S_TCODE..TCD..FROM..TO

When in the role maintence, if we do a search for the S_TCODE object we hit it. no wwhen we double click we get the box which states the tcodes executable. my question is :
1. What does the From and To coloumns mean?
Is it a range of tcodes? does ti differ if I give one below the other?
Thanks

Do you mean
From - To
AC05 - AS00
AS03 - F-01
If yes then it means All tcodes falls under this range will be included.
eg
1. AC05, AC06, .... ACZZ, AD01, .... ADZZ, ..... AR00,....,ARZZ, and AS00
2. AS03, AS04,..... ASZZ,AT00,...ATZZ, AU,...AZ,B....... E and F-01
So from Rance AC05 to F-01 excluding AS01 and AS02.
***Rewarad the points if it is helpful****
-Pinkle

Similar Messages

How to migrate Master Data (Rule set etc.) from GRC 5.3 to 10.1 without using the "Migration Tool"

Greetings,
We are currently on GRC 5.3 SP 18 (Java ONLY) and migrating to GRC 10.1. I referred the Migration Guide which outlines that GRC 5.3 needs to be upgraded to SP 20 as pre-requisite for using the "Migration Tool" . Our BASIS team is reluctant to perform this upgrade from SP 18 to SP 20.
Having said thus, I'm exploring options of migrating data from 5.3 to 10.1 without using the "Migration Tool:.
Rule set Migration:
I'm in the process of preparing the 9 different files (listed below) and later utilize the "Upload Rule" option for migrating the Rule set data from 5.3 to 10.1.
While I'm able to gather data for most of the files I'm not sure how can I obtain the data pertaining to the two files (Function Actions and Function Permissions) underlined and highlighted in Red below.
1. Business Process
2. Function
3. Function Business Process
4. Function Actions
5 .Function Permissions
6. Rule Set
7. Risk
8. Risk Description
9. Risk Rule Set Relationship
10. Risk Owner Relationship
Can someone please enlighten me and share their experience with regards to this exercise. Really appreciate your help !
- Janantik.

I have done this successfully before. Because you are having issues, I would NOT recommend using the migration tool to move the ruleset. Instead:
1. Download the ruleset files from 5.3
2. The 5.3 tcode-permission file, which defines which tcode permissions from SU24 need to be checked during risk analysis, needs to be split into the two files you mention above in red.
FUNCTION_ACTION : this file represents S_TCODE objects and TCD fields mapped to each function (Function to Tcode relationship). In the 5.3 file, you will filter on object S_TCODE and field TCD, and you will get a complete list that now represents "FUNCTION_ACTION". BUT instead of having all the jumbled permission info, you will just have 3 columns: Function - Tcode - Status.
3. The remaining permissions that are left over, after taking out the S_TCODE -TCD items, represent the "FUNCTION_PERMISSION" file in GRC 10.
4. Manually create the excel spreadsheets for each file.
5. Copy and past each sheet to a unique .txt file.
6. Upload the ruleset manually through SPRO-->GRC-->Access Control-->Access Risk Analysis-->SoD Rules-->Upload SoD Rules.
7. Select each file and then upload to the correct Logical Group.
This is a huge pain, but it works. Let me know how this goes and if you need any assistance.
-Ken

Open field in object S_TCODE

I've deleted a tcode from a role in menu tab. Now when I look at the object S_TCODE in the role it has an open(blank) field. I cannot delete this blank field from the object as S_TCODE shows up only in display mode though you enter the role in change mode. Further I do not see this blank field in the menu tab assuming that the blank field might got transfered from the menu. Please suggest how to remove the blank field from the object?
Thank you,
Partha.

Hi,
I had some similar issues already. The yellow status of S_TCODE came from a blank entry in the menu. If the menu is big, its hard to find that entry, which has to be removed from the roles menu. As a workaround to identify that 'blank' entry check table agr_hier for that role. Select Reporttype=TR and Report= (means leave the field empty and set as operator '='.
In the field Parent_ID you can identify now the node under which this entry is located and with the OBJECT_ID you can find the text in table AGR_HIERT (with that text you can use the search function in pfcg to find that entry(ies).
Then simpyl delete these entries from the menu and merge the authorizations. S_TCODE shall be 'green' afterwards.
b.rgds, Bernhard

How to prevent a portal user from using the BEx Analyzer ?

Hi,
we have different type of users : most users may use the portal as well
as the analyzer ;
we have one special user with extended authorizations : this user
should use the portal , where he has a limited set of queries to run
with hardcoded filters ==> this user should not be able to use the
analyzer however, since he then would be able to call all other queries
by using the find function ;
how can we make sure this user cannot use the analyzer , using SAP
authorizations ?
best regards,
Erwin Van Giel.

Hi,
if I remove the complete S_RFC authorization for the user then the BEx Analyzer cannot connect anymore to the BW system, but neither can the user run reports from the portal : it needs the S_RFC with 'SYST'.
If I only remove the RRMX from the S_TCODE and from the S_RFC, it does not prevent the user from starting the BEx Analyzer and connecting to the BW system. It only stops the user if he would start the RRMX transaction from within an SAPGUI session.
Perhaps there should be a value in the S_RFC that allows connections from the portal but not from the BEx Analyzer .... ?
so not solved yet ....
best regards,
Erwin.

Workbooks : Save as and Save

Hi,
we have read a lot of message about workbooks authorizations and how to allow users to save in their favorites. Also we have found differents message where some collegues try to avoid users to save workbooks, not in a role neither in their favorites.
In this topics the solution provided is to modify the workbooks object type as not modificable in the connection transport, that will not allow to users that has not SAP_ALL authorization create new workbooks and we have two differents types of user.
I will try to explain our scenario:
We have 3 types of users:
-- Keyuser:    Users which can create queries, and workbooks and save it in a shared folder
-- Enduser:    Users which can create workbooks and save only in their favorites, not in the shared folder.
-- Basicuser: Users should only execute the workbooks from the shared folder.
We have created one specific role for each type of user and one role with the folders where the users can share the reports.
For the Basicuser we have created a role with the next authorizations:
   - S_RFC --> ACTVT = 16 ; RFC_NAME = *; RFC_TYPE = FUGR
   - S_RS_AUTH --> BIAUTH = 0BI_ALL
   - S_RS_COMP --> ACTVT = 16 ; RSINFOAREA = ZLO_14* ; RSINFOCUBE = * ; RSZCOMPID = * ;RSZCOMPTP = *
   - S_RS_COMP1 --> ACTVT = 16 ; RSZCOMPID = * ;RSZCOMPTP = * ; RSZOWNER = *
   - S_RS_FOLD --> SUP_FOLDER = 'X'.
   - S_RS_PARAM --> ACTVT = * ; PARAMNM = *
In the role with the shared folder ZBI_SHARED_FOLDER the authorizations are:
   - S_TCODE   --> TCD = RRMX
   - S_USER_AGR --> ACTVT = 03 ; ACT_GROUP = ZBI_SHARED_FOLDER
As far as I have understand the authorizations that user should not be allowed to save any workbook at his favorites. But the user can save workbooks and also view, and create folder in the favorites.
Please has some one avoid that type of users to save any workbook by authorization whithout change the changeability of the object workbooks.
Our system version is SAP NetWeaver BI 7.0
I will apreciate any help, we have go live in one week.
Many thanks in advanced.
Maria

Hi,
we have openned a message to sap and the answer is that there is no way to avoid users save in their favourites by authorization.
Thanks.
Best Regards,
Maria

BI Folder Roles

hi to all,
I would require some input from the BI security experts the issue i am facing with the BI. I have created the few folder roles and assigned necessary authorization like s_user_agr and provided the folder in role check field. Now the issue is the BI team is not able to view the folder role. they have to save some workbooks in the folder role.
I am able to create the folder role and i can view them through Bex Analyzer one at a time. i am not able view all the folders through the Bex Analyzer even though they have been assigned. i have tried different means to solve this issue.
Can anyone please advice where i am missing in analyzing the defect.
your inputs are highly appreciated

> I am able to view the workbooks under the role tab, whereas BI consultants are not able to view them. I have assigned the role, done user comparison also, still they are not able to view them. can you please let me know what could be the reason.
Hi Madhu
Please check whether the users have access to following basic authrization objects or not.
S_TCODE
TCD RRMX
S_USER_AGR
ACTVT 03
ACT_GROUP Name of the role containing the workbooks
S_USER_TCD
TCD RRMX
S_RS_AUTH(For analysis authrizations), S_RS_COMP, S_RS_COMP1.
If everything is fine, please do a net meeting with the users to check what users are doing at their end. Probabely they are missing at some point. A minor miss could be the cause of the issue.
Thanks.
Anjan

Audit tool which generates Users, Roles, Auth objects, and Values

Hi,
I have a list regarding authorization provided by auditors.
Here I want to know how the auditors generated the list.
Do you know the transaction code or the program ID.....?
Probably the data in the list was extracted from our system, and some data were manually processed or added.
Hard to write down but fields and examples appear in the list;
-FIELDS-
User
Group
Full Name
Rule
Side
Operator
Role
Authorization
Attribute
Attribute Value
Associated Role
Associated Authorization
Associated Attribute
Associated Attribute Value
-EXAMPLES-
testuser01
group001
user01 test
Create Maintain Sales Order vs Create Maintain Customer Master Records
LHS
Any
Z_ROLETEST_001
Authorization=T-D524126500, Object=S_TCODE
TCD
FB01
Z_ROLETEST_002
Authorization=T-D524126600, Object=F_BKPF_BUK
ACTVT
1
Thank you in advance.
/Y.Shirako

> Install ABAP on your system which provides files for them to crunch in an SQL (or similar) database.
> Tool extracts data via RFC calls into your system that is then processed externally.
Yes, the interfaces of those tools are often a hazard in themselves...
I typically recommend customers to delete them completely. Sometimes this comment also exists in the code itself, but who reads code now-a-days in GRC projects, and why should they have to? ;-(
This looks very much like one of those tools (where the SQL statements are built externally).
Cheers,
Julius

How to config OrgRule for check of equality

Hello,
We use GRC Compliance Calibrator V5.2. Our RuleSet also contains Risks based on organization levels.
We have a SOD-Risk (R006) made up of two functions (YK06 and YK08):
Risk Function     TCODE     Auth.Object     Field     Value from     Value to     Condition     Status
R006     YK06     F-42     S_TCODE     TCD     F-42                         AND          0
R006     YK06     F-42     F_BKPF_BUK     ACTVT     1          2          AND          0
R006     YK06     F-42     F_BKPF_BUK     BUKRS     $BUKRS                    AND          0
R006     YK08     F110     S_TCODE     TCD     F110                         AND          0
R006     YK08     F110     F_REGU_BUK     FBTCH     2          31          AND          0
R006     YK08     F110     F_REGU_BUK     BUKRS     $BUKRS                    AND          0
Risk R006 is only critical, if the two BUKRS in the definition are the same value.
A User with BUKRS = 1000 in F-42 / F_BKPF_BUK and with BUKRS = 1000, 2000 in F110 / F_REGU_BUK is critical.
A User with BUKRS = 1000 in F-42 / F_BKPF_BUK and with BUKRS = 2000 in F110 / F_REGU_BUK is not critical.
We feel that the following OrgRule-Definition does not cover the requirement:
OrgRule ID     Risk     Org Level     Value From     Value To     Search Type
OR-BUKRS     R006*     BUKRS          1000          1000          AND
OR-BUKRS     R006*     BUKRS          1000          1000          AND
Our question:
How must the OrgRule for Risk R006 be defined in order to flag only Users with identical BUKRS as critical?
Thank you very much,
Jürgen Holtz

Hello Mr Alpesh,
thank you for refering me to the Quick Reference Guide "Organizational Rules and Organizational Level Reportingu201D. I am aware of this document and have followed it.
However, it does not exactly address my problem as the document explains how to set up OrgRules that cover two different OrgLevels (eg. BUKRS and WERKS).
In my case, I have a single OrgLevel.
However, I have found out that a single-line OrgRule solves my issue.
It is the following OrgRule:
OrgRule ID     Risk     Org Level     Value From     Value To     Search Type
OR-BUKRS     R006*     BUKRS          1000          1000          AND
Again, thank you for your input.
I close this posting as this question is now solved for me.
Best regards,
Jürgen Holtz

S_BCE_68002111 vs RSUSR002

Dear Experts
I have a problem with two programs.
S_BCE_68002111: Here I can define critical autorizations. For example S_TCODE = AL11.
RSUSR002: Complex selction criteria
I custo S_BCE_68002111 and y generate critical autorization with S_TCODE and AL11 value.
I thought the result should be the same, however it is not.
The program S_BCE_680002111 do not select all users if the users have the value of the authorization was a range.
For example
If user A has:
S_TCODE
TCD = AL11
If user B has
S_TCODE
TCD = A* .. AL12.
Program RSUSR002 shows users A and B with one range in the tcd field.
Program S_BCE_680002111 do not show B user.
In this case, the function of programs should be the same. S_BCE_680002111 can parameterize your own critical authorizations. So if I just put the same objects in both programs should meet the same users.
Why is the data selection is different? Although the selection is made from different tables the solution should be the same.
Thanks and regards David Sanchez.

Hi experts.
Thanks for your knowledge. The question was answered.
Now, I only have two points to your comments.
1 .- It is correct Mr Shekar.
2 - I do not like in some cases the program RSUSR02. The reason is that I can use a <> symbol in the selection of data values for the authorization of an authorization object.
For example, a batch input fails. A user should be able to evaluate the log of the batch to study the error. But perhaps I should not do any other action with the batch.
This program does not allow me to search for users who can do anything other than the SM35 evaluate the log.
I thought then that maybe I could use this program for users who have some critical transaction. In some cases the definition of critical low-level authorization object and value in others cases just the transaction.
Perhaps the simplest answer to my problem is: "Please David, use the GRC."
Thank for your help.
Best regards David Sánchez.

Purpose of L_TCODE

What is the purpose of L_TCODE?
Isn't it sufficient if we control the access using S_TCODE already?
It seems that in 4.6C, when accessing LI11N, system only checks if L_TCODE.TCD = LI11.
So all roles with S_TCODE.TCD = LI11N also have L_TCODE.TCD = LI11.
Similarly for these txn code
LI02N
LI03N
LI12N
LI13N
BUT After upgrade to ECC6.0, existing roles hit missing auth error : Lack L_TCODE.TCD = LI11N.
As a result, many roles need to be added with L_TCODE.TCD = LI11N
Is adding L_TCODE.TCD = LIXXN to the existing roles the only way to save the situation? or is there a better way?

Hi,
1.Please note that if you do not assign the txn via menu it wont be available in S_Tcode. You will not be allowed to run the transaction if it is not present in s_tcode. Hence providing the value only to l_tcode for this txn wont allow to work altogether.
2. Giving * in L_Tcode is ok but again the security related to ware house management will be compromised. But it will definitely work. Manual addition is needed.
Please let us know if any issue.
Regards
Aveek.

AC 5.3 RAR and Organizational rules

Hi all,
we are implementing risks based on organizational rules. It is not clear in my mind how the system manages actions that do not have authorizations objects activated (at permission levels) or have authorization object activated but without organizational fileds.
In other words: I have a SOD risk containing the function called FN99. In this function there are the actions TCD01 and TCD02. For TCD01 there are not permission linked and active (just tcode), for TCD02 there is only the authorization object M_BEST_BSA. So, this function does not have any authorization objects with organizational fields (BUKRS, WERKS and so on).
If we use the RAR organzational rules, the 2 actions TCD01 and TCD02 are managed or are not considered at all since they do not have organizational fields.
Thanks in advance.
Andrea Cavalleri

Andrea,
Within RAR you can run either risk analysis at transaction level or at permission level.
Transaction level: Just S_TCODE || TCD authorization objects will be checked
Permission level: S_TCODE and any other authorization object included within the SoD matrix will be checked
Risk Analysis at organizational level is a further level of permission risk analysis taken into account authorization objects that include ORG fields (BUKRS, EKORG, WERKS etc.) and verifying specific values you have defined within the organizational rules.
The goal of running risk analysis at organizational level is to eliminate false positives that might be detected when you run risk analysis at permission level without taken organizational authorizations into account.
Under an organizational Rule approach, you will be detecting conflicts JUST if user U1 is able to execute transaction T1 and T2 (assuming this pair of transaction define a conflict) within the same organizational level (for example the same Company Code).
Please, check the documents have been pointed out in this post.
Hope it helps. Regards,
Imanol

Authorization to release sales invoices to accounting.

Is it possible to give users SAP transaction VF02 without giving the authorization to release invoices to accounting?
is there any specifig object? Doing a SAP trace I see no specific objects involved in the releasing.
Thank you.

1
F_SKA1_BUK F_BKPF_BED F_BKPF_BEK F_BKPF_BES F_BKPF_BUK
are already view only
2# ST01 gave no suitable auth.checks in SAP
V_VBRK_VKO:VKORG=1000,ACTVT=02
V_VBRK_FKA:FKART=ZF2,ACTVT=02
S_TCODE:TCD=VF02
3# SHD0 I'm afraid it can be used only for screen fields like
Billing document
Document number
Company Code
Fiscal year
Reference no.
Search
in order to change menu buttons I think I have to buy http://www.synactive.com/ software to change the GUI
Any other idea?
Thank you

BEx Analyzer / authorizations / query search

Hello everyone
Today I have a problem with my authorizations for the the BEx Analyzer.
The technical name of my InfoArea is VCOPA.
I have a number of queries with the technical name VCOPA_MM001 / VCOPA_M01_X0001 / and so on.
When I open the BEx analyzer and search for queries (wildcard *) I get only my queries with the technical name VCOPA. So far so good... Unfortunately the Bex search results display additionally several query views (like 0D_DX_M01_Q0001_V05) and that is bad. So how can I stop this?
My authorization settings:
S_RS_COMP
ACTVT: 03, 16
RSINFOAREA: VCOPA*
RSINFOCUBE: VCOPA*
RSZCOMPID: VCOPA*
RSZCOMPTP: QVW, REP
S_RS_COMP1
ACTVT: 03, 16
RSZCOMPID: VCOPA*
RSZCOMPTP: QVW, REP
RSZOWNER: *
Thanks in advance..
Regards, Alex
Edited by: Alexander Stettler on Mar 5, 2010 2:50 PM

The roles are customized...
In addition to the listed authorization objekts (s_rs_comp / s_rs_comp1) I have the following objekts in use:
S_RFC
ACTVT : 16
RFC_NAME: *
RFC_TYPE:   FUGR
S_TCODE
TCD: RRMX
S_GUI
ACTVT: 60, 61
S_USER_AGR
ACTVT:     03
ACT_GROUP: *
S_RS_AUTH
BIAUTH: 0BI_ALL
S_RS_FOLD
SUP_FOLDER: X
S_RS_XCLS
ACTVT: 16
RSXCLSID: VCOPA*
RSZOWNER: *
Edited by: Alexander Stettler on Mar 10, 2010 11:25 AM

Role to access PFCG in "read-only mode"

Hi,
I've created a role to access transaction PFCG in "read-only mode", because some functional consultants asked for it.
However, it still gives them access to perform the "User Comparison" and I would like to remove that as well.
The role has the following authorization objects and values:
S_TCODE-TCD = PFCG
S_USER_AGR-ACTVT = 03
S_USER_AGR-ACT_GROUP = Y-, Z- (these are the allowed role names)
I really don't know what to do... any ideas?
thanks

Hello Gary,
Yes, I also noticed that. The restriction of a user compare in PFCG in the F4 help in PRGN_CUST, is the same SAP note as that for activity 22 (assigning the user to the role)...
You could have posted this on Sunday evening, that way Monday morning is closer to test it
Cheers,
Julius
PS: We now have at least two "Gary Morris" at SDN and have for some time been trying to contact the "real one(s)" to determine who-is-who. Another "name sake" is: https://forums.sdn.sap.com/profile.jspa?userID=3618541&start=0 for example.
If you have any concerns, feel free to email me (see my business card) or SDN (at) SAP (dot) COM.

How to list t-codes having common Auth Obj in a role

Dear Gurus,
I need to list out the all t-codes which have common authorization object in role.
Suppose, I have a role which contains the 10 t-codes. Now I need to list what are all the t-codes which having the common Authorization object (say XX_YY) in that role
The one way I know is, in the transaction SU24, give the 10 t-codes and list the authorization maintained to those t-codes and then take list of t-codes which have common Authorization object XX_YY..
This trick works if the role contains the less number of t-codes. But if the role contains maximum number of t-codes, then executing each t-code in SU24 and listing authorization objects to it is bit difficult.
Hence, Can any one tell me is there any other way to do this task.
Thank you very much in advance.
Regards ,
Hari

Hi,
If you are looking at any particular Authorization object in the role and want a list of tcodes which pull them into the role, you can feed in the Object name into table USOBT_C and get the list of transaction code to which they are connected.
In case you want list of all common authorization objects and relevant tcodes from within a role, you can download all values under S_TCODE object from table AGR_1251 by feeding in the role name into the table. Use this list as input to table USTOBT_C and filter the output "object" field to get the common authorization objects and tcodes sharing them.
P.S: The field-values for any authorization objects in the role may/maynot match the proposals in USOBT_C table depending on whether your auth object is in status "Standard"/"Maintained"/"Changed".
Thanks
Sandipan

S_TCODE..TCD..FROM..TO

Similar Messages

Maybe you are looking for