevels on which restrictions should be build.
       D Test process for every TRX in every role (both positive and negative)
       E  check all roles against table USOBT and look for manually added objects,  
           if they can not give a good reason for adding these REMOVE them.
    3 retest all roles based on point 2D, ask the functional consultants to assist where needed. Adjust roles during testing where needed, but create a good auditable record for every change.
    4 Update USOBT_C (use TRX SU24) for all changes you apply during testing
    5 check your roles for the corrected TRX after this change and update the other roles involved as well.
    6 ONLY allow roles that have followed the above process to go to Production.
    The above steps are the only way to create a secure SAP Production system for you!

  • Authorization object for InfoArea access

    Hi,
    what authorization object should i use to give access to just a few InfoAreas on workbench and Bex ?
    thx

    Hi,
      As you are having S_RS_ICUBE in your role, drill down the complete tree; now you can see Info cube, Info area, activity etc. options. At info area level give the info area name, and if you want to restrict to a few info cubes, you can give cube names as well. Now go to the activity tab: Display (03), Refresh (66) and Maintain (23); this depends on your requirement. You can give the same in S_RS_ODSO, S_RS_COMP and S_RS_COMP1. If you have * here, it will overwrite the restrictions of the other object.

  • Assigning of authorization object to authorization group

    I have created an authorization object and I have assigned this to an already existing authorization group. I would like to assign the authorization object to a new authorization group. Please confirm how to create an authorization group and assign an authorization object to this new authorization group.

    hi,
    I have got a PDF related to this.
    I shall send that to you if I can get your mail id.
    I too haven't tried this. I don't have any authorizations to do with my server.
    Please follow the following steps:
    1. Create a user (for example for SAP DEV, TEST, or PRD systems).
    2. Open the SAP Profile Generator (transaction PFCG) available in SAP R/3 versions 4.6 and above.
    3. Create an Activity group (Role since SAP 4.6C), for example ZBODI_ROLE.
    4. Enter a description for the role.
    5. Go to the Authorizations tab and click Change authorization data.
    6. On the Change Role: Authorizations screen, click the Manually toolbar icon.
    7. The Manual Selection of Authorizations window opens.
    8. Type in the following authorization objects.
    S_ADMI_FCD*
    S_BTCH_JOB
    S_DEVELOP*
    S_DATASET
    S_PATH
    S_RFC
    S_TABU_DIS
    S_TCODE
    S_RS_ADMWB — for SAP BW
    9. Click OK
    10. Return to the Change Role: Authorizations screen.
    11. Manually configure components by entering the values  that support Data Integrator operations include:
    • Administration
    • Batch
    • BW loading
    • Development
    • File access
    • File system access
    • RFC calls
    • RFC calls in BW
    • Table source access
    • Transactions
    12. To complete the security profile, click the Back icon (or press F3), select the User tab, enter your SAP user ID for Data Integrator and click the Save icon.
    Regards,
    Sailaja.

  • QM Authorization object

    Dear Friends,
    may i know what are the key  Authorization object in QM module
    like  plant,company code,inspection type ,status profile
    Thanks & Regards
    Rah

    Hi Raj,
    Table maintenance authorization: S_TABU_DIS
    Transaction authorization: Q_TCODE
    Material authorization: Q_MATERIAL
    Authorization objects for maintaining the master data:
    Catalog maintenance
    - code groups: Q_CAT_GRP
    - selected sets: Q_CAT_SSET
    Insp. method based on status: Q_STA_QMTB
    Insp. charac. based on status: Q_STA_QPMK
    Inspection plan maintenance: Q_ROUT
    Plan characteristics according to plan type: Q_PLN_FEAT
    Authorizations for inspection processing:
    Insp. type for insp. lot: Q_INSPTYPE
    Usage of codes from catalogs
    - group codes: Q_GP_CODE
    - usage decision code: Q_UD_CODE
    Inventory postings: Q_STCK_CHG
    Inspection completion: Q_INSP_FIN
    Change control charts: Q_SPC
    For Plant and Company code, different authorization objects are used for different purposes.
    e.g.
    M_MATE_WRK will be used for material master access at plant level,
    along with the Authorization Field 'WERKS'.
    M_MATE_BUK will be used for material master access at company code level,
    along with the Authorization Field 'BUKRS'.
    While for Inspection type the Authorization obj. is Q_INSPTYPE
    Regards,
    Shyamal

  • Authorization object F_CN_BAPI

    Hi everyone,
    I have a question regarding the authorization object F_CN_BAPI (FS-AM Simplified Authorization Check in BAPIs) the values permitted is ' ' (not selected) and X (selected) and is connected with the F_CN_ACT.
    I need to configure the roles so that it will go through all the authorization check so that when BAPI's are called it will still check if the user has the correct authorization object.
    What should be the correct combination for this two authorization object if I want it to go through to the authorization object check. Should it be selected or not selected?
    Thanks.

    You must ensure that the value is always ' ' and the best way of doing this is to maintain SU24 for all proposals with this value so that it is always standard (which is almost completely "idiot-proof").
    Good luck,
    Julius

  • Re: authorization object

    Hi,
        I have created an authorization field for an authorization object and class. So now how can I add this authorization object for a particular user?
    rgds
    p.kp

    Hi
    for a particular user we have three ways of authorization check:
    Authorization
    Enter in the user master record or part of an authorization profile. An authorization comprises complete or generic values for the authorization fields in an authorization object. The combination determines the activities with which a user can access certain data.
    Maintenance in transaction SU03 or generation from transaction PFCG (profile generator for role maintenance).
    Authorization Profile
    Grouping of several individual authorizations or further authorization profiles. Can be entered in the user master record instead of individual authorizations. An authorization can be assigned to authorization profiles as often as you wish.
    Maintenance in transaction SU02 or generation from transaction PFCG (profile generator for role maintenance).
    User Master Record
    The existence of a user master record is a prerequisite for logon to an SAP system. The master record determines which actions a user is allowed to execute and which authorizations they are assigned. Default settings, such as the format in which decimal places are displayed in lists, are also stored in the user master record. An authorization profile can be assigned to users as often as you wish.
    Maintenance in transaction SU01.
    Hope this helps
    Regards
    Amit

  • Link users - positions - roles - authorization objects

    Hi guys,
    I want to write a report that would link USERS to POSITIONS to ROLES and finally to AUTHORIZATION OBJECTS. The user would enter the SAP username in the selection screen and the report should extract all the information listed above.
    I am able to link the following:
    + Users to positions via function module RH_BRANCH_GET
    + Users to roles via table AGR_USERS
    + Roles to authorization objects via function module PRGN_1251_READ_FIELD_VALUES
    Unfortunately, I don't know how to link positions to roles.
    Does anyone know how to do that?
    Also, is there a more efficient way, than the approach highlighted above, to complete this requirement?
    Thanks for your time
    -TR

    Hi,
    you can find a link between role and HR object in table HRP1001. The field SOBID contains name of the role. You need to find way how to convert object ID into position role. Be careful about additional fields from that table.
    Cheers
