[SAP-PM] Restrict authorization object

Similar Messages

• Role creation and authorization objects in sap

  Hi
  i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
  Please explain the process in detail the use of PFCG and all its options and how to create Z roles

  Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
  - Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.
  - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
  For e.g. If a user wants to create a PO we can restrict him on:
  u2022     Activity : Create/Change/Display
  u2022     Org elements like Company Code, Plant, Purchase Organization etc
  u2022     Document type etc.
  - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
  - Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
  - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
  - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
  - Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.
  Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

• Restricting the authorization Object for B2B Transactions

  Hi All
  we are facing the problem in the ISA b2b app, actually the scenario is as below.
  we have various transaction types like b2b sales,Peoplesoft order,Request for Order change, RMA ,Request for Quotation(RFQ) and metel order.
  As per the requirement, The client wants only a few functionalities for a particular user.
  Example:
  Transaction Type Authorization
  PeopleSoft order View only View only
  B2B:Req. OrderCh x x
  B2B: Req. RMA
  B2B: Req. Quote x x
  Metel Order x
  For b2b sales transaction a lower level employee would only be able to view the order and he should be restricted to make any changes. Is there a posibility to restrict in this manner? This is Urgent. Please respond immediately. Thanking you in anticipation.
  Message was edited by:
  Sunil Kumar

  >
  Viral741 wrote:
  > Hi All
  >
  > I have a requirement in SAP Security to restrict the authorization object S_ALV_LAYO to a particular set of users.
  >
  > Background:
  >
  > We use composite roles which is shared accross all areas(Finace,marketing,work managment).Now the requirement is for from Work managment to restrict S_ALV_LAYO so that user cant change default layout and can create user specific layout,but other areas are not ready for this.So please let me know if there is any way i can restrict this auth object only for work managment area only.
  >
  > Thanks,
  >
  > Nitesh
  Nitesh,
  Remove access to S_ALV_LAYO for general users and give access to F_IT_ALV instead.  Keep S_ALV_LAYO for the users who will be maintaining the default layout.
  Good Luck!

• Restrict HR Authorization Object PLOG By HR Structural Auth Profile

  Via OSS Note 453786, SAP requested customers not to use HR Authorization Object PLOG_CON. 
  We have a requirement to restrict HR Authorization Object PLOG by HR Structural Authorization Profiles. How are other customers able to accomplish this objective without authorization object PLOG_CON being used?
  (Custom solution:  ZPLOG_CON/custom FM, or use HRBAS00_STRUAUTH BADI)?
  Thank you,
  Ken

  Ken,
  1. the note you mentioned is specific to sap version 46b. is that the version your client is on? just wanted to check.
  2. then you have not mentioned anything about the requirement, i mean explicit details.. without which it is very difficult to come to a solution.
  3. you look like you are on the right track of thinking though with the z-auth-object/function module/badi thingy...
  4. ultimately solution is dependant on the explicit requirements.
  the 'con' bit usually refers to context sensitiveness of security when a mixture of regular and structural auths would not meet the security requirements.... so at a high level:
  1. design the structural profile with the right combo of eval path and function module(z-fm?)
  2. do the right thing by plog by explicitly mentioning levels of suths for all objects and subtypes and infotypes as well.
  3. use p_origincon to assign the structural profile
  4. a combination of all of the above should do the trick...
  good luck
  cheers

• Authorization Restriction for Object Changeability :

  Hi ,
  How to restrict users from using Object changeability in Production System if they are given access to RSA1, even though the system is completely closed , with Object changeability, the users can still create a new Info package and upload data ?
  I have gone through the SDN and SAP documentation, but I could not find any such references.
  Looking forward to your valuable input on this.
  Regards,
  Ahmed.

  Hi there,
  You have an authorization object named S_RS_ADMWB (Data Warehousing Workbench - Objects).
  You can with that object restrict the several activities (display, execute, create, etc.) for different Datawarehouse InfoObjects (InfoPackage, etc.).
  Try to restrict that to the users.
  Diogo.

• BW Authorization Object to restrict Transporting Requests

  Hi...
  In our BW systems, all the developers are given the profile SAP_ALL. So, the developers have the access to transport their objects from BW Development(BWD) client to BW Quality(BWQ) Client and from BWQ to BW Production client (BWP).
  I want to restrict the developers to do the transports. What is the authorization object used to restrict the users to transport requests?
  Any documentation how to do that?
  Thanks,
  Sai.

  It can be done with the authorization objects S_TRANSPRT and S_CTS_ADMI.
  S_TRANSPRT creating transport request and S_CTS_ADMI for moving transport request.
  I would like to work on that project where I can get SAP_ALL access..:)
  Check the documentation.
  http://help.sap.com/saphelp_nw04/helpdata/en/8d/45ef39521e3314e10000000a11402f/content.htm
  Thanks.

• How to add custom authorization object to a SAP standard transaction

  Hi All,
  I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
  Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
  - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
  - tcode SU21 - creation of  a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
  - tcode SU24 - insert of new authorization field e check indicator (green)
  - tcode SU22 - check indicator - check (green)
  After this we have created a new role with PFCG and add transaction IW22; the new auth.ZPM was added manually.
  We have try to analyze log (ST01 trace) but it seems no check was made in the trace file.
  It seems new authorization object was not checked.
  My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
  Thanks
  Maurizio

  > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
  >
  No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
  So you need to provide a Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
  Regards,
  Dipanjan

• Restrict a t.code VK11 using Site as authorization object

  Hi all,
  We want to restrict VK11 t.code using Site as one of the authorizations. By default it has only Sales Org, Distr channel and division. I've added one more field for "Site" manually.
  We have defined specific values for Site in authorization objects. Still system does not restrict VK11 executed by  user as per site. It works with Sales org/Distr ch/Division. But it does not restrict Site-wise for that role.
  Please help.
  Regards,
  Ankush

  > I've never got past 'play dead' with such objects
  Yip, I know that feeling. It is like when you leave home for a long trip having packed everything you need, but you still have the feeling that you have forgotten something important behind and will kick yourself when you need it.
  > Can you please provide step by step instructions for that?
  There is no step-by-step procedure nor medication to take for it. You just have to wait for it to dawn on you...
  Enjoy the weekend and happy coding authority-checks,
  Julius
  ps: I heard that this feeling is also caused by the rising popularity of ABAP OO programming techniques, where the checks are often natively imbedded.

• Restricting infoobject in query designer with authorization object

  Hi,
  We have to restrict CUSTOMER infoobject with a authorization object in query designer.
  How to do this task ? Request kindly suggest.

  thr RSSECADMIN tcode. Search with this key word you will get good docs & Wikis in SDN
  bhaskar

• What User authorization objects needed for connecting to SAP from xMII?

  We eneter a SAP user and password for connecting to SAP from xMII to retrieve the metadata of the incoming IDocs.
  When I specify a user with SAP_ALL user profiles, the IDocs are received properly in xMII. If I specify a user with privileges to run only certain transactions, IDocs are not received in xMII.
  What user authorization objects are needed for this user to connect to SAP from xMII?
  Thanks,
  Sara

  Sam,
  I turned on the SAP System trace for this user and figured out the following auth. objects are required for receiving IDocs in xMII:
  C_TCLA_BKA
  S_RFC
  S_CTS_ADMI
  B_ALE_MAST
  S_IDOCDEFT
  The following auth. object is required for making JCO call to SAP from xMII:
  C_AFRU_AWK
  Thanks,
  Sara

• Newly Created authorization Objects after SAP Upgrade

  Can someone tell me whether there is any transaction or table that display the added object authorizations after a Sap Upgrade ?
  Thanks in advance.

  Also, you can check SAP_NEW profile which shows which authorization objects have been added in which release.

• Authorization object to restrict a particular customer code in a sales org

  Hi,
  I have a requirement whereby a sap user who is assigned to Sales organization A needs to access a particular customer from sales organization B. However the sap user has no access to sales organization B. However the requirement is such that the sap user cannot be given access to all the customers in Sales organization B. He must only access one particular customer from Sales organization B and not all the customers in Sales organization B.
  The problem here is if we give the sap user access to Sales organization B, then the sap user can access all the customers in Sales organization B. So how can we give access only to a particular customer in the Sales organization B?
  Is there any authorization object which can accomplish this?

  Hi.
  You can use The Authorization object
  <b>V_KNA1_VKO</b>
  Tcode for Authorization objects: SU21
  Tcode for Authorization FIELDS: SU20
  Statement to perform Auth. Check  AUTHORITY-CHECK(See F1 HELP)
  <b>Reward if Helpful</b>

• How to restrict to find object in authorization object c_klah_bse

  Dear Experts,
  I would like to restrict my user to find object/class in CL30Nn authorization object c_klah_bse, I did not find choice/object list to be restricted.
  Kindly advice.
  Thank you.

  > where can i find possible values of Authorization hierarchy, Cost centers , cost center groups  in 
  Well, not in an internet forum. I think you should speak to the financial consultants who customized your system. These values will differ from company to company.
  Maybe someone can give you a list of source tables for these values but that would be just it, a list of values without an idea of their relevance  and validity......

• Authorization Object for 0TCTBISBOBJ - restriction field too short in PFCG

  Dear all,
  I created an authorization object (TA: RSSM) with the InfoObject 0TCTBISBOBJ and 1KYFNM. When I restrict my authorization object in TA: PFCG, I can only type in 11 letters for InfoObject 0TCTBISBOBJ but I need 12 because of a bad naming convention. Working with more than one asterisk (*) in this field is not working!
  Does anyone know how to manage this problem?
  Thanks in advance
  F. L.

  Martin,
  It is not possible to restrict this in CRM.  The person, organization, and group influences the type of address for the business partner.  There are no user exits available in CRM 4.0 that are at the point to perform an authorization check on this value.
  I had to unfortuantely debug and read much of BUPA_DIALOG_JOEL before reaching this conclusion.  The only way to achieve this would be to write a custom front-end to the BP transaction or PCUI screens for business partners.
  Hope this answers your question,
  Stephen

• How to restrict provide to a single account(by authorization object)

  Hello, i have two types of accounts.
  Account range 1: 10000000 -19999999
  Account range 2: 20000000 - 29999999
  For range 1 i have assigned authorization group AUT1.
  For range 2 i have assigned authorization group AUT2 (by transaction OB_GLACC12).
  So the general idea is some users will have access only to group 1 , etc. i have used autorization object F_BKPF_BES in  the role btw.
  I have created 4 roles:
  1) RANGE1_ALL (means user can create / modify delete GL from range 1)
  2) RANGE1_DISP(means user can only disp  GL from range 1)
  3) RANGE2_ALL(means user can create / modify delete GL from range 2)
  4) RANGE2_DISP(means user can only disp  GL from range 1)
  If i give RANGE1_ALL + RANGE2_DISP to the user, he can create/modify/delete for range1 and only display GLS from range2.
  Now the problem is if i want user to create/modify/delete for range1 but only display a specific account from range 2 ; say GL 29999000.
  Which authorization object can i use to specify the range 2 GL account directly?thx.

  Hi,
  The only option for you is to have a different authorisation object for that GL alone and assign it to the user. You dont assign RANGE2-DISPLAY object to that user.
  From FS00, you have to change the Auth group of that specific GL.
  Regards,
  Mike