Restricting HR Tables fields via auth object?

Similar Messages

• Query field, Auth object (characteristic variable)

  Please bare with me as I am a little new to this and dont really know what im asking. I have been asked to populate an Auth object for a BW query field via a user exit. Basically when you add a field to the row section of the query designer, say i add 'Grant' you then get a number of characteristics, one of which is Grant(Auth), which you can set to be processing by 'Customer exit'. I have been given the user exit but am a little unsure how i would go about populating this auth object field. Any help would be much appreciated
  Regards
  Martin

  hi Mart,
  check if helps
  http://help.sap.com/saphelp_nw04/helpdata/en/6d/58f438114ee836e10000000a114084/frameset.htm
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/696affac-0701-0010-f7b5-cc431fc9365d

• Populating auth object of a BW field

  Please bare with me as I am a little new to this and dont really know what im asking. I have been asked to populate an Auth object for a BW query field via a user exit. Basically when you add a field to the row section of the query designer, say i add 'Grant' you then get a number of characteristics, one of which is Grant(Auth), which you can set to be processing by 'Customer exit'. I have been given the user exit but am a little unsure how i would go about populating this auth object field. Any help would be much appreciated
  Regards
  Martin

  Hello Martin,
  you can do this in i_step = 1 (called directly before variable entry) in Exit ZXRSRU01. There you can fill your auth object with FM RSSB_AUTHORIZATIONS_OF_USER. See also thread Re: BW Authorizations, examples and infos you can find in these docs: https://websmp210.sap-ag.de/sapidb/011000358700005475101999 and https://websmp210.sap-ag.de/sapidb/011000358700005475091999.
  Hope this helps
  Martin

• Authorization object to display table field names in english text in SE17

  Hi,
  One of users have issues with the filed name getting displayed in technical format instead of english text while browsing table information in SE17. Normally we can set this in through Settings->User Parameters. But here for this user, user parameter option is greyed out and he doesn't have access to SE16.
  Is there any other way to change user specific parameters, instead of granting him accesss to SE16 or enabling user parameters in SE17?
  Thanks,
  Mano

  Hi,
  I made him run SU53 on SE17 transaction the log is showing that authorization check failed for S_ALV_LAYO with value 23.
  Actually i have access SE16 and for me also, user parameter option is greyed out in SE17. I ran SU53 on SE17 in my session i also got same log.
  One more observation is, the user's colleague also doesn't have access to SE16 and user parameter option is greyed out in SE17 but he can view the table field names in english. So we are wondering if some authorization object is missing here.
  We do not want user to make any changes through GUI.
  Thanks,
  Mano.

• CC5.2: Auth objects database table for legacy systems

  Hi,
  Where are the auth objects for legacy systems stored?
  I mean, for SAP systems the auth objects ar stored in the tables SAPOBJ and SYSSAPOBJ.
  Can anybody help me?
  Thanks in advance

  correct formatting...I wish you could edit your posts instead of reposting!
  Just a performance tip--> since it looks as though you are looping through and performing the same statement many times, you should consider using a prepared statement:
  PreparedStatement ps = con.prepareStatement("insert into Table1 (Col1,COl2,Col3) " +
  "values ( ? , ? , ? )");
  for (int k=0; j<array1.length; k++) {
  if (array1[k] !=null)
  tt = array1[k].getArray2();
  for (int j=0; j<50; j++) {
  if (array2[k] !=null)
  ps.setString(1, tt[j].getString1);
  ps.setString(2, tt[j].getString2);
  ps.setString(3, tt[j].getString3);
  ps.executeUpdate();You will notice a significant performance gain if you are looping many times.
  Advanced--> huge performance gain if you use batch statement in this loop!
  PreparedStatement ps = con.prepareStatement("insert into Table1 (Col1,COl2,Col3) " +
  "values ( ? , ? , ? )");
  for (int k=0; j<array1.length; k++) {
  if (array1[k] !=null)
  tt = array1[k].getArray2();
  for (int j=0; j<50; j++) {
  if (array2[k] !=null)
  ps.setString(1, tt[j].getString1);
  ps.setString(2, tt[j].getString2);
  ps.setString(3, tt[j].getString3);
  ps.addBatch();
  //when completed all looping
  int[] insertCount = ps.executeBatch();Jamie

• Create organis'l level field for auth. field that occurs in multiple object

  Hello,
  When trying out PFCG_ORGFIELD_CREATE I ran into a problem:
  I want to have an organisational level field for BEGRU in C_STUE_BER (Auth.grp in BOM-header);
  there are other auth.objects that also have a field called BEGRU (eg M_MATE_MAR, M_MATE_MAT, F_BKKA_BPG);
  we have roles that have several of these objects.
  Running PFCG_ORGFIELD_CREATE leads to problems in those roles that have several of the objects with a field BEGRU. In general the values to be assigned to BEGRU in different objects is not the same.
  The only solution i can think of is to have per role only one object with field BEGRU.
  This would mean a serious redesign of our roles :-(.
  Is there another option?
  Thanks for your contributions.
  John Hermans

  Another option is to create transactions for the BEGRU and maintain SU24 for them.
  But that is not scalable for large BEGRU values and has an implication for menus and number of transactions, in addition to the number of roles...
  But BEGRU fields should be used with caution, as the objects which use them are mostly not intended to be scalable (like P_PERNR is scalable....) so Su24 or well documentented "Maintained" authorizations might be an option to switch to.
  Cheers,
  Julius

• DI API Object.Property = SQL.TABLE.FIELD

  Hi,
  I'm facing a real challenge everytime I'm trying to find the SQL table field associated with a DI API
  object property.  Any documentation on it ?
  For now I would need to know these : in the form of OBJECT.PROPERTY = TABLE.FIELD
  InventoryItem.MinInventory = ?
  InventoryItem.WhsInfo.MinimalStock = ?
  InventoryItem.QuantityOnStock = ?
  InventoryItem.QuantityOrderedByCustomers = ?
  Thank you very much

  Hi Marc,
  You can try to search for this document in SDN : API DataBase Field Mapping D 6.7 52-3.pdf
  I found it somewhere several months ago. Sorry, I dont remember where it is.
  Or if you wish I can send it to your email. its about 1.6MB. in the format of Acrobat reader.
  For your query :
  InventoryItem.MinInventory = OITM.MinLevel
  InventoryItem.WhsInfo.MinimalStock = OITW.MinStock
  InventoryItem.QuantityOnStock = OITM.OnHand
  InventoryItem.QuantityOrderedByCustomers = OITM.IsCommited
  Regards
  edy

• Table maintainance (restriction on displaying fields)

  hello
  i have created table maintainance generator.now my requirement is i dont want to display all table fields.just 2 fields want to display.all other should be in invisible.can anybody suggest me how to do it?
  regards
  soniya s.

  Hi Soniya ,
  To Hide one of the field from table into the Table Maintainance generator,
  Call one module Say :
  MODULE Hide in the PBO of the Module pool of table maintainance generator Program.
  Write the Following code in above module :
  MODULE Hide OUTPUT.
    LOOP AT SCREEN.
      IF screen-name = 'ZGIFT_DISPATCH-MAKTX'.
        screen-invisible  =  0.
        MODIFY SCREEN.
      ENDIF.
    ENDLOOP.
  ENDMODULE.                 " Hide  OUTPUT
  Replace the name of field accordingly in IF condition.
  It will Work.
  Thanx and Regards,
  Nikhil Joshi

• Same Auth Objects CM in su24

  Hi All –
  In SU24 for a Tcode SU01 in “S_TCODE” the following auth objects are CM.
  S_USER_AGR
  S_USER_AUT
  S_USER_GRP
  S_USER_PRO
  S_USER_SAS
  & for Tcode PFCG
  S_USER_AGR
  S_USER_AUT
  S_USER_GRP
  S_USER_PRO
  S_USER_SAS
  I am developing a role initially with SU01 Tcode. For the auth object S_USER_AGR, I am giving 01,02,03,06 field values.
  Later I add PFCG Tcode for same role “P_TCODE”. For the auth object S_USER_AGR , I am giving 22,21 field values.
  My question is if the role is assigned to a user
  1.     will he be able to create, change, display, & delete roles using PFCG ????
  2.     What is the best way to restrict the user’s in create, change, display, & delete???
  3.     For PFCG Tcode none of the Auth. Obj’s (the objects that are added by adding SU01 or PFCG Tcode VIA MENU)are maintained in the role what would be the implication??
  Thanks,
  VJ

  Hi,
  1.What is the purpose behind the calling of multiple Tcodes thru a single T.code .I mean to say, suppose, i require a C.Code object to be associated with a T.code for doing that, why i am connecting it to C.Code object of some other T.codes.
  Many tcodes are customized to limit the access / risk. The best example is with SM30. If an user want to maintain a table, you can create a custom transaction which skips the intial screen (user don't need to enter the table name) and allows the user to edit the right or only one table rather than many.
  You can connect your custom authorization object to F-67, it will not affect FBV1. the settings from FBV1 can be overwritten with the entries in F-67. use transaction SE93 to see more details and customization in transaction F-67.
  2.If i assign a C.Code (let say 1000)thru object F_BKPF_BUKRS to a user,does it mean that,i don't need to assign that C.code to user again for access related to C.code 1000 in the accounting document area.Or is there anything like that, the C.Code access will be coded globally for that user for all C.code related access for FI, MM and SD.
  Once you assign the authorization to a company code 1000 it means user has access to this company code across modules. This is subject to the transactions and thier authorization objects attached to them in other modules. Note that all the transactions doesn't perform authorization check for Company code.
  3.Is there any T.code,from where i can associate a authorization object with a T.code.
  You can use SU24 itself.
  Hope it clarifies your queries.
  Regards,
  Gowrinadh

• Restrict HR tables

  Hi
  Could you pls tell me How to restrict HR tables in S_TABU_DIS and display all other
  thanks in Advance

  Hi Prasad,
  As I said, identify all the authorisation groups placed on the HR tables and make sure that these are <i>not</i> included in S_TABU_DIS for the normal users.
  Your HR team will tell you exactly which tables contain sensitive data.  All the tables that don't have an authorisation group assigned to them (you can see this in table TDDAT) should have an authorisation group assigned against them.  Not all HR tables are just in the H* and P* name spaces so you need to get the input from someone who properly understands the tables (you may be able to find a list somewhere here: SAP ERP Human Capital Management (SAP ERP HCM))
  This way you can split table access between Non-HR (They don't have any HR relevant table auth groups in S_TABU_DIS field DICBERCLES) and HR (They have access to the restricted auth groups).
  It's not a straightforward piece of work as access to tables via SE16 etc (I assume that's why you need to protect the data) is not designed for granular access without a considerable amount of additional work being involved.
  I hope that answers your question

• Restriction for table maintainence

  Hello Gurus,
  I am working on a SLO project, where i had merged 5 source systems to one system.
  In few roles in source systems for table maintainence the authorization groups is maintained as '*' in production.
  In source systems if they maintain * they would be able to display/change the data related to that system only.
  But now in target system , if we maintain * in authorization group they are able to display/change the data related to all the 5 systems.
  This need to restricted, Please provide some pointers on how this can be done.
  This restriction should be in such a way that they should be able to change data related to the system they belong to .
  Thanks,
  Sanketh.

  >
  Sanketh Teegala wrote:
  > Thanks for the reply prashanth.
  >
  > But , suppose consider users are maintaining table T001B. ( they are maintaining it through parameter transactions).
  > as it is a standard table it has been assigned to same authorization group in both source and target systems.
  > In source system , user is able to view data related only that system.
  > But in target system user is able to view other system data also.
  >
  > How can i restrict this data ?
  >
  > Thanks,
  > Sanketh.
  Hi Sanketh,
  I hope you are progressing with your SLO task.  Once you have finished this project, most things will be simple in comparison
  Unfortunately your requirement is not a simple one
  You could use line item auths (nasty to set up IMO).  Have a search for info on auth object S_TABU_LIN
  Alternatively you could introduce auth checks on key auth fields (e.g. BUKRS, WERKS etc) into the method that you use to display table data.  This would likely require new transactions with validation code that is performed before data is displayed or limits what can be updated.  Another messy approach would be to use parameter transactions that pass in an org unit into the table selection criteria.  You would need one for each org unit so will likely not be practicable.
  What I would say is that focus on what is legally required.  If none of it is required by law then focus on getting the rest of your consolidation done first and then address this in partnership with your project development team.

• Passing a table-field value in Crystal to a Store Procedure in SQL Server

  I have been checking all over the interenet via searches and although some seem to come close to this, its still not what I want.
  Essentially I need to pass value from Table-Field record (for each record read/selected) via a paramete to a Stored Procedure(SP) in SQL Server 2205/2008.  I do NOT want to be prompted for a value for this parameter each time the report is run, simple pass the value in which will be used along with other select criteria to bring back one value for the report to use in a calcuation per record.
  The value of the parameter is a date, but I understand it would be better to pass it in as a varchar(8) - 'YYYYMMDD' - and then reconvert it inside the SP, as follows:
  In Crystal Reports 2008 SP3, I have a formula defined as,
  trans_date = ToText ({F1ARS_STMT_WS_TRAN.TRANS_DATEI}, 'YYYYMMDD')
  and essential just want to pass this to the SP below ... i.e. trans_date  ---> @strTransDate
  I then link the key fields [EXCH_RATE_TABLE_NAME] and [TRANS_CCY_CODE] to other tables in the Database Expert, and put [EXCH_RATE_AMT] on the report and use it to calculate what I want.
  This works fine when the prompt comes up and I put in a proper date, but I don't what it to prompt, but simple pass the F1ARS_STMT_WS_TRAN.TRANS_DATEI in via the fornula/parameter and let teh SQL do the rest for each record selected..
  CREATE PROCEDURE [dbo].sp_GET_EXCH_RATE_AMT (@strTransDate varchar(8))     --use format 'YYYYMMDD' to represent the date as a string.
       -- Add the parameters for the stored procedure here
       -- @TransDate datetime = now
  AS
         declare @TransDate datetime
       set @TransDate = CONVERT(DATETIME, @strTransDate, 112)
  BEGIN
       -- SET NOCOUNT ON added to prevent extra result sets from
       -- interfering with SELECT statements.
       SET NOCOUNT ON;
      -- Insert statements for procedure here
  SELECT [EXCH_RATE_TABLE_NAME], [TRANS_CCY_CODE], [EXCH_RATE_AMT]
  FROM [F1CCY_EXCH_RATE]
  WHERE [MAJOR_CCY_CODE] = 'BBD'
  AND   [START_DATEI] =
       SELECT MAX([START_DATEI])
       FROM [F1CCY_EXCH_RATE]
       WHERE [MAJOR_CCY_CODE] = 'BBD'
       AND   [START_DATEI] <= @TransDate
  END
  GO
  GRANT EXECUTE ON sp_GET_EXCH_RATE_AMT TO PUBLIC
  GO
  Thanks for any help.  Can't tell the headache this has caused my both literally and figuratively.

  Hello,
  I moved your post to the Report Design forum. Lots of SQL help in here...
  I believe the problem is due to you using a Parameterized Stored Procedure. The first thing CR has to do is connect to your DB source which requires the date parameter before it can run the query to add the date filter, it's the SP that is prompting for the parameter. Therefore the report has not run so it can't get the field value from the report until you fill in the info for the SP. Catch 22 problem.... Which came first, the Chicken or the Parameter....
  The report will work as you have noted but I don't know of anyway to refresh unless parameter is filled in again....
  Jason has a lot of great solutions when it comes to these dilemmas, Possibly using a Command Object may help but I believe you will still run into the same issue....
  Only way I can think of is to not use a parameter in the SP and let CR do the filtering client side. Of course this means all data is coming back to the client PC as you are likely trying to find a work around for.
  Thank you
  Don

• P_GROUP Field in S_DEVELP Object?

  Hi Experts,
  When user needs a S_DEVELOP Object,provides the SU53 with P_Group as <dummy>.We also provides the user with S_Develop with P_GROUP as blank.Even P_GROUP field is blank, user is able to work.Then what is the purpose of P_Group field in S_Develop?
  Kindly help me.
  When I searched in Internet,I am not able to get enough information about P_GROUP field on S_DEVELOP Object.
  Regards,
  Karthika

  p_group in s_program is used for submitting the report, protecting variant maintenance, scheduling it in a background jobstep, etc. So, it is for using the report.
  p_group in s_develop is used for the development environment of the report, such as maintaining text elements, navigation in where-used-lists, changing the report attributes - which include the authorization group itself.
  If an auth group has been set via report RSCSAUTH, then it implies an intention to use it for S_PROGRAM control in SA38, SM37, etc. S_DEVELOP works better using packages and object types in my opinion.
  If you attempt to change the auth group via SE38, SE80 etc when it has already been set from RSCSAUTH, then the system will warn you. But you can accept the warning and create an inconsistency for a while... rather always use RSCSAUTH for both when making changes.
  S_PROGRAM is more usefull for you to use the group in security, but S_DEVELOP is stronger. Please be carefully with all aspects of object S_DEVELOP.
  Cheers,
  Julius

• Creating a new Search Help on a standard SAP table field?

  Good day, everyone!
  As part of a report I am writing, the customer would like to have Search Help added to the AUFEX field in table AUFK.  They would like this functionality so that when they are changing an order via t-code ko02, they can get a list of valid values to put in field AUFEX.  I would like to tie it to a zTable I've created; in my zTable, I have just 2 fields:  a key value (that will go into AUFEX) and a text description of the key value.  This zTable is used in my report.
  While I've created a Search Help on this table already for table maintenance, I've never added a custom Search Help to an existing standard SAP table field before.  I've done some Googling and other searching to see what I need to know, but I've only been able to find information on Collective Search Helps.  AUFEX doesn't yet have a Search Help field, so I don't think Collective Search Helps is my answer.
  Is this possible?  Can I add a custom Search Help to a standard SAP table field that doesn't have any Search Help linked to it yet?  Is there an existing thread or guide somewhere that can tell me how to do this?
  Thank you!

  Hi
  Yes u can: u can assign the search help to (A) data element livel or (B) field table livel.
  After creating your search help:
  A) Run SE11, insert your data element (AUFEX), press edit and insert the search help in "Search Help" area on DEFINATION tab;
  B) Run SE11, insert your table (AUFK), press edit, place the cursor on your field (AUFEX) and go to GoTo->Search help->for field
  But u should consider it'll mean to change a standard object for both cases: so u need to get the access key from your OSS.
  Max

• Access via 'NULL' object reference not possible   - GET_RANGE_TABLE_OF_SEL_

  Hi Guru's,
     i am new for WebDynpro programming.I am trying to use select-options tutorial.
  System showing select options and table binding on screen when i test the application.
  I have using search button to get the value which user will i/p.for that onaction method created, i have writen the code to get the values which user will input.
  Method  given below is of componentcontroler
  method wddoinit .
    data: lt_range_table type ref to data,
          rt_range_table type ref to data,
          read_only type abap_bool,
          lt_range_table1 type ref to data.
    data: lr_componentcontroller type ref to ig_componentcontroller,
          l_ref_cmp_usage type ref to if_wd_component_usage.
  create the used component
    l_ref_cmp_usage = wd_this->wd_cpuse_select_options( ).
    if l_ref_cmp_usage->has_active_component( ) is initial.
      l_ref_cmp_usage->create_component( ).
    endif.
    wd_this->m_wd_select_options = wd_this->wd_cpifc_select_options( ).
    wd_this->m_handler = wd_this->m_wd_select_options->init_selection_screen( ).
    wd_this->m_handler->set_global_options(
                            i_display_btn_cancel  = abap_false
                            i_display_btn_check   = abap_false
                            i_display_btn_reset   = abap_false
                            i_display_btn_execute = abap_false ).
    lt_range_table = wd_this->m_handler->create_range_table( i_typename = 'S_CARR_ID' ).
    wd_this->m_handler->add_selection_field( i_id = 'CARRID'
    it_result = lt_range_table i_read_only = read_only ).
    call method wd_this->m_handler->add_horizontal_divider
      exporting
        i_id = 'LINE'.
  endmethod.
  Method  given below is of VIEW.
  method ONACTIONSEARCH .
    DATA: NODE_FLIGHTS TYPE REF TO IF_WD_CONTEXT_NODE.
    DATA: RT_CARRID TYPE REF TO DATA.
    DATA: ISFLIGHT TYPE TABLE OF SFLIGHT.
    DATA: WSFLIGHT TYPE SFLIGHT.
    FIELD-SYMBOLS: <FS_CARRID> TYPE TABLE.
  Retrieve the data from the select option
    RT_CARRID = WD_THIS->M_HANDLER->GET_RANGE_TABLE_OF_SEL_FIELD( I_ID = 'S_CARR_ID' ).
  Assign it to a field symbol
    ASSIGN RT_CARRID->* TO <FS_CARRID>.
    CLEAR ISFLIGHT. REFRESH ISFLIGHT.
    SELECT * INTO CORRESPONDING FIELDS OF TABLE ISFLIGHT FROM SFLIGHT
                         WHERE CARRID IN <FS_CARRID>.
    NODE_FLIGHTS = WD_CONTEXT->GET_CHILD_NODE( NAME = `FLIGHTS` ).
    NODE_FLIGHTS->BIND_ELEMENTS( ISFLIGHT ).
  endmethod.
  while executing appln. error is trigger on line given below
  RT_CARRID = WD_THIS->M_HANDLER->GET_RANGE_TABLE_OF_SEL_FIELD( I_ID = 'S_CARR_ID' ).
  Err: The following error text was processed in the system BCD : Access via 'NULL' object reference not possible.
  please help me out on this issue.
  Thanks and Regards
  Vinayak Sapkal

  hi ,
  The attribute M_HANDLER is an attirbute of component controller (as told by your post) and so you cannot access it as you have done it.
  You will have to access it as .
  WD_COMP_CONTROLLER->M_HANDLER->GET_RANGE_TABLE_OF_SEL_FIELD(I_ID = 'S_CARR_ID' ).
  Try doing it.
  Or else , if you have created a similar attribute in your view itself , then it is "INITIAL" and hence you are getting the dump.
  You will have to assign the view attribute "M_HANDLER" with the value of your component controller attribute "M_HANDLER" ,because all the initializations are done in WDDOINIT of comp controller and on component controller atribute "M_HANDLER".
  Thanks,
  aditya.