Restricting authorizations in PA30 within the payroll department

Similar Messages

• Any ideas on restricting userID Role Assigment within the SAP Security Team

  Hello,
  I have gotten a request to look into restriction of assignment of roles to oneself within the company SAP Security Team. Thoughts I have come up with so far involve the use of UserID User Groups, Role Assignment Ranges, and forcing all role assignements for all userIDs through GRC-AC CUP for QA and Prod. Has anyone come up with a workable solution that is outside of these suggestions that they have put into practice?
  Thanks in advance for your help!
  John

  Hi John,
  There can be a manual control in place and individual should not assign role/s to himself / herself.
  Otherwise, security team members can be assigned to a specific group (let say Security) and they shouldn't have access to authorization S_USER_GRP with ACTVT 22 & CLASS - Security.There should be a dedicated power user to assign the role/s to the security team members and this can be auditted (SM20 log for manual super user / FireFighter log for FireFighter user).
  Thanks
  Prasanna

• Authorizations setting for running the process chain

  Hai
  Iam planning to run the process chain for loading the data into ODS. But i dont have authorization for it.
  so what are the authorizations i need to run the process chain in my system. And how can i set all those authorizations to my user-id.  I have all authorization rights .
  Pls let me knw
  kumar

  Hi,
  Authorizations for Process Chains
  Use
  You use authorization checks in process chain maintenance to lock the process chain, and the processes of the chain, against actions by unauthorized users.
  ·        You control whether a user is allowed to perform specific activities.
  ·        You control whether a user is allowed to schedule the processes in a chain.
  The authorization check for the processes in a chain runs when the system performs the check. This takes place upon scheduling or during synchronous execution. The check is performed in display mode. The check is performed for each user that schedules the chain; it is not performed for the user who executes the chain. The user who executes the chain is usually the BI background user. The BI background user automatically has the required authorizations for executing all BI process types. In attribute maintenance for the process chain, you can determine the user who is to execute the process chain.
  See also: Display/Maintenance of Process Chain Attributes ®  Execution User.
  Features
  For the administration processes that are bundled in a process chain, you require authorization for authorization object S_RS_ADMWB.
  To work with process chains, you require authorization for authorization object S_RS_PC. You use this authorization object to determine whether process chains can be displayed, changed or executed, and whether logs can be deleted. You can use the name of the process chain as the basis for the restriction, or restrict authorizations to chains using the application components to which they are assigned.
  Display/Maintain Process Chain Attributes
  Use
  You can display technical attributes, display or create documentation for a process chain, and determine the response of process chains during execution.
  Features
  You can display or maintain the following attributes for a process chain:
  Process Chain ® Attribute ® ...
  Information
  Description
  ( Rename)
  You can change the name of the process chain.
  Display Components
  Display components are the evaluation criterion in the process chain maintenance. Assigning the process chains to display components makes it easier to access the chain you want.
  To create a new display component, choose Assign Display Components in the input help window and assign a technical name and description for the display component in the Display Grouping dialog box that appears.
  Documents
  You can create and display documents for a process chain.
  For more information, see Documents.
  Last Changed By
  Displays the technical attributes of the process chain:
  ·        When it was last changed and who by
  ·        When it was last activated and who by
  ·        Object directory entry
  Evaluation of Process Status
  If you set this indicator, all the incorrect processes in this chain and in the overall status of the run are evaluated as successful; if you have scheduled a successor process upon error or always.
  The indicator is relevant when using metachains: Errors in the processes of the subchains can be evaluated as “unimportant” for the metachain run. The subchain is evaluated as successful, despite errors in such processes of the subchain. If, in the metachain, the successor of the subchain is scheduled upon success, the metachain run continues despite errors in “unimportant” processes of the subchain.
  Mailing and alerting are not affected by this indicator and are still triggered for incorrect processes if they have an upon error successor.
  Polling Indicator
  With this indicator you can control the response of the main process for distributed processes. Distributed processes, such as the load process, are characterized as having different work processes involved in specific tasks.
  With the polling indicator you determine whether the main process needs to be kept until the actual process has ended.
  By selecting the indicator:
  -         A high level of process security is guaranteed, and
  -         External scheduling tools can be provided with the status of the distributed processes.
  However, the system uses more resources; and a background process is required.
  Monitoring
  With the indicator in the dialog box Remove Chain from Automatic Monitoring?, you can specify that a process chain be removed from the automatic monitoring using CCMS.
  By default CCMS switches on the automatic process chain monitoring.
  For more information about the CCMS context Process Chains, see the section BW Monitor in CCMS.
  Alerting
  You can send alerts using alert management when errors occur in a process chain.
  For more information, see Send Alerts for Process Chains.
  Background Server
  You can specify here on which server or server group all of the jobs of a chain are scheduled. If you do not make an entry, the background management distributes the jobs between the available servers.
  Processing Client
  If you use process chains in a client-dependent application, you can determine here in which client the chain is to be used. You can only display, edit, schedule or execute the chain in this client.
  If you do not maintain this attribute, you can display, edit, schedule or execute the process chain in all clients.
  Process variants of type General Services that are contained in a process chain with this attribute set will only be displayed in the specified client.
  This attribute is transported. You can change it by specifying an import client during import. You must create a destination to the client set here in the target system for the import post processing (transaction RSTPRFC)  The chain is activated after import and scheduled, if necessary, in this client.
  Execution User
  In the standard setting a BI background user executes the process chain (BWREMOTE).
  You can change the default setting so that you can see the user that executes the process chain and therefore the processes, in the Job Overview. You can select the current dialog user who schedules the process chain job, or specify a different user.
  The setting is transported.
  The BI background user has all the necessary authorizations to execute all BI process types. Other users must assign themselves these authorizations so that authorization errors do not occur during processing.
  Job Priority
  You use this attribute to set the job priority for all of the jobs in a process chain.
  Hareesh

• Authorization issues in executing the chain

  Hi Techies,
  When im triying to execute the chain, the chain allows me to do so and went well but all the jobs corresponding it were running under my ID. Later I tried to schedule the chain on ALEREMOTE, but it throws error saying ALEREMOTE do not have authorization to execute the infosources as it hits its first infosource.
  We made the Trace On and tried to find any unauthorized hits in it, but the trace went well wthout any error.
  Need to confirm:
  1. ALEREMOTE was assigned with CPIC User role, does this effects?
  2. In BW Global Settings, for the field BW suer ALE entry have ALEREMOTE, where earlier it was not there. After making this entry, the chain does not even allow to trigger on my ID and on ALEREMOTE.
  3. If this entry effects, whats the significance of this field.
  Regards,
  Subhash.

  Hi Subhash,
  for the administration processes that are bundled in a process chain, you require authorization for authorization object S_RS_ADMWB.
  To work with process chains, you require authorization for authorization object S_RS_PC. You use this authorization object to determine whether process chains can be displayed, changed or executed, and whether logs can be deleted. You can use the name of the process chain as the basis for the restriction, or restrict authorizations to chains using the application components to which they are assigned.
  http://help.sap.com/saphelp_nw70/helpdata/en/35/c7e442e3c15704e10000000a155106/frameset.htm
  The BI background user has all the required authorizations to execute all BI process types. Other users have to assign themselves these authorizations so that authorization errors do not occur during processing.
  http://help.sap.com/saphelp_nw70/helpdata/en/d3/53e03b8235953ee10000000a114084/frameset.htm
  Hope this helps.
  Regards
  Andreas

• I need a prior version of firefox...version 1.5 because my payroll department software is not compatible with firefox 6.0... how do I get the other - older - version ??

  my payroll department uses eSAP payroll program. It is NOT compatible with your new version...6.0. I need your older version 1.5 so i can access my payroll records. I am currently being forced to use Internet Explorer and I absolutely HATE that software.
  please help !!! How do I get the older version? Version 1.5 - thank you.

  I would hope the problem is that Firefox 5 is not compatible with some of McAfee's additional add-ons. It will be rather worrying if it has a problem with the McAfee security programs themselves. Please state exactly which software and version you are having problems with.
  There are known issues with McAfee's Site Advisor [/questions/839953#answer-205178] but it is hoped McAfee will solve that in a few weeks.

• Restrict Authorization at Material level during production confirmation

  Hi SAP Gurus,
  I would like to ask if its possible to restrict authorization at Material Level during production confirmation.
  Our scenario is we have SFG and FG which are handled by different group of people but it has the same Order Type. Now we want to restrict authorization such as one department can only confirm SFG and the other department can confirm FG only.
  Is it possible to set authorization at material type or production scheduler level. IF not possible, is there other way except creation of new Order Type?
  Thanks,
  Raymond

  Hi Raymond,
  DO you mean I should create a customized table for this?
  Yes
  Are there no standard way?
  As per my knowledge, you can control through production order type, so you need to create seprate order type for this
  Thanks,
  Sankaran

• Restricting Authorization for a specific Info-object

  Dear All,
  I have a scenario where I have to restrict the account managers by specific channels.
  I have 2 info-objects, Sold-to party and Sales Channel. Sales Channel is defined as attribute of the the Sold-To Part info-object.
  I was exploring the BI authorizations concept in SCM 2007.
  I created a authorization called "Test" and assigned the info-object Sales Channel in the authorization and restricted it for one value. This authorization along with 0BI_ALL I have added to the role under BI authorizations.
  However in interactive demand planning, I cannot restrict by the sales channel. It allows me to load data for all the channels.
  If I remove 0BI_ALL object, then I cannot load anything in interactive planning.
  Does anyone have a step by step proceedure for using the BI authorization concept?
  Regards,
  Kedar

  Yes, 0TCAACTVT (activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (validity) have to be made authorization relevant. For the info objects you want to use to control security, also make them authorization relevant in RSD1, imagine the object you want relevant is ZZ_VKORG (sales organization).
  Then use RSCEADMIN transcation and 0BI_ALL will include the objects from above, copy 0BI_ALL into a object such as Z_1000 and then change the value for the specific info object that you want to control, imagine that you want sales org 1000 only to be allowed within Z_1000.
  Now, you have 2 choices: You can use the normal security maintenance (SU01, PFCG) and you can asssign RSRS_AUTHBIAUTH and set BIAUTH requal to Z_1000 or you can use user maintenance directly within RSCEDAMIN and assign Z_1000 to the user. Either way, it becomes part of the authorization of the user.
  You may find that you need to introduce colon authorization concept ( for mixed levels of data and that is just a matter of adding a second line to the allowable values and setting it like "EQ :".
  Things to consider:
  1. This authorization concept is water tight and will do everything you need, but will do at the expense that if you don't model it first, you will kill yourself trying to make it right. This becomes evident when you trace a security issue (via RSCEADMIN) because the way BI7.0 works is that it will build a minimized superset of authorizations, so it is best to know where you want to get to, rather than starting off by where you know you need to go.
  2. To control change or display mode, you will need to influence 0TCAACTVT, even though you might think to use C_APO_SEL3 for ACTVT, the BI7.0 concept works within the BI space and 0TCAACTVT doesn't impact it.
  3. If you activate more info objects, 0BI_ALL will get updated automatically but your custom  authorization objecst will not. So, it is best to activate them all at the same time so that you don't have to manually change them.
  4. Do the work in development and transport it to the TEST/QA/PROD environments, there are transprt tools within the RSCEADMIN.
  This is probably enough to get you going, reply back if you have specific questions or issues.
  I've been thru this in a painful way, sometimes the best things learned are learned the hard way

• Restriction of time posting within CATS and PS networks and activities

  Hello to you all,
  Prior to post this message, I've tried to check if there was any existing topic which could help, so sorry if this was the case...
  I'd like to know if there was any possibility within SAP standard functions to restrict possibilities of time posting within CATS on PS networks and activities.
  Actually I'd like to know if it could be possible that a user can only post times on Networks / Activites which he has been given authorizations?
  Is there anything existing within the customizing or maybe authorization objects which can be managed, or nothing in standard SAP and so a specific development would be required?
  Thank you very much in advance for you advices and experiences...
  Best Regards.
  DT.

  Hello,
  I am not that expert on PS, but from CATS point of view you can validate the Time sheet with CATS0003 or CATS0006
  You could do something like:
  CLEAR i_messages.
  LOOP AT CHECK_TABLE
    IF CHECKTABLE-<Field you want to validate>.
        i_messages-msgty    = 'E'.
        i_messages-msgid    = <>
        i_messages-msgno    = <>
        i_messages-pernr    = check_table-pernr.
        APPEND i_messages.
    ENDIF.
  ENDLOOP.
  For more information you can refer to:
  https://wiki.sdn.sap.com/wiki/display/ERPHCM/User-exitsinCATS
  Regards,
  Bentow.

• SharePoint Foundation Sandboxed Code Service - Unable to activate worker process proxy object within the worker process

  Issue:
  On a vanilla installation, the sandboxed code service (e.g. SPUCHostService.exe) is started; however, SPUCWorkerProcessProxy.exe and subsequently SPUCWorkerProcess.exe fails to start.
  Resolution/Workarounds attempted:
  Attempted 2 different Load balancing settings – local and remote (i.e. affinity)
  Ensured local computer policy on server for ‘RPC Endpoint Mapper Client Authentication’ and ‘Restrictions for Unauthenticated RPC clients’ is disabled.
  Ensured following key in registry is set properly - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC
  Attempted to bypass SharePoint’s check for certificate revocations at crl.microsoft.com
  Ensured the service account is added to the respective groups (e.g. Performance Log Users, Performance Monitor Users, IIS_IUSRS, WSS_ADMIN_WPG, WSS_WPG)
  Increased limit of ‘AbnormalProcessTerminationCount’ of SPUserCodeService via Powershell
  We have tried all possible workarounds from the following MSDN reference:
  http://blogs.msdn.com/b/sharepointdev/archive/2011/02/08/error-the-sandboxed-code-execution-request-was-refused-because-the-sandboxed-code-host-service-was-too-busy-to-handle-the-request.aspx
  ULS:
  02/21/2014 05:24:50.64  SPUCHostService.exe (0x0230)  0x0F74  SharePoint Foundation Sandboxed Code Service              fe8a               
  Medium               -  - Unable to activate worker process proxy object within the worker process: ipc://38432b45-2f32-4926-ade2-ef53ae1cd501:7000  
  02/21/2014 05:24:50.64  SPUCHostService.exe (0x0230)  0x0F74  SharePoint Foundation Sandboxed Code Service              fe8c               
  Medium               -  - Error activating the worker process manager instance within the worker process. - Inner Exception: System.InvalidOperationException: Unable to activate worker
  process proxy object within the worker process: ipc://38432b45-2f32-4926-ade2-ef53ae1cd501:7000     at Microsoft.SharePoint.UserCode.SPUserCodeWorkerProcess.CreateWorkerProcessProxies()    
  02/21/2014 05:24:50.64  SPUCHostService.exe (0x0230)  0x0F74  SharePoint Foundation Sandboxed Code Service              ei0t               
  Medium               - Process creation/initialization threw an exception. Stopping this process. "ipc://38432b45-2f32-4926-ade2-ef53ae1cd501:7000"
  02/21/2014 05:24:50.65  SPUCHostService.exe (0x0230)  0x0F74  SharePoint Foundation Sandboxed Code Service             
  fe87                Medium               -  - Error activating the worker process manager instance within
  the worker process. - Starting worker process threw - Inner Exception: System.InvalidOperationException: Unable to activate worker process proxy object within the worker process: ipc://38432b45-2f32-4926-ade2-ef53ae1cd501:7000     at Microsoft.SharePoint.UserCode.SPUserCodeWorkerProcess.CreateWorkerProcessProxies()   
  Any other insights on how I can troubleshoot the issue described?
  Thanks in advance!

  Hi ,
  For resolving your issue , you can do as the followings:
  1. Logged into the Web Server with the Timer Service Account.
  2. Ran the powershell command to check the SID of the account running the spucworkerprocessproxy.exe:  
  $(Get-SPManagedAccount -Identity "THE SERVICE ACCOUNT").Sid.Value
  3. Checked the registry :
  HKEY_USERS\[SID OF THE SERVICE ACCOUNT]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
  4. Changed the value 0x00023c00 to 0x00023e00
  In addition, here are some similar posts for you to take a look at:
  http://social.technet.microsoft.com/Forums/en-US/aae497df-5f0d-4f86-a724-c7b805ccd07f/sharepoint-sandboxed-code-service-troubles?forum=sharepointgeneralprevious
  http://blogs.technet.com/b/operationsguy/archive/2011/01/17/sharepoint-2010-sandboxed-code-solutions-and-web-proxy.aspx
  http://social.msdn.microsoft.com/Forums/en-US/c21e2c3a-a259-4d5f-8071-eff52b7bddc3/issue-sandbox-solution-too-busy-to-handle-the-request?forum=sharepointgeneralprevious
  I hope this helps.
  Thanks,
  Wendy
  Forum Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Wendy Li
  TechNet Community Support

• Delivery Schedule within the Firm Zone of a SA not firming

  Hello,
  We have delivery schedules within firm zone (defined in the Additional Data in item detail) of a SA but they are not firmed by MRP run.
  Here is the material master setting and other relevant information:
  MRP Type = PD (firming type = blank)
  Planning Time Fence = 0 (in MRP1 view)
  Not check the flag in OMIN to firm only the transmitted schedule line
  Maintained Firm/Trade-off zone (as mentioned above) and Binding on MRP = '1' in an item of a SA
  The delivery schedule supposedly be firmed based on the firm zone but is keep pushed out instead after MRP run.
  I appreciate very much if you can tell what's causing the problem and how to remedy it.
  Kind Regards,
  Eddie

  Eddie,
  Your batch job is OK however until the delivery schedule with new schedule line proposals has been transmitted they can be changed by MRP as they are not yet firm.
  From my experience the OMIN settings affect the MRP type firming settings (P1, P2, ...) not the SA related firm settings. Here the binding on MRP key is determining what MRP can change or can not change.
  See here the extract out of the help function on the OMIN setting.
  Firm Only Schedule Lines Transmitted to Vendor by Purchasing
  If you set this indicator, the system only firms the schedule lines which have been transmitted to the vendor by the purchasing department.
  Use
  This function is used if you use a planning time fence in the planning run. If you use firming type 1 ("Automatic firming and order proposals are displaced"), the system automatically firms existing schedule lines when they move into the planning time fence.
  Use this indicator if you only want the system to firm schedule lines that have already been checked and passed on to the vendor per message transfer. If, for example, the quantity of a schedule line was changed but the changed quantity has not yet been passed on to the vendor, then the old quantity that has already been passed on to the vendor is firmed as soon as this schedule line moves into the planning time fence.

• HT1420 I purchased new computers twice within the same year because they old were damaged in a storm.  However, I can't deauthorize/reauthorize the new computers.  How do I deal with this situation.

  I purchased new computers twice within the same year because they were damaged in a storm.  However, I can't deauthorize/reauthorize the new computers because it has been less than a year.  How do I deal with this situation?

  BrianBlaze wrote:
  I have 3 Computers at home, I am studying computer sciences and am constantly rerformatting my computers, installing windows and linux over and over again.... EVERYTIME I reformat I have to authorize the same computer and so it takes up one of my 5 authorized computers... Anyways after deauthorizing all my computers in september I was not aware I couldn't do it for another year (why does APPLE assume these stupid tactics prevent piracy). Anywysw I need to reach apple and have them make it so I can do it again. I had a similar problem with Playstation and when I called them they fixed it for me... even windows (which you can only have one serial per computer) made it easy because all I had to do was call them and they fixed it for me. Now I need APPLE to do the same and this is the only place I could see to actually say what is going on... I can't believe I have to do this with my iPhone... I wanted an mp3 player and a phone together and if I can't put new songs until September 20, 2012 I am going to freak out!
  HELP!
  Brian
  Try this link: http://www.howtogeek.com/howto/23974/beginner-deauthorize-all-computers-associat ed-with-your-itunes-account/

• How to restrict authorization based on profit center in ke80 report

  hi friends
  we have a situation where we need to maintain the authorization based on profit center in ke80 report. The authorzation object K_PCA is not working. whenever we assign a particular profit center and then generate the profile, we still get the message no autjorization and when we check su53 it shows it needs '' asterisk. but we cant assign the asterisk as we have 5 subsidaries and there are using 5 different set of profit centers so assigning asterisk () would be comprimising on our security.
  does anybody came across this situation and if yes how did they resolve this?
  I need your suggestions on how to maintain this restriction.
  Regards,
  Imran

  Hi Friends
  The problem has beend solved. It turns out that this is a report writer issue. We raised the issue with SAP and they informed that 'For Report Painter/Writer every item is checked if you have the authori-zation or not. Only the items with authorization fullfilled will be displayed afterwards'.
  Based on SAP answer we created different reports for each profit center/company code.
  I would like to thank you all for your time and inputs.
  Regards,

• How to restrict authorization for OBC4

  Dear all
  How to restrict authorization for obc4( field status) for user id wise
  Regards
  nasa

  Hi Nasa
  You try to use the S_TABU_LIN object. With this object you can control access to tables (called from maintenance views, SM30 etc) based on the database key for the table.
  And as far as I cant see, the OBC4 transaction is just a couple of maintenance views for V_T004V andf V_T004F.
  You can find a small how-to [here|http://www.mhn-consulting.com/s_tabu_lin.html]
  Regards
  Morten Nielsen

• What steps are required to configure the Payroll Tax ( USA)?

  Hi All,
  Please answer
  What steps are required to configure the Payroll Tax ( USA)?.
  Thanks in Advance
  Thank you,
  GKReddy.K

  hi Dan
  this is covered in the Rapid Clone documents -- Refreshing a Target System
  Note: 230672.1 - Cloning Oracle Applications Release 11i with Rapid Clone
  Note: 406982.1 - Cloning Oracle Applications Release 12 with Rapid Clone
  you should run adautocfg.sh on the application tier as well. Otherwise the essential information regarding your application tier will not be registered within the database and you will not be able to connect to your database through the application.
  adcfgclone will not be necessary on the application tier.
  Yes, you need to run AutoConfig to populate FND_NODES with the application nodes information. You may also need to clear the FND_NODES table as described in the following note:
  Note: 260887.1 - Steps to Clean Nonexistent Nodes or IP Addresses from FND_NODES
  https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=260887.1
  source;- https://forums.oracle.com/thread/652681
  AppsMasti
  Sharing is Caring

• To restrict authorization of tcode MEK1,MEK2,MEK3,MEK4 at plant level

  Hi,
  We have  a requirement where we need to restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.
  Presently we can restrict authorization at Purchasing organization level but not at Plant level.
  Any pointer please!
  Regards,
  Chetan

  Hi,
  You can restrict the users for the authorization of these T-Codes on their  User ID. Take help of  Basis who controls Roles & Profiles. (T-Code PFCG)
  Hope this helps,
  Best regards
  Amit Bakshi