Roles with different Authorizations

Hi,
Can anybody explain what happens if a user is assigned to two
roles, where one role has display authorization and the other
has display and change authorization?

Hi,
In simple terms, authorizations are the union of the accesses to objects available in the different roles.
That is why you need to use the SUIM transaction to find overlapping authorizations while implementing security in an organization.
Award points if helpful.
Thanks
Vijay
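
The union behaviour described in the answer above, as an added example that is not part of the original thread: a simplified Python model of how a check is evaluated for a user holding a display role and a change role. The role names and the CUSTTYPE value 'P' are constructed for illustration; S_TRVL_BKS, ACTVT and CUSTTYPE come from the AUTHORITY-CHECK example further down the page, with ACTVT 02 = change and 03 = display.

```python
"""Simplified model of an SAP authorization check across several roles."""

ANY = "*"  # wildcard field value

# Constructed sample roles (hypothetical names). Each role holds authorizations:
# (authorization object, {field: set of allowed values}).
ROLES = {
    "Z_TRAVEL_DISPLAY": [("S_TRVL_BKS", {"ACTVT": {"03"}, "CUSTTYPE": {ANY}})],
    "Z_TRAVEL_CHANGE_B": [("S_TRVL_BKS", {"ACTVT": {"02", "03"}, "CUSTTYPE": {"B"}})],
}


def user_authorizations(role_names, roles=ROLES):
    """A user's authorizations are the union of those in all assigned roles."""
    return [auth for name in role_names for auth in roles[name]]


def authority_check(role_names, obj, roles=ROLES, **wanted):
    """True if at least ONE authorization for obj covers ALL checked fields.

    Authorizations are OR-ed with each other; the fields inside a single
    authorization are AND-ed. Field values are never mixed across roles.
    """
    for auth_obj, fields in user_authorizations(role_names, roles):
        if auth_obj != obj:
            continue
        if all(ANY in fields.get(f, set()) or v in fields.get(f, set())
               for f, v in wanted.items()):
            return True
    return False


def overlapping_grants(role_names, roles=ROLES):
    """List (object, field, value, roles) granted by more than one role.

    Compares literal values only; wildcard coverage is not expanded.
    """
    seen = {}
    for name in role_names:
        for obj, fields in roles[name]:
            for f, values in fields.items():
                for v in values:
                    seen.setdefault((obj, f, v), set()).add(name)
    return sorted((o, f, v, sorted(r))
                  for (o, f, v), r in seen.items() if len(r) > 1)


if __name__ == "__main__":
    both = ["Z_TRAVEL_DISPLAY", "Z_TRAVEL_CHANGE_B"]
    # Change for business customers: granted by the change role.
    print(authority_check(both, "S_TRVL_BKS", ACTVT="02", CUSTTYPE="B"))
    # Display for private customers: granted by the display role.
    print(authority_check(both, "S_TRVL_BKS", ACTVT="03", CUSTTYPE="P"))
    # Change for private customers: no single authorization has both values.
    print(authority_check(both, "S_TRVL_BKS", ACTVT="02", CUSTTYPE="P"))
    print(overlapping_grants(both))
```

The third check fails even though ACTVT 02 and a wildcard CUSTTYPE both exist somewhere in the user's roles, because they sit in different authorizations.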

Similar Messages

  • Reg: Mass generation of roles with open authorization

    Hi,
    Is there an option to mass generate roles with open authorizations?
    It would be helpful if there exist some transactions or reports that would help in doing so, unlike CATT scripts or batch sessions.
    Regards,

    Hi Arravind,
    Why can't you correct the roles by filling up those open fields? I guess you can create a CATT script to achieve your objective, but I suggest it is better to check why there are open fields in the role than to generate them blindly.
    Do let us know if you need any more information from our side. If you want to know how to create a CATT script then search for it in SDN/Google; you will surely get your answer.

  • Two user with same profile and role having different authorization

    Dear All,
    I have a very strange case of authorization. We have a new ABAP developer in our company. Her profile was copied from an existing ABAP developer's profile in the Development system. But she doesn't have authorization for a lot of transactions that the existing user has. I checked the profile tabs and role tabs, then did the user compare for all the roles, but to no use.
    I did a compare of the two users using S_BCE_68001430 and could see that the existing ABAP user has authorizations starting with T_PXXXXXXXX that are giving him extra rights. These authorizations are not present in any of the existing roles he is assigned to (checked using S_BCE_68001396). The authorisations in the roles start with T-DXXXXXXXX.
    I will appreciate it if anyone can give any input. The problem is I need to manually assign each authorisation the existing user has to the new user.
    regards
    Tony

    Thanks for the mail.
    I checked the "Reference User for Additional Rights" -- there is no reference user assigned.
    I checked the table USR04: the number of profiles for the two users is different, and in the table UST04 the existing user also has additional profiles.
    I would like to add one more point: some of the roles of the two users are composite roles, and both the composite and its original roles are included in the profile of both users.
    Does anyone have an idea about the authorisations starting with T_PXXXXXXXX?
    regards
    tony
    MANDT BNAME          PROFILE    
    100   CHARLHO        B_LSMW_ALL 
    100   CHARLHO        T-D1780054 
    100   CHARLHO        T-D1780057 
    100   CHARLHO        T-D1780058 
    100   CHARLHO        T-D17800581
    100   CHARLHO        T-D1780075 
    100   CHARLHO        T-D17800751
    100   CHARLHO        T-D1780086 
    100   CHARLHO        T-D17800861
    100   CHARLHO        T-D17800862
    100   CHARLHO        T-D17800863
    100   CHARLHO        T-D17800864
    100   CHARLHO        T-D1780087 
    100   CHARLHO        T-D1780088 
    100   CHARLHO        T-D1780247 
    100   CHARLHO        T-D1780304 
    100   CHARLHO        T-D1781182 
    100   CHARLHO        T_P0920411 
    100   CHARLHO        T_P09204111
    100   CHARLHO        T_P092041110
    100   CHARLHO        T_P09204112
    100   CHARLHO        T_P09204113
    100   CHARLHO        T_P09204114
    100   CHARLHO        T_P09204115
    100   CHARLHO        T_P09204116
    100   CHARLHO        T_P09204117
    100   CHARLHO        T_P09204118
    100   CHARLHO        T_P09204119
    100   TESTUSER2      B_LSMW_ALL 
    100   TESTUSER2      T-D1780054 
    100   TESTUSER2      T-D1780057 
    100   TESTUSER2      T-D1780058 
    100   TESTUSER2      T-D17800581
    100   TESTUSER2      T-D1780075 
    100   TESTUSER2      T-D17800751
    100   TESTUSER2      T-D1780086 
    100   TESTUSER2      T-D17800861
    100   TESTUSER2      T-D17800862
    100   TESTUSER2      T-D17800863
    100   TESTUSER2      T-D17800864
    100   TESTUSER2      T-D1780087 
    100   TESTUSER2      T-D1780088 
    100   TESTUSER2      T-D1780247 
    100   TESTUSER2      T-D1780304 
    100   TESTUSER2      T-D1781182

  • Built a new role with DISPLAY authorizations in MM

    Hi All,
    I have been given a task to create a role for MM (Materials Management) Display only.
    What I have done is created a role from PFCG, and in the menu tab I selected copy menus from the SAP menu, and now I have to maintain authorizations.
    When I go to the authorizations tab and change role authorizations there are so many objects that need to be maintained, for example Basis, Controlling, FI, MM, PM, SD.
    Can someone please tell me what needs to be maintained and what tcodes need to be assigned to this role (for MM)?
    Many thanks for your time and help.
    Haven't been given any tcodes****
    Kind Regards,
    Vamsi.
    Edited by: vamsi koganti on Apr 8, 2008 5:53 AM

    Hi,
    Depending on what t-codes you defined, the object class and authorization objects may vary.
    There is no exact predefined template for your purpose, but common authorization classes that relate to MM are:
    MM_B
    MM_D
    MM_E
    MM_G
    MM_L
    MM_R
    MM_S
    MM_W
    Any other object class, for example SD for SD modules, depends on the t-codes that you have assigned.
    If you don't understand what value is to be set, ask your BASIS or other functional; if they don't understand either, try to inactivate it and try to log in. If you are facing an unauthorized one, try /nSU53 to determine what authorization is missing.
    rgds,
    alfonsus guritno

  • Different authorizations for a Dashboard in a SAP NW BW Portal

    Hi everybody,
    we would like to use BO Dashboards / Xcelsius in our company. Everything is fine and the dashboards are looking fantastic. Since we would like to publish them on our SAP BW portal I have a question. Given a dashboard with a SAP NW BW connection that is published as an iView in the portal. And we have users with different authorizations. For example there is user A with the authorization to see data from a BW query for departments ABC and there is a second user X with the permission for dept. XYZ.
    Is it possible to configure the connection / dashboard in a way that only the data is used for the dashboard in dependence of the authorization at the SAP portal?
    Thanks for your help!

    Hi,
    The person who creates the dashboard should have a BW ID which should have access to all the data required for the dashboard as well as access to the EP portal. Else he won't be able to test and validate the dashboard once the development is done.
    If the BW IDs belonging to the users with which they will access the dashboard are already created or need to be created, then you can ask the authorization team to extend these IDs to the EP System as well as provide the necessary BW roles, i.e. access to the related queries and info providers. Once this is done they will have access to the EP portal as well as the dashboard, and the data displayed will be based on the roles provided to the ID.
    For example User A will only see departments A-D and User X will see departments X-Z. You need not write logic for Dynamic Visibility as such for this. Once the roles are assigned to the users they won't be able to see any other data apart from the ones assigned to their IDs.
    Thanks & Regards,
    Arjun.C.T

  • Role with SPRO for FICO

    Hello SAP Experts,
    Can anyone tell me how to create a role with SPRO authorization for FICO transactions and roles only. I need to assign a role with which a FICO consultant can do all the customizing related tasks in the development server. Please give some solution.
    I invite your valuable inputs
    Thanks & Regards
    Vanitha
    Edited by: Vanitha badampudi on Oct 21, 2008 1:33 PM
    Edited by: Vanitha badampudi on Oct 21, 2008 1:36 PM

    Hi there,
    The easiest way to get all of the t-codes, is for a customising project to be created in the IMG with all of the relevant IMG activities assigned to it.  (Your FI CO consultant can assist here.)
    Once that has been done, you can go and create a role in PFCG.  Select the menu tab, then select Utilities - Customizing Auth. and it will then ask you to select a customising project.
    Once you've done that, all IMG activities and transactions for that customising project will automatically be entered into the menu.
    You then need to go and maintain and generate the authorisations.
    That's my suggestion.
    Hope you can use it.
    Regards
    Lucille

  • Problem with branch authorization scheme

    Hello,
    I am trying to use 2 non-conditional branches (on submit, after processing) with different authorization schemes (the first one should be executed for USER, the second for ADMIN). But it doesn't work: the branch with the smaller sequence number is executed in spite of the fact that the user has no right because of the authorization scheme of this branch (the second one should be executed for this user).
    Why does this happen?
    Regards,
    Nikolay

    We use our own installation of HTML DB, so it is not on the Oracle site.
    The first branch (which is executed in spite of authorization) sets a page item using the value of an item which is not accessible for this user (using the same authorization scheme as the branch). Therefore this value equals null (we don't set up this item for this user) instead of using another branch with another value.
    Thanks.
    Nikolay

  • Assigning different authorizations inside a role to different users

    Hello,
    Could someone please guide me to how can we assign different authorizations (authorizations field values) for an authorization object inside a role to different users; i.e. in the role maintenance transaction (pfcg) after we create a new role and add an authorization object to it, if this authorization object has several authorizations (authorization field values), and if I need to add two users to that role, how can I assign to one user an authorization different from that assigned to the other user ?
    Thank you in advance.
    Best regards.
    Reda Khalifa
    IT Department - Almansour Automotive Group - Egypt

    Hi Reda,
    That documentation complicates the subject slightly as it is talking about principles that are at a lower level than the usual role level.
    We have 1 authorisation object - S_TRVL_BKS
    Authorisations have been created for this object, called S_TRVL_CUS1 and S_TRVL_CUS2
    In this context, an authorisation is an instance of an authorisation object that has been populated with data.
    Before the profile generator you used to create authorisations (auth objects populated with data) and assign them to profiles which are then assigned to users.
    In this example 2 profiles would be needed
    Profile1: S_TRVL_CUS1 and S_TRVL_CUS2
    Profile2: S_TRVL_CUS2
    Miller would be assigned profile1, Meyers would be assigned profile2
    The profile generator allows us to easily build authorisations and profiles and packages them up in a role.  This way, we can assign transactions and authorisation objects into a role, populate the authorisations (which is what we do in the authorisations tab in the role) and automatically create the profile.
    The example in the documentation is still valid because it requires 2 separate authorisations (and therefore profiles and roles) to be assigned to different people.  Unfortunately this is not explained very well in the documentation.
    I hope that makes sense, roles are static and the permissions that they give do not vary dynamically.   In BW we can use variables to do something similar and to some extent structural authorisations in HR work dynamically however this doesn't apply to R/3 or ECC.  (it can be done in some cases but costs many, many £££/$$$'s)
    Please let me know if you want me to elaborate further on this
    Cheers
    Alex

  • SECATT - Mass creation of users with different assigned roles

    Hello! I've been tasked with creating an eCATT to do a mass creation of users and each user will have a different role assigned (besides the general roles). We're doing this to test out the different roles we have created. I've done some searching through the forums and found some different ideas but I'm not sure they are exactly what I need. One suggestion was to use SU10 to make the role assignment but I'm guessing I would still need to set up a parameter for each role so I would initially need to know how many roles would be entered. I would like for the eCATT to be able to handle assigning multiple roles to a user with each user possibly getting a different number of roles. Would anyone be able to suggest a way to assign different roles to different users through an eCATT?
    Thank you!

    Hi Wendy,
    To create users, maybe SU01 or SU10 can be used.  To assign users to a role, maybe you can try with PFCG.
    SU01 and SU10 have the view from the user - for each user, different roles can be selected and assigned to that user. 
    PFCG has the view of roles - for each role, different users can be selected and assigned to that role. 
    Hence if you know which roles should be assigned to which users, PFCG might be easier.
    Hope such information is helpful for you.
    Kind Regards, Qian

  • Transport roles and analysis authorization with user assigned

    Hi expert,
    I am facing this problem: transporting roles and analysis authorizations with users assigned. When I created a transport request to move the roles and analysis authorizations from the development system to the test system, I couldn't maintain the user assignments. After the transport I have to assign all of the users manually, or create a program to fill the AGR_USER table, or is there another way?
    Thanks for your time,
    Luis

    Hi,
    In role administration, you have the following options for transporting roles:
    You can download the roles from one system and upload them into another  
    You can import the role from a remote system using RFC  
    You can transport the roles with the transport function.
    Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
    Transporting Roles with the Role Transport Function
           1.      Start the role administration function by choosing Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG).
           2.      Enter the role to be transported and choose Transport Role.
    The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
    You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
    For more information go through the link below
    http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
    Regards,
    Marasa.

  • Use of default XACML with custom role mapper and authorization provider

    Hi,
    Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
    My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
    Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?

    I see 2 approaches. First, write a custom authenticator that stores the role information in the subject either by creating a custom java.security.Principal that is stored in the Subject or by saving it in PrivateCredentials of the Subject. Then write a custom role mapper that knows how to get the role information from the Subject and return a role Map. The default XACML Authorizer will then work with the role information in the role map.
    Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
    The chosen approach depends on where you're getting the role information from.

  • Call logical links with different enhancement sets on the same business role

    Hello,
    I am trying to create a business role that contain logical links with different enhancements. I know how to choose an enhancement for the business role but I can't find a way, if possible, that one business role does it.
    I know how to give an option to choose different roles for the same user, i'm looking for a way to do this in the same window
    Thanks,
    Noa

    does not matter anymore

  • HELP!! Authorization in the same laptop with different operation systems

    My BF installed the Win 7 operating system on his laptop yesterday and re-authorized it when he used iTunes. However, when he finished authorization, a dialog box showing that "*Including this one, you have authorised two computers out of your available 5*" appeared; what's worse, when he connected his iPhone to the laptop, it deleted all the bought apps on the iPhone, instead of synchronizing.
    I also want to install the Win 7 operating system, but I'm afraid that the same thing would happen again (to my iTouch).
    We're quite confused about why the authorization on the same laptop with different operating systems is counted as two times. Friends who know, please tell us whether this is the case. If not, please tell us how to deal with it, as we frequently re-install the operating system for quicker operation.
    Message was edited by: Shiwen

    It's the *operating system* that is authorised, not the particular user profile or the hardware. Before upgrading/reinstalling deauthorise and you won't run out...
    tt2

  • Authorization object with no authorization field

    Hi Experts,
    I have created an authorization object with no field checking.
    Is this possible? Because I want to create this auth object for conversion only, and it does not need field checking.
    Please advise.

    Hi
    See this and do accordingly
    In general different users will be given different authorizations based on their role in the organization.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    Use SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>
    ID <authority field 2> FIELD <field value 2>
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is an auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to the SU21 Transaction where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG where you can assign these authorization objects and TCodes to a profile, and that profile is in turn attached to a particular user.
    Take the help of the Basis guy and create and use.
    Regards
    Anji

  • Not clear with the Authorization concept for Marketing Plan

    Hi All,
    I am new to CRM and was going through some of the prescribed documents for CRM marketing
    when I encountered the authorization concept in the marketing plan. For example, how
    can I restrict a user with a campaign manager role from changing a marketing plan? Please
    provide the step by step procedure.
    Regards,
    Sanju

    Hi Sanju
    User with a campaign manager role can be restricted for changing marketing plan using authorization group.
    We define authorization groups for use in the Marketing Planner. Authorization groups can be maintained at both marketing plan level and campaign or trade promotion level. Authorization groups enable us to control which users are authorized to change which of these two types of marketing project. We could, for example, define one authorization group to be assigned to a marketing plan, then define further authorization groups to be assigned to the different campaigns within the marketing plan. In the Marketing Planne.
    Follow below steps
    1. Define authorization group using following IMG Path
    Customer Relationship Management / Marketing / General Settings / Define Authorization Group.
    2. In authorization object CRM_CPGAGR of the role Campaign manager maintain activity 01, 02, 03, 06 (this will allow the user to create, change, display and delete)
    3. The IMG defined authorization group, e.g. ABC, can be seen under the tabstrip Basic Data of the marketing plan.
    4. Now the user has to choose the Authorization group ABC from the drop down in the Basic tab to create a marketing plan. The user will get change access for all the marketing plans which have the authorization object ABC.
    Hope this will help...
    Rgds
    Mallikarjun
