Roles for Transaction

Similar Messages

• Authorization Role for S_ALR_87099918

  Hi all,
  I am not sure if this is the right place to post this one (if it is not, please tell me which one is, i have tried to search the forum, but can't seem to find the place to post about this "security" problem)
  Currently having a trouble while creating the authorization role for transaction s_alr_87099918 (primary cost planning : depreciation / interest).
  I have already maintained the authorization objects:
  -  A_A_VIEW and
  - A_PERI_BUK
  Checked with Su53, but no missing authorization object or anything
  While executing the transaction, the system said "no records were found", when i execute it with another ID, there are results. I have checked the parameter input-ed, both are already the same.
  I am wondering if anyone has ever experienced this before? 
  What can be the possible cause and the solution?
  Thank you so much
  Regards, Erwin
  Edited by: Erwin Hartono on Dec 3, 2010 9:39 AM

  Sorry, my deepest apologies, i think i found the right place to post this

• Role for a particular Transaction

  Hi,
     How will I know the role for a particular Transaction?
  like , I need to know the role of Transaction PFCG coz i dont have access to this Transaction now.....

  Vamsee,
  If you dwell down to the bottom of the access/authorizations/profile/roles etc what ever you call....you have something called authorizations.
  If you are talking about a particular transaction a custom one or a standard one, there is an auth. group assigned to it. Basis is the team which creates auth. objects and they create a profile which are infact added to the roles.
  These are the roles which are added to the user ids of the people using the system.
  Different roles which give us different authorizations to work with in the system.
  Hope I made my point clear.
  One more important thing is, you cant just ask basis to assign a particular profile or role which you might have found by some means like SU53. Because a tcode can be there in many roles or profiles. It is up to basis to decide what role they have to assign based on what authorizations you need. The profile or role which you might have found out may contain other auth's for other tcodes which basis may not want to offer.
  Thanks,
  Message was edited by: Naren Somen

• Roles for Contact Person in MM-SUS Scenario

  Hi !
  When we create a contact person using the Create user option in SUS, we assign the roles to the contact person. These roles are basically the standard SAP roles for SUS. We have created Z-roles ( a copy of the standard roles) to restrict cetain txns for users and would like to assign these Z-roles to the contact person . How can we ensure that the Z-roles are displayed instead of the standard roles ?
  Regards

  Hi
  <u><b>Please go through these complete SUS-MM Configuartion detail links, which will definitely help  -></b></u>
  <u>Roles:</u>
  SAP deliver standard roles with authorisations, if You want to maintain your own go to transaction PFCG.
  There are two type of role:
  - single role
  - composite role - (one or more single roles)
  To roles You can assign transaction codes, reports, URL links, etc. SAP System automatically creates the authorisations that you can set on Authorisations tab page.
  <u>Authorisation:</u>
  Authorization profiles must be generated before you can assign them to users. An authorization is generated for each authorization level in the browser view, and an authorization profile for the whole role as represented in the browser view.
  Re: Clarifications on EBP-SUS and MM-SUS Scenario
  Re: Cancellation from SUS hangs in XI interface
  Re: Vendor Replication in SUS scenario
  Re: SUS-MM for service items
  Re: Central Person already exists
  SUS and Central User Admin
  Re: User roles.
  <b>Please look at following links for Roles and Authorizations </b>
  <u>Links for user roles:</u>
  http://help.sap.com/saphelp_nw2004s/helpdata/en/52/6714b6439b11d1896f0000e8322d00/content.htm
  http://help.sap.com/saphelp_nw2004s/helpdata/en/42/271d24d86211d2961a0000e82de14a/content.htm
  http://help.sap.com/saphelp_nw2004s/helpdata/en/e4/15e48efd6c11d296430000e82de14a/frameset.htm
  http://help.sap.com/saphelp_erp2005vp/helpdata/en/d3/559a4271c80a31e10000000a1550b0/frameset.htm
  http://help.sap.com/saphelp_erp2005vp/helpdata/en/4e/52b74065448431e10000000a1550b0/frameset.htm
  <u>For profiles and authorisations:</u>
  http://help.sap.com/saphelp_nw2004s/helpdata/en/52/67151e439b11d1896f0000e8322d00/frameset.htm
  http://help.sap.com/saphelp_erp2005vp/helpdata/en/20/efcbfed8a511d397110000e82de14a/frameset.htm
  Regards
  - Atul

• Report to view all the Roles and Transactions assinged to a particular user

  Hi,
  I need to develop a report to view all the Roles and Transactions assinged to a particular user along with the Authorization values. So, if provide the Username, the report should be able to give Roles, Transaction Codes and the fields and thier authorization values for that TCodes..
  Regards,
  Sreenivas Raju

  Try this FM once - SUSR_USERS_LIST_ALV . It provides a list with Roles, Profiles, and also a detail button to check the authorization values etc.
  Also try this FM - SUSR_USER_DISPLAY_WITH_AUTHS, SUSR_USER_AUTH_FOR_OBJ_GET , SUSR_USER_DISPLAY_WITH_S_TCODE

• Authorization objects for  transaction, one to view, and one to maintain

  Hi all,
  My requrement is to create two authorization objects for  transaction, one to view, and one to maintain.
  I know how to create objetcs vai sm21, but i donot know how to crate objects with activity codes.
  Please suggest how to create object where i can asign activity codes.
  regards
  manish

  The Authorization Concept
  R/3 uses authorization objects to assign authorizations to users. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (eg. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (eg. Z_SCC20001).
  Authorizations may be classified as general authorizations, organizational authorizations or functional authorizations. General authorizations specify the functions a user may perform. Authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. The system checks for the useru2019s authorization to create general ledger accounts (Activity 1) in at least one company code. The system then checks whether the user is permitted to create accounts for the specified organizational unit (company code) and has the required functional authorizations. Authorizations in this case may restrict the user to certain Charts of Accounts. In addition, an authorization group may be defined in certain authorization objects to protect individual master records.
  Profiles relating to an organizational role (eg. General Ledger Supervisor) are defined consisting of a list of authorizations and other profiles. Such profiles are then assigned to users with that role and stored in their user master record along with other data (eg. password).
  Do check this link as well.
  http://articles.techrepublic.com.com/5100-10878_11-5110893.html

• Authorization access Issue for Transaction Codes PA10 to PA40

  Hi Experts,
  I have created Custom role for accessing ALL HR Transaction codes in IDES System and added to the user & Tested.
  All transactions codes are working fine except PA10,PA20,PA30 &PA40
  We have new installation of ECC6.0 (HR) IDES System.
  I am new to HR Security.
  Here anything needs to configure in HR System for accessing transaction code PA10 to PA40.
  Please help me regading this.
  Advance Thanks,
  BBC

  I have checked in SM01, Transaction codes PA10 to PA40 are not locked.
  We are facing two issues
  1) when accessing T- Codes PA10 to PA40, System showing message: You are not authorized to use Transaction code.
  Thatz the reason i suggested you to check with basis consultant. Becuas he is the power user he can only see that from his window all the autharizations
  May be you checked from your user your user might have autharization. that user  might be end user who getting msg might not have authorizatoins.
  2) function module : HR_READ_INFOTYPE.
  When Debuging this, It calls internal FM
  HR_CHECK_AUTHORITY_INFTY and returns exception
  no_authorization=1
  See this means that that user have NO autharizatoins
  Best Regards

• Authorization Issue for Transaction Codes PA10,PA20,PA30 &PA40

  Hi Experts,
  I have created Custom role for accessing ALL HR Transaction codes in IDES System and added to the user & Tested.
  All transactions codes are working except PA10,PA20,PA30 &PA40
  Please help me regading this.
  Advance Thanks,
  BBC

  Hi,
  I had check with basis Team, they told that I have all authorizations.
  This is New Installation for R/3 HR IDES System. even basis Team  also created role for above transaction code but not getting access.
  We can accesss all transaction codes except these.
  All are new for HR. here anything needs to  be configure for access PA10 to PA40 Transaction codes.
  Please advice me.
  Thanks & Regards,
  BBC

• No role for business system defined in SXMS_CONF_ITEMS

  Hi Experts.
  I have the following problem. We were set up the XI in our company and now we are trying to configure and run it propertly. We had some problems so far and now there is the next one: I configured the simple scenario FILE-XI-FILE but it doesn't work <b>:(</b>. Every step from the scenario was completed successfully (after some problems) but when I have started runtime Workbench (RWB) in order to monitor the functionality of XI and I choosed <b>Component Monitoring | Components | Integration Server | Integration Engine GPI</b> I see that I have an error in Self-Test Status | <b>Are roles in SXML_CONF_ITEMS and SLD consistent</b>? In detail it's <b>No role for business system defined in SXMS_CONF_ITEMS</b>. My business and technical systems look to be well configured but now I'm hopeless because I can't find nothing more specific about <b>SXMS_CONF_ITEMS</b> table. I tried some notes and threads from the forum but nothing helped me after all. So please help if someone has an experience with something similar. Any help will be appreciated. Thanks
  Ondrej

  Hi,
  The role of a business system is defined centrally in the SLD. However, you can overwrite this setting locally in the table SXMS_CONF_ITEMS.
  This test checks whether the role descriptions are consistent. If not, the locally defined role is used at runtime.
  Check in transaction SXMB_ADM -> integration engine configuration a parameter (Corresponding Integ. Server) if all parameters are correct n not lost.
  refer : http://help.sap.com/saphelp_nw04/helpdata/en/a5/1b5342d8a7be30e10000000a155106/content.htm
  Runtime Workbench - Integration Engine
  http://help.sap.com/saphelp_nw04s/helpdata/en/70/58b43be7492354e10000000a114084/frameset.htm
  Regards
  Aashish Sinha
  PS : reward points if helpful

• Not Able To Find a Role For a specific Tode

  Hi Experts,
  I am trying to search a tcode.I have used as many ways as i could.
  1.Thru SUIM- Roles by transaction code.
  2.Thru SUIM- Roles by authorization value.
  3.Thru Table AGR_TCODES
  4.System trace
  5.Performed user comparision for all roles contain in my buffer.
  Also, I have checked in SE97 to check wheather there is any indirectly calling transaction code against it, but recieved no success yet.
  However ,my Colleague is able to perform that Txn.code without any authorization error.We both have exactly same roles.In my case, it is throughing missing authorization error.The Txn. code is /n/VIRSA/ZRTCNFG.
  Kindly help me inresolving the issue.
  Regards,
  Mukesh

  Hi,
  This TCode is available if your system has the GRC CC5.2 RTA. If you cann't find out the TCode in normal way (as used to do in every cases, for e.g. SUIM -> Roles by TCode assignment), please go to TCode SE84, then "Other Objects" -> Transactions. Put TCode "/VIRSA/ZRTCNFG" in the Transaction code field and execute.
  Now you can find out further to find out other related TCodes (VIRSA) corresponding to the same package (/VIRSA/RT).
  1. Go to SE16 -> table TDEVC -> put the package name and get the list.
  2. Go to SE80 -> put the package name (by selecting option "Package") and click on the Display button -> then expand the drop down "Transaction"
  FYI: This TCode is used to configure GRC Risk Terminator
  Now coming to the question, how to find out the role? The answer is very simple: You may not have the TCode /VIRSA/ZRTCNFG assigned to any role in menu (and listed in S_TCODE). Still the access to the TCode is granted due to "variable" or "range" entry in S_TCODE.
  Hope the answer is clear. Else, please let me know.
  Regards,
  Dipanjan

• Authorizations for transactions MIR6/MIR4

  Hi All,
  Need help to setup a security rights for transactions MIR6/MIR4.
  Here is the situation:
  We have setup an user profiles which allow the users to access
  transaction mir6 (provide a list of Invoide Documents(BELNR)which will
  lead into transaction MIR4, but we only want this group of users have
  the ability to Held the document NO POSTING RIGHTS. I have set user with role:
  MM_RELEASE_INVOICE users can access
  Please advice on how to go around with this security problem.
  Thanks in advance.
  Srii...

  Hi,
  one possible solution (though not tested personally) is via
  badi INVOICE_UPDATE and method CHANGE_AT_SAVE.
  Within this method you can do something like:
      CHECK sy-tcode = 'MIR4' OR sy-tcode = 'MIR6'.
  * Get OK-CODE of the main window
      CONSTANTS: c_okcode(17) TYPE c VALUE '(SAPLMR1M)OK-CODE'.
      FIELD-SYMBOLS: <fs_okcode> TYPE ANY.
      ASSIGN (c_okcode) TO <fs_okcode>.
      DATA: l_okcode LIKE sy-ucomm.
      CLEAR l_okcode.
      l_okcode = <fs_okcode>.
  * Read user authorizations with FM
  * SUSR_USER_AUTH_FOR_OBJ_GET
  IF USER NOT ALLOWED.
  * Do not allow posting
        CASE sy-ucomm.
          WHEN 'BU'.
            CLEAR <fs_okcode>.
            MESSAGE e061(zxxx) RAISING error_with_message.
        ENDCASE.
  ENDIF.
  Best regards.
  Edited by: Pablo Casamayor on Oct 31, 2008 7:51 PM

• Inconsistencies in P_ORGIN for Transaction code PU00

  Hello Gurus,
  I am getiing a inconsistancy error in the auth object P_ORGIN when I try to add a tcode PU00 and while going into the authorization tab.
  I understand that this need's to be corrected in SU24 for the tcode PU00 and deleting the proposed values and saving the settings then modifying the role and then changing back to the previous authorization values. I checked that the tcode PU00 has these values currently.
  P_ORGIN     AUTHC     M
  P_ORGIN     AUTHC     R
  P_ORGIN     AUTHC     W
  P_ORGIN     INFTY     
  P_ORGIN     PERSA     $PERSA
  P_ORGIN     PERSG     
  P_ORGIN     PERSK     
  P_ORGIN     SUBTY     
  P_ORGIN     VDSK1     $VDSK1
  Please let me know if I need to delete all these values then save the settings and then modify the role. I see that it prompts a workbench request for this changes.
  Regard's,
  Salman

  Hi Salman
  Yes, you would need to delete the objcet P_ORGIN and add it back with the same values as listed. It will promt you to create a workbench request. Once changes are done you can go to the role in transaction PFCG and authorization tab go to "Expert mode for Profile Generation" and check on "Read old status and merge with new data" to import the changes in the role.
  Once the changes are done in the role, generate the role.
  Thanks.
  Anjan

• Investigate - ECC roles for retirement.

  I am trying to investigate and find roles that can be retired in the ECC system. How do I come up with a list of roles that are ready for retirement (due to unuse or wrong naming convention, etc,etc)?
  What are the questions I should be asking?
  I have tried to follow the below approach, but it doesn´t seem to be effective enough:
  note- From hereon, when I mention roles, it means Z-Roles only.
  Please find the method I used to analysis the issue below:
  Requirement:  Investigate - ECC roles for retirement.
  (Self made points below)
  1. Document all roles in ECC, that have never been assigned to any user.
  2. Document all the roles in ECC, that do not have any users assigned to
  it since atleast one year.
  3. Document all the roles in ECC, that are forbidden to be assigned to
  any roles.
  4. Document all the roles in ECC, that do not follow the standard naming
  convention defined by the organisation.
  My question - Should I extend this list?
  Analysis:
  Transactions used extensively during analysis:
  SE16 Data browser
  SUIM User Information system
  S_BCE_68001425 Roles by Complex Criteria
  PFCG Role Maintenence
  Tables user extensively during analysis:
  AGR_AGRS  Roles in Composite Roles
  AGR_DEFINE  Role definition
  AGR_USERS  Assignment of roles to users
  Actions taken, to reach the solution:
  1. Single Roles - Without assignment in the last one year ( There has been no user assignment to these roles for atleast one
  year and no changes have been done to the role during this time.
  These roles are currently without any user assigned to them.
  2.Forbidden roles: These roles are not to be assigned to any users and it
  can be strongly recommended that they should be retired.
  There are currently no user assignement for this roles.
  3. Wrong Naming convention :  Roles that donot follow the
  standard role naming conventions (as defined). These roles should be
  retired.

  Hi..
  Last month we did this clean up activity. But after a lot of meandering here and there, like what has been stated, finally i decided to take help of the functional consultants of each module of SAP and removed all unwanted roles - from end users. It was a massive exercise, esp when roles were assigned indirectly,  but finally we could clean up a bit.
  But for some reasons, the back end team has kept the roles on the system and roles have not been deleted or completely removed from the system itself. May be as part of 2nd phase of clean up, we would do that.
  And also that was the reason why we felt - as to whether it is ok, to make any role as non-editable, and identify it, all those roles in one go, for a direct clean up at a later date. But I was not able to categorize that way.
  In case you have some other better ideas of cleaning up the system completely, please share your thoughts too. It would be very helpful.
  Thanks
  indu

• Creating several roles for one partner

  Hi everyone !
  I have created a partner with a role (=employee) . Then I wanted to create a second different role  ( = physical person)   for that same partner, but when I try to save the role in BP, I get an error message ;
  the message is "Enter at least one tax number for the business partner"
  Normally there is no tax number requirements for physical persons, only for organizations, so I don't understand where that message comes from. Is it due to the fact that I tried to create 2 roles for the same partner?
  Any helpful hints on this will be rewarded !
  Many thanks.
  C.K.

  Hi,
  Its definitely not because of 2 roles . You can assign as may roles. This message is because in the customzing there must be some setting for physical person role.
  You can get rid of this by follwoing steps
  go to transaction spro
  Cross application components->sap business partner -> business partner ->field grouping -> configure field grouping per role. Double click on the role Physical person. Double click on dataset BUTC01.  On the right side choose the radio button hide or optional. Now the message will not come.
  Wram regards,
  Smita.

• Roles for MSS Reports

  We are having some authorization issues with MSS reports. When we try to display the report from MSS , It says no authorization for transaction (name). When we give SAP_ALL to the manager at the backend, it works fine from MSS side. Please suggest if we are missing some thing. What are the standard MSS roles for the reports.
  Thanks

  Hi,
  The MSS reports must have some Program name, say REPORTX or it may be called by some transaction.
  Add the report name to the auth object P_ABAP for the MSS role or add the transaction name to the authorisation object S_TCODE and P_TCODE.
  Either way, the problem will be resolved.
  Or you can remove the SAP_ALL from the manager profile; Login with the userid of the manager. Try to run anyone of the reports and then after it throws the missing authorisation error, type in /nsu53 in the transaction bar and trace the missing authorisation. Accordingly add the same to the managers role.
  Thanks and Regards,
  Pinki