Restriction authorization

Dear Gurus,
Users in our production system have access to t-codes SE38 and SE11.
Now we want to remove these authorizations, but these authorizations are provided to the users via different roles and it's difficult to track these authorizations.
I want to know whether it is possible to create a restriction authorization where we can define the t-code value as 'not equal' and restrict the desired authorization.
Please update
Thanks and regards
Tushar

I agree with Netweaver Expert.
If you are finding it difficult to identify those roles then I suggest that someone on your security team gets training ASAP as it is a very, very basic task to ID roles with those authorisations.  You can do it in SUIM or via table AGR_1251 in less than 10 minutes.
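Added example, not part of the original thread: a Python sketch of the AGR_1251 check mentioned in the reply above, run over a constructed CSV export. The column subset (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED) and the role names are assumptions; the point it shows is that a search for the literal value SE38 misses roles that grant the transaction through a range, a trailing-`*` pattern or a full `*`.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of AGR_1251 (not real data); column subset is assumed.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_DEV_DISPLAY,S_TCODE,TCD,SE11,,
Z_BASIS_ADMIN,S_TCODE,TCD,SE*,,
Z_SUPPORT,S_TCODE,TCD,SE30,SE39,
Z_MM_BUYER,S_TCODE,TCD,ME21N,,
Z_OLD_DEV,S_TCODE,TCD,SE38,,X
Z_FIREFIGHTER,S_TCODE,TCD,*,,
Z_MM_BUYER,M_BEST_BSA,BSART,NB,,
"""


def value_covers(low, high, tcode):
    """True if one LOW/HIGH authorization value pair covers the transaction code.

    Assumptions: ranges are compared as plain uppercase strings, and a
    wildcard is only ever a trailing '*' in LOW.
    """
    low, high = low.strip().upper(), high.strip().upper()
    if high:                                  # range: LOW..HIGH
        return low <= tcode <= high
    if low.endswith("*"):                     # pattern such as SE* or full *
        return tcode.startswith(low[:-1])
    return low == tcode                       # single value


def roles_granting(export_text, tcodes):
    """Map each role to the target t-codes its S_TCODE values cover."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != "S_TCODE" or row["FIELD"] != "TCD":
            continue
        if row["DELETED"].strip():            # assumed: flagged rows are inactive
            continue
        for tcode in tcodes:
            if value_covers(row["LOW"], row["HIGH"], tcode.upper()):
                hits[row["AGR_NAME"]].add(tcode.upper())
    return {role: sorted(found) for role, found in sorted(hits.items())}


if __name__ == "__main__":
    for role, found in roles_granting(SAMPLE_EXPORT, ["SE38", "SE11"]).items():
        print(f"{role}: {', '.join(found)}")
```

Joining the resulting role names against the user-to-role assignments then gives the list of affected users.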

Similar Messages

  • BASIS--to restrict authorization for a PO document type & 122 movement type

    Dear All,
    Please guide me how to restrict authorization for a PO document type & for a movement type 122, i.e. if a user has authorization for PO document type IC then he should not be able to run movement type 122 for any T-code he runs.
    Thanks in advance
    Arpit
    Basis

    Hi,
    Your request was not too clear to me.. As per my unde
    Here is some details of Authorization object related to Purchase Order:
    Document Type in Purchase Order( M_BEST_BSA )
    Purchasing Group in Purchase Order (M_BEST_EKG )
    Purchasing Organization in Purchase Order  (M_BEST_EKO)
    Plant in Purchase Order  (M_BEST_WRK )
    Document Type in Outline Agreement (M_RAHM_BSA )
    Purchasing Group in Outline Agreement (M_RAHM_EKG )
    Purchasing Organization in Outline Agreement ( M_RAHM_EKO )
    Plant in Outline Agreement ( M_RAHM_WRK )
    This can be helpful to you to restrict authorization to PO.
    In Organization Level, it can be restricted by Purchasing group, Purchasing organization and plant..
    Regards,
    Sandip

  • Restrict Authorization at Material level during production confirmation

    Hi SAP Gurus,
    I would like to ask if it's possible to restrict authorization at Material Level during production confirmation.
    Our scenario is we have SFG and FG which are handled by different group of people but it has the same Order Type. Now we want to restrict authorization such as one department can only confirm SFG and the other department can confirm FG only.
    Is it possible to set authorization at material type or production scheduler level. IF not possible, is there other way except creation of new Order Type?
    Thanks,
    Raymond

    Hi Raymond,
    Do you mean I should create a customized table for this?
    Yes
    Is there no standard way?
    As per my knowledge, you can control through production order type, so you need to create separate order type for this
    Thanks,
    Sankaran

  • How to restrict authorization for OBC4

    Dear all
    How to restrict authorization for OBC4 (field status) user ID wise?
    Regards
    nasa

    Hi Nasa
    You try to use the S_TABU_LIN object. With this object you can control access to tables (called from maintenance views, SM30 etc) based on the database key for the table.
    And as far as I cant see, the OBC4 transaction is just a couple of maintenance views for V_T004V and V_T004F.
    You can find a small how-to [here|http://www.mhn-consulting.com/s_tabu_lin.html]
    Regards
    Morten Nielsen

  • To restrict authorization of tcode MEK1,MEK2,MEK3,MEK4 at plant level

    Hi,
    We have  a requirement where we need to restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.
    Presently we can restrict authorization at Purchasing organization level but not at Plant level.
    Any pointer please!
    Regards,
    Chetan

    Hi,
    You can restrict the users for the authorization of these T-Codes on their  User ID. Take help of  Basis who controls Roles & Profiles. (T-Code PFCG)
    Hope this helps,
    Best regards
    Amit Bakshi

  • To restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.

    Hi,
    We have  a requirement where we need to restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.
    Presently we can restrict authorization at Purchasing organization level but not at Plant level.
    Any pointer please!
    Regards,
    Chetan

    First of all, this is not the right forum to post such a question.  Coming to the requirement, this can be achieved by creating a role in PFCG where you can restrict plant and assign this role to each user id.  Your basis team can do this.
    thanks
    G. Lakshmipathi

  • Restrict authorizations for loads from HR to BW for certain data

    Hi,
    our customer wants to protect some data in the HR productive system. This data are defined/restricted by certain personal areas.
    It is not enough to use reporting authorizations in BW to restrict presentation in queries or use filters in infopackets during load to avoid this data.
    The requirement is to make load of such data from HR to BW absolutely impossible, even BW administrator cannot see them and must not be able to load them.
    We will probably have to somehow limit ALEREMOTE users authorizations in BW. I do not know how and I even doubt, that extractors in HR source system perform authorizations checks for fields.
    Is there any way to do this?
    Thank you very much,
    Petr

    Hi Petr,
    Create a general enhancement program (restricted authorization) with generic name, which should be called dynamically for every datasource.
    Refer-
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/2d99121a-0e01-0010-e78c-b1ae566a2413?overridelayout=true
    Not personally tested but check following.
    In that program, you may try applying following logic:
    1) You may need to use TYPE ANY field symbols
    2) In While Loop until all fields of C_T_DATA checked, may be a counter based on total number of fields.
        DELETE C_T_DATA where <TYPE_ANY1> EQ (OR use IN) specific value(s) of Personnel Area
        DELETE C_T_DATA where <TYPE_ANY1> CS (Contains, check pattern) specific value(s) of Personnel Area
    ENDWHILE.
    Optionally: For Standard Datasources in the same program you can add logic based on standard field only "WERKS".
    Note: You may need to research on dynamic pointing using field symbols for every field.
    Thanks
    Arun Purohit

  • Restrict authorization in VA01 for partner function field

    Hi all,
    I need a way to restrict authorization in VA01/VA02 for users so that in the headers tab -> partners, the employee responsible field is locked. Other fields (i.e. ship-to/sold-to should still be changeable)
    What is the best way to achieve this?
    Thanks,

    This is not the solution for your query to make it non modifiable. You want it on user base but if you make it non modifiable it will be in display mode for all users. But if you want to try this you can make it non modifiable in following path
    Sales and distribution > Master Data > Customer Master > customer hierarchy > partner determination for sales document header.
    I'm not sure the exact path because I have no access of system at this time. But you can find it in above nodes.
    Proper solution of your question is user exit as mentioned above.

  • Business Blueprint -  Restricting authorization at Business Scenario

    Hi All,
    We would like to restrict authorizations at a Business Scenario level, say FI module users are restricted to update only their documents and only view SD documents.
    Can anyone let me know if this is possible?
    Thank you for your time.

    Hi Guys,
    Blueprints are available online!!
    Go through the links
    The Blue print for Business Intelligence:
    http://help.sap.com/bp_biv335/BI_EN/html/Business_Blueprint.htm
    Now if you are looking the Blueprint for any other modules, Select from the list
    http://www.sap.com/services/servsuptech/bestpractices/index.epx
    regards
    Happy Tony
    Points == Thanks

  • Restrict authorizations for payment item transaction

    Hi All,
    This is regarding authorizations for a banking system.
    The requirement is the users need to be restricted for the following transaction based on the Bank Posting Area or the contract managing unit.
    BCA_PAYMITEM_CREATE
    When the user goes to create payment item the user should be allowed to enter an account which has been created with the contract managing Unit ZSUM007 or Bank Posting area ZSUM. The user should not be allowed to go in for any other values of contract managing unit and Bank Posting Area
    BCA_PAYMITEM_MAINTN
    The user should be allowed to enter an account which has been created with the contract managing Unit ZSUM007 or Bank Posting area ZSUM .The user should not be allowed to go in for any other values of contract managing unit and Bank Posting Area.
    I checked the transactions in SU24 and found only authorization object S_TCODE associated with the transactions BCA_PAYMITEM_CREATE and BCA_PAYMITEM_MAINTN.
    Can someone please suggest a way to achieve this.
    Regards,
    Thamarai.

    Hi Shiva,
    I tried assigning the org unit using PFCG ORGFIELD CREATE.
    Now the org unit in pfcg shows Org. level Contract-Managing Organizational Unit (Encrypted) but there is no corresponding field in the authorization objects in the role.
    Can you please help since the project is very critical.
    Regards,
    Thamarai.

  • How to restrict authorization based on profit center in ke80 report

    hi friends
    We have a situation where we need to maintain the authorization based on profit center in ke80 report. The authorization object K_PCA is not working. Whenever we assign a particular profit center and then generate the profile, we still get the message no authorization and when we check su53 it shows it needs '*' asterisk. But we can't assign the asterisk as we have 5 subsidiaries and they are using 5 different sets of profit centers, so assigning asterisk (*) would be compromising on our security.
    Has anybody come across this situation and if yes how did they resolve this?
    I need your suggestions on how to maintain this restriction.
    Regards,
    Imran

    Hi Friends
    The problem has been solved. It turns out that this is a report writer issue. We raised the issue with SAP and they informed that 'For Report Painter/Writer every item is checked if you have the authorization or not. Only the items with authorization fulfilled will be displayed afterwards'.
    Based on SAP answer we created different reports for each profit center/company code.
    I would like to thank you all for your time and inputs.
    Regards,

  • How to restrict authorization for MMBE

    Hi,
    I need to restrict the authorization for t-code MMBE according to plant wise. Can anybody tell me about the procedure and authorization object used.
    Regards

    M_MATE_WRK Material Master: Plants is the object that is used to control the display of data at plant level in tcode MMBE

  • Restricting Authorization for a specific Info-object

    Dear All,
    I have a scenario where I have to restrict the account managers by specific channels.
    I have 2 info-objects, Sold-to party and Sales Channel. Sales Channel is defined as attribute of the Sold-To Party info-object.
    I was exploring the BI authorizations concept in SCM 2007.
    I created an authorization called "Test" and assigned the info-object Sales Channel in the authorization and restricted it for one value. This authorization along with 0BI_ALL I have added to the role under BI authorizations.
    However in interactive demand planning, I cannot restrict by the sales channel. It allows me to load data for all the channels.
    If I remove 0BI_ALL object, then I cannot load anything in interactive planning.
    Does anyone have a step by step procedure for using the BI authorization concept?
    Regards,
    Kedar

    Yes, 0TCAACTVT (activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (validity) have to be made authorization relevant. For the info objects you want to use to control security, also make them authorization relevant in RSD1, imagine the object you want relevant is ZZ_VKORG (sales organization).
    Then use RSCEADMIN transaction and 0BI_ALL will include the objects from above, copy 0BI_ALL into an object such as Z_1000 and then change the value for the specific info object that you want to control, imagine that you want sales org 1000 only to be allowed within Z_1000.
    Now, you have 2 choices: You can use the normal security maintenance (SU01, PFCG) and you can assign RSRS_AUTHBIAUTH and set BIAUTH equal to Z_1000 or you can use user maintenance directly within RSCEDAMIN and assign Z_1000 to the user. Either way, it becomes part of the authorization of the user.
    You may find that you need to introduce colon authorization concept (for mixed levels of data) and that is just a matter of adding a second line to the allowable values and setting it like "EQ :".
    Things to consider:
    1. This authorization concept is water tight and will do everything you need, but will do at the expense that if you don't model it first, you will kill yourself trying to make it right. This becomes evident when you trace a security issue (via RSCEADMIN) because the way BI7.0 works is that it will build a minimized superset of authorizations, so it is best to know where you want to get to, rather than starting off by where you know you need to go.
    2. To control change or display mode, you will need to influence 0TCAACTVT, even though you might think to use C_APO_SEL3 for ACTVT, the BI7.0 concept works within the BI space and 0TCAACTVT doesn't impact it.
    3. If you activate more info objects, 0BI_ALL will get updated automatically but your custom authorization objects will not. So, it is best to activate them all at the same time so that you don't have to manually change them.
    4. Do the work in development and transport it to the TEST/QA/PROD environments, there are transport tools within the RSCEADMIN.
    This is probably enough to get you going, reply back if you have specific questions or issues.
    I've been thru this in a painful way, sometimes the best things learned are learned the hard way

  • How to restrict authorization at Profit Center?

    Hi all,
    There is one TCODE S_AC0_52000888 : Payable for Profit Center, which will list out the details about each company code and it associated profit center.
    Following is the scenario:
    we have a company code 1000, This company code has some profit center.
    while executing the above tcode S_AC0_52000888, we have that opportunity to select the
    profit centers which we want to see the details for. We have some 10-20 profit centers
    in company code 1000, but however, we want to restrict the users to see the details for
    respective profit center.
    Can any one help me in achieving this task? your help would be greatly appreciated!
    and also rewarded.
    Thanks and Regards,
    Faisal

    Hi Friends
    The problem has been solved. It turns out that this is a report writer issue. We raised the issue with SAP and they informed that 'For Report Painter/Writer every item is checked if you have the authorization or not. Only the items with authorization fulfilled will be displayed afterwards'.
    Based on SAP answer we created different reports for each profit center/company code.
    I would like to thank you all for your time and inputs.
    Regards,

  • Restrict authorization for saving BI query bookmark on BEx Portfolio

    Hi experts,
    I would like to find a way to control the saving query bookmark functionality on BEx Portfolio. The problem is that every BI user can save in the BEx Portfolio which is observable to every user at global level. Is there a functionality to restrict the authorization so that only Power users are allowed to save bookmarks under BEx portfolio, whereas non power users are allowed to access them?
    Thanks

    Hi All,
    I'm also having the same requirement, please reply with solution if anyone did it,
    http://scn.sap.com/message/13836154
    Thanks
    Naga
