Regarding the authorization based on persinal subarea

Similar Messages

• How to check the authorization based on webdynpro application

  Hi Experts,
  I was asked to develop a webdynpro component with two webdynpro applications, one each for internal party and external party to be used.
  So how to restrict or check the authorization based on webdynpro application used?
  Do we have any authorization object like S_TCODE for webdynpro application in roles and authorizations?
  Please enlighten me.
  Regards,
  Ajay Matam

  You can assign an authorization object to the Web Dynpro Application within SICF -
  http://help.sap.com/saphelp_nw70ehp1/helpdata/en/61/d93822a88e15489a9391f309767366/frameset.htm
  Of course you could also programatically check which web dynpro application is being used from within the component and then call a custom auth-check. However maintain at the SICF is probably better for visibilty and long term maintenance costs.

• Regarding the Authorization in ABAP-HR

  Hi all,
      I want to know about the Authorizations in the ABAP-HR. If any body is having any material regarding the can you plz share with me...
  thanks in advance,
  Suresh

  Hi Kutam,
  Chk these Links....
  Can i have the list of infotypes .
  abap hr
  http://www.asug.com/client_files/Calendar/Upload/HR_STRUCTURAL_AUTHORIZATIONS.ppt
  Reward Points if Useful
  All the Best
  Gokul

• Regarding the authorization objects

  hi
  this is the requirement.
  how to provide the authorization for the given transaction code and they provided field for that and some numbers.
  please provide me the code for this
  thanks in advance

  Hi,
  Check below code,
  AUTHORITY-CHECK OBJECT 'B_ALE_MODL'<- author. object
  ID 'ACTVT' FIELD A_ACTVT<-Fields
  ID 'CUSTMODEL' FIELD A_CUSTMODEL.<-Field
  IF SY-SUBRC <> 0 AND NOT A_OWN_REACTION IS INITIAL.
  MESSAGE ID 'B1' TYPE 'E' NUMBER '125'
  WITH 'B_ALE_MODL' A_ACTVT A_CUSTMODEL ''.
  ENDIF.
  Thanks and Regards,
  Chandra M

• Regarding the Authorizations

  Hi all,
  I need to give authorization of tcode Like MMPV  for one user.
  I had done by using PFCG then i went to role and then i given the tcode.
  but it is not working , he is getting again the Auth problem

  Did you maintain the Authorization data correctly? For eg, MMPV Tcode, is the user trying to create or change or display the tcode?
  Also, check if the org structure has been setup correctly.
  Lemme know if this helps.
  Thanks
  Sudhan Shan

• Authorization based on personnel subarea

  Hi All
  I have to set up an authorization for my HR users restricted upon their location of work. I have set up personnel subarea for the same. However, am not able to find the personnel subarea object in the profile generator screen for the role.
  For reference
  PA               PSA      
  Corporate      Gurgaon
  Plants           Panoli
                      Udaipur
                      Jammu
  Marketing      All Marketing Locations
  I want to set up an authorization for user to only be able to access Plants -> Panoli data
  Please advice
  Regards
  Lokesh Gupta

  hi,
  Have a look at this pdf.It may help u.
  http://www.sap-press.de/download/dateien/726/sappress_authorization_system_engl.pdf
  http://wiki.ittoolbox.com/index.php/SAP_HR_-_Check_your_basics-Answers-1#DATA_AND_AUTHORIZATIONS
  cheers,
  Manoj.

• How to restrict authorization based on profit center in ke80 report

  hi friends
  we have a situation where we need to maintain the authorization based on profit center in ke80 report. The authorzation object K_PCA is not working. whenever we assign a particular profit center and then generate the profile, we still get the message no autjorization and when we check su53 it shows it needs '' asterisk. but we cant assign the asterisk as we have 5 subsidaries and there are using 5 different set of profit centers so assigning asterisk () would be comprimising on our security.
  does anybody came across this situation and if yes how did they resolve this?
  I need your suggestions on how to maintain this restriction.
  Regards,
  Imran

  Hi Friends
  The problem has beend solved. It turns out that this is a report writer issue. We raised the issue with SAP and they informed that 'For Report Painter/Writer every item is checked if you have the authori-zation or not. Only the items with authorization fullfilled will be displayed afterwards'.
  Based on SAP answer we created different reports for each profit center/company code.
  I would like to thank you all for your time and inputs.
  Regards,

• Regarding Prepayments,Authorization and capture of funds

  Hi..
  I have questions regarding the authorization and capture of funds in 11.5.10.2 when the Prepayment concept is used. I have read in OM manual that the authorization and capture happens in AR while creating a receipt.So how can I know that they happen immediately one after other in AR ??? i mean can I look into any columns of particular tables gets populated when authorization happens and some particular field is populated when capturing happens???
  Mainly when prepayments are used does the authorization and capture happen in AR only one after other immediately?????
  Can some one please help me....
  Thanks...

  Hi,
  when you create the batch-input session, you could set a user-name with the good authorization.
  You could ask anybody to call your batch-input in SM35, the authorization of the transaction inside your batch is check with the username set in the batch.
  So how did you create your batch-input session ??
  Fred

• How to delimitate the authorization on BI based on HR auth. object P_ORGIN

  Hi all,
  I need to insert in my BI role one authorization object to delimitate the view of data in the report (data are extracted from and SAP HR system) based on Personnel Area. On the HR system I have the authorization Object P_ORGIN that can be filled inside the roles for what concerns the value of  Personnel Area.
  How can I apply the same limitation inside the BI role?
  Many Thanks,
  Valentina

  Hi,
  R u using any other roles . If yes then open that roles and add object p_origin .It should work.
  Regards
  Nilesh

• OAM - Authorization based on the authentication method

  We are using OAM 10g for a customer to protect a large number of web application. In order to access those applications a user can chose from several authentication methods (e.g. client certificate, SecureId and mobile TAN). All applications use the same cookie domain and OAM provides SSO to the user. The customer now wants to define access rules for each of the applications based on the chosen authentication method.
  In other words, he wants to have the flexibility to define rules such as the following:
  Application A: Only accessible with client certificates
  Application B: Only accessible with mobile TAN
  Application D: Only accessible with SecureId or mobile TAN
  Application E: Accessible with any authentication method
  In order to implement this with OAM we would have assign each authentication method a different authentication level and define authorization rules that depend on those authentication levels (maybe using a custom authorization plug-in). According to the OAM documentation it doesn't seem possible to reference the authentication level in a authorization rule.
  Does anyone know a way to implement these requirements.
  Any help is appreciated.
  Best regards,
  Donat

  This is how I think we can do this.
  Write Authentication plug-in which adds which authentication scheme was used to login to the application in one of the multivalued attribute in OID. Write Authorization plug-in also which checks this value and makes authentication decision.
  One more approach is, Create as many attributes in OID as number of authentication schemes you have. Each of them is a flag representing whether user is logged in with the authentication scheme or not. When user authenticates using an authentication scheme, turn on that flag. Also flush access server user profiles cache. In the authorization rule, use this flag to make authorization decisions. Using this approach, you do not have to write authorization plugin but this may not be scalable approach as you might have to create a new attribute in OID when new authentication scheme is added.
  You can also keep this information somewhere in database or flat file and use that information in authentication and authorization plugin.
  I hope one of this solutions will help you.
  Thanks
  Kiran Thakkar

• Purchasing Group authorization based on the user

  Hi All,
  Can anyone suggest me ideas on how to restrict in accessing details of a PO for a  purchasing group based on the user who tries to access it .
  the object is M-BEST_EKG.
  need guidance in using AUTHORITY_CHECK in restriciting PO group based on the userid.
  Thanks in advance.
  Regards,
  Ry

  Hi,
  ACTIVITY controls what user can do to the PO.
  01-Create
  02-Change
  03-Display
  EKGRP controls the purchasing group
  To restrict to a specific purchasing group, modify the authorization object in the role which user has to allow the specfic P.Grp. only
  Cheers !

• Authorization based on MRP Controller in the PR

  Hi All,
  I want to restrict authorization of PR creation and list of the PR based on MRP controller.
  For e.g.  User X can only create PR with MRP controller A in PR. He can not create PR with any other MRP controller.
  And He can only display PR with MRP controller A.
  I have tried to put object  M_MTDI_ORG on the authorization but it's not working.
  Thank you for your help....
  Cheeryl

  Hi,
  The below information was available when I searched for this ..
  MRP controller for PR document type
  If you mean restricting which MRP controller codes can be entered in PReq on the "Contact person" tab, then the BAdI ME_PROCESS_REQ_CUST, method CHECK can suit you.
  Call the method IM_HEADER->GET_DATA to obtain the PReq doc. type in RE_DATA-BSART.
  Call the method IM_HEADER->GET_ITEMS to obtain the PReq items in its parameter RE_ITEMS. Then call loop through the items in RE_ITEMS and call RE_ITEMS->GET_DATA to obtain the item data in its parameter RE_DATA.
  Check RE_DATA-DISPO and set the exporting parameter CH_FAILED if you want to prevent the PReq to be saved.
  Please see if this helps you.
  Thanks
  Shailesh

• Authorization based on STD Cost Centre Hierarchy - different hier levels

  Hello,
  I need to create an Authorization scenario where the same user, which have autorization based on Cost Centre Standard Hierarchy, would have access to Cost Centre Hier "NODE A" for "CUBE 1" and Cost Centre Hier "NODE AB" for "CUBE 2". The challange is that he cannot access "NODE A" on "CUBE 2".
  How can I have this? Would it work if I create 2 different authorization objects based on cost centre, each one for a different cube?
  Current authorizations are set up for CUBE 1 based on roles assigned to users and this affects more than 300 User ID. So I need a solution with few impact on what is already set up...
  BW version 3.1
  Thanks in advance

  Just for the forum information, I have made further progress on this.
  I have created different Authorization Objects (both based on cost cecntre) and assigned each one o a different cube. I will then have 2 roles assigned to the user: one role with Auth Object X will provide access to cube A only; the other role with Auth Object Y will provide access to cube B only.
  Regarding the hiearchy level, as this does not depend of the Authorization Object but on the Cost Centre Object itself, I dont need to create (Tcode: RSSM) duplicated hierachy technical names for the same node of the hiearchy depending on the auth. Object.
  Hope this helps who's browing on the forum and have a similar issue. Otherwise, please contact me.
  Regards

• BW authorizations based on assigned PPM users/roles + inherited roles

  Dear experts,
  We using PPM 5.0 SP7, and we are having trouble defining authorizations for BW reports.
  We would like to use the same authorizations as in PPM business client, so that BI would use/check the authorization from business client.
  This check would include:
  - users or roles gain access from direct assignment to an item
  - users or roles gain access that is inherited in the bucket structure, both structure and classification buckets.
  Users would have access to BW reports, but they could see data only from the same structures/classifications or direct assignments that are given to them in PPM business client.
  Can we utilize the same authorization methods, or do we need to create and maintain this in another place (BW)?
  If needed, how to create similar authorization model to BW?
  Kind regards,
  Antti Forsell

  Hello,
  Please see these docs,
  [Field Based Authorizations in BW BEx Queries|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4753ed83-0e01-0010-e186-f98413f868cb]
  [An Expert Guide to new SAP BI Security Features|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea]
  [Advanced Features of SAP BW Reporting Authorizations|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06]
  Thanks
  Chandran

• Help regarding BI Authorization

  Hi Experts,
  I am working for first time on BI analysis authorization and I am having below queries to be clarified. Can you all please clarify my queries and help me.
  1. In the project, we will not use HR and will therefore have to do local maintenance of authorizations in each system (for data access, we will also use a central identity management system). This will for sure affect the possibility of the automatic generation of authorizations. My first question is: can it still be used at all (can we load some data via flat-file or maintain some master data in BI)?
  2. Is the concept of having queries linked to PFCG roles to be used at all in BI 7 (according to SAP standard), or is the thought that InfoProvider authorization should be used instead via 0TCAIPROV?
  3. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?
  - Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT
  - Activate the technical content for analysis authorizations: 0TCA*
  - Create authorizations in RSECADMIN, where we link a authorization object to a characteristic value (for instance, assign object: "XY" to characteristic=0comp_code with value=1010)
  - Link the authorizations just created to PFCG roles (for instance create a PFCG role "XY access" which gives access to company code 1010).
  - Create PFCG roles for "Report User" and "BW Developer" which have access to read respective create/change/delete rights of queries.
  - Create PFCG roles with certain queries linked to them.
  - Assign the PFCG roles to BW Users.
  4. Does the BI 7 authorization concept enable the use of user groups, or should authorizations be assigned on a user to user basis?
  5. What happens if I make a characteristic authorization relevant and then include this characteristic in a query and do not do any restriction on this characteristic (i.e. I do not provide any auth values to the system), will I then get an authorization error?
  6. If automatic generation of user authorizations is used together with for instance SAP HR and loaded daily, does this mean that any other manual authorization assignments will be deleted/reset upon the next automatic generation?
  7. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?
  - Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT
  - Activate the technical content for analysis authorizations: 0TCA*
  - Create authorizations in RSECADMIN, basically one object that has a restriction for each of the authorization relevant characteristics and that uses different customer exit variables to determine which values to use. This customer exit then reads some table (which we maintain manually in BI) to find the values for each user based on user name.
  - Link the authorization just created to a PFCG role.
  - Give all reporting users this PFCG role.
  - Create PFCG roles with certain queries linked to them.
  - Assign the PFCG query roles to users.
  Thank you very much in advance for helping.
  Thanks & Regards,
  Sharath

  Sharath,
  Here are some insights/replies to the list of questions you supplied. BW Security can be complicated but the trick is NOT to allow the requirements to allow it to be complicated.
  1) Are you sure you dont mean the IdM system will assist with role-based access assignments? If that is the question then, yes. For the data access (linked to roles via S_RS_AUTH : Analysis Authorizations) you could employee a flat-file load to DSOs and variable security on the authorizaiton relevant charactistics.
  2) Yes, you will need to have authorizations to queries/reports via S_RS_COMP/S_RS_COMP1 still maintained in the roles. The InfoProvider (data access) will be maintained in the Analysis Authorization (S_RS_AUTH). You need to have both in order to successfully pass the auth checks from query/report to data.
  3) Fundimentally (BW Security 101) sounds correct but again it typcially depends on the implementation and requirements on how you setup the anaylsis authoriations along with the roles.
  4) No sure what you mean about "user groups" Analysis Authorizations can be assigned to "Users" or "Roles".  You could always assign roles to user groups via SU10 or via IdM solution.
  5) Depends on how its used in the query. If the query is dependant on a value to render the report (included in intial SQL stmt) then you will get "No Authoriation". If its setup as a free characteristic or drill-down, then you wont get authorization error until a statment checks values for authorization.
  6) Depends on how it was implemented. refer to #3
  Hope that helps a little.
  Thanks,
  Matt