Restricting the IMG authorization to a specific module only

Similar Messages

• How to restrict the user id to a specific company code?

  Hi,
  I want to restrict a user id to access a specific company code only for both customizing and application data creation. This means that the user id can do customizing and create application data for that company code only and not for any other company codes.
  how can i do this?

  Hello Raja,
  You requirement of restricting users for application data can solved by adding the company code in the organization level button and the user will be restricted to mainatin application (transaction) data for the org element for which he is authorized for, if the transaction has objects which check company code.
  Customizing data authorization can be very tricky, as most of the customizing transactions are for maintaining customizing tables will not necessarily have an authorization check for org elements. In this case you may to manually insert a object called S_TABU_LIN alongwith S_TABU_DIS it will perform the job of restricting authorizations.
  In cases where the end user is accessing tables directly with SE16 S_TABU_DIS is the object that is check and maintained in PFCG.But,Such a restriction cannot be made with S_TABU_DIS alone. Fortunately SAP provides us with another authorization object S_TABU_LIN (Authorization for Organizational Unit), which can be used in conjunction with S_TABU_DIS to enforce such a restriction.
  This authorization object works only with Maintenance Views and Customizing tables. Also note that an Organization Criterion is a prerequisite for implementing the same
  A detailed step by step procedure to be followed is given below:
  1. The first step in implementation of line authorization is defining an Organization Criterion. For this we need to access the u201CSAP Reference IMGu201D customization page from SPRO transaction.
  2. From the IMG display screen select SAP Web Application Server -> System Administration -> Users and Authorizations -> Line Oriented Authorizations. Select the execute ( ) button for the u201CDefine Organization Criteriau201D.
  3. The resulting table display show all available Org Criteria values existing in the system. For our purposes we will create a new Org Criteria to suit our needs. Select the tab u201CNew Entriesu201D as shown below.
  4. Give an appropriate name starting with Y or Z for the new value. Note that a name starting with another letter will not be accepted by the SAP system. Click on u2018Saveu2019 button to save the newly created Org Criteria. This opens a new window asking for a Workbench Transport Request. This would be required so as to transport the new Line authorization restrictions further to the test and production systems.
  5. Now select the new Org Criterion u201CY_TESTu201D and double-click the u201CAttributesu201D tab as below to define the various Org Attributes.
  6. Provide the new Attribute name and Description for the same. Also fill the Authorization field value from the provided dropdown (1st Org Criterion Attribute u2026. 8th Org Criterion Attribute). The search help field is an optional field which can be filled if a search criterion exists or has been created earlier for the specific purpose. This field enables the u201CF4u201D when filling entries in the authorization object
  7. We already have a search help (C_T001) available, which provides as an F4 help the list of all available Company Codes in the system.
  Note that we can create up to 8 Org Attributes as per our requirements (by selecting u201CNew Entriesu201D tab), each corresponding to a column in the target table.
  8. Selecting the attributes link again will show us a list of all defined attributes and the authorization Field it will appear in. Now that we have defined the Attribute Field that we require, we need to associate each attribute to the corresponding Table Field in the target table.
  Select one of the attributes as below and double-click on the u201CTable Fieldsu201D button to define the field associations.
  9. Select the u201CNew Entriesu201D tab to create a new table field association.
  10. The View/table field must be filled with the target table which we need to control.
  11. The u201CField Nameu201D will require the field name of the target table which be linked with the specific Org Attribute. Performing an F4 on this field will display the list of all possible fields available in the View/table provided earlier. Here we will select the field name BUKRS (Company Code). Save the entries in the same workbench request created earlier.
  12. The next step would be to activate this new Org Criterion so that SAP now checks the authorization for S_TABU_LIN for every user
  13. In the u2018IMG displayu2019 go to SAP Web Application Server -> System Administration -> Users and Authorizations -> Line Oriented Authorizations. Select execute ( ) button for the u201CActivate Organization Criteriau201D.
  14. From the resulting customization screen tick the check-box for the Org Criterion that we have created. On saving the settings the system then asks for a Customizing Transport Request for further transport into test and development systems.
  15. Any user without this authorization will not be allowed in to the SM30 display/change screen for this table.
  16. In the role for which the S_TABU_DIS provides maintenance access for the table , we will now also need to maintain the object S_TABU_LIN.
  17. On selecting change button besides any authorization field you will need to select the Organization criterion which needs to be maintained here. Note that only one Org Criterion can be maintained in one instance of S_TABU_LIN object.

• Restrict the Keyboard entry and entry through scanner only

  Dear Experts,
  I have a scenario, A manufacturing company while billing products to the customers will scan the serial nos in the sale order. The serial numbers are wrongly typed during the manual entry.
  Hence Business has implemented Bar Code scanning for scanning serial numbers. Still users are manually entering serial numbers,
  To bring tight control in the process ... Business is asking to restrict the manual input and allow only Bar code scanning for serial number entry.
  I have tried the below to implement the same:
  The serial number field is made to display mode by making screen - input = 0.
  Now the text field is brought to display mode. But unable to scan the data in that field .
  Pl help if you have any idea on this.
  Thanks in advance.
  Vidhya

  Answer from Michael Evershed here: Re: Restrict keyboard entry allow only scanning
  > If your barcode scanner is the type that plugs into the keyboard port of the computer SAP can't distinguish between the barcode scanner and data entered by the keyboard.
  You have to ask your scanner manufacturer if there is a solution (for example, like using an encoder at scanner level, that will be decoded by the abap program)

• Restricting ipv6 pim rp to a specific group only

  Hi,
  I want to restrict the IPv6 pim rp to a particular group. No other group should be serviced by this pim rp.
  How to achieve this?
  The topology is as below:
  R1(f0/0) ----- (f0/0)R2(f0/1) ------(f0/1)R3(f0/0)-----------(f0/0)R4(f0/1)
  I want to configure R1 as the ipv6 pim rp. it should service only group FF08::1234:4567. I have configured the global ipv6 add of R1 (f0/0) as the pim rp add on all routers.
  I have configured R4 as the receiver of the group FF08::1234:4567.

  A few more things adding to Abdel's post:
  Assuming this is not bidir. You can advertise R1 as RP for only particular group:
  http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/command/ipv6-i4.html#GUID-8A16475D-EBA7-4EDE-8473-BE74A962A80A
  Or announced RP mappings from BSR.
  http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-multicast.html#GUID-F44AA3FA-8E0A-4353-BDF5-6D1785AEC52C
  You can also play around with dropping register messages:
  http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/command/ipv6-i4.html#GUID-D801EA3B-C888-447B-9C32-EFF4DBDE69B3

• Adapter specific Module

  Hi
  What is Adapter specific Module ? Pls explain in detail
  Thanks,
  srini

  HI Srinivas
  Please go thru the following notes for Adapter Specific Modules.
  Dynamic Configuration Module: Note 974481
  Zip Module: Note 965256
              /people/stefan.grube/blog/2007/02/20/working-with-the-payloadzipbean-module-of-the-xi-adapter-framework
  Text Codepage Conversion Module: Note 960663
  XML Anonymizer Module: Note 880173
                         /people/stefan.grube/blog/2007/02/02/remove-namespace-prefix-or-change-xml-encoding-with-the-xmlanonymizerbean
  XML-to-Text Conversion Module :
  http://help.sap.com/saphelp_nw04/helpdata/en/44/748d595dab6fb5e10000000a155369/frameset.htm
  Payload Swapping Module: Note 794943
  http://help.sap.com/saphelp_nw04/helpdata/en/2e/bf37423cf7ab04e10000000a1550b0/frameset.htm
  Message Transformation Module: Note 793922
  http://help.sap.com/saphelp_nw04/helpdata/en/57/0b2c4142aef623e10000000a155106/frameset.htm
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/50061bd9-e56e-2910-3495-c5faa652b710
  RequestResponseBean: http://help.sap.com/saphelp_nw04/helpdata/en/45/20c210c20a0732e10000000a155369/frameset.htm
  ResponseOnewayBean:
  http://help.sap.com/saphelp_nw04/helpdata/en/45/20cc5dc2180733e10000000a155369/frameset.htm
  Example Module from Adapter Development:
  http://help.sap.com/saphelp_nw04/helpdata/en/96/f04142099eb76be10000000a155106/frameset.htm
  Cheers..
  Vasu
  <i>** Reward Points if found useful **</i>

• How to restrict the dropdown values in Att/abs type in Record Working Time

  Hello experts,
  We are implementing ESS business package.  In the Record Working time, within the Weekly View and Daily View tabs, there is a column Att/abs.type which has several drop down values - like:  floating value, Funeral Leave, Military Reserve, Regular Attendance, etc.   Our requirement is to restrict the dropdown values  by means of showing only one of these values (say:  Regular Attendance) and others should not be shown.   How do we achieve this?
  Thanks
  Vicky R.

  Hi Siddarth,
  Thanks for the info.  By the way, this table info is not mentioned in the Business Package documentation.  Which documentation are you referring to?
  Thanks
  Vicky R.

• Restricting Authorization for a specific Info-object

  Dear All,
  I have a scenario where I have to restrict the account managers by specific channels.
  I have 2 info-objects, Sold-to party and Sales Channel. Sales Channel is defined as attribute of the the Sold-To Part info-object.
  I was exploring the BI authorizations concept in SCM 2007.
  I created a authorization called "Test" and assigned the info-object Sales Channel in the authorization and restricted it for one value. This authorization along with 0BI_ALL I have added to the role under BI authorizations.
  However in interactive demand planning, I cannot restrict by the sales channel. It allows me to load data for all the channels.
  If I remove 0BI_ALL object, then I cannot load anything in interactive planning.
  Does anyone have a step by step proceedure for using the BI authorization concept?
  Regards,
  Kedar

  Yes, 0TCAACTVT (activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (validity) have to be made authorization relevant. For the info objects you want to use to control security, also make them authorization relevant in RSD1, imagine the object you want relevant is ZZ_VKORG (sales organization).
  Then use RSCEADMIN transcation and 0BI_ALL will include the objects from above, copy 0BI_ALL into a object such as Z_1000 and then change the value for the specific info object that you want to control, imagine that you want sales org 1000 only to be allowed within Z_1000.
  Now, you have 2 choices: You can use the normal security maintenance (SU01, PFCG) and you can asssign RSRS_AUTHBIAUTH and set BIAUTH requal to Z_1000 or you can use user maintenance directly within RSCEDAMIN and assign Z_1000 to the user. Either way, it becomes part of the authorization of the user.
  You may find that you need to introduce colon authorization concept ( for mixed levels of data and that is just a matter of adding a second line to the allowable values and setting it like "EQ :".
  Things to consider:
  1. This authorization concept is water tight and will do everything you need, but will do at the expense that if you don't model it first, you will kill yourself trying to make it right. This becomes evident when you trace a security issue (via RSCEADMIN) because the way BI7.0 works is that it will build a minimized superset of authorizations, so it is best to know where you want to get to, rather than starting off by where you know you need to go.
  2. To control change or display mode, you will need to influence 0TCAACTVT, even though you might think to use C_APO_SEL3 for ACTVT, the BI7.0 concept works within the BI space and 0TCAACTVT doesn't impact it.
  3. If you activate more info objects, 0BI_ALL will get updated automatically but your custom  authorization objecst will not. So, it is best to activate them all at the same time so that you don't have to manually change them.
  4. Do the work in development and transport it to the TEST/QA/PROD environments, there are transprt tools within the RSCEADMIN.
  This is probably enough to get you going, reply back if you have specific questions or issues.
  I've been thru this in a painful way, sometimes the best things learned are learned the hard way

• Restricting the authorization Object for B2B Transactions

  Hi All
  we are facing the problem in the ISA b2b app, actually the scenario is as below.
  we have various transaction types like b2b sales,Peoplesoft order,Request for Order change, RMA ,Request for Quotation(RFQ) and metel order.
  As per the requirement, The client wants only a few functionalities for a particular user.
  Example:
  Transaction Type Authorization
  PeopleSoft order View only View only
  B2B:Req. OrderCh x x
  B2B: Req. RMA
  B2B: Req. Quote x x
  Metel Order x
  For b2b sales transaction a lower level employee would only be able to view the order and he should be restricted to make any changes. Is there a posibility to restrict in this manner? This is Urgent. Please respond immediately. Thanking you in anticipation.
  Message was edited by:
  Sunil Kumar

  >
  Viral741 wrote:
  > Hi All
  >
  > I have a requirement in SAP Security to restrict the authorization object S_ALV_LAYO to a particular set of users.
  >
  > Background:
  >
  > We use composite roles which is shared accross all areas(Finace,marketing,work managment).Now the requirement is for from Work managment to restrict S_ALV_LAYO so that user cant change default layout and can create user specific layout,but other areas are not ready for this.So please let me know if there is any way i can restrict this auth object only for work managment area only.
  >
  > Thanks,
  >
  > Nitesh
  Nitesh,
  Remove access to S_ALV_LAYO for general users and give access to F_IT_ALV instead.  Keep S_ALV_LAYO for the users who will be maintaining the default layout.
  Good Luck!

• Restricting the ATP user for GATP - corrrect roles/authorizations

  Hi:
  If the dialog user that is used for the ATP check (from ECC to GATP) has more authorizations than needed and this is going to be a problem in production. The user can run SCM transactions from the results screen of ECC and this is not desirable.
  Therefore, the ATP user should be a restricted user that has only authorizations for this specific task. If you know what are the exact roles/authorizations to give to the ATP user, could you share them?
  Thanks in advance.
  Satish

  For R/3 please check OSS  Note 447543 - APO: Authorizations too comprehensive/not user-specific.
  "If it is necessary to have different authorization profiles in APO for different R/3 users when calling in APO, the following solution applies:
  Activate the setting in SM59 that is used for the RFC connection CURRENT USER.
  In the APO system, create the respective users and assign authorization profiles. This is necessary in order to achieve the necessary flexibility concerning authorizations in the APO system."
  For APO :
  AuthorizationsObject   C_APO_ATP in APO .
  please chose activity as per  user role.
  01       Create or generate
  02       Change
  03       Display
  04       Print, edit message
  06       Delete
  16       Execute
  39       Check
  Manish
  Edited by: Manish Kumar Rathi on Oct 21, 2008 1:24 PM

• How can i restrict the Expenditure Type values at a specific OU ?

  Dear Guys,
  I would like to ask about the Expenditure Types,
  I have implemented two projects for different Operating Units ,
  when navigating to any Projects responsibilty,and navigating the Expenditure Type field
  the values exist are all the values implemented across the OU not the values entered at this OU
  How can i restrict the Expenditure Type values at a specific OU
  Regards
  Amr Hussien

  Hello
  When you set up a project there is an option called Transaction Control.
  This option allow you to list the allowed or restricted elements of costs for the project.
  You may enter the transaction control on a project template and that will be copied to any new project.
  The cost elements may be expenditure types, expenditures categories, suppliers, employees, etc.
  In your case, I suggest to set up specific project templates for each operating units. On each template enter the list of allowed expenditures types for that OU.
  Doing so, the system restricts users from entering any expenditure item, supplier invoice, purchase cost etc, against an expenditure type, which is not allowed.
  Dina

• How to restrict the authorization to change backgroud configuration

  hello , I copy some users from my admin user which contain the sap_all profile. so these uses can change background configuration.     now,  I want to restrict the authorization that they can only view the background configuration but can not change it .        how can I set this authorization?     Can I change the sap_all profile? how to set it?
  thanks.

  Hi,
  You can copy the SAP_ALL profile to a new name say Z_SAP_ALL and provide display access to all the authorization object and make sure you remove all the critical tcodes in the Z_SAP_ALL profile.
  Once you are done with testing the role assign it to the user.
  Also search the threads in the forum...
  Rakesh

• How to restrict the access of FUNCTION MODULE for others after transporting

  A Function module needs to be executed in one server and should be executed when others try to access it.how to restrict the access of FM to one application server after being transported using SM59.

  issue resolved

• Defining Authorizations for User to restrict the data in report.

  Hi Gurus,
  I have no idea on authorization concept in BI. Please give me anyone steps to creating authorization objects, roles and profiles to restrict the data for users.
  Ex.
  i have functinal location info object checked as authorization relavent with below data.
  FL001
  FL002
  FL003
  FL004
  FL005
  FL006
  FL007
  FL008
  FL009
  We have users like below.
  User1
  User2
  User3
  Now, if User1 is analysing a report he can see only FL001, FL005, FL009 only, remaining have to be omited.
  If User2 is analysing that report he can see only FL002, FL003, FL009. And like wise.
  So, Please help me providing the completed steps. I have done somting but failed.
  Thanks in advance
  Peter.

  Hello Peter,
  Please go through the following links
  Authorization :
  http://help.sap.com/saphelp_nw70/helpdata/en/59/fd8b41b5b3b45fe10000000a1550b0/frameset.htm
  SAP Authorization Concept :
  http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
  Thanks.
  With regrads,
  Anand Kumar

• Using the command line with DESKI to run a specific module in a report

  I'm using BOXI R2 Desktop edition in a Windows Environment.
  I have a report with a macro inserted in it which is composed of several sub-modules. 
  I know I can launch the report from the command line as follows: "C:\PROGRAM FILES\BUSINESS OBJECTS\BUSINESSOBJECTS\BUSOBJ.EXE" -user "USERID" -pass "PSWD" "Directory and Filename" -keyfile "Keyfilename" -nologo
  What I want to know is can I launch the report from the command line and call a specific module.  So if I have 5 modules in a single report, can I just call 1 from the command line?
  How would that be formatted?
  Thanks in advance.

  There's some more stuff to be done to correctly call external executables.
  Read [When Runtime.exec() wont|http://www.javaworld.com/javaworld/jw-12-2000/jw-1229-traps.html], it shows some of the pitfalls of Runtime.exec().
  Edit: there's also JRuby, which might be worth a try.

• F4 Help in Module pool and restricting the entries

  Hi all,
        I was looking how to give F4 help in module pool program and restrict the number of entries on tht event.
  Take a example of VBELN, it is having number of entries so for F4 help we first take all the entries for VBAK for VBELN and then use FM 'F4IF_INT_TABLE_VALUE_REQUEST' and pass the table.
  So how can we restrict number of entries initially 200 and then user can input number of hits.
  ( How to use Callback subroutin ).
     Waiting for valuable additions.
  Thanks,
  Anmol.

  Hi ,
      This is my query, I want to restrict the number of entries fetched by the search help depending on the user input like in standard help.
  Like VBELN is having number of records how can we asign a help to field like VBELN( for example ), is there any way to restrict the entries on search help rather than selection all the entries for tht field from database which is not good for performance. Like initially it should fetch 100 or 200 records, then if user want more entries to be fetch he can input the number of entries like in standard help. Any idea on this.
  Thanks,
  Anmol.