Relate authorization object to transaction

Hi experts,
I am currently working on authorization on AS ABAP, creating roles containing different SAP standard transactions
Actually I wonder if it is possible to relate an auth. object to a certain transaction. This could be necessary for my authorization concept because there are several SAP standard transactions checking the same auth. object.
As an example take transactions SE16 and SM30. Both check auth. object S_TABU_DIS.
If I now want to create a role which gives a user the permission to edit customizing tables in SM30 but not in SE16 there is no way (until now I do not know one) to define an instance of S_TABU_DIS with read/write permission for SM30 and another instance with only read permission for SE16.
I tried to use two roles putting one transaction into each. When I give the user the "SE16 role" he has no write permission in SE16. But when I give him the "SM 30 role" too he has write permissions in both, SM30 and SE16.
Therefore I guess that the authorization of the SM 30 role "overwrites" the read-only permission of the SE16 role.
Now my question to you: Is there any way to bind an auth. object to a transaction, so that an authorization defined from an auth. object is only valid for a certain transaction?
Thanks in advance for all answers!
Best regards,
Torben

Hi Bernard,
With transaction se93 you can add an authorization object to a transaction as far as I know. I never used it but it is possible. If you call transaction PFCG you see that object S_USER_AGR is used. I understood that this is a static authorization and the dynamic authorization is in the abap.
Have fun
Bye
Jan van Roest
Edited by: J. van Roest on Feb 18, 2011 12:15 PM
Edited by: J. van Roest on Feb 18, 2011 12:16 PM

Similar Messages

  • Authorization objects for  transaction, one to view, and one to maintain

    Hi all,
    My requrement is to create two authorization objects for  transaction, one to view, and one to maintain.
    I know how to create objetcs vai sm21, but i donot know how to crate objects with activity codes.
    Please suggest how to create object where i can asign activity codes.
    regards
    manish

    The Authorization Concept
    R/3 uses authorization objects to assign authorizations to users. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (eg. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (eg. Z_SCC20001).
    Authorizations may be classified as general authorizations, organizational authorizations or functional authorizations. General authorizations specify the functions a user may perform. Authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. The system checks for the useru2019s authorization to create general ledger accounts (Activity 1) in at least one company code. The system then checks whether the user is permitted to create accounts for the specified organizational unit (company code) and has the required functional authorizations. Authorizations in this case may restrict the user to certain Charts of Accounts. In addition, an authorization group may be defined in certain authorization objects to protect individual master records.
    Profiles relating to an organizational role (eg. General Ledger Supervisor) are defined consisting of a list of authorizations and other profiles. Such profiles are then assigned to users with that role and stored in their user master record along with other data (eg. password).
    Do check this link as well.
    http://articles.techrepublic.com.com/5100-10878_11-5110893.html

  • Authorization Object   for  Transaction code XSLT_TOOL

    Hi Friends
    When i try to use transaction xslt_tool the following error appears "You are not authorized to use transaction xslt_tool".
    Can anyone give  the Authorization object  for  transaction  xslt_tool,
    Regards.
    Wishva

    Give access to the transaction in PFCG. 
    Then use SU53 to highlight any additional access required.

  • Link authorization object to transaction code

    Hi to all
    how to link authorization object to transaction code?
    i think we can do by using SU24, i am not getting how to do ?
    can any one help me on this Immediately
    Regards
    raadha

    In SU24
    In the Application tab
    Type of Application: 'Transaction'
    Transaction Code:  'Tcode'
    In the Authorization Object tab
    Authorization Object: 'Authorisation object name'
    Type of Application: 'Transaction'
    Then Execute or Press F8...

  • Authorization Object for Transaction Code

    Hi,
    Is there a report I can execute to give me the list of authorization object for this transaction code?
    Thanks.

    Check Transaction SU24
    Alternatively you can go to SE16-- enter the table name TSTCA, then enter the T CODE, you will get the object related to that T Code.
    Reward points..

  • Adding new authorization objects to transactions

    Hi experts,
    i would like to add new authorization objects to specific transactions, for example the object K_CCA for checking the cost element in the transaction KB15N.
    What do we have to maintain, except the transaction code with (SU22). What do we have to do with the program behind the transaction?
    Is it "just" adding two line of code into the auth object check in the program, similar or like described for client specific ABAP-programs???
    Any experiences on that?
    Regards
    Florian

    Hi,
    First add the objects in DSO then in Info Cube.
    Map the same with transformation.
    Move the objects to production then DSO.
    Load the DSO first. then delete the data from cube in production.
    Now move the modified cube and transformation to production.
    Now load the Cube from DSO.
    No need to change any thing in existing query.
    I hope this will help.
    Thanks,
    S

  • Report to view user nm, authorization objects, activity, transaction code.

    Hi All,
    I want to view a user-wise report that displays the transaction code, authorization objects and activities for which the user has authorization.
    Is there any standard report to view all this at a glance?
    Can anybody help me on this?
    Thanks.

    u can try SUIM tcode
    its really helps u
    regards,
    Abhilash

  • Assigning authorization objects to transaction

    Hi All,
    While creating a new role using transaction PFCG, If i enter transaction SE38, i will get lot of authorization objects, fields where i can decide whether i should allow only display or change or create etc. But if i create my own transaction, then i will not get these authorization objects. Where should i assign there objects for my transactions.
    I tried to assign this in transaction se93, but that did not work.
    Thanks in advance.
    Best Regards,
    Surendra<b></b><b></b>

    TRY with SE97.
    and check the check box change mode and try running there you can change the authorizations..
    vijay

  • List of Authorization Object with Transaction Code

    Dear All ,
        Does SAP provide  any report to list all the Authorization Object ? and which object is belong to which transaction code ?
    Thanks .

    hi olrang ,
    STEP BY STEP TO CREATE AUTHORIZATION OBJECT:
    STEP1:  goto  SU21 transaction and create a new Authorization Object
    Object Name:  Z.....
    Text:  ...........
    ClassL  SD (YOUR MODULE)
    AUTHOR:  YOUR ID
    STEP2:  Give authorizatin fields as
    ACTION - Action of the Authorization
    Activity -  Document Destribution.
    STEP3:  Basis will create a role using transaction  PFCG and assign this authorization object to that role.
    STEP4:  Call the AUTHORITY-CHECK Object in your code.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>.
    ID <authority field 2> FIELD <field value 2>.
    IF sy-subrc 0.
    MESSAGE e000(zzpp) WITH 'No Authorization'.
    ENDIF.
    and it belongs to  SU24 transaction code
    Saurabh Goel

  • Authorization Objects in Transaction codes

    Dear Experts
    we are trying to make Authorization Matrix for users authorizations , so what i need to know if is there any way i can get template list includes Tcodes and the Authorization objects corresponding to each Tcode , it will be a lot easier to make the roles .
    please if anyone can advice how i can get the tcode list with its objects it will be great.
    thanks
    Sameh Essa

    Authorization Matrix - Not any table / programme will work for you in this case, you better maintain below checklist :
    1) Gather company data : Organization Structure HR will help you in this. (you need to get all details on Organization values such as Company Code, Plant, Purchasing / Sales Organization etc.,
    2) Prepare a sheet for every module (PP,MM,SD,FI,CO,HR etc.,)
    3) Study the Organization structure & Identify the Job responsibility of the person in current organization & what function he / she will do in SAP.
    4) A sheet contains T-codes & description (you can get list of tcodes from respective functional consultant), Role Name, Activity - create/change/display et.,
    5) Don't add all t-codes Ex- PP : Add only those tcodes access by you users : End or Core users. Sometime it doesn;t make sense to give create / change / delete t-codes to a user who's only responsible for doing data entry job or a user who is responsible only for creating materials not approving / sending.
    6) Make a sheet that maps you users to role
    7) Always review / approve your Matirx from respective Functional Head, as a BASIS we can't take decision on Functional side.
    8) Always test you roles in DEV / QAS (training client) assigned to a test user by your functional cunsultant.
    9) Always remember of cross functionality authorizations (like some time they may
    10) Always make sure that none of the user gets any BASIS activity authorization.
    I gather above points from my experience where I was involved in designing Matrix, It can be defferent depends upon the organization.
    Regards;

  • Authorization object (pfcg transaction) x funds center group

    Hi,
    I would like to know how i can by u201Cauthorization objectu201D in PFCG transaction to allow that some user can access the funds center group (created in FM_SETS_FICTR1 transaction). Is there u201Cauthorization objectu201D to funds center group ?
    On the other hand, I need that one user access just all Funds Centers of the especific funds center group using u201Cauthorization objectu201D.
    Kind regards in advance.
    Claudio

    Hi Mauri,
    the transaction SU24 for  FM_SETS_FICTR1 transaction just show the object F_FICA_FCG and this object only open the fields: FM_AUTHACT and FM_FIKRS for this object.
    I solved the this problem applying the Alex´s idea bellow:
    Hi, if Fund centers from FC groups doesn't across (i mean that one FC can include just to one FC group), then you can       upload FC from groups and maintain Auth group via LSMW.
    Ex. maintain for all FC from FC group BQ000020 auth. group=BQ02 etc
    thanks a lot
    Claudio

  • Authorization Object (pfcg transaction) versus Funds center group

    Hi,
    I would like to know how i can by u201Cauthorization objectu201D in PFCG transaction to allow that some user can access the funds center group (created in FM_SETS_FICTR1 transaction). Is there u201Cauthorization objectu201D to funds center group ?
    On the other hand, I need that one user access just all Funds Centers of the especific funds center group using u201Cauthorization objectu201D.
    Kind regards in advance.
    Claudio

    Hi Alex,
    Your ideia is good, but unfortunaly my Funds center doesn´t have its code starting with the same character. Ex..._BQ000020 is a Funds center group_ of Funds center  ET000030, BF000043 and CJ000031.
    thanks a lot
    Claudio

  • What is authorization object and how to create it for a table

    Hi All,
    What is authorization object and how to create it for a table?
    Thanks

    Hi
    Authorization
    For authorization checks, there are many ways of linking authorization objects with user actions in an SAP system. The following discusses three possibilities in the context of ABAP programming.
    Authorization Check for Transactions
    You can directly link authorization objects with transaction codes. You can enter values for the fields of an authorization object in the transaction maintenance. Before the transaction is executed, the system compares these values with the values in the user master record and only starts the transaction if the appropriate authorization exists.
    Authorization Check for ABAP Programs
    For ABAP programs, the two objects S_DEVELOP (program development and program execution) and S_PROGRAM (program maintenance) exist. They contains a field P_GROUP that is connected with the program attribute authorization group. Thus, you can assign users program-specific authorizations for individual ABAP programs.
    Authorization Check in ABAP Programs
    A more sophisticated, user-programmed authorization check is possible using the Authority-Check statement. It allows you to check the entries in the user master record for specific authorization objects against any other values. Therefore, if a transaction or program is not sufficiently protected or not every user that is authorized to use the program can also execute all the actions, this statement must be used.
    AUTHORITY-CHECK OBJECT object
                            ID name1 FIELD f1
                            ID name2 FIELD f2
                            ID namen FIELD fn.
    object is the name of an authorization object. With name1, name2 ... , and so on, you must list all fields of the authorization object object. With  f1, f2 ... , and so on, you must specify the values that the system is to check against the entries in the relevant authorization of the user master record. The AUTHORITY-CHECK statement searches for the specified object in the user profile and checks the useru2019s authorizations for all values of f1, f2 ... . You can avoid checking a field name1, name2 ... by replacing FIELD f1  FIELD f2 with DUMMY.
    After the FIELD addition, you can only specify an elementary field, not a selection table. However, there are function modules available that execute the AUTHORITY-CHECK statement for all values of selection tables. The AUTHORITY-CHECK statement is supported by a statement pattern.
    Only if the user has all authorizations, is the return value sy-subrc of the AUTHORITY-CHECK statement set to 0. The most important return values are:
    ·        0: The user has an authorization for all specified values.
    ·        4: The user does not have the authorization.
    ·        8: The number of specified fields is incorrect.
    ·        12: The specified authorization object does not exist.
    A list of all possible return values is available in the ABAP keyword documentation. The content of sy-subrc has to be closely examined to ascertain the result of the authorization check and react accordingly.
    REPORT demo_authorithy_check.
    PARAMETERS pa_carr LIKE sflight-carrid.
    DATA wa_flights LIKE demo_focc.
    AT SELECTION-SCREEN.
      AUTHORITY-CHECK OBJECT 'S_CARRID'
                      ID 'CARRID' FIELD pa_carr
                      ID 'ACTVT' FIELD '03'.
      IF sy-subrc = 4.
        MESSAGE e045(sabapdocu) WITH pa_carr.
      ELSEIF sy-subrc <> 0.
        MESSAGE e184(sabapdocu) WITH text-010.
      ENDIF.
    START-OF-SELECTION.
      SELECT  carrid connid fldate seatsmax seatsocc
        FROM  sflight
        INTO  CORRESPONDING FIELDS OF wa_flights
        WHERE carrid = pa_carr.
        WRITE: / wa_flights-carrid,
                 wa_flights-connid,
                 wa_flights-fldate,
                 wa_flights-seatsmax,
                 wa_flights-seatsocc.
      ENDSELECT.
    Regards
    Hitesh

  • Authorization object assignment on USERS

    Hi,
    i have to maintain authorization objects in transaction types and users in our company, such that the executives (management of all org. units) of the company are able to see all the transactions including activities within the whole company.
    on the other hand the employees (<b>not executives</b>, belonging to a specific org unit) should be able to see ONLY the transactions belonging to his org. unit
    useful info is avlbl at: http://help.sap.com/saphelp_crm50/helpdata/en/26/99973915e69238e10000000a11402f/frameset.htm
    but where and how are these authorization objects assigned?
    Kindly help, thnx, all answers appreciated.
    Jacob.

    hi Jacob,
    Look at <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/81/0e0f61b566dc44bbb4055b3ccd25be/frameset.htm">Identity Management</a> maybe it helps you.
    Regards.
    Manuel

  • Authorization object for Internal order

    Hi experts,
    My requirement is while creating the PO using the internal order as reference  i need to check the internal order is valid for that user or not.
    Is there is any standard authorization object  for internal order is available using which i can validate the internal order by assigning this authorization object in the user role.

    Hello,
    When you try to create internal order and once you get the error.
    Open another session with /OSU53
    This gives you the details of authorization objects or transaction codes you are lacking.
    Provide this to security administrator of your team.
    Hope your problem will be solved.
    Regards,
    Ravi

Maybe you are looking for

  • Error in communication channel AS2 Seeburger EDI Adapter

    Hi, I am facing one issue in communication channel at receiver side. Adapter type is AS2 Seeburger EDI adapter. Brief overview of scenario: Sender is R/3 sending an IDOC and Reciever is Party (Vastra_Gotaland). The error in reciever communication cha

  • How can I add an attribute to a SAML 2.0 response?

    I am trying to implement SSO with a relying party while using Azure AD as the IdP and they require the email address to come from one of the following attributes below in the SAML response.  But I can't for the life of my find out where I can configu

  • GRC 10.1 Integration with PI 7.4 and BODS?

    Hi Experts, As per our system design we have to configure workflow for termination of users in SAP PI 7.4 and BODS system through GRC 10.1. Can someone share the connection steup instruction for the above systems? Thanks, Trinetra

  • My iTunes won't update

    My itunes wont update...everytime i try to update it says the file has become corrupted and that it will try to complete on the next update but i have tried redoing the update and still remains the same. I also cant get onto my itunes as it requires

  • HT3204 Hi i am having trouble down loading itunes.  I keep getting these error messages.....................runtime error:

    Hi Having problems down loading itunes.  Keep getting this message Runtime Error! R6034 An application has made an attempt to load the C runtime library incorrectly. Does anyone have any suggestions? Thank you