Regarding sap authorizations
hi all
is there anyway to limit the users access to only their own batch input sessions in tcode sm35 using sap authorizations.
thanks in advance
mohan
hi,
check this
Checking User Authorizations in your ABAP Program
How to set Authorization to an ABAP Programs?
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
Use T/Code SE80 to Create Authorization object.
if u find it useful mark the points
Regards,
Naveen
Similar Messages
-
Sap authorizations in Webdynpro
I have a question regarding the use of authorizations from WebDynpro. We wants to use standard SAP authorizations when accessing the BAPIs through WebDynpro. For example: A sales person having a SAP logon should be allowed to see the data he would see using the transactions through SAP GUI. On the other hand persons without rights to the transactions should not be allowed to access the sales order data.
How do you do this?Hi Rama,
According to me ,Upto Now thr is no such readymade facility available.But we can implement it.
1)Create a Bapi for Autherization Or Use standard Bapis if any.
2)Use those Bapis in ur Project.
3)Before u executing ur Actual Bapi U can execute Ur Autherization Bapi.
4)According to The Result of Autherization Bapi ,U can Execute Ur Actual Bapi.
Regards,
Ramganesh. -
Hi,
Iam working in SAP Authorization team. Recently we had one issue, and it is long days back we have added one single role to many of the composite roles. But suddenly last week that single roles got deleted in some of the composite roles only from production system.
Could you tell me how it is happened?
Thanks!> This is because one of your team member have transported the single role with the same role name frm development to production unknowingly thats reason it been overwritten in prd server
Then I think the changes should reflect even in DEV & TEST as well. But here the issue is only in PRD which is very surprising.
Regards, -
Enterprise/ SAP Authorization in CMC
Hi Experts,
Just need to clarify that if we are using CMC with Enterprise Authorization, is it necessary to use InfoView with same Authorization or can we use SAP Authorization with it?
Thanks & Regards,
SumeetHi,
thats the most common way you are explaining.
End- Users are using the SAP Auth. for InfoView and the Administrator(s) are using the Enterprise Administrator with the Enterprise Authentication in the CMC.
Regards
-Seb. -
Dear All,
Good Day!
Hi! I would like to know if there is an site or link that discuss of SAP Authorization ( SAP R/3 System version 46c or 4.6c ), complete and detailed particulary. Since I am new in this field or environment I'm asking for your guidance and help being as SAP Basis Admin assigned in SAP Authorization Group. Your suggestion and help mean a lot to me.
Thanks A Lot,
ArminHi
for a detailed explanation of the Authorization concept & how to handle that, please go thru this ..
http://www.*********************/tutorials/authorization_analysis.htm
hope this info helps you!
with regards,
raj
<i>pls, award points</i>
<i>if, your query is answered, pls, mark this issue as answered. thanks!</i> -
Multimedia tutorials & online courses in SAP authorization
Hello,
Could someone please guide me to where I can find multimedia tutorials or online courses, or even conventional courses related to SAP authorizations.
Thank you in advance for your cooperation.
Best regards.
Reda Khalifa
IT Department - Almansour Automotive Group - EgyptHi Reda,
The "traditional" SAP auth courses are ADM940, ADM950 & ADM960
ADM940 is your standard auth concept stuff, 950 is mainly regarding Audit & 960 is looking at system level security (the most technical of the three)
There is loads of info on the individual courses on the SAP education site: http://www.sap.com/services/education/index.epx
Alternatively there is some pretty good (if not 100% accurate in all cases) info here:
http://www.*********************/
The security section of OSS is very, very useful with a whole load of guides on there:
https://websmp205.sap-ag.de/security
You will need an OSS ID to access the documentation. Your BASIS team will have one that they should let you borrow if you don't already have one.
A few other resources are a book/pdf called Authorizations Made Easy and the R/3 Security Guide: VOLUME I, II & III
If you enter those terms into google/another search engine you will get links to where you can buy those. -
Hi!
can any one help me regarding SAP SCRIPT. i unable to write a print program for sap script . can any one can send me sample code using ITCSY structure.
Thanks in advance.
Thanks & Regads,
DurgaPrasad.kHi,
refer this to write print program:
<b>The Print Program</b>
Structure of a print program
OPEN_FORM function
CLOSE_FORM function
WRITE_FORM
START_FORM function
END_FORM function
CONTROL_FORM function
The print program is used to print forms. The program retieves the necesary data from datbase
tables, defines the order of in which text elements are printed, chooses a form for printing and
selects an output device and print options.
<b>Function modules in a printprogram:</b>
When you print a form you must used the staments OPEN_FORM and CLOSE_FORM. To combine
forms into a single spool request use START_FORM and END_FORM.
To print textelements in a form use WRITE_FORM. The order in which the textelements are printed,
is determined by the order of the WRITE_FORM statements. Note: for printing lines in the body, you
can also use the WRITE_FORM_LINES function module.
To transfer control command to a form use CONTROL_FORM.
<b>Structure of a print program</b>
Read data
Tables: xxx.
SELECT *
FROM xxx.
Open form printing - Must be called before working with any of the other form function modules.
Must be ended with function module CLOSE FORM
call function 'OPEN_FORM'.....
To begin several indentical forms containing different data within a single spool request, begin each
form using START_FORM, and end it using END_FORM
call funtion 'START_FORM'.....
Write text elements to a window of the form
call function 'WRITE_FORM'.....
Ends spool request started with START_FORM
call funtion 'END_FORM'.....
Closes form printing
call function 'CLOSE_FORM'...
OPEN_FORM function
Syntax:
CALL FUNCTION 'OPEN_FORM'
EXPORTING
APPLICATION = 'TX'
ARCHIVE_INDEX =
ARCHIVE_PARAMS =
DEVICE = 'PRINTER'
DIALOG = 'X'
FORM = ' '
LANGUAGE = SY-LANGU
OPTIONS =
MAIL_SENDER =
MAIL_RECIPIENT =
MAIL_APPL_OBJECT =
RAW_DATA_INTERFACE = '*'
IMPORTING
LANGUAGE =
NEW_ARCHIVE_PARAMS =
RESULT =
EXCEPTIONS
CANCELED = 1
DEVICE = 2
FORM = 3
OPTIONS = 4
UNCLOSED = 5
MAIL_OPTIONS = 6
ARCHIVE_ERROR = 7
INVALID_FAX_NUMBER = 8
MORE_PARAMS_NEEDED_IN_BATCH = 9
SPOOL_ERROR = 10
OTHERS = 11
IF sy-subrc <> 0.
MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
ENDIF.
<b>Some important parameters:</b>
FORM Name of the form
DEVICE PRINTER : Print output using spool
TELEFAX: Fax output
SCREEN: Output to screen
OPTIONS Used to control attrubutes for printing or faxing (Number of copies, immediate output....
The input for the parameter is structure ITCPO.
CLOSE_FORM function
CALL FUNCTION 'CLOSE_FORM'
IMPORTING
RESULT =
RDI_RESULT =
TABLES
OTFDATA =
EXCEPTIONS
UNOPENED = 1
BAD_PAGEFORMAT_FOR_PRINT = 2
SEND_ERROR = 3
SPOOL_ERROR = 4
OTHERS = 5
IF sy-subrc <> 0.
MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
ENDIF.
Paramerters:
RESULT Returns status information and print/fax parameters after the form has been printed.
RESULT is of structure ITCPP.
WRITE_FORM function
CALL FUNCTION 'WRITE_FORM'
EXPORTING
ELEMENT = ' '
FUNCTION = 'SET'
TYPE = 'BODY'
WINDOW = 'MAIN'
IMPORTING
PENDING_LINES =
EXCEPTIONS
ELEMENT = 1
FUNCTION = 2
TYPE = 3
UNOPENED = 4
UNSTARTED = 5
WINDOW = 6
BAD_PAGEFORMAT_FOR_PRINT = 7
SPOOL_ERROR = 8
OTHERS = 9
IF sy-subrc <> 0.
MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
ENDIF.
Some important parameters:
ELEMENT Specifies which textelement is printed
WINDOW Specifies which window is printed
TYPE Specifies the output area of the main window. This can be:
TOP - Used for headers
BODY
BOTTOM - Used for footers
FUNCTION Specifies whether text is to be appended, replaced or added
Example of how to use the WRITE_FORM function module together with a script.
Form layout of the MAIN window
/E INTRODUCTION
Dear Customer
/E ITEM_HEADER
IH Carrier, Departure
/E ITEM_LINE
IL &SBOOK-CARRID&, &SPFLI-DEPTIME&
/E CLOSING_REMARK
<b>The print program</b>
Writing INTRODUCTION
CALL FUNCTION 'WRITE_FORM'
EXPORTING
ELEMENT = 'INTRODUCTION'
FUNCTION = 'SET'
TYPE = 'BODY'
WINDOW = 'MAIN'
EXCEPTIONS
OTHERS = 8
Writing ITEM_HEADER
CALL FUNCTION 'WRITE_FORM'
EXPORTING
ELEMENT = 'ITEM_HEADER'
FUNCTION = 'SET'
TYPE = 'BODY'
WINDOW = 'MAIN'
EXCEPTIONS
OTHERS = 8
Set ITEM_HEADER into TOP area of main window for subsequent pages
CALL FUNCTION 'WRITE_FORM'
EXPORTING
ELEMENT = 'ITEM_HEADER'
FUNCTION = 'SET'
TYPE = 'TOP'
WINDOW = 'MAIN'
EXCEPTIONS
OTHERS = 8
Write ITEM_LINE
LOOP AT .....
CALL FUNCTION 'WRITE_FORM'
EXPORTING
ELEMENT = 'ITEM_LINE'
FUNCTION = 'SET'
TYPE = 'BODY'
WINDOW = 'MAIN'
EXCEPTIONS
OTHERS = 8.
ENDLOOP.
Delete ITEM_HEADER from TOP area of main window
CALL FUNCTION 'WRITE_FORM'
EXPORTING
ELEMENT = 'ITEM_HEADER'
FUNCTION = 'DELETE'
TYPE = 'TOP'
WINDOW = 'MAIN'
EXCEPTIONS
OTHERS = 8
Print CLOSING_REMARK
CALL FUNCTION 'WRITE_FORM'
EXPORTING
ELEMENT = 'CLOSING_REMARK'
FUNCTION = 'SET'
TYPE = 'BODY'
WINDOW = 'MAIN'
EXCEPTIONS
OTHERS = 8
START_FORM function
CALL FUNCTION 'START_FORM'
EXPORTING
ARCHIVE_INDEX =
FORM = ' '
LANGUAGE = ' '
STARTPAGE = ' '
PROGRAM = ' '
MAIL_APPL_OBJECT =
IMPORTING
LANGUAGE =
EXCEPTIONS
FORM = 1
FORMAT = 2
UNENDED = 3
UNOPENED = 4
UNUSED = 5
SPOOL_ERROR = 6
OTHERS = 7
IF sy-subrc <> 0.
MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
ENDIF.
END_FORM function
CALL FUNCTION 'END_FORM'
RESULT =
EXCEPTIONS
UNOPENED = 1
BAD_PAGEFORMAT_FOR_PRINT = 2
SPOOL_ERROR = 3
OTHERS = 4
IF sy-subrc <> 0.
MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
ENDIF.
CONTROL_FORM function
The CONTROL_FORM function module alows you to create SapScript control statements from within
an APAB program.
Syntax:
CALL FUNCTION 'CONTROL_FORM'
EXPORTING
command =
EXCEPTIONS
UNOPENED = 1
UNSTARTED = 2
OTHERS = 3
IF sy-subrc <> 0.
MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
ENDIF.
Example:
Protecting the text element ITEM_LINE
CALL FUNCTION 'CONTROL_FORM'
EXPORTING
COMMAND = 'PROTECT'.
CALL FUNCTION 'WRITE_FORM'
EXPORTING
TEXELEMENT = 'ITEM_LINE'.
CALL FUNCTION 'CONTROL_FORM'
EXPORTING
COMMAND = 'ENDPROTECT'.
rgds,
latheesh
Message was edited by: Latheesh Kaduthara -
Hi i am new to SCN. I want a help regards SAP-PM . Where to post any query regards SAP PM
Please check this link SAP Portfolio and Project Management (SAP RPM, cProjects) and cFolders
Please check scn index to find relevant forum link.
SCN Site Index -
Need information/training material regarding SAP CRM Functional
Hello,
I am a SD Consultant.
I want to learn SAP CRM (Functional) on my own without going to any training institute or some thing.
Therefore, can anyone help me in forwarding the link(s) or document(s) with which I can learn about SAP CRM (Functional).
I want information/training material regarding SAP CRM 7.0 (on system/software working, not the general information, for example- why CRM, where CRM, etc)
For example, about org data, org structure, possible scenarios, etc.
Thanks in advance for spending your valuable time for me.
Regards,
T. ChaitanyaHi ,
In the SDN lot of documents are there search in the WIKI.check the standard sap doc cr100. -
Hi All,I have one serious problem regarding sap b1.
Hi All,
I have one serious problem regarding sap b1.
In Sales order whenever I select the item from list or tax from list one. I got this
Msg Box (Application has a problem. Diagnostic file c|:\Program file\SAP\sap Business one \Log\Sap Business one_20080602105441.dmp was created.
Please contact support and attach diagnostic file). When select ok sap b1 application close. If anyone required screen short of all this error plz give me Ur email id I will send u.
Can any one help me?
Awaiting Early Response
Regards
Rajkumar GuptaHi Rajkumar,
create a message at the marketplace and send them the diagnostic file with an error description.
lg David -
Regarding Prepayments,Authorization and capture of funds
Hi..
I have questions regarding the authorization and capture of funds in 11.5.10.2 when the Prepayment concept is used. I have read in OM manual that the authorization and capture happens in AR while creating a receipt.So how can I know that they happen immediately one after other in AR ??? i mean can I look into any columns of particular tables gets populated when authorization happens and some particular field is populated when capturing happens???
Mainly when prepayments are used does the authorization and capture happen in AR only one after other immediately?????
Can some one please help me....
Thanks...Hi,
when you create the batch-input session, you could set a user-name with the good authorization.
You could ask anybody to call your batch-input in SM35, the authorization of the transaction inside your batch is check with the username set in the batch.
So how did you create your batch-input session ??
Fred -
SAP Authorizations: ST01 - return code 12 (RC=12)
Hi All!
re: SAP Authorizations: ST01 - return code 12 (RC=12)
When using ST01 to trace SAP authorizations and you come accross a return code 12 (RC=12), how do change the authorization object to check?
Thanks for your help.Hi - some standard ST01 info I follow
Main RC codes
RC =0 Successful (user is authorised)
RC =4 Failed - user does not have authorisastions but does have the authorisation object in their buffer (different authorisation combination though)
RC = 12 Failed - user does not have the authorisation AND does not have not have the authorisation object in their buffer
With RC =0 it can be due to:
1. The user has access via authorisations
2. SU25 has switched the object off system wide
3. SU24 has switched the object off for the transaction
As a note with RC=12 - I find these fails can identify a misleading authorisation check. That is, the user is not meant to have access. Take care on RC=12, especially for object S_ALV_LAYO, S_DEVELOP, S_CTS_AMDI, S_USER_GRP and when investigating a typical end user.
IF the missing authorisation (RC=12) is required, you will need to fix the PFCG role and generate the authorisations so the user receives it. If the user has the access you will need to check user buffer or role generation/corruption issues. -
Regarding about sap authorization
Hi all,
I have some doubts about security in sap.
1.If I assign a tcode to a role ,will it take immedeate effect to the user or he need to logon again?
2.when will user logon to the system again ?
Regards,
naniHi,
There is no need for the user to log off..
He or even Basis can just refresh and to get the new authorisation assigned
Hope this helps
Cheers
Senthil -
Help regarding BI Authorization
Hi Experts,
I am working for first time on BI analysis authorization and I am having below queries to be clarified. Can you all please clarify my queries and help me.
1. In the project, we will not use HR and will therefore have to do local maintenance of authorizations in each system (for data access, we will also use a central identity management system). This will for sure affect the possibility of the automatic generation of authorizations. My first question is: can it still be used at all (can we load some data via flat-file or maintain some master data in BI)?
2. Is the concept of having queries linked to PFCG roles to be used at all in BI 7 (according to SAP standard), or is the thought that InfoProvider authorization should be used instead via 0TCAIPROV?
3. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?
- Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT
- Activate the technical content for analysis authorizations: 0TCA*
- Create authorizations in RSECADMIN, where we link a authorization object to a characteristic value (for instance, assign object: "XY" to characteristic=0comp_code with value=1010)
- Link the authorizations just created to PFCG roles (for instance create a PFCG role "XY access" which gives access to company code 1010).
- Create PFCG roles for "Report User" and "BW Developer" which have access to read respective create/change/delete rights of queries.
- Create PFCG roles with certain queries linked to them.
- Assign the PFCG roles to BW Users.
4. Does the BI 7 authorization concept enable the use of user groups, or should authorizations be assigned on a user to user basis?
5. What happens if I make a characteristic authorization relevant and then include this characteristic in a query and do not do any restriction on this characteristic (i.e. I do not provide any auth values to the system), will I then get an authorization error?
6. If automatic generation of user authorizations is used together with for instance SAP HR and loaded daily, does this mean that any other manual authorization assignments will be deleted/reset upon the next automatic generation?
7. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?
- Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT
- Activate the technical content for analysis authorizations: 0TCA*
- Create authorizations in RSECADMIN, basically one object that has a restriction for each of the authorization relevant characteristics and that uses different customer exit variables to determine which values to use. This customer exit then reads some table (which we maintain manually in BI) to find the values for each user based on user name.
- Link the authorization just created to a PFCG role.
- Give all reporting users this PFCG role.
- Create PFCG roles with certain queries linked to them.
- Assign the PFCG query roles to users.
Thank you very much in advance for helping.
Thanks & Regards,
SharathSharath,
Here are some insights/replies to the list of questions you supplied. BW Security can be complicated but the trick is NOT to allow the requirements to allow it to be complicated.
1) Are you sure you dont mean the IdM system will assist with role-based access assignments? If that is the question then, yes. For the data access (linked to roles via S_RS_AUTH : Analysis Authorizations) you could employee a flat-file load to DSOs and variable security on the authorizaiton relevant charactistics.
2) Yes, you will need to have authorizations to queries/reports via S_RS_COMP/S_RS_COMP1 still maintained in the roles. The InfoProvider (data access) will be maintained in the Analysis Authorization (S_RS_AUTH). You need to have both in order to successfully pass the auth checks from query/report to data.
3) Fundimentally (BW Security 101) sounds correct but again it typcially depends on the implementation and requirements on how you setup the anaylsis authoriations along with the roles.
4) No sure what you mean about "user groups" Analysis Authorizations can be assigned to "Users" or "Roles". You could always assign roles to user groups via SU10 or via IdM solution.
5) Depends on how its used in the query. If the query is dependant on a value to render the report (included in intial SQL stmt) then you will get "No Authoriation". If its setup as a free characteristic or drill-down, then you wont get authorization error until a statment checks values for authorization.
6) Depends on how it was implemented. refer to #3
Hope that helps a little.
Thanks,
Matt -
Hi Experts ,
When we run the WEB- I report created on bex query which has characteristic variable of processing type Authorization and ready for user input.
The error we are getting as " error getting levels for hierarchy (Dimension) : Unknown error.
Some time we get error as " Supplied XML is not valid "
Some time we get error as " Error in MDDatasewBW.getcelldata :Unknown error.
those error are coming when I choose value for the user input prompt in BO side.
Please help me to resolve this.
Regards
Ashutosh DHi Ingo,
The details are
SAP version: 710 Final Release Patch 8.
BO version XI 3.1 Patch level 1.7
The qurey run fine in BEx and give the data set which user is authorized to see ..
in BO we are getting this error.
If we do not slect any value in user input prompts it work fine in BO , but of no use we have to selcet some of value for user input prompts ...
Senario is : One user has access to global level data having * Authorization on Region
other user have restricted accees to data ( only for 2 region )
in BEX it gives right result
in BO it give error as meantioned.
let me know if you need any other information.
Regards
Ashutosh D
Maybe you are looking for
-
How to share an external display with another computer
Hey all, I'm not sure if this is possible, but I would like to be able to keep a pemanent dock attached to my work computer monitor (sweet 24" HD display) for my w510 to use as a secondary or even a primary monitor while I'm at work...the issue is t
-
Interactive PDF button problem
I created an interactive pdf in InDesign CS5.5. I added buttons on pages to navigate throughout the pages of the pdf. The pdf worked beautifully until a someone tried to open the pdf in Acrobat 6.0; all of the type (fonts) on the buttons became jumbl
-
How do I create a link in text which instructs the download of a pdf file?
-
Where can I get a longer Digital DIN cable? Help!
I need an extension for the digital din cable to my creative inspire 5.1 digital 5700. I can't get it anywhere and my speakers are now connected with the normal stereo speaker cable extension and I can't output 5.1 sound off of my PC cause only 2 spe
-
I downloaded some apps , how do i get an icon on my phone to access them ?
I DOWNLOADE SOME FREE WEATHER RELATED APPS ON MY I PHONE 5 . HOW DO I GETAN ICON ON MY PHONE SCREEN SO ICAN ACCESS THEM ?