Role & Authorization for HR Administrator?

Similar Messages

• Role authorization for product selection

  Hi All,
  i have a requirement for which i need your help. Now my Account Manager can see all products while placing an order. I want to restrict his selection to only 5* and 6* products. That means when he will look for placing an order in the next time, he should only see 5* and 6* products not all products. Can you please tell me how to go about this role authorization. 
  your valuable inputs will be appreciated.
  Regards,
  Sasmita

  Hi,
  I feel Access Control Engine would be the most elegant and futuristic solution.
  However, you need to review all the solutions suggested. Solution suggested by Shalini and Ashish are more practical. However, generally partner product range is used in case of Sold-to parties.
  Please review all the solutions suggested and take decision based on circumstances at your client's end.
  You can get more information about Access Control Engine at
  http://help.sap.com/saphelp_crm40/helpdata/en/04/0177f9bb67ac4cafb84bb4d4c1d8fc/frameset.htm.
  Also there are several guides and cookbooks on ACE at service market place.
  Regards,
  Deepak

• Roles & Authorizations for Web Reports...

  Hello Experts,
  We are newly implementing Web Reports in our organization. I need your great thoughts regarding implementing Authorizations for users to access the reports.
  We are using a report menu page that contain links to all the reports. The page opens by clicking on a link on the portal. The individual reports are basically accessed from this page by clicking on the corresponding button (links a URL ).
  I wonder if there is any way to look into the menu page (XHTML code of that web page/application) when ever the users click on the reports link and disable those buttons that the users are not allowed to access depending on the roles users are assigned to. Otherwise is there any better way to do it.
  And also how to call a function from web applications.
  This is a kind of urgent issue any quick ideas would be greatly appreciated.

  I apologize for the difficulty in reading this  I will repost.
  We have had no training or received any documenation on WAD.  The below was created from internet research.  Hence there may be WAD functionality that would allow easier maintenance, however; this is what we use.
  With our dashboard, I have a web template that contains hyperlinks for our reports.  I will call this HeaderTemplate1.  For each web page I have report templates.  These report templates have the HeaderTemplate1 mentioned above as well as the report tables, charts, text elements, tabs, etc.
  The JavaScript logic for accessing the urls of the specific report templates is contained within our HeaderTemplate1.
  Below is how our setup was tested.  Keep in mind, this was only for testing basic functionality.  If this is something we use I will most likely create a master data table that houses the user ID and an attribute for the header type.  Thus, any report menu changes can be altered quickly without changing the javascript of each report template.  Also this will accomodate the few thousand users we have.
  To add the functionality of different 'menus', I created another header template with the same hyperlinks of HeadertTemplate1 with the exception of one or two hyperlinks.  This, HeaderTemplate2, was added to each report template just below HeaderTemplate1.  Note that both HeaderTemplate1 and HeaderTemplate2 were set as visible on each report template.
  Also, on each report template I added a text element.  The 'List of Text Elements'property was set as such; Element Type = General Text Sympol,  Element ID = SYUSER.  This Text Element was linked to a query  or view from BEx via the dataprovider.  On the HTML side, I surrounded this Text Element with
  <Font ID="UserID",,,textelement....</Font>
  Each Report template has this javascript function, fnRepOnLoad, which is triggered at the OnLoad event.
  [<SCRIPT language = "JAVASCRIPT">                       
    function fnRepOnLoad()
      var user_ID=document.getElementById("UserID").innerHTML;
      if (user_ID=='USER123')
        document.all["HEADTMPLT1"].style.visibility = 'hidden';
        document.all["HEADTMPLT1"].style.position = 'absolute';
      else         
        document.all["HEADTMPLT2"].style.visibility = 'hidden';
        document.all["HEADTMPLT2"].style.position = 'absolute';
  </script>
  The function results as this.  If the user is USER123, HeaderTemplate1 is hidden, leaving only HeaderTemplate2 visible.  Otherwise HeaderTemplate2 is invisible leaving on HeaderTemplate1 visible.
  We do not use buttons as our global leaders prefer hyperlinks but buttons can be enabled or disabled similarly.
  As mentioned before, if this method is implemented, I will create a reportable master data table.  Create a customer exit variable to retrieve the header template required for the user.  This header template variable value will then be pulled by a text element on each report template.  The script function will act as follows.  If many report headers are necessary I may use a case statement.
  Var User_template=document.getElementById("UserTmplt").innerHTML;
  If UserTmplt = HeaderTemplate1
  -->  make all header templates other than HeaderTemplate1 invisible
  else
  -->  make all header templates other than HeaderTemplate2 invisible
  etc...
  I hope this helps.  Please keep me posted with your solution.  I am very interested to learn what others are doing.
  Best Regards,
  Larry

• Role authorization for CJ88 T Code

  SAP Gurus
  can any one tell me control the CJ88 T code, my client is having 4 business areas but, so in one business area employee will not access the other business area WBS element, can any one tell me how can i control
  thanks in adv
  venkat

  You could get with your Basis group to add the authorization object: F_BKPF_GSB - Accounting Document: Authorization for Business Areas to the CJ88 transaction and set it to be checked at execution.  Then you could create different roles for each business area and set them to the different values for BA.  You can use TCode SU24 to see that there are no authorization objects in CJ88 for checking BA in SAP standard.
  Alternately, you could find another role that already has this object and limit it by each area, but this would take multiple, nearly identical roles.
  Regards

• Required Authorization for BI Administrator

  Hello
  I would like to know, what kind of authorization is required for a BI Administrator on ECC 6.0.  I'm keep gettting ERROR as
  Source system DEVCLNT510: No authorization for remote activation of DataSources
  Also, I don't have access to RSO2 transactions in ECC system as well. Is there any standard Authorization Objects that I neeed access to on the ECC side ?
  Thanks for your help
  BI

  Hi,
  For Remote activation of datasources from BI system, you need authorization object S_RO_BCTRA.
  When you get some authorization issue, immediately call transaction SU53 and you get the authorizaton needed.
  Regards,
  Murali.

• Roles/authorizations for user to Solman Diagnostics.

  We have a need to have non-administrator persons access our Sol Man
  Diags environment. We do not want them to access with j2ee_admin
  account.
  How / what roles or authorizations do I assign to restricted users so
  users cannot see the administration and setup tabs and not be able to
  turn traces on?

  The roles for the end users are mentioned in the standard SMD guide  pleas go thuroug it

• Role authorization for FAGLB03

  I am trying to create a role the only contains FAGLB03 and I would like to be able to restrict which accounts and comany(s) the user can see.  When I create the role there are no authorization objects associated with FAGLB03 so I cannot restrict it.  Is it possible to do this, and if so how?

  Hi John,
  Go to SU24 and type in transaction FS10N and activate the ones you need. inorder to know what needs to be activated run the transaction and see what object it is checking and activate those in SU24.
  Thanks,
  SS

• SAP BI : Roles & Authorizations

  Hi,
  I am working on roles & authorizations for SAP BI 7.0 How can I create authorization for a scenario mentioned below:
  One user (userid ALAN) has two vendors under him viz V001 & V001A.
  V001 has access to plant A001, A002 and
  V001A has access to plant A002, A003, F002.
  The data is created in SAP R3 and brought into SRM using criteria based on document type say ELEM. Even though V001 does not have access to plant A003, it can create documents of type ELEM. The business does not want this document to appear for V001.
  The business needs documents to be displayed as follows, irrespective of documents existing in SAP R3:
  Plants A001, A002 for V001 and
  Plants A002, A003, F002 for V001A.
  Please confirm if the following approach will work:
  Create vendor - plant role
  Role 1
  Vendor = V001
  Plants = A001, A002
  Role 2
  Vendor = V001A
  Plants = A002, A003, F002
  Assign User ALAN both roles Role 1 and Role 2.
  Please suggest a solution as I have to deliver about 2000+ roles by end of week.
  Thanks in advance.

  Hi,
  Seems that you are looking for a merge of the authorization. Please take a look in the note 1000004 where you are going to see the explanation about the merging.
  1000004 - Merging and optimizing analysis authorizations
  This documentation should help you.
  Regards,
  Rafael

• Authorization Role needed for change

  Hi,
  What role is required for user to do change/ display for IR objects .
  After role assignment is there any other configuration to be done.
  Currenlty we can only see objects in IR, dont have authorization for change.
  What needs to be done.
  Thanks.

  Hi John,
  Role: SAP_XI_Developer
  SAP_XI_DEVELOPER (Composite)
  SAP_SLD_DEVELOPER
  SAP_XI_DEMOAPP
  SAP_XI_DEVELOPER_ABAP
  SAP_XI_DEVELOPER_J2EE
  Notes:
  No access to the Administration of the XI Tools URL,
  ABAP
  C SXI_CACHE to view the cache but not refresh it
  C SXMB_MONI
  C SPROXY
  C SXMB_IFR
  D SXMB_ADM
  D SLDCHECK
  D SLDAPICUST
  SLD
  D create/change Technical /Business System
  D create Software Catalog (Product/Software Component Version)
  D create/change Development (Name Reservation, Content Browser, Class Browser).
  REPOSITORY
  D import SWCV (Software Component Version) from SLD
  D create new namespace under a SWCV
  D create/change new or existing Integration Scenarios and Integration Processes because the Software Component cannot be changed
  D create/change new or existing Interface Objects because the Software Component cannot be changed
  D create/change new or existing Mapping Objects because the Software Component cannot be changed
  D create/change new or existing Adapter Objects
  DIRECTORY
  D transfer integration scenario from Repository
  D create/change Party
  D create/change Service Without Party
  D create/change Service Receiver Determination
  D create/change Service Interface Determination
  D create/change Service Sender Agreement
  D create/change Service Receiver Agreement
        RWB
  C Component Monitoring
  C Message Monitoring
  C Performance Monitoring
  C Alert Configuration
  C Alert Inbox
  C Cache Monitoring

• Is there any way to force a Role Check for authorization from a Ztable

  Hi all,
  I have an issue that deals with Authorization check using a role. I have to know if there is any way to make a Role force to check if an entry exists in a Ztable.
  Eg. A User is assigned a role Z:Ztable_check. Can we now force this Role to somehow check for a particular entry in a Ztable which has a Username and its Corresponding Authorized Cost center. Can the role check from the Ztable and allow the user to view only those cost centers that he is allowed to.
  Don't know if this is even theoretically possible.

  hi
  see if this helps you
  <b>The SAP Authorization Concept
  Authorization checks are a means of protecting functions or objects in the R/3 System. The programmer of the function determines where and how these checks are made, while the user administrator determines (within the framework defined by the programmer) who can execute a function or access an object.
  The terms central to the SAP authorization concept are:
  Authorization field
  This is the smallest unit against which checks can be made. The programmer can create authorization fields by selecting Tools &#8594; ABAP Workbench &#8594; Development &#8594; Other tools &#8594; Authorization objs &#8594; Fields.
  Example: ACTVT and CUSTTYPE.
  Authorization object
  An authorization object groups together 1 to 10 authorization fields which can then be checked as a combination. The programmer can create authorization fields by selecting Tools &#8594; ABAP Workbench &#8594; Development &#8594; Other tools &#8594; Authorization objs &#8594; Objects.
  Example: The authorization objekt S_TRVL_BKS groups together the authorization fields ACTVT and CUSTTYPE.
  Authorization
  An authorization is a combination of permitted values for each authorization field of an authorization object. The user administrator creates authorizations by selecting Tools &#8594; Administration &#8594; Maintain users &#8594; Authorization.
  Example:
  S_TRVL_CUS1 is an authorization for the authorization object S_TRVL_BKS with the values
  for customer type (CUSTTYPE) and
  02 for activity (ACTVT).
  Users who have this authorization are allowed to change the bookings of all customers.
  S_TRVL_CUS2 is an authorization for the authorization object S_TRVL_BKS with the values
  B for customer type (CUSTTYPE) and
  03 for activity (ACTVT).
  Users who have this authorization are allowed to display the postings of all customers.
  Authorization profile
  An authorization profile represents a simple workplace in the context of authorizations. An authorization profile contains authorizations for the authorization objects a user needs to operate effectively in a restricted task area. The user administrator creates authorizations by selecting Tools &#8594; Administration &#8594; Maintain users &#8594; Profiles.
  User master record
  Your user master record is checked when you logon to the R/3 system. Through the authorization profiles, this provides restricted access to the functions and objects of the R/3 System. The user administrator creates authorizations by selecting Tools &#8594; Administration &#8594; Maintain users &#8594; Users.
  Authorization check
  The programmer can perform authorization checks with the ABAP command AUTHORITY-CHECK by specifying the value to be checked for each authorization field defined. The system then scans the profiles in the user master record for the authorizations specified. If one of the authorizations found for all fields of the authorization object covers the values specified by AUTHORITY-CHECK, the check was successful.
  Example: Check whether the user is allowed to change the postings of business customers:
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
                  ID 'ACTVT'    FIELD '02'
                  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
    MESSAGE E...
  ENDIF.
  If the authorization S_TRVL_CUS1 exists in the user's master record, the authorization check is successful. However, if the authorization S_TRVL_CUS2 exists, but not the authorization S_TRVL_CUS1, the check fails.
  Authorization assignment
  The system administrator is responsible for assigning user master records with the correct authorizations. You should use the Profile Generator to maintain authorization profiles. However, you can also change them manually. Each authorization object contains authorizations. These are grouped together in authorization profiles such that each authorization profile represents a job description, for example 'flight reservations clerk'. You assign one or more authrization profiles to each user master record. You can assign an authorization to as many authorization profiles as you like, and an authorization profile to as many composite profiles and users as you like. Composite profiles are used in manual authorization maintenance, and form a further division in the authorization structure. However, they are not strictly necessary.
                    User master record
                  Auth. profile  Composite auth. profile
             Authorization              Auth. profile
               Values              Authorization
                                 Values</b>
  plz reward if satisfied

• Necessary Roles/authorizations required to Userid for workflow assignment.

  Hi all,
  Am working on a Custom workflow assignment.
  This is the first time, customer is working on workflows in this system.
  Henceforth, we need to do basic setup/configuration, before starting actual work.
  I want to know, what all Roles/authorizations are required for my userid throughout the assignment.
  Currently, we have got,
  EXX_BC_SAP_ALL_RESTRICTED :: All authorization without basis
  SAP_BC_BMT_WFM_ADMIN::Administrator for Business Workflow
  SAP_BC_BMT_WFM_DEVELOPER::Developer for Business Workflow
  SAP_SWFMOD_ADMIN::Workflow Modeler Administrator
  Are these sufficient or do we need any other roles?
  With above authorizations, i am unable to access below mentioned t-codes,
  SWNCONFIG                     Extended notifications for business workflow
  SWU3                             Automatic Workflow Customizing
  SWWCOND_INSERT     Schedule background job for work item deadline monitoring
  SWWCLEAR_INSERT     Schedule background job for clearing tasks
  Pls let me know the role, i need to get for above t-codes.
  Kindly go thru your SU01 t-code & let me know what all roles are used in your workflow system.
  cheers.
  santosh.

  Hi,
  I recommend you to have roles related to SWLD tcode (SAP menu Workflow). The basis must know what are the exact names.
  These are some roles:
  SAP_BC_BMT_WFM_ADMIN                    --> Administrator for Business Workflow
  SAP_BC_BMT_WFM_CONTROLLER         --> Process Controller for Business Workflow
  SAP_BC_BMT_WFM_DEVELOPER                --> Developer for Business Workflow
  SAP_BC_BMT_WFM_GP_ADMIN                --> Role for Guided Procedure Business Workflow Administrators
  SAP_BC_BMT_WFM_GP_SERVICE_USER -->Service User for Guided Procedures Business Workflow API
  SAP_BC_BMT_WFM_PROCESS              --> Business Workflow Implementation Team
  SAP_BC_BMT_WFM_UWL_ADMIN              --> UWL: Administrator for Workflow Functionality
  SAP_BC_BMT_WFM_UWL_END_USER         --> UWL: End User for Workflow Functionality
  SAP_SWFMOD_ADMIN                              --> Workflow Modeler Administrator
  SAP_SWFMOD_TRANSPORT                         --> Access to transport manager
  SAP_SWFMOD_USER                              --> Workflow Modeler Administrator
  SAP_WF_ADMINISTRATION                         --> Business Workflow: Work for administrator
  SAP_WF_CONTROLLER                              --> Business Workflow:Work for process controller
  SAP_WF_EVERYONE                              --> Business Workflow: Work for Everyone
  SAP_WF_IMPLEMENTATION                         --> Business Workflow: Work for Implementation Team
  Regards,

• Restricting the ATP user for GATP - corrrect roles/authorizations

  Hi:
  If the dialog user that is used for the ATP check (from ECC to GATP) has more authorizations than needed and this is going to be a problem in production. The user can run SCM transactions from the results screen of ECC and this is not desirable.
  Therefore, the ATP user should be a restricted user that has only authorizations for this specific task. If you know what are the exact roles/authorizations to give to the ATP user, could you share them?
  Thanks in advance.
  Satish

  For R/3 please check OSS  Note 447543 - APO: Authorizations too comprehensive/not user-specific.
  "If it is necessary to have different authorization profiles in APO for different R/3 users when calling in APO, the following solution applies:
  Activate the setting in SM59 that is used for the RFC connection CURRENT USER.
  In the APO system, create the respective users and assign authorization profiles. This is necessary in order to achieve the necessary flexibility concerning authorizations in the APO system."
  For APO :
  AuthorizationsObject   C_APO_ATP in APO .
  please chose activity as per  user role.
  01       Create or generate
  02       Change
  03       Display
  04       Print, edit message
  06       Delete
  16       Execute
  39       Check
  Manish
  Edited by: Manish Kumar Rathi on Oct 21, 2008 1:24 PM

• Table for Role & Authorization group

  Hi Gurus,
  I am looking for a table or FM to get all roles for Authorization group.
  I tried in SUIM tcode but could not able to find exact DB table for these.
  Giri
  P.S.: To Moderator:
         My earlier thread was locked for the same question, I was searching in SDN and google from last 3 days and could not able to find enough information on it. AGR_USERS, TBRG, TACT are the tables i found. But still there is a link missed between Role & Authorization Group.

  Thomas,
  My report have selection screen with Auth group and user.
  If user provides Auth. Group then need to find all roles linked to auth group and users assigned to that role.
  In my investigation, there is link between Auth. Group <--> Auth. object.
  Also Auth. Object <--> Role.
  but still there is a fine link missing between Auth Group <--> Role.
  For Eg: Auth Object S_TABU_DIS will be associated to all Auth. Groups but assigned to only limited roles.
  I tried to debug the SUIM transaction multiple times but couldn't find the tables to find the link and not able to find the FM's.
  if anybody have any idea to find that link between Auth. Group & Role then it will be helpful....
  Giri

• "Low-level" authorizations for accessing BW reports - add users to role

  Using the advice in Topic "Low-level" authorizations for accessing BW reports, I have been able to publish a query to a role that has 3 test users and each user gets the same query but with different data, as determined in the tables.
  Is there a way to look up the users and e-mail addresses from a table and associate them to the role? We have several hundred e-mail recipients that will not need BW access, but only need an e-mail with a static report that contains data on their own territories.

  Hi!
  i think programatically it might be complex. You got to maintain a seperate variant of report per user and use this variant to send mail. that means you need to maintain a variant and a Broadcast setting per user. once maintained you can use it any number of times the values will be recalculated everytime.
  with regards
  ashwin
  <i>PS n: Assigning point to the helpful answers is the way of saying thanks in SDN.  you can assign points by clicking on the appropriate radio button displayed next to the answers for your question. yellow for 2, green for 6 points(2)and blue for 10 points and to close the question and marked as problem solved. closing the threads which has a solution will help the members to deal with open issues with out wasting time on problems which has a solution and also to the people who encounter the same porblem in future. This is just to give you information as you are a new user.</i>

• Need FM which create authorization for a Role

  Hi,
  i neeed to create authorization for the roles. can anybody tell me , is there any FM to create authorization for a Role.
  it is done through PFCG transaction.
  i need a FM which creates authorization for a Role.
  Thanks in advance

  Hi Sami
  Try this link.
  Re: Programatically create Security Profiles via BAPI/FM in R/3?
  Regards
  Neha