Restrict HR Authorization Object PLOG By HR Structural Auth Profile

Via OSS Note 453786, SAP requested customers not to use HR Authorization Object PLOG_CON. 
We have a requirement to restrict HR Authorization Object PLOG by HR Structural Authorization Profiles. How are other customers able to accomplish this objective without authorization object PLOG_CON being used?
(Custom solution:  ZPLOG_CON/custom FM, or use HRBAS00_STRUAUTH BADI)?
Thank you,
Ken

Ken,
1. the note you mentioned is specific to sap version 46b. is that the version your client is on? just wanted to check.
2. then you have not mentioned anything about the requirement, i mean explicit details.. without which it is very difficult to come to a solution.
3. you look like you are on the right track of thinking though with the z-auth-object/function module/badi thingy...
4. ultimately solution is dependent on the explicit requirements.
the 'con' bit usually refers to context sensitiveness of security when a mixture of regular and structural auths would not meet the security requirements.... so at a high level:
1. design the structural profile with the right combo of eval path and function module(z-fm?)
2. do the right thing by plog by explicitly mentioning levels of auths for all objects and subtypes and infotypes as well.
3. use p_origincon to assign the structural profile
4. a combination of all of the above should do the trick...
good luck
cheers

Similar Messages

  • Restricting the authorization Object for B2B Transactions

    Hi All
    we are facing the problem in the ISA b2b app, actually the scenario is as below.
    we have various transaction types like b2b sales,Peoplesoft order,Request for Order change, RMA ,Request for Quotation(RFQ) and metel order.
    As per the requirement, The client wants only a few functionalities for a particular user.
    Example:
    Transaction Type Authorization
    PeopleSoft order View only View only
    B2B:Req. OrderCh x x
    B2B: Req. RMA
    B2B: Req. Quote x x
    Metel Order x
    For b2b sales transaction a lower level employee would only be able to view the order and he should be restricted to make any changes. Is there a possibility to restrict in this manner? This is Urgent. Please respond immediately. Thanking you in anticipation.
    Message was edited by:
    Sunil Kumar

    >
    Viral741 wrote:
    > Hi All
    >
    > I have a requirement in SAP Security to restrict the authorization object S_ALV_LAYO to a particular set of users.
    >
    > Background:
    >
    > We use composite roles which is shared across all areas (Finance, marketing, work management). Now the requirement is for from Work management to restrict S_ALV_LAYO so that user can't change default layout and can create user specific layout, but other areas are not ready for this. So please let me know if there is any way i can restrict this auth object only for work management area only.
    >
    > Thanks,
    >
    > Nitesh
    Nitesh,
    Remove access to S_ALV_LAYO for general users and give access to F_IT_ALV instead.  Keep S_ALV_LAYO for the users who will be maintaining the default layout.
    Good Luck!

  • HR restrictions required across personnel areas w/o structural auths

    The business has the need to restrict their HR users to a select population of users.  Example, we need to be able to exclude the Executive population.  The executive population is across multiple organizations (personnel areas) and we cannot use the employee subgroup field to restrict on (04) for Executives because not we have some ISA's that we have coded US-ISAs so they are not reflected in the master data as (04). We have not implemented structural authorizations but I need to know if there is a means to restricting (PA20 - display of master data) on groups of associates without structural authorizations??

    Hi,
    From my clients implementations so far, I have seen two approaches to restrict access to executive's PA data in PA20:
    1. Based on organizational key which can be restricted at role level via auth objects- P_ORGIN
    2. Implementing custom exit/BADI in the PA20 program  or implement customer specific auth object [P_NNNNN|http://help.sap.com/saphelp_470/helpdata/en/4e/74ba3bd14a6a6ae10000000a114084/content.htm] to additionally check authorization for a custom auth object while executing PA20 which restricts access for specific range of personnel numbers that belong to the executives.
    In short, either organization key (i.e personnel area + cost center) or personnel number of executives should fall within a reserved number range which can be used to restrict the access to their PA data.
    Thanks
    Sandipan

  • New structural auth. profile

    Hello!
    I need to remake old profile (O-S-P) - keep all structure, but delete authorization on personnel numbers in top (O1).
    O1
    P1
    P2
    O2
    P3
    P4
    O3
    P5
    =>
    O1
    O2
    P3
    P4
    O3
    P5
    It's possible using combination of standard evaluation paths?
    May be I need to create profile for
    O2
    P3
    P4
    O3
    P5
    + the head
    O1?
    Thanks in advance!

    So, you want to show Organisation Unit level O1, but not the positions under level O1? But you still want to show Org Units and positions for O2 and O3?
    I don't think this is possible with standard evaluation paths.
    Not sure why you'd want to do this either....!

  • Authorization Object for 0TCTBISBOBJ - restriction field too short in PFCG

    Dear all,
    I created an authorization object (TA: RSSM) with the InfoObject 0TCTBISBOBJ and 1KYFNM. When I restrict my authorization object in TA: PFCG, I can only type in 11 letters for InfoObject 0TCTBISBOBJ but I need 12 because of a bad naming convention. Working with more than one asterisk (*) in this field is not working!
    Does anyone know how to manage this problem?
    Thanks in advance
    F. L.

    Martin,
    It is not possible to restrict this in CRM.  The person, organization, and group influences the type of address for the business partner.  There are no user exits available in CRM 4.0 that are at the point to perform an authorization check on this value.
    I had to unfortunately debug and read much of BUPA_DIALOG_JOEL before reaching this conclusion.  The only way to achieve this would be to write a custom front-end to the BP transaction or PCUI screens for business partners.
    Hope this answers your question,
    Stephen

  • Authorization object M_MATE_MAR "Material Master - Material Types" in MM01

    Hi,
    We in CPS Energy are implementing Virsa SOD conflicts on the roles that are in place in current SAP 4.6C version. The authorization object M_MATE_MAR is used by MM01 (Creation of Material Master) transaction code & used at multiple roles. We have restricted this authorization object by Material Type Authorization Group (BEGRU) as WMS1 & given activity as 01, 02 & 03 in a role. The same authorization object is used in Common roles also for displaying that is using transaction code MM03 (Display Material) but the activity & authorization group are '*'. This '*' is taking precedence over the authorization object given in the other role.
    Please let us know how to put a control on this authorization object which is used widely by large number of users.
    Maintained Material Master: Material Types                              T-D119010802
    Activity                       01, 02, 03                                             ACTVT
    Authorization group          WMS1                                              BEGRU
    Any help is really appreciated
    Thanks
    Sree

    Hi Sree, your role with MM03 in it should not have * for actvt if it is only a display role.
    As it is a display role actvt 03 would be more suitable.  That way you could have display for all auth groups, but create and change/MM01&2 would be restricted to WMS1 (and any other materials with a blank auth group)

  • Authorization object for "add approver" in contracts

    Hello, Experts,
      I am looking for authorization object for adding approver in contracts.
    But without adding authorization for changing contracts.
      Regards,
        Rami Kleiman - HP

    1. you can try to restrict  the authorization object ( Manager Role-- /SAPSRM/MANAGER) for contracts to display ( remove the change).
    2. you can also change the personalization object key "BBP_WFL_SECURITY" to None (but I think this will affect all the objects like shopping carts, purchase orders etc.)
    Thanks
    velu

  • Authorization Object for Ibase

    Hi all,
      I am developing PCUI, and one of the requirement is based on login user from portal, the PCUI view for Ibase / Installed Bases should be View Only.
      Can this be restricted via authorization object, by giving the 'Display' right to the role, instead of full authorization?
      My basis inform me that he couldn't find the authorization object for Installed Bases. But I doubt it. Can any expert give me a guide?
      ** for launching the PCUI ~ Ibase, application is COMM_IBASE
    regards,
    Ginnie.

    Hi,
    Check out the object
    IB_IBASE      AAAB     Authorization Object for Installed Base
    Rakesh

  • Creation of a user with a particular authorization object (Very Urgent)

    Hi,
    There is a requirement in my project to create a user who can only reset his password. So for this I think an authorization object should be created and assign it to a profile which displays only the tab for resetting the password which is (Logon in SU01). I want to know two things in this regard.
    1. The whole process of creating customised authorization object and assigning it to a profile and
    2. Any other way to achieve the needed scenario.
    Thanks & Regards,
    Sujith
    Edited by: Sujith K on Feb 4, 2008 1:26 PM

    In transaction pfcg ,
    give single/composite role name
    give profile name and description in authorization tab, save it
    enter into change authorization data
    select manually tab
    give authorization objects name (creating auth. objects)
    fields will automatically come inside it
    enter the field values
    save and generate profiles (Profiles created)
    go to su01,
    create users (fill address, logon data, roles )
    In pfcg,
    select the role you created and click on the user comparison for giving the authorization to access.
    award points if useful

  • Error in Deleting Authorization Object

    Hi,
    I am trying to delete the authorization object in tcode RSSM, and I am getting following error:
    Could not delete profile RSR_00006165 from the DUMMY user master
    Message no. RSSBR063
    Your input will be appreciated and points will be awarded for helpful answers to resolve this.
    Thanks in advance,
    Steve

    Hi Steve,
    All your roles which are depending on the specified authorization object should be free with auth.obj and then try to remove the master data from the auth.obj and then delete the auth.obj, now it will allow you to delete the auth.obj
    Regards
    Sarath

  • Authorization Object and Authorization...!!!

    Hi BW Experts,
    Could anyone plz tell me what is the difference between Authorization Object and Authorization..!!!
    Thanks in Advance.
    Regards,
    Giftedbrain.

    Giftedbrain,
    Authorization Object:
    An authorization object groups up to ten fields that are related by AND.
    An authorization object allows complex tests of an authorization for multiple conditions. Authorizations allow users to execute actions within the system. For an authorization check to be successful, all field values of the authorization object must be appropriately maintained in the user master.
    Authorization objects are divided into classes for comprehensibility. An object class is a logical combination of authorization objects and corresponds, for example, to an application (financial accounting, human resources, and so on). The line of the authorization object class is colored orange in the profile generator.
    For information about maintaining the authorization values, double click an authorization object.
    The line of the authorization object is colored green in the profile generator.
    Authorization:
    Definition of an authorization object, that is, a combination of permissible values in each authorization field of an authorization object.
    An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    Authorizations allow you to specify any number of single values or value ranges for a field of an authorization object. You can also allow all values, or allow an empty field as a permissible value.
    If you change authorizations, all users whose authorization profile contains these authorizations are affected.
    As a system administrator, you can change authorizations in the following ways:
    · You can extend and change the SAP defaults with role maintenance.
    · You can change authorizations manually. These changes take effect for the relevant users as soon as you activate the authorization.
    The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user has sufficient authorization for a particular activity. To do this, it compares the field values specified in the program with the values contained in the authorizations of the user master record.
    The line of the authorization is colored yellow in the profile generator.
    -Doodle
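
The evaluation rule from the M_MATE_MAR thread and from the authorization-object explanation above, as an added example that is not part of the original posts: a simplified Python model (not SAP code) in which all fields of one authorization are ANDed and the authorizations of every assigned role are pooled. Role names and the auth group FIN1 are constructed; value ranges and the blank-auth-group case mentioned in the reply are not modelled.

```python
# Simplified model of an authorization check (added example, not SAP code).
# An authorization = one set of permitted values per field of an object.
# A check passes when ONE authorization satisfies ALL checked fields (AND);
# authorizations from every assigned role are pooled (OR across them).

def value_matches(allowed, wanted):
    """True if any permitted value covers `wanted`; 'AB*' is a prefix pattern."""
    for a in allowed:
        if a == wanted or (a.endswith("*") and wanted.startswith(a[:-1])):
            return True
    return False

def authority_check(roles, obj, **fields):
    """Return the name of the first role that grants access, else None."""
    for role, auths in roles.items():
        for auth_obj, values in auths:
            if auth_obj != obj:
                continue
            if all(value_matches(values.get(f, []), v) for f, v in fields.items()):
                return role
    return None

# Constructed role data based on the M_MATE_MAR thread; role names are hypothetical.
MAINTAIN = [("M_MATE_MAR", {"ACTVT": ["01", "02", "03"], "BEGRU": ["WMS1"]})]
DISPLAY_WIDE = [("M_MATE_MAR", {"ACTVT": ["*"], "BEGRU": ["*"]})]    # as posted
DISPLAY_FIXED = [("M_MATE_MAR", {"ACTVT": ["03"], "BEGRU": ["*"]})]  # as advised

before = {"Z_MM_MAINTAIN": MAINTAIN, "Z_COMMON_DISPLAY": DISPLAY_WIDE}
after = {"Z_MM_MAINTAIN": MAINTAIN, "Z_COMMON_DISPLAY": DISPLAY_FIXED}

def report(roles):
    """Which role (if any) lets the user create (01) or display (03) per group."""
    return {(actvt, grp): authority_check(roles, "M_MATE_MAR", ACTVT=actvt, BEGRU=grp)
            for actvt in ("01", "03") for grp in ("WMS1", "FIN1")}

if __name__ == "__main__":
    for label, roles in (("before", before), ("after", after)):
        for key, granted_by in report(roles).items():
            print(label, key, "->", granted_by or "DENIED")
```

With the wide display role, the create check for FIN1 is satisfied by the common display role rather than the maintenance role, which is the "precedence" effect the poster observed; narrowing ACTVT to 03 removes it while display stays open for all groups.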

  • Restrict a t.code VK11 using Site as authorization object

    Hi all,
    We want to restrict VK11 t.code using Site as one of the authorizations. By default it has only Sales Org, Distr channel and division. I've added one more field for "Site" manually.
    We have defined specific values for Site in authorization objects. Still system does not restrict VK11 executed by  user as per site. It works with Sales org/Distr ch/Division. But it does not restrict Site-wise for that role.
    Please help.
    Regards,
    Ankush

    > I've never got past 'play dead' with such objects
    Yip, I know that feeling. It is like when you leave home for a long trip having packed everything you need, but you still have the feeling that you have forgotten something important behind and will kick yourself when you need it.
    > Can you please provide step by step instructions for that?
    There is no step-by-step procedure nor medication to take for it. You just have to wait for it to dawn on you...
    Enjoy the weekend and happy coding authority-checks,
    Julius
    ps: I heard that this feeling is also caused by the rising popularity of ABAP OO programming techniques, where the checks are often natively imbedded.

  • Restricting infoobject in query designer with authorization object

    Hi,
    We have to restrict CUSTOMER infoobject with an authorization object in query designer.
    How to do this task ? Request kindly suggest.

    Through RSSECADMIN tcode. Search with this key word, you will get good docs & Wikis in SDN
    bhaskar

  • Authorization object to lock the SOLAR 02 config structure

    hi guys ,
    does anyone know of an authorization object which can help lock the configuration structure in SOLAR02,
    Users should be able to change the structure, rename it etc. but they shouldn't be able to delete any nodes in the Config Structure.
    Regards
    Praveen

    Dear Praveen,
    Have you checked the [Security Guide|http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000718044&_OBJECT=011000358700000370562009E]?
    The authorization object should be described in that document.
    Regards,
    Paul

  • BW Authorization Object to restrict Transporting Requests

    Hi...
    In our BW systems, all the developers are given the profile SAP_ALL. So, the developers have the access to transport their objects from BW Development(BWD) client to BW Quality(BWQ) Client and from BWQ to BW Production client (BWP).
    I want to restrict the developers to do the transports. What is the authorization object used to restrict the users to transport requests?
    Any documentation how to do that?
    Thanks,
    Sai.

    It can be done with the authorization objects S_TRANSPRT and S_CTS_ADMI.
    S_TRANSPRT creating transport request and S_CTS_ADMI for moving transport request.
    I would like to work on that project where I can get SAP_ALL access..:)
    Check the documentation.
    http://help.sap.com/saphelp_nw04/helpdata/en/8d/45ef39521e3314e10000000a11402f/content.htm
    Thanks.
