Roles in BW (Authorization Objects)

Similar Messages

• Role creation and authorization objects in sap

  Hi
  i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
  Please explain the process in detail the use of PFCG and all its options and how to create Z roles

  Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
  - Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.
  - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
  For e.g. If a user wants to create a PO we can restrict him on:
  u2022     Activity : Create/Change/Display
  u2022     Org elements like Company Code, Plant, Purchase Organization etc
  u2022     Document type etc.
  - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
  - Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
  - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
  - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
  - Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.
  Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

• Querying roles containing specific Authorization Object

  Hello!
  We're using BI7 with new considerations about security. I want to get all roles that contains a specific Authorization Object, I've tried using TX SUIM, but had no success.
  Is there any report, transaction or something else where to find this info?
  I hope you can help!
  Regards!
  Bernardo

  Bernardo,
  If "new security model authorization objects" means analysis authorizations (SAP's official naming for objects mantained by RSECAUTH), those used in roles can be retrieved again using tcode SE16: just query AGR_1251 but this time providing S_RS_AUTH for field OBJECT. The result set shows roles that contain analysis authorizations. If you want only the roles which have specífic analysis authorization, just provide its name for field LOW. Be sure to fill in this field with all capital letters.
  On the other hand table RSECVAL keeps the values defined for analysis authorizations.
  Hope this helps.
  Regards,
  Fernando

• Programmatically assigning Authorization Objects to roles

  Hi there,
  I have created an authorisation object with eight fields. The fields control which parts of my application are accessible to the user. (Each field is one category, each category has several subcategories).
  What I want to do is the following:
  There shall be a custom authorization dialog, wherein the system administrator can configure the access of the application for a specific user.
  In plain text: I want to develop an interface which makes it possible to assign authorisation objects with specific values to a user or to an already existing role.
  Is there any functionality, that allows me to perform this assignment and regenerate the users profile?
  I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just to write new values to that table has no affect to the authorization when calling "authority-check object" in an ABAP report.
  Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?
  Thank you very much,
  Gregor
  Edited by: Gregor Bender on Mar 11, 2008 8:41 AM

  >
  Gregor Bender wrote:
  > I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values.
  Nope, sorry, it's not the connection but only one of the many.... Roles and profiles are stored in quite a lot of different tables so manipulating one table directly will hardly ever get you the desired situation. It may even lead to problems due to inconsistencies.
  For mass regenerating profiles there's transaction SUPC.
  For manipulating the contents of roles/profiles have a look at scripting with SECATT or LSMW in combination with PFCG.
  If you want to write code to add objects to roles you have to look at least in tables AGR_1250, AG_1251 and AGR_1252. The UST* tables are updated when generating profiles and/or comparing users.

• Custom authorization object

  Hi all,
  I have created a custom authorization object to define a data security based on the Company code field.
  These are the steps I did:
  - I create a new authorization object containing the Company code field (BUKRS).
  - I create a new role with this authorization object, and I have assigned a specific value to the Company code field.
  - The role contains also the standard authorization object HR Master data which contains the field: infotype, personnel area...
  - I have assigned the new role to a user and I have executed a report, but I had not the expected result.
  - I had assigned the custom authorization object to the report transaction through SU24 and SU22, but I had not the expected result.
  As expected result I was expecting that the data are filtered based on the Company code I put in the authorization field.
  Any idea about the problem?
  thx!

  Please check that you have followed all of the steps listed here when creating your object:
  <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm">http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm</a>
  - April

• What is standard authorization object for  Personal development  P_PLOG

  Hi,
  Recently i got a object in HR and i dont have any experince in HR.Could you guide me how to asssign standard authorisation object for the personal development p_plog? how to see the infotypes and what is the header field in innfotypes?

  1-First of all the object is "PLOG"  for personal planning. There’s no object with  p_plog , most of time to maintain HR master we use object P_ORGIN.
  2- You want to assign authorization for certain infotypes?
  if yes, you have to go TR.PFCG  and assign the authorization to that specific role.
  Now you might have question , how you’ll will track down the roles against the authorization object .
  There’re several ways , you can go to Tr.SUIM and find reports by user , roles etc.
  You can also go SE16-> give table AGR_1251, give object and you can see the values in table.
  After finding the suitable roles you can go to PFCG and assign the values to the roles.
  As a good practice its better to create your OWN role Z:hrXXXX and assign it to users.
  Hope this’ll give you idea!!
  <b>P.S award the points.</b>
  Good luck
  Thanks
  Saquib Khan
  "Knowledge comes but wisdom lingers!!"

• Standard authorization object for Infotype 41

  hi
  Just wondering did anyone came across standard profile that can define access based on date types?
  thanks

  1-First of all the object is "PLOG"  for personal planning. There’s no object with  p_plog , most of time to maintain HR master we use object P_ORGIN.
  2- You want to assign authorization for certain infotypes?
  if yes, you have to go TR.PFCG  and assign the authorization to that specific role.
  Now you might have question , how you’ll will track down the roles against the authorization object .
  There’re several ways , you can go to Tr.SUIM and find reports by user , roles etc.
  You can also go SE16-> give table AGR_1251, give object and you can see the values in table.
  After finding the suitable roles you can go to PFCG and assign the values to the roles.
  As a good practice its better to create your OWN role Z:hrXXXX and assign it to users.
  Hope this’ll give you idea!!
  <b>P.S award the points.</b>
  Good luck
  Thanks
  Saquib Khan
  "Knowledge comes but wisdom lingers!!"

• Doubt regarding Authorization Object

  Hi All,
  I am not able to creat a Buiseness Agreement in CRM. Following is the error message which is getting displayed:
  The auothirzation check for object CRM_ORD_PR has sent back the return code 12. The activity carried out was to create.
  I checked my role and this authorization object is present with * (All) access.
  Please le me know how to correct this error.
  Thanks,
  Ritesh

  Hi,
  See the output in Su53 transacton once you get this error.
  Regards,
  Nirmal.K

• Is S_RFCACL a critical Authorization Object ?

  Hi All,
  As we know that S_RFCACL (Authorization Check for RFC User (e.g. Trusted System)) is required for having access to the trusted systems.
  In most of our roles for this authorization Object we have maintained the * value for the following fields:-
  RFC_SYSID
  RFC_TCODE
  This has been made as an observation by the auditors as having this critical access with the users.
  But my question is how can it be the critical access when the user should have id's in both the systems(trusted and trusting) to login to the called system.
  Also even if the user logs into the called system he will only be able to execute the list activities/t-codes that he is authorized to in that system, it will override the * value maintained in RFC_TCODE.
  What possibly could be the risk from this authorization object ?
  Regards,
  Parichay

  Parichay Jain wrote:
  In most of our roles for this authorization Object we have maintained the * value for the following fields:-
  RFC_SYSID
  RFC_TCODE
  This has been made as an observation by the auditors as having this critical access with the users.
  The object itself is certainly critical, but as you stated the trust itself has to have been setup at the system level for the authorization to be going anywhere.
  These two fields are in all honesty only irritating and you can successfully defend putting a * into them.
  RFC_SYSID values for a role means you unit test a role in DEV, integration test in in QAS and then use it live in PROD. Additionally the field RFC_INFO is actually the installation number and you can be fairly sure that will be the same in the landscape. So only adding the pairs of production system IDs means you cannot test the same roles, which is a bit silly.
  RFC_TCODE is even sillier. The generic RFCs for starting transactions (eg. ABAP4_CALL_TRANSACTION) check the transaction code themselves again and that is then user specific roles relating to their job functions. Restricting S_RFCACL additionally in a system role (eg. common role for all users) means that you must double-discriminate against all possible transactions which can be called via RFC and list them all there and maintain the list. But the check happens later again and the application authorizations in the transaction are generally checked as well. Waste of time.
  @ Alex: The RFC_EQUSER = Y field only means that if the calling and called user ID names are the same, then the field RFC_USER is not checked and therefore does not have to be maintained. But it is often misunderstood and the field RFC_USER gets a * value as well (which is where the real music is..) and the EQUSER setting has no further affect. Technically, it actually weakens the authority-check on the user field - which is correct because otherwise you have to maintain it and end up with personalized roles, which is most silly of all.
  So you can quite safely tell you auditor that Julius agrees with you and they are barking up the wrong tree..  :-)
  Cheers,
  Julius

• [SAP-PM] Restrict authorization object

  Dear All,
  Currently, I have some querries with authorization. Below are the details:
  1. Authorization Object : I_AUART --> Order type
  2. 2 roles use same authorization object (Let's say Role 1 and Role 2)
  3. One is to change and other is only display
  4. Let's say the order type are (I_AUART) : PM01 - PM05
  5. Role 1 (change) contains PM05
  6. Role 2 (Display) contains PM01-PM04
  And the question is:
  What should I do to assign that roles into one user name. In condition that the related user name only able to change order type PM05, and on the other side user still able to display all order types?
  Many thanks for your incoming advice.
  Kind Regards,
  MD

  hi
  while creating roles itself in the USER tab page assign this to the user id .after specified the user id then both the roles will be seen for that user id
  for other user create seprate role for diplay only for all order types and assign to the respective user id
  or use T code SU10 select the user id and specify the roles created for the respective user
  regards
  thyagarajan
  Edited by: thyagarajan krishnamurthy on Jan 15, 2008 4:07 PM

• How to authorization object S_TABU_LIN in BW/BI step by step

  Hi,
  I would like to use the authorization object  S_TABU_LIN in BI 7.0  step by step procedure.
  In what scenario we would use this object.
  We have a requirement  on F4 value restriction on query designer .
  When the user try to filter the characterstics in the esigner where is getting all the values,He is not suppose to get all the values in the filter condition the query designer.
  Some would advise me on the above requirment

  Hi,
  Standard Roles and Standard Authorization Objects
  SAP delivers standard roles covering the most frequent business transactions. You can use
  these roles as a template for your own roles.
  Refer the links
  www.scribd.com/doc/11546905/User-Roles
  www.sap.com/germany/about/company/revis/pdf/DS_Leitfaden_BW_en.pdf
  www.biavenue.co.za/downloads/3%20-%20BI%207%20Developers%20Guide.pdf
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30adcac6-7a55-2a10-9fa9-a61d947f6ec9
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e0a93c0e-3a98-2b10-55ae-8dbcbad61f8e
  Hope the above links will hwlp you
  Naresh

• Authorization object: S_TABU_LIN

  Hello to all,
  I have created an authorization on company code and everything works fine when i use the value for which the user is authorized. But the problem is, that the user sees all company codes.
  I know that it is possible that a user only sees the values of a master data info Object for which they have the authorization when pushing S_TABU_LIN authorization but I don't find how to applicate.
  Thanks in advance for any ideas.

  Hi,
  Standard Roles and Standard Authorization Objects
  SAP delivers standard roles covering the most frequent business transactions. You can use
  these roles as a template for your own roles.
  Refer the links
  www.scribd.com/doc/11546905/User-Roles
  www.sap.com/germany/about/company/revis/pdf/DS_Leitfaden_BW_en.pdf
  www.biavenue.co.za/downloads/3%20-%20BI%207%20Developers%20Guide.pdf
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30adcac6-7a55-2a10-9fa9-a61d947f6ec9
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e0a93c0e-3a98-2b10-55ae-8dbcbad61f8e
  Hope the above links will hwlp you
  Naresh

• Authorization Object inative in PFCG

  Hi,
  We created an authorization object for a Z BSP application that is used in htm page.
  When I try to create a role allowing that authorization object in PFCG, auth. object remains inactive and there is no possibility to active it.
  Does anyone knows how I can activate this object ?
  Many thanks.

  I was having the same problem. I was adding an auth object S_ASAPIA of class BC_Z to role (both manually or via Selection Criteria, the authorization is in the selection criteria list) but for some reason I could not make it active, the authorization is brought into the role as inactive. After some digging I realized the problem by looking up the authorization object in SU03. When I tried to check for authorizations associated with the authorization object in SU03 I got an error message:
  No fields have been maintained for this object
  Message no. 01231
  Checking table TOBJ I realized that this is not the only such problem:
  Here are 4 objects in my ECC system that have the same problem. ([ObjectID] [Object Class ID])
  K_ORGUNIT     CO
  S_ASAPIA     BC_Z
  S_RS_PPMAD     RS
  ZSTAT     BC_A
  I found these auth objects by searching for blanks in the field FIEL1 in table TOBJ.
  By the way I also found a number of objects that were not assigned to a valid Authorization Object Class. PFCG will not allow you to add these objects at all, even though they do exist in table TOBJ. ([ObjectID] [Object Class ID])
  CRMCONFMOD     CRM
  CRM_WSC     CRM
  CRM_WST     CRM
  PLM_LAYOUT     PLMB
  RSCRMBUPA     RSAN
  RSCRMEXTR     RSAN
  RSCRM_TG     RSAN
  RSDMEENGIN     RSAN
  RSDMEMBW     RSAN
  RSDMEMODEL     RSAN
  S_ESH_T_BG     TST
  S_ESH_T_MT     TST
  S_ESH_T_PR     TST
  I found these objects by copying all the classes in table TOBC and filtering out all the records in table TOBJ using exclude values in the field OCLSS. The resulting list is those objects not assigned to a valid object class.
  Note that most of this data was SAP delivered.
  Hope this helps to answer this Q.

• BI authorization objects not appearing in RAR, error while generating role

  Hi
  I am facing certain problems relating to integration of BI module version 7 with GRC Access Controls version 5.3 and support package 06. I am describing the problems in details below:
  (a)  In Risk Analysis and Remediation (RAR) component, I am creating Functions and
        Risks for Business Intelligence (BI) module. For that I have downloaded the
        descriptive text and authorization object data from BI development system and
        uploaded the same in RAR. Then I have created 2 Function Ids DBI1 (having action
        RSA1) and DBI2 (having actions RSA11, RSA12, RSA13, RSA14, RSA15) and 1
        Risk Id for BI (having Function Ids DBI1 and DBI2) in RAR. But when I checked
        the permission tabs of the Function Ids DBI1 and DBI2, I could not find any
        authorization objects for the actions in them.
  (b)  In Enterprise Role Management (ERM), when I am trying to create a Role TEST-BI
         in DBI 100 and I put the  BI transaction codes in authorization data , I get the
         authorization objects . Risk analysis is also being done successfully. But at the time
         of Role generation in background mode , it is giving an error message :
         Error generating role TEST-BI for system DBI 100: Unable to interpret * as a number.
         I am thus unable to generate any role in DBI 100.
  (c)  In Compliance User Provisioning (CUP), I have imported a standard role from DBI
        100. Then I have added Functional Area, Business Process, Subprocess  and
        Criticality Level to this role in CUP. But when I try to assign this Role to an user, it
         gives an error Error creating request. But requests are getting created and roles are
         being assigned to users in ECC development  systems using the same Initiator, CAD, stage
         and path.
  Can anyone please help me ?

  -

• Is there a Limit on number of authorization objects in a role?

  Hi all,
     Is there a Limit on number of authorization objects in a role because I am getting the following error.
  Authorization is full. Please enter fewer values
  Message no. 01262
  Diagnosis
  You have included too many values in an authorization.
  Procedure
  Please distribute the data to at least two authorizations and combine them in a profile.
  Thanks.

  Hello Neha,
  Message no. 01262 refers to the entered values in an authorization, not to the objects listed in the profile!
  So this message tells you, that you have to split the authorization, as the authorization contains too many values. It is not a quesiton of that you have entered too many different objects to the profile!
  Please refer also to:
  [SAP Note 410993|https://service.sap.com/sap/support/notes/410993]
  and
  [SAP Note 943796|https://service.sap.com/sap/support/notes/943796]
  b.rgds, Bernhard