Resultant user authorization of t-codes with a common Auth. Object

Hi,
I'm re-posting this question because the first time it was rejected and according to the Rules of Engagement, it seems it's because I did not post my photo, however, dear Moderator, if for any other reason, I mean not to be indecent, kindly let me know if there's anything violating the content rules.
I'm trying to control access to t-code AS02 using Asset Views (Auth. Object A_A_VIEW), so while looking around I noticed that this Object A_A_VIEW is present in other t-codes/roles assigned to some users.
My question is (pardon my basic terminology): if I create a role that has a t-code with certain authorization values defined in its Authorization Objects, and assign it to a user that has those Authorization Objects in his profile but from totally different t-codes in different roles, will the most explicit/resultant authorization take precedence in all the t-codes, or will the t-codes be accessed as per the authorization provided in their respective roles?

Hi Saleh
Lack of photo would not have been the reason.
Is SAP security your background? What do you know of generated profiles, user buffer and the concept of cross-inheritance (or cross-talk)?
If you are asking if a user has Transaction AS02 from one role and A_A_VIEW from another would they be authorised or not then that is a basic question (fundamental of SAP authorisation concept). Basic questions are not allowed in SCN as you can obtain the answer via searching, sap help and basic training.
If you are trying to understand some specifics of the A_A_VIEW authorisation that the SAP Help (and also IMG configuration for Asset Views) did not provide then you might need to clarify your question.
Regards
Colleen
PS - I did alert the moderator to your question as I thought it was a basic question relating to the SAP authorisation concept that is covered in SAP help, Google and the ADM940 training course.

Similar Messages

  • USER AUTHORIZATION FOR T-CODE OB52 & OKP1

    Hi Experts,
    I would like to know if there is a t-code that assigns USER to open another t-code.
    OB52 & OKP1?
    I want to restrict this t-code for only few users....
    Is it possible?
    Need advice please
    Rey

    Hi Rey,
        As per my knowledge the authorizations will be done by BASIS consultants.
    R.K

  • Regarding user authorization of t-code

    I am trying to give authorization for one of my users regarding SM35.
    I did YAT and got attached file. My ABAP programmer said it is not an authorization issue; it is something related to a system error. Can you please help me out and guide me on what I should do?
    The problem is that whenever she runs SM35 it always says Server is not active. I checked the server using SM13 and it is active, so I am not sure why this is happening. Please go through the file, and if you need more information, email me.

    Hi,
    When you create the batch-input session, you could set a user-name with the good authorization.
    You could ask anybody to call your batch-input in SM35; the authorization of the transaction inside your batch is checked with the username set in the batch.
    So how did you create your batch-input session?
    Fred

  • -24950 ERR_USRFAIL: User authorization failed

    Hello All,
    I installed mini Sap in my system.
    I have two entries in my host file.
    1.) 127.0.0.1 localhost
    2.) 10.10.0.10 computername
    When I open SAP MMC and enter the user name and password in the database below the NSP with the computer name,
    the error comes as -24950 ERR_USRFAIL: User authorization failed
    I tried with all sorts of user names and passwords, please help me.

    Hi Sundar,
    excuse the question, but does this have anything to do with SAP NetWeaver Enterprise Search? I would think it does not.
    All,
    please post to appropriate forums!
    Thanks,
    Karsten

  • Do 2 same auth objects with different values bleed together?

    If I had a user who had Auth object F_BKPF_BUK with Activity 01 and Company Code 1200 and also Auth Object F_BKPF_BUK with Activity 03 and Company Code 1300, would the user have 01 and 03 for both Company Code 1200 and 1300 or would the user be restricted to 01 for 1200 and 03 for 1300?

    It depends on the object and how the result of the authority-check is "built".
    For the result of a single authority-check Sanju is correct.
    It would not make sense to attempt to display something (retrieving the value from the record) which has not been created yet (checking the value in the entry screen).
    However the opposite can be true for authority-checks within arguments:
    -  IF weak_check_failed    "user is not authorized...
    -  THEN perform strong_check    "permit everything if passes...
    -  ELSE return_to_...     "Go back to list...
    However, in many cases this weaker : stronger check is against different objects.
    Other transactions will completely bypass the one object and only use a stronger one.
    F_BKPF_BUK should be okay for transactions FB01 and FB03, for example.
    Cheers,
    Julius

  • Code for user authorization

    Hello All,
    I have to implement a sample code which will filter out activities according to user authorization. Please help me in this regard.
    Thanks in advance.
    Paul.

    Hi, see the code below and write as per your need.
    INITIALIZATION.
      AUTHORITY-CHECK OBJECT 'ZPRCHK_NEW'
               ID 'TCD' FIELD SY-TCODE
               ID 'BUKRS' DUMMY
               ID 'PRCTR' DUMMY
               ID 'SPART' DUMMY
               ID 'WERKS' DUMMY
               ID 'VKORG' DUMMY
               ID 'EKORG' DUMMY.
      IF SY-SUBRC NE 0.
        MESSAGE I000(VZ) WITH TEXT-002 SY-TCODE .
        LEAVE PROGRAM.
      ENDIF.
    Regards
    rajendra

  • Authorization Issue with Custom Pending Value Object and Anonymous Users

    Hi,
    I am just converting my demo from version 7.1 to 7.2. I am not doing upgrade. The demo uses a custom pending value object USER_REQUEST. The idea is that new employee goes to Java AS as anonymous user and enters her details and store where she will work. After submitting request there is an approval process using custom entry type USER_REQUEST. If the request is approved then IdM converts USER_REQUEST into MX_PERSON entry. This works nice in 7.1 but I am having problems with replicating this in 7.2. I created new UI task accessible by anonymous that creates new USER_REQUEST entry. I also assigned role idm.anonymous with UME action idm_anonymous to UME built in group Anonymous users.
    My problem is with the field STORE. This field is a reference field to another custom entry type STORE (this entry type will be used in context based assignment). Every new employee must selects a store where she will work. The problem is when user clicks on button "Select". Web dynpro terminates and returns authorization error. I also tested this with entry type MX_ROLE. I added attribute MXREF_MX_ROLE and same issue. So it seems that just assigning UME action idm_anonymous is not enough to list objects from identity store. I found a workaround for this issue. When I assign also UME action idm_authenticated to Anonymous users then it does not dump and I get a pop up window where I can search for store. It does not seem right to assign idm_authenticated to anonymous users.
    Another issue is with display task for entry type USER_REQUEST. I assigned a display task to entry STORE and I set that Anonymous have access to this task in Access control tab. I assigned default value to the field store. So when a user opens page she can see a hyper link to display already assigned store. When user clicks on this hyper link it opens a new pop up window and user must authenticate against Java AS. After successful authentication the display task for entry STORE is displayed. I would assume that anonymous user can display it without authentication.
    So to me it seems like authorization checks have been changed in 7.2 versions and are more strict for anonymous tasks. Hence my question is how can I implement my scenario. Am I missing some configuration or what's the proper solution to my two issues? I don't count assigning idm_authenticated to Anonymous users as a solution. This workaround does not solve my second issue.
    Thanks

    Some of the folks from Trondheim labs check, but rather infrequently.  There's another person who I guess is in consulting that also checks from time to time.
    Sorry I can't help you with your main question...
    Matt

  • In other words jQuery mobile does not generate code with result can not test Apps in dw cs6

    from the time compiled in phonegap dw c6 tools and tested from dw the App in Android sdk, for a jQuery mobile App the, code in split/Live is the same as split/Live/Live Code.... in other words jQuery mobile does not generate code with result can not test Apps in dw cs6, but design shown without jQ mobile generated code, well?

    well, jQuery mobile stopped to generate code with result can not test Apps in dw cs6, but design shown without jQ mobile generated code, well (neither generated code seems nor design as seem in mobile)....????

  • Creating variable with the user Authorization in BEx

    Hi gurus,
    i want to create a variable with user authorization in BEx. Can any one please tell me the steps to create the variable for authorization.
    Thanks in advance
    sandy

    Hi,
    Please take a look and refer the section Use of Variable filled Authorizations(User Exit)
    Advanced Features of SAP BW Reporting Authorizations
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
    Hope this helps.
    Cheers,
    Gimmo

  • We are facing error  with user "PIDIRUSER". Response code is 401 in XI

    Hi,
    When we are trying to create objects in PI Integration Directory.
    Connection to system REPOSITORY using application REPOSITORY lost. Detailed information: Error accessing "http://cordev02:50000/rep/query/int?container=any" with user "PIDIRUSER". Response code is 401, response message is "Unauthorized":
    Request all to please help me to resolve this Issue as this is holding up our XI development.
    Regards,
    Anand V

    Hi Anand,
    In order to solve this, ensure you have maintained the correct password, which MUST be the same, for all the service users on XI and ensure it has eight (8) characters in length.
    You may check all the places it should be maintained, such as Exchange Profile, SU01, SLDAPICUST, etc..
    Check the note below:
    #999962 - PI 7.10: Change passwords of PI service users
    Also ensure that the user has the correct role as per link below:
    http://help.sap.com/saphelp_nwpi71/helpdata/en/9f/d12940cbf2195de10000000a1550b0/frameset.htm
    Regards,
    Caio Cagnani

  • Report parameters - user authorization

    Hi all -
    We are trying to limit the ways a particular user can run a report (with a standard selection screen 1000).  For example, the report has a parameter for company code on the selection screen - but the user should only be allowed to run the report for ONE particular company code.  We can obviously create a transaction code that starts with a particular variant in order that the appropriate data is populated.  However, we want to limit the user's access to other variants available to that report.  Is there a way we can disable the "Get variant" button for a report selection screen? 
    If anybody has another suggestion as to how we can run a report where the user only has authorization to run with particular parameters, I would really appreciate hearing about it!
    Thanks -
    Abby

    Thanks, but unfortunately company code is just an example... there are other fields as well.  
    But I think I've found the solution...  limit the function code GET as shown below...
    DATA itab TYPE TABLE OF sy-ucomm.
    PARAMETERS test(10) TYPE c.
    AT SELECTION-SCREEN OUTPUT.
    APPEND: 'GET' TO itab.
    CALL FUNCTION 'RS_SET_SELSCREEN_STATUS'
    EXPORTING
    p_status = sy-pfkey
    TABLES
    p_exclude = itab.
    Thanks for the help!

  • JBO-25014: Another user has changed the row with primary key oracle.jbo.Key

    Hi,
    I am developing a Fusion Web Application using Jdeveloper 11.1.2.1.0. I have a home.jspx page that has an ADF table built on efttBilling View Object. When you click on one of the rows in the table, it will take you to detail.jspx where you can edit the row and save. When 'save' is clicked, stored procedures are executed to update/insert rows into a few tables, and then go back to home.jspx where you need to see updated content for that row.
    To get down to the exact issue, updates are made to the tables on which the efttBilling View Object is built using a stored procedure. Once this is done, I am trying to requery view object to see new content. But I keep getting JBO-25014: Another user has changed the row with primary key oracle.jbo.Key error. Following are the approaches I followed to query new results:
    a. Executed Application Modules Commit Method. Created 'Commit' Action binding and tied it to homePageDef.xml. Called this binding from a view scope bean.
        BindingContainer bindings = BindingContext.getCurrent().getCurrentBindingsEntry();
         OperationBinding operationBinding = bindings.getOperationBinding("Commit");
        Object result = operationBinding.execute();
       if (!operationBinding.getErrors().isEmpty())
        return null;
    b. Marked 'Refresh on Insert' , 'Refresh on Update', 'Change Indicator' checkboxes for all the attributes in the entities associated with efttBilling View Object.
    c. Tried to Requery View Object. Created a refreshViewObject method in Application Module Impl.java file, exposed this method to the client interface and created a invokeMethod Action binding in home.jspx
    Code in Application Module:
      public void refresheftTransactionsforBillingAccountViewObj1View() {
        System.out.println("In eftTransactionsforBillingAccountViewObj1");
        findViewObject("eftTransactionsforBillingAccountViewObj1").executeQuery();
      }
    Code in view scope bean
            DCBindingContainer bindings =
           (DCBindingContainer)BindingContext.getCurrent().getCurrentBindingsEntry();
            OperationBinding operation =
            bindings.getOperationBinding("refresheftTransactionsforBillingAccountViewObj1View");
            operation.execute();
    I have searched the web and ADF forums and tried methods suggested there, but no success.
    Could anyone please provide some insight in this issue. I have been battling with this since quite some time. I can provide you with the log file too.
    Thanks!
    Shai.

    What code does your Commit method have .. can you try using the Commit executable from the AM itself instead ?
    Also -
    Shai wrote:
    'Change Indicator' checkboxes for all the attributes in the entities associated with efttBilling View Object.
    Which all attributes did you set this property for? It should just be for History columns as such.
    Did you also check if this could be your scenario ?
    Decompiling ADF Binaries: Yet another reason for "JBO-25014: Another user has changed the row with primary key orac…
    OR
    JBO-25014: Another user has changed the row with primary key oracle.jbo.Key
    OR
    Another user has changed the row with primary key -Table changed externally
    Message was edited by: SudiptoDesmukh

  • Ultiroute says "Check user authorization"

    My Ultiroute has suddenly started giving me a "Please check your User Authorization" error message when I try to route a board. Ultiboard runs fine, the internal rip-up router seems to be OK, but Ultiroute won't run any more. I can't find any way of dealing with this. The software is Ultiboard 2001 SP2.
    Thanks!

    Hello,
    You should be able to use the same Release Code if your hardware configuration hasn't changed; anyway if for some reason you have issues with this, just use the Online Release Code Generator to get a new code.
    Ultiboard/Ultiroute 2001 are products that we don't support anymore, therefore I won't be able to tell you what caused this error.
    Did the re-install work?
    Are you using a hardware dongle?
    Operating system?
    Ultiboard version (Personal, Pro)? 
    Regards,
    Fernando D.
    National Instruments

  • CRM Analytics - User Authorization Not Suficient

    Hi Guys,
    We have implemented the CRM analytics report, however when I access the menu Sales Pro in CRM and try to open the report Closed Opportunities, I get the error : User Authorization not sufficient.
    If I open the error I get the message :
    Diagnosis
    The user doesnot exist in the BI client or has insufficient authorizations
    Procedure
    Contact system administrator to verify the user is setup properly in both CRM and BI client
    Procedure for System Administration
    Verify that the user exist in BI client with the same user id, if not create it and assign proper authorizations as per the configuration guide.
    When I run the query or the webtemplate in BW I don't have authorization problems, but I can't run from CRM.
    Any suggestion about how to fix it?
    Thanks in advance,
    Fernando

    Hi Fernando,
    The report which you have implemented is doing an RFC call to the BI system, where some other system program is getting called which has an authorization check for the RFC user (or the person who is running the report). Here the report is terminating with an error. I have faced a similar issue.
    Generally we schedule such reports as a background job with a batch user which has SAP ALL access, but I feel in your case the user who runs the report does not have sufficient authorization in the BI system, and also you are not running the report as a background job.
    There are two tricks to find out the missing authorization, which I have also used.
    First option: close all the sessions except one in CRM and then run the report. As soon as the error comes, open transaction code SU53 to see the missing authorization. You may fail here, as the authorization check fails in BI.
    Second option will definitely work. When the error comes, double-click on the message to see the message details (class and number), then run the report again in debugging mode (type /H in the address bar to activate debugging), then set a breakpoint on the message and press F8 (the system may not stop at the breakpoint immediately, in which case you need to debug until the RFC calls the BI system). The system will take you to the exact authorization check where the error is coming from. There you can find the missing authorization object which is not included in the user's assigned role. Then you can ask the access team to add it to the user's role.
    I hope this will solve your issue. Please revert with your finding.
    Thanks,
    Prem

  • User Authorizations and security

    Hi,
    I need to know: is it required to give SAP_ALL to the user IDs created for functional consultants and ABAP developers, or are there some different set of roles to be created? Where do I find these security best practices, so that I can implement them?
    Regards
    Puneet

    Sathi,
    Yes, you can in fact do this...it is a fairly involved process but once done it works very well.
    Remove ALL authorization objects pertaining to BUKRS (in this particular example you only want to limit users to a company code) from your role. We'll call this first role ZT_role. You will have your transaction codes in here.
    You will have a number of other authorization objects that you could do this same thing with. We are currently not only doing this with company code, but cost center/profit center, plant and several more. The process is the same. If you don't want to allow certain users access to a company code, plant...etc. pull the auth obj out of the transaction role.
    Next, create a brand new role WITHOUT T-CODES in it and name it something like ZD_Locking_role (whatever you want to call it...but in a sense you are locking users down with this role).
    In this 2nd role you will need to manually enter each Authorization Object that uses BUKRS from your 1st role and then add in the company code(s) you want to allow people to see (again...manually add those auth objects needed as mentioned above for cost center/plant etc.).
    Now, you should be able to assign the 1st AND 2nd role to a person. Now, they will only be able to see the company codes you placed in the locking role.
    If you only assign the 1st role, they will not be able to view/change by company codes. By adding the second role, the SAP system checks the auth object against their entire profile in their master record and should allow them work fine.
    Good luck!
    For those that care...
    We not only do the above, we took it many steps further. We created derived roles broke those down to display only and create/change roles. In other words, the locking role would read something like Z_DISPLAY_XXX or Z_CRT_CHG_XXX (where XXX is the company).
    User roles assigned to associate Joe Smith - As an AR Manager this person needs access to ALL AR function for creation/display and change but only allowed to display all AP documents and not change all within company code XXX:
        Transaction roles:
    ZT_AP_DISPLAY role (AP needs to run XK03 or XK04...any and all t-codes are locked down to display only! [03 or 08...etc.])
    ZT_AR_MANAGER role (AR Manager needs to display (only) AP stuff but not be able to change. They also need to be able to perform all other functions (create/change) as an AR Manager)
        Locking Roles:
    ZD_DIS_BUK_XXX (XXX is company code) [display only]
    ZD_CRT_CHG_BUK_XXX (XXX is company code) [create change]
    With a thoroughly thought out system you can have a very tight system while being able to allow users the versatility to see only certain information.
    Good luck!
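
The F_BKPF_BUK thread and the transaction-role/locking-role answer above both rest on the same mechanism: the authorizations of all assigned roles land in one user buffer, and a check passes when a single authorization of the object covers every checked field. A simplified Python model of that behaviour follows as an added illustration (it is not code from any poster or from SAP); the role names ZT_FI_DOCS, ZD_CRT_BUK_1200, ZD_DIS_BUK_1300 and ZT_REPORTING and all values are constructed, and ranges, DUMMY fields and the full set of return codes are left out.

```python
# Simplified model of how ABAP AUTHORITY-CHECK evaluates the user buffer.
# All role names and values are constructed sample data (assumptions).

# role -> list of authorizations; each authorization is (object, {field: allowed values})
ROLES = {
    # transaction role: t-codes only, no organisational objects
    "ZT_FI_DOCS": [("S_TCODE", {"TCD": {"FB01", "FB03"}})],
    # "locking" roles: organisational values only, no t-codes
    "ZD_CRT_BUK_1200": [("F_BKPF_BUK", {"ACTVT": {"01"}, "BUKRS": {"1200"}})],
    "ZD_DIS_BUK_1300": [("F_BKPF_BUK", {"ACTVT": {"03"}, "BUKRS": {"1300"}})],
    # unrelated role that happens to carry the same object with a wildcard
    "ZT_REPORTING": [("F_BKPF_BUK", {"ACTVT": {"03"}, "BUKRS": {"*"}})],
}


def user_buffer(assigned_roles):
    """Flatten every authorization of every assigned role; the role of origin is lost."""
    return [auth for role in assigned_roles for auth in ROLES[role]]


def authority_check(buffer, obj, **fields):
    """Return 0 if ONE authorization of `obj` covers ALL checked fields, else 4.

    Follows the sy-subrc convention in simplified form (no ranges, no DUMMY).
    """
    for auth_obj, allowed in buffer:
        if auth_obj != obj:
            continue
        if all("*" in allowed.get(f, ()) or v in allowed.get(f, ())
               for f, v in fields.items()):
            return 0
    return 4


def can_process(buffer, tcode, actvt, bukrs):
    """Transaction start check followed by the document-level check."""
    if authority_check(buffer, "S_TCODE", TCD=tcode) != 0:
        return False
    return authority_check(buffer, "F_BKPF_BUK", ACTVT=actvt, BUKRS=bukrs) == 0


def allowed_combinations(buffer, actvts=("01", "03"), bukrs_list=("1200", "1300")):
    """List the (ACTVT, BUKRS) pairs that pass the F_BKPF_BUK check."""
    return [(a, b) for a in actvts for b in bukrs_list
            if authority_check(buffer, "F_BKPF_BUK", ACTVT=a, BUKRS=b) == 0]


if __name__ == "__main__":
    base = user_buffer(["ZT_FI_DOCS", "ZD_CRT_BUK_1200", "ZD_DIS_BUK_1300"])
    print("two separate authorizations:", allowed_combinations(base))
    print("transaction role alone, FB03/1300:",
          can_process(user_buffer(["ZT_FI_DOCS"]), "FB03", "03", "1300"))
    wide = user_buffer(["ZT_FI_DOCS", "ZD_CRT_BUK_1200", "ZT_REPORTING"])
    print("with unrelated wildcard role:", allowed_combinations(wide))
```

With the two locking roles the result is 01 for 1200 and 03 for 1300 only; adding the unrelated wildcard role also opens display for 1200, whichever t-code triggers the check.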
