Restrict Authorization in SAP_ALL & SAP_NEW for SCC4 T-CODE only display

Hi,
I want to restrict 'Change' mode for SCC4 T-CODE for devuser, who has complete authorization with profiles SAP_ALL and SAP_NEW. Only 'Display' should be allowed for SCC4. No roles are assigned to devuser.
For other users, roles are assigned with a restriction in authorization at "Basis: Administration -> Table Maintenance (via standard tools such as SM30) -> Activity": for authorization object S_TABU_DIS only 'Display' is allowed.
Abhijit.

Jurjen Heeck wrote:
> ... something else to make a part of SAP_ALL not work?
2 ideas:
- If the regeneration of SAP_ALL could check that the user running it does not have any SAP_ALL authorizations? Meaning, they would need to know exactly which non-SAP role authorizations (their technical names) have that authority in it. Many folks who only work with SAP_ALL don't know how to do that.
- If there were some way to isolate the program parts which are required to change SCC4 such that they can only be run with root privileges, then you do not need to give your SAP system (with SAP_ALL) root access...?
Disclaimer: Just ideas! Complete overkill!!
=> Does restricting the user's access sound like a much easier idea now?
Cheers,
Julius

Similar Messages

  • CCMS ALERT for SCC4 t-code

    Hi ,
    I want to set a CCMS alert in SOLMAN for t-code SCC4 in a satellite system. Please advise.
    Thanks
    Chander

    Hi,
    As far as I am aware, no CCMS monitor exists for this. What you can do is set parameter rec/client = ALL in DEFAULT.PFL; this will then enable you to at least go and look at who opened it and when, using report SCC -> Utilities -> Change logs.
    This will also only be helpful if everyone uses individual users and no generic user makes the changes.
    Also refer to the link below; it monitors the table where the change entries are made, and changes can then in turn be alerted on.
    http://scn.sap.com/thread/931751
    Kind Regards,
    Johan

  • What is the best approach for executing this code only once?

    Hi,
    What would be the best way to do this using JSF/Java web architecture? I have a login page, login.jsf, that submits login credentials to another servlet and, if successful, is redirected to a login success page, which I have called "main.jsf", my application's main page. What I want to do, however, is when the login success mechanism redirects to my application, I want to run a bit of Java code (which requires access to the session object) that executes only once, and then redirects to my application's main page.
    In other words, I could put this Java code on my application's main page, but then it would execute every time a user visited it.
    Any advice on the most efficient way to do this?
    Thanks, - Dave

    laredotornado wrote:
    > Thanks for your reply but I have a question. If the filter is executed on every page, then, assuming the user is logged in, the code would be executed every time. How can I create this such that my code snippet is executed only once, preferably after the user is re-directed to the login success page?

    It is more secure. On login just put the User object as attribute of HttpSession and check in the filter if it is there.

  • Restrict authorization in VA01 for partner function field

    Hi all,
    I need a way to restrict authorization in VA01/VA02 for users so that in the headers tab -> partners, the employee responsible field is locked. Other fields (i.e. ship-to/sold-to should still be changeable)
    What is the best way to achieve this?
    Thanks,

    This is not the solution for your query, to make it non-modifiable. You want it on a per-user basis, but if you make it non-modifiable it will be in display mode for all users. But if you want to try this, you can make it non-modifiable via the following path:
    Sales and distribution > Master Data > Customer Master > customer hierarchy > partner determination for sales document header.
    I'm not sure of the exact path because I have no access to a system at this time. But you can find it in the above nodes.
    The proper solution to your question is a user exit, as mentioned above.

  • Restriction authorization

    Dear Gurus,
    Users in our production system have access to t-codes se38, se11.
    Now we want to remove these authorizations, but these authorizations are provided to the users via different roles and it's difficult to track these authorizations.
    I want to know whether it is possible to create a restriction authorization where we can define the t-code value as 'not equal' and restrict the desired authorization.
    Please update.
    Thanks and regards
    Tushar

    I agree with Netweaver Expert.
    If you are finding it difficult to identify those roles then I suggest that someone on your security team gets training ASAP, as it is a very, very basic task to ID roles with those authorisations. You can do it in SUIM or via table AGR_1251 in less than 10 minutes.
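
The AGR_1251 lookup mentioned in the reply above, as an added example that is not part of the original thread: it lists the roles whose S_TCODE authorizations cover SE38 or SE11, including wildcard and range values. It assumes AGR_1251 was exported to CSV with the columns AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH and DELETED; the role names and rows are constructed sample data, and range matching by plain string comparison is a simplifying assumption.

```python
import csv
import io

# Constructed sample export of table AGR_1251 (role names are made up).
SAMPLE_AGR_1251 = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,DELETED
Z_DEV_TOOLS,S_TCODE,T_D001,TCD,SE38,,
Z_DEV_TOOLS,S_TCODE,T_D001,TCD,SE80,,
Z_BASIS_WIDE,S_TCODE,T_B001,TCD,SE*,,
Z_RANGE_ROLE,S_TCODE,T_R001,TCD,SE00,SE20,
Z_OLD_ROLE,S_TCODE,T_O001,TCD,SE11,,X
Z_FI_CLERK,S_TCODE,T_F001,TCD,FB03,,
Z_FI_CLERK,F_BKPF_BUK,T_F002,BUKRS,1000,,
Z_EVERYTHING,S_TCODE,T_E001,TCD,*,,
"""


def load_rows(csv_text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def value_covers(low, high, tcode):
    """True if one LOW/HIGH value row covers the given transaction code."""
    low = (low or "").strip().upper()
    high = (high or "").strip().upper()
    tcode = tcode.strip().upper()
    if high:
        # Range entry, e.g. SE00..SE20 (assumption: plain string ordering).
        return low <= tcode <= high
    if low.endswith("*"):
        # Generic entry: "SE*" matches by prefix, a lone "*" matches everything.
        return tcode.startswith(low[:-1])
    return low == tcode


def roles_granting(rows, tcodes):
    """Map each transaction code to the sorted roles whose S_TCODE values cover it."""
    hits = {t.strip().upper(): set() for t in tcodes}
    for row in rows:
        if row["OBJECT"] != "S_TCODE" or row["FIELD"] != "TCD":
            continue
        # Assumption: rows flagged DELETED = X are inactive and do not grant access.
        if (row.get("DELETED") or "").strip().upper() == "X":
            continue
        for tcode in hits:
            if value_covers(row["LOW"], row["HIGH"], tcode):
                hits[tcode].add(row["AGR_NAME"])
    return {tcode: sorted(roles) for tcode, roles in hits.items()}


if __name__ == "__main__":
    report = roles_granting(load_rows(SAMPLE_AGR_1251), ["SE38", "SE11"])
    for tcode, roles in report.items():
        print(tcode, "->", ", ".join(roles) or "(no role)")
```

A search for the literal value SE38 alone would miss Z_BASIS_WIDE, Z_RANGE_ROLE and Z_EVERYTHING, which is why the generic and range rows have to be evaluated. AGR_1251 holds role data only, so profiles assigned directly to a user (such as SAP_ALL) are not found this way.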

  • How to restrict the user id to a specific company code?

    Hi,
    I want to restrict a user id to access a specific company code only for both customizing and application data creation. This means that the user id can do customizing and create application data for that company code only and not for any other company codes.
    how can i do this?

    Hello Raja,
    Your requirement of restricting users for application data can be solved by adding the company code in the organization level button, and the user will be restricted to maintaining application (transaction) data for the org element for which he is authorized, if the transaction has objects which check company code.
    Customizing data authorization can be very tricky, as most of the customizing transactions for maintaining customizing tables will not necessarily have an authorization check for org elements. In this case you may have to manually insert an object called S_TABU_LIN along with S_TABU_DIS; it will perform the job of restricting authorizations.
    In cases where the end user is accessing tables directly with SE16, S_TABU_DIS is the object that is checked and maintained in PFCG. But such a restriction cannot be made with S_TABU_DIS alone. Fortunately SAP provides us with another authorization object, S_TABU_LIN (Authorization for Organizational Unit), which can be used in conjunction with S_TABU_DIS to enforce such a restriction.
    This authorization object works only with Maintenance Views and Customizing tables. Also note that an Organization Criterion is a prerequisite for implementing the same.
    A detailed step by step procedure to be followed is given below:
    1. The first step in implementation of line authorization is defining an Organization Criterion. For this we need to access the "SAP Reference IMG" customization page from SPRO transaction.
    2. From the IMG display screen select SAP Web Application Server -> System Administration -> Users and Authorizations -> Line Oriented Authorizations. Select the execute ( ) button for the "Define Organization Criteria".
    3. The resulting table display show all available Org Criteria values existing in the system. For our purposes we will create a new Org Criteria to suit our needs. Select the tab "New Entries" as shown below.
    4. Give an appropriate name starting with Y or Z for the new value. Note that a name starting with another letter will not be accepted by the SAP system. Click on 'Save' button to save the newly created Org Criteria. This opens a new window asking for a Workbench Transport Request. This would be required so as to transport the new Line authorization restrictions further to the test and production systems.
    5. Now select the new Org Criterion "Y_TEST" and double-click the "Attributes" tab as below to define the various Org Attributes.
    6. Provide the new Attribute name and Description for the same. Also fill the Authorization field value from the provided dropdown (1st Org Criterion Attribute ... 8th Org Criterion Attribute). The search help field is an optional field which can be filled if a search criterion exists or has been created earlier for the specific purpose. This field enables the "F4" when filling entries in the authorization object
    7. We already have a search help (C_T001) available, which provides as an F4 help the list of all available Company Codes in the system.
    Note that we can create up to 8 Org Attributes as per our requirements (by selecting "New Entries" tab), each corresponding to a column in the target table.
    8. Selecting the attributes link again will show us a list of all defined attributes and the authorization Field it will appear in. Now that we have defined the Attribute Field that we require, we need to associate each attribute to the corresponding Table Field in the target table.
    Select one of the attributes as below and double-click on the "Table Fields" button to define the field associations.
    9. Select the "New Entries" tab to create a new table field association.
    10. The View/table field must be filled with the target table which we need to control.
    11. The "Field Name" will require the field name of the target table which be linked with the specific Org Attribute. Performing an F4 on this field will display the list of all possible fields available in the View/table provided earlier. Here we will select the field name BUKRS (Company Code). Save the entries in the same workbench request created earlier.
    12. The next step would be to activate this new Org Criterion so that SAP now checks the authorization for S_TABU_LIN for every user
    13. In the 'IMG display' go to SAP Web Application Server -> System Administration -> Users and Authorizations -> Line Oriented Authorizations. Select execute ( ) button for the "Activate Organization Criteria".
    14. From the resulting customization screen tick the check-box for the Org Criterion that we have created. On saving the settings the system then asks for a Customizing Transport Request for further transport into test and development systems.
    15. Any user without this authorization will not be allowed in to the SM30 display/change screen for this table.
    16. In the role for which the S_TABU_DIS provides maintenance access for the table , we will now also need to maintain the object S_TABU_LIN.
    17. On selecting change button besides any authorization field you will need to select the Organization criterion which needs to be maintained here. Note that only one Org Criterion can be maintained in one instance of S_TABU_LIN object.

  • COPA for 10 company code out of 14 company codes

    Hi Experts,
    I have one query regarding COPA. One of my clients wants to implement COPA for 10 company codes out of the 14 company codes of the company, and all these 14 company codes come under a single controlling area. Now the client wants to implement COPA for 10 company codes.
    So my query is:
    1 Is it possible to implement COPA for 10 company codes only?
    2 If it is possible, what are the probable precautions to be taken? And what challenges can be faced in this?
    Thanks & Regards
    Sri

    Hi Ajay
    Sorry for the inconvenience; I am reopening the closed issue again.
    Could you please give some additional input about the user exit?
    My ABAPers put a breakpoint, but even so it is not triggering at that stage.
    I am getting the below error message for the non-relevant COPA company code:
    Prof.segment for prim.cost elements not advisable for costing-based CO-PA
    Message no. KI183
    Thanks
    Sri

  • Only Primary NC code for Default NC Code

    Hi All,
    In SAP ME 5.2, in Operation Maintenance, when I browse for the Default NC code I need only primary NC codes to be listed; here I am getting all the NC codes.
    Is any specific setting needed for this filtering?
    Are there any activity rules related to this filtering?
    Regards,
    rajiv

    Okay thanks for your response...
    In Rich POD, in the LOG NC Reject plugin, when I browse for the NC Code it is displaying all the NC Codes irrespective of the NC Group assigned to the operation...
    I am able to see all the NC Codes from all the NC Groups...
    How to solve this issue? I want to see only the NC Codes belonging to the particular NC Group to which I assigned the operation, only the selected NC Codes for the operation...
    This is working fine when I am logging NC in Normal POD: for the operation, only the assigned NC codes belonging to the particular NC Group are displayed.
    Are there any rules related to this setting, or any specific configuration?
    Thanks,
    Rajiv

  • Spro full authorization without sap_all and sap_new

    Hi Friends,
    Can you suggest how to give SPRO full authorization without the sap_all and sap_new profiles?
    Thanks & Regards,
    Tarun

    Hi Gowrinadh,
    This is an interesting discussion. I don't mean to take shots at your concept, but I have some concerns about it as a solution.
    > I have prepared a role 8 months back, we passed 2 patch upgrade cycles and I can confirm that this role will work even after the next version of ECC upgrade.
    Sometimes the symptoms only make themselves visible later, and we don't know what is coming in the next version of ECC. Of course it should be largely compatible, but there will be new stuff. You can be sure of that.
    > If there are any modules or new functionalities required, then customer has to request for it in addition.
    My understanding is that the customer requests a full and working SPRO role for each release. They will not find the tcodes for you and do not want to play ping-pong via support tickets either with it.
    So each time you bill your customer for the 20 or 40 hours work for maintaining these tcodes manually in ranges? Apart from being error-prone, this solution is not scalable for when SAP might introduce another 20000 tcodes into the SPRO. Or someone convinces SAP to introduce an S_TCODE check for every line of code in the whole system... (this is something which some people seem to believe in...), which would introduce several billion new tcodes for you...
    > For which we can build separate role.
    That is different. The question here (and certainly your solution) is to have them in the same role without duplicates but still including all SPRO access.
    If you build them as separate roles, then you can merge them as projects into one composite and live with the duplicates while checking for any known objects which should not be included.
    I would agree with you. That is in my opinion a better solution, but it is not what you have been describing earlier.
    > We can plan for authorizations and build roles based on the inputs for today and tomorrow received from customer.
    That is the whole point in having maintainable roles and scalable processes. Manually maintaining 20k tcodes is incompatible with such requirements.
    > By the way, the max no of consultants and business process owners having this role is not more than 40.
    I don't think that assigning the role to fewer people will make it more useful, nor that assigning it to more people will bring down its per-user cost of maintenance.
    There is some old code posted here already which does what you have described in less than 1 minute. You can find it via the tables I have mentioned above, and will recognize it (and its age) by the header lines it uses for internal tables. But it still works, since about release 3 point something...
    Cheers,
    Julius

  • BASIS--to restrict authorization for a PO document type & 122 movement type

    Dear All,
    Please guide me on how to restrict authorization for a PO document type and for movement type 122, i.e. for example, if a user has authorization for PO document type IC then he should not be able to run movement type 122 in any T-code he runs.
    Thanks in advance
    Arpit
    Basis

    Hi,
    Your request was not too clear to me.. As per my unde
    Here are some details of the authorization objects related to Purchase Orders:
    Document Type in Purchase Order (M_BEST_BSA)
    Purchasing Group in Purchase Order (M_BEST_EKG)
    Purchasing Organization in Purchase Order (M_BEST_EKO)
    Plant in Purchase Order (M_BEST_WRK)
    Document Type in Outline Agreement (M_RAHM_BSA)
    Purchasing Group in Outline Agreement (M_RAHM_EKG)
    Purchasing Organization in Outline Agreement (M_RAHM_EKO)
    Plant in Outline Agreement (M_RAHM_WRK)
    This can be helpful to you to restrict authorization to PO.
    At Organization Level, it can be restricted by Purchasing group, Purchasing organization and plant.
    Regards,
    Sandip

  • How to restrict authorization for OBC4

    Dear all
    How do I restrict authorization for OBC4 (field status) per user ID?
    Regards
    nasa

    Hi Nasa
    You can try to use the S_TABU_LIN object. With this object you can control access to tables (called from maintenance views, SM30 etc.) based on the database key for the table.
    And as far as I can see, the OBC4 transaction is just a couple of maintenance views for V_T004V and V_T004F.
    You can find a small how-to here: http://www.mhn-consulting.com/s_tabu_lin.html
    Regards
    Morten Nielsen

  • To restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.

    Hi,
    We have  a requirement where we need to restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.
    Presently we can restrict authorization at Purchasing organization level but not at Plant level.
    Any pointer please!
    Regards,
    Chetan

    First of all, this is not the right forum to post such a question.  Coming to the requirement, this can be achieved by creating a role in PFCG where you can restrict plant and assign this role to each user id.  Your basis team can do this.
    thanks
    G. Lakshmipathi

  • Restrict authorizations for loads from HR to BW for certain data

    Hi,
    Our customer wants to protect some data in the HR productive system. This data is defined/restricted by certain personnel areas.
    It is not enough to use reporting authorizations in BW to restrict presentation in queries or use filters in infopackets during load to avoid this data.
    The requirement is to make load of such data from HR to BW absolutely impossible, even BW administrator cannot see them and must not be able to load them.
    We will probably have to somehow limit ALEREMOTE users authorizations in BW. I do not know how and I even doubt, that extractors in HR source system perform authorizations checks for fields.
    Is there any way to do this?
    Thank you very much,
    Petr

    Hi Petr,
    Create a general enhancement program (restricted authorization) with generic name, which should be called dynamically for every datasource.
    Refer-
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/2d99121a-0e01-0010-e78c-b1ae566a2413?overridelayout=true
    Not personally tested but check following.
    In that program, you may try applying following logic:
    1) You may need to use TYPE ANY field symbols
    2) In While Loop until all fields of C_T_DATA checked, may be a counter based on total number of fields.
        DELETE C_T_DATA where <TYPE_ANY1> EQ (OR use IN) specific value(s) of Personnel Area
        DELETE C_T_DATA where <TYPE_ANY1> CS (Contains, check pattern) specific value(s) of Personnel Area
    ENDWHILE.
    Optionally: For Standard DataSources in the same program you can add logic based on the standard field only, "WERKS".
    Note: You may need to research on dynamic pointing using field symbols for every field.
    Thanks
    Arun Purohit

  • Authorizations to restrict Query Designer with Only Display option

    Hello,
    I have looked at almost all possible ways on the internet to find a suggestion/solution for the below, but in vain.
    I would like to know the transactions, authorization objects and profiles that are responsible for restricting users so that they cannot change and copy queries from QD.
    I need only the display option for queries.
    Also, please confirm whether we should restrict the same from transaction SCC4.
    Thanks In Advance.

    Hi there,
    Since you're talking about a QD system, you should lock it in transaction SCC4.
    In case you need to change things in QD without opening the system in SCC4, you can go to transaction rsa1 -> transport connection and click on Object Changeability. In there you can define what particular options are "opened for changes" even with SCC4 in closed mode.
    Also, for roles having those objects, you should use the authorization objects S_RS_COMP and S_RS_COMP1 with Activity with value 02 - Display.
    Diogo.

  • SAP_ALL & SAP_NEW profile

    Dear Friends,
    What is the difference between the SAP_ALL and SAP_NEW profiles?
    Does sap_new have all the content of sap_all plus the new content, or not?
    Also, please provide the other standard SAP profiles.
    Thanks.
    sachin

    Hello Sachin,
    SAP_ALL: A composite profile, normally assigned to administrators.
    To assign all authorizations that exist in the SAP system to users, assign the profile SAP_ALL. (Normally "all authorizations" in the above sentence means those for SAP standard objects.)
    SAP_NEW: - Composite profile to bridge the differences in releases in the case of new or changed authorization checks for existing functions, so that your users can continue to work as normal. This composite profile contains very extensive authorizations, as, for example, organizational levels are assigned with the full authorization asterisk (*).
    Let me mention a few things that I know the SAP_NEW authorization object does not have the authorization for:
    1. Create a user, change a user's record
    2. Can't create a role and can't generate a profile.
    Let me mention a few things that the SAP_NEW authorization object has,
    like access to newly created customized objects.
    If you have any more queries regarding the difference between these two, refer to this link:
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/52/6711b8439b11d1896f0000e8322d00/frameset.htm
    Regards,
    Kanthi. D
