SCM authorizations

Similar Messages

• SCM Authorization Issue

  Hi,
  We are facing a serious
  authorization problem in our SCM system.
  We want to provide a bifurcation at
  the Production Planner "APO_PL_PPS"
  level.This is possible for
  authorization object "C_APO_PPL"
  (PP/DS, Production Planner),
  however "C_APO_PROD" (Master Data,
  Products) consists of only 3 fields.
  Since the Product Id's ("APO_PROD")
  do not follow any specific
  nomenclature in our landscape, we
  cannot provide any limitation here.
  The problem is that when Product Id is "*"; irrespective of other
  objects (eg. APO_PL_PPS); all the Product's can be viewed by all users.
  Is there some way in which we can allow users belonging to a particular
  Production Planner to view only their respective Product Id's..
  Please help, since it's real important that only users belonging to a
  particular Production Planner view their respective Product Id's.
  Thanks a lot,
  Saba.

  In C_APO_PPL authorization object as you said it is possible to put in Production planner as a criterion. You can create multiple authorizations based on Production Planner values. The production planner is part of Location Product master. There are authorization acitivites like Display and Change that should enable one production planner set not to view something under the purview of other production planner. There could be production planner IDs that are like logical groupings. Eg. Assume there are two business units U1 and U2. Then, 1U1 or 2U1 are IDs for two production planners under unit 1. similarly 2U2 or 3U2 for production planners under unit 2. Unit 1 and 2s could be logical set of location products. Given this you can then use patterns such as *U1 or *U2 for authorization roles. From what I see in your notes it looks when you create a role for production planner *U1, the *U2 production planners are able to display and change data for *U1
  If this is not working, I would recommend you to raise OSS message.

• SAP SCM Authorizations

  Hi,
  I am looking SAP SCM Security tcodes and tables that are used on daily basis like in R/3 ECC SU01,SU10,SE10,SU01,PFCG,SU24,SE16,SE11,SE38,su21,su20 etc.
  thanks

  Hi Jain,
  I highly recommend you to read this nice guide if you haven't read yet:
  http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/80c094de-90aa-2910-02b8-e31a6f5ff0c2
  In this guide you'll be able to find definition of roles and responsibilities when implementing GRC.  You'll understand that Auditors should take a GRC course also; GRC it's a tool that involves a lot of areas. If you've been working with SAP authorizations so far, you won't have problems understanding GRC, you should read the corresponding guides and you'll be able to "map" your company requirements via system configuration.
  Cheers,
  Diego.

• SCM Authrization Issue

  Hi,
  We are facing a serious
  authorization problem in our SCM system.
  We want to provide a bifurcation at
  the Production Planner "APO_PL_PPS"
  level.This is possible for
  authorization object "C_APO_PPL"
  (PP/DS, Production Planner),
  however "C_APO_PROD" (Master Data,
  Products) consists of only 3 fields.
  Since the Product Id's ("APO_PROD")
  do not follow any specific
  nomenclature in our landscape, we
  cannot provide any limitation here.
  The problem is that when Product Id is "*"; irrespective of other
  objects (eg. APO_PL_PPS); all the Product's can be viewed by all users.
  Is there some way in which we can allow users belonging to a particular
  Production Planner to view only their respective Product Id's..
  Please help, since it's real important that only users belonging to a
  particular Production Planner view their respective Product Id's.
  Thanks a lot,
  Saba.

  Before you change the standard program, I would suggest keeping the thread here for a while to see whether somebody who has encountered this in APO knows whethere the naming convention (nomenclature) is the intended design and whether or not an alternate solution (work-around for retro-fit) is possible / available.
  If you wish, I can move this thread to the "APO" forum to see whether the functional or development folks have solved this problem? Formally, forum "cross-posting" is not encouraged, but if you do, then please also cross-reference the threads...
  Cross-reference.... SCM Authorization Issue
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 4, 2008 7:16 AM

• Planning Stucture authorization issue in SCM

  Hello Experts,
  Need your help.
  In our SCM7.0 system, we have implemented FM: /SAPAPO/MCP_PERMISSION_CHECK2 for authorization check to Planning Structure Infocube. That is working fine.
  Now Users are facing authorization issue in Prodcution when they executed transaction /n/SAPAPO/SDP94 with below message.
  Error message: You do not have authorization for all the characteristic values selected Message no. AUTHORITY041
  Analysis authorization trace message: " Message EYE001:    You do not have sufficient authorization for InfoProvider ZDM_PLN1 with activity 03.
  We have assigned customized analysis authorization and that is maintained with InfoProvider  "0TCAIPROV" as " * ".
  Earlier this was working fine in production but now users are getting authorization issue. When we tested in other systems, it is working fine.
  I appreciate your help in this issue.
  Regards
  Ravi
  Edited by: Ravi K on Jul 5, 2011 6:04 PM

  Ravi
  Verify the selections in the Production system v/s the test system. Are they exactly the same ? I can think of two possibilities -
  1. User is attempting to access a selection where he/ she does not have access to at least one of the CVC's filtered by the CVC.
  2. The selection definition should (but does not in your case) contain the characteristic on which the authorization is setup.
  Rishi Menon

• Error while posting data from SCM to XI

  Dear Expertise,
  I got a requirement where I need to post data from SCM to XI server. From SCM
  side it is an ABAP proxy. When I tested the scenario and checked in the MONI of
  SCM I got an error. But SCM is correctly configured pointing to XI under Tcode
  SM59 (SM59 --> Connection Type H (HTTP Connection to ABAP System) -->with
  correct user credentials and PIPE line URL of XI server).
  Please let me know is this the correct settings for ABAP proxy for connecting
  from SCM system to XI system.
  Error Dump in SXMB_MONI:
    <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
  - <!--  Call Integration Server
    -->
  - <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="">
    <SAP:Category>XIServer</SAP:Category>
    <SAP:Code area="INTERNAL">HTTP_RESP_STATUS_CODE_NOT_OK</SAP:Code>
    <SAP:P1>401</SAP:P1>
    <SAP:P2>Unauthorized</SAP:P2>
    <SAP:P3 />
    <SAP:P4 />
  <SAP:AdditionalText><!DOCTYPE html PUBLIC"-//W3C//DTD HTML 4.01Transitional//EN">
    <SAP:ApplicationFaultMessage namespace="" />
    <SAP:Stack>HTTP response contains status code 401 with the description Unauthorized Authorization error while sending by HTTP (error code: 401, error text: Unauthorized)</SAP:Stack>
    <SAP:Retry>M</SAP:Retry>
    </SAP:Error>
  Thanks in Advance,
  Gujjeti

  HI
  Check these
  For Error: HTTP_RESP_STATUS_CODE_NOT_OK 401 Unauthorized
  Description: The request requires user authentication
  Possible Tips:
  • Check XIAPPLUSER is having this Role -SAP_XI_APPL_SERV_USER
  • If the error is in XI Adapter, then your port entry should J2EE port 5<System no>
  • If the error is in Adapter Engine
  –then have a look into SAP note- 821026, Delete the Adapter Engine cache in transaction SXI_CACHE Goto --> Cache.
  • May be wrong password for user XIISUSER
  • May be wrong password for user XIAFUSER
  – for this Check the Exchange Profile and transaction SU01, try to reset the password -Restart the J2EE Engine to activate changes in the Exchange Profile After doing this, you can restart the message

• Uploading Roles from ECC 6.0 to SCM 5.1 (APO)

  Hi,
  We are trying to re-use some roles created in SAP ECC 6.0 in order to be used in a APO(SAP SCM 5.10) system.
  We downloaded and uploaded the roles to the target system, although we do not identify any problem in doing that I will like ask the experts if there is something that I should do or not, and if there is something that we have to take into account in doing this.
  The roles are only for some activities that are the same in both systems like user administration, authorization administration and other technical stuff that is the same in both systems.
  Our goal of course is that every time that we make changes in the source system we will download and upload in order to keep updated the target system.
  I would like appreciate your opinion
  Best Regards
  FedeX

  > We downloaded and uploaded the roles to the target system, although we do not identify any problem in doing that I will like ask the experts if there is something that I should do or not, and if there is something that we have to take into account in doing this.
  Well, there could be a difference in objects, customizing switches and patchlevels which could lead to unwanted (and sometimes almost invisble) problems. If there are objects in the roles that do not exist in the target system (or if they're linked to a non-existent object class) you will not be able to see or maintain them in PFCG.
  This will also cause problems when transporting these roles through the target landscape.
  So I'd suggest you thoroughly compare TOBJ on both systems and make sure these tables are identical for the objects concerned. That should cover technical issues. After that make sure the systems behave the same (customizing etc).

• Restricting Authorization for a specific Info-object

  Dear All,
  I have a scenario where I have to restrict the account managers by specific channels.
  I have 2 info-objects, Sold-to party and Sales Channel. Sales Channel is defined as attribute of the the Sold-To Part info-object.
  I was exploring the BI authorizations concept in SCM 2007.
  I created a authorization called "Test" and assigned the info-object Sales Channel in the authorization and restricted it for one value. This authorization along with 0BI_ALL I have added to the role under BI authorizations.
  However in interactive demand planning, I cannot restrict by the sales channel. It allows me to load data for all the channels.
  If I remove 0BI_ALL object, then I cannot load anything in interactive planning.
  Does anyone have a step by step proceedure for using the BI authorization concept?
  Regards,
  Kedar

  Yes, 0TCAACTVT (activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (validity) have to be made authorization relevant. For the info objects you want to use to control security, also make them authorization relevant in RSD1, imagine the object you want relevant is ZZ_VKORG (sales organization).
  Then use RSCEADMIN transcation and 0BI_ALL will include the objects from above, copy 0BI_ALL into a object such as Z_1000 and then change the value for the specific info object that you want to control, imagine that you want sales org 1000 only to be allowed within Z_1000.
  Now, you have 2 choices: You can use the normal security maintenance (SU01, PFCG) and you can asssign RSRS_AUTHBIAUTH and set BIAUTH requal to Z_1000 or you can use user maintenance directly within RSCEDAMIN and assign Z_1000 to the user. Either way, it becomes part of the authorization of the user.
  You may find that you need to introduce colon authorization concept ( for mixed levels of data and that is just a matter of adding a second line to the allowable values and setting it like "EQ :".
  Things to consider:
  1. This authorization concept is water tight and will do everything you need, but will do at the expense that if you don't model it first, you will kill yourself trying to make it right. This becomes evident when you trace a security issue (via RSCEADMIN) because the way BI7.0 works is that it will build a minimized superset of authorizations, so it is best to know where you want to get to, rather than starting off by where you know you need to go.
  2. To control change or display mode, you will need to influence 0TCAACTVT, even though you might think to use C_APO_SEL3 for ACTVT, the BI7.0 concept works within the BI space and 0TCAACTVT doesn't impact it.
  3. If you activate more info objects, 0BI_ALL will get updated automatically but your custom  authorization objecst will not. So, it is best to activate them all at the same time so that you don't have to manually change them.
  4. Do the work in development and transport it to the TEST/QA/PROD environments, there are transprt tools within the RSCEADMIN.
  This is probably enough to get you going, reply back if you have specific questions or issues.
  I've been thru this in a painful way, sometimes the best things learned are learned the hard way

• DBM Error return code -11 in LC10 Administration in SCM System Live Cache

  Hello,
  We have installed SCM 4.1 on Solaris on one box and LC 7.5 on another solaris box.
  For kernel upgrade, we shut down Live Cache using LC10>administration on SCM server. After kernel patch, other patches for ABAP stack, we upgraded LC to SP11 build 35.
  Since then, we get following error in LC10.
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  Name and Server : LCA - gva1073
  DBMRFC Function : DBM_EXECUTE
  Command : dbm_version
  Error : DBM Error
  Return Code : -11
  Error Message : tp error: Terminating. [nlsui0.c 1934] pid
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  Also, in DB59, when we try to check connection, we get following error -
  General Connection Data
  Connection Name....: LCA
  Database Name......: LCA
  Database Server....: gva1073
  tp Profiles........: no_longer_used
  DBM User...........: CONTROL
  Test Scope
  1. Execute an external operating system command (DBMCLI)
  2. Determine status using TCP/IP connection SAPDB_DBM (DBMRFC
  command mode)
  3. Determine status using TCP/IP connection SAPDB_DBM_DAEMON (DBMRFC
  session mode)
  4. Test the SQL connection (Native SQL at CON_NAME)
  Application Server: gva1075_SCD_03 (
  SunOS )
  1. Connect. test with "dbmcli db_state"
  Successful
  2. Connect. test with command mode "dbmrfc db_state"
  Unsuccessful
  dbm_system_error
  Name and Server : LCA - gva1073
  DBMRFC Function : DBM_EXECUTE
  Command : db_state
  Error : DBM Error
  Return Code : -11
  Error Message : tp error: Terminating. [nlsui0.c 1934] pid
  3. Connect. test with session mode "dbmrfc db_state"
  Unsuccessful
  dbm_system_error
  Name and Server : LCA - gva1073
  DBMRFC Function : DBM_CONNECT
  Error : DBM Error
  Return Code : -11
  Error Message : tp error: Terminating. [nlsui0.c 1934] pid
  4. Connect. test with "native SQL" ( LCA )
  Successful
  ++++++++++++++++++++++++++++++++++++++++++++++++++++
  Can anybody please help?
  Thanks and regards,
  Vaibhav

  Hello Vaibhav,
  while using transaction LC10, the error 11 "tp error: Terminating. [nlsui0.c ...]" occurs. The user authorization with tp fails and the application server cannot connect to the liveCache.
  I assumed, that it's due to a library version mismatch, tp cannot use the liveCahe UNICODE libraries.
  Please check, that the tp call at the command line works properly. And a dbmcli call in the transaction SM49 with the tp options
  (dbmcli ::
  -d <LC-SID> -n <LC-servername> -tpp <profile> -tpi <system-SID>
  -tpc <connection - LCA/LDA> dbm_version)
  works also properly.
  I recommend you to update the liveCache client software on the Application server.
  If you've got access to OSS/Service Market Place, then please take a look at note
  649814 how to update the liveCache client software on the application server.
  < Please also review the SAP notes 847736 & 831108 > 
  Before the liveCache client version will be upgraded on the application
  server you can use the workaround by switching off the central authorization for the liveCache LCA/LDA connections:
  In transaction LC10, choose Integration and deactivate the option Central authorization, then save.
  If you are the official SAP customer, I recommend you to create the ticket to SAP on 'BC-DB-LVC' queue.
  Thank you and best regards, Natalia Khlopina

• No authorization for the creation of resource WG10 00_1000_001

  Dear All,
  While checking SMQ1(Outbound queue), we found 2 displayed , pls check below details.
                 Queue Informationen
  Number of Entries Displayed:                11
  Number of Queues Displayed:                  2
    Cl. Queue Name               Destination                      Entries
    100 CFLDZ31CLNT100_0034      E06CLNT100                               4
    100 MCEX03                   NONE                                     7
  While Double clicking queue (CFLDZ31CLNT100_0034), Its shows Status SYSFAIL .
  Please check details log.
  Cl. Queue Name               Destination                      Entries    Status   Date 1     Time 1   NxtDate    NxtTim   Wait for queue
  100 CFLDZ31CLNT100_0034      E06CLNT100                               4  SYSFAIL  22.09.2011 12:57:11 22.09.2011 13:16:32
  Note : E06CLNT100 (SCM System).
  While double clicking SYSFAIL Its shows No authorization for the creation of resource
  00_1000_001.
  Kindly Suggest.

  And also User not able to do activate Integration Model using Transaction CFM2 , it is giving error as below .
  System:    E06CLNT100    User:  KAPGATEG 22.09.2011 12:57:11
  Function/Q/SAPAPO/CIF_RES_INBOUND4
  Text:        No authorization for the creation of resource WG10
  Kindly advise.

• Restricting the ATP user for GATP - corrrect roles/authorizations

  Hi:
  If the dialog user that is used for the ATP check (from ECC to GATP) has more authorizations than needed and this is going to be a problem in production. The user can run SCM transactions from the results screen of ECC and this is not desirable.
  Therefore, the ATP user should be a restricted user that has only authorizations for this specific task. If you know what are the exact roles/authorizations to give to the ATP user, could you share them?
  Thanks in advance.
  Satish

  For R/3 please check OSS  Note 447543 - APO: Authorizations too comprehensive/not user-specific.
  "If it is necessary to have different authorization profiles in APO for different R/3 users when calling in APO, the following solution applies:
  Activate the setting in SM59 that is used for the RFC connection CURRENT USER.
  In the APO system, create the respective users and assign authorization profiles. This is necessary in order to achieve the necessary flexibility concerning authorizations in the APO system."
  For APO :
  AuthorizationsObject   C_APO_ATP in APO .
  please chose activity as per  user role.
  01       Create or generate
  02       Change
  03       Display
  04       Print, edit message
  06       Delete
  16       Execute
  39       Check
  Manish
  Edited by: Manish Kumar Rathi on Oct 21, 2008 1:24 PM

• DP - No authorization for all characteristics value

  Dear All,
  I am trying to implement the role SAP_APO_FCS_SU (APO: Demand Planning Standard User) in SCM 5.0.
  When I logon as a user who has been assigned to this role and try to load a predefined selection profile or create one, I get the error “You do not have authorization for all the characteristic values selected”.
  Can you please let me know what I am doing wrong?
  Thanks in advance for your help.
  Emilie

  Hi Raj,
  I created a BI authorization object for my additional characteristics (ie, other than 9AMATNR and 9ALOCNO) and then added to the role.
  Below is the link for how to create BI authorization object.
  [http://help.sap.com/saphelp_scm50/helpdata/en/8f/9d6937089c2556e10000009b38f889/frameset.htm]
  Regards,
  Emilie

• Roles and authorizations in BI content

  Hi experts,
  I'm trying to define a very simple scheme of roles and authorizations for my queries.
  So, i'm trying to limit the acess by infocube and DSO, but I'm missing the authorizations objects for Cube and DSO.
  I know that authorization object for queries it's S_RS_COMP.
  So my roles would be something like
  BI_ROLE_FI
  Authorization Object                                  Autorization Object Value
  Acess query (S_RS_COMP)                         NA                              
  Infoobject (whats the object???)                   0FIGL_C01
  DSO (whats the object???)                            0FIGL_O14
  BI_ROLE_PUR
  Authorization Object                                  Autorization Object Value
  Acess query (S_RS_COMP)                         NA                              
  Infoobject (whats the object???)                   0PUR_C01
  Can you help me find out whats the missing information
  Thanks and regards
  Joana

  Hi,
  Iu2019ve gave authorization to the object youu2019ve mentioned, but itu2019s still not working.
  Basically what I have is the following:
  One role that allows me to execute queries, workbooks, etc.
  A second role, dependent on the area of work, that should allow me only to have access to queries  from cubes/MP/DSO that are specific to users area.
  I will then give each user role 1 + the adequate role 2, depending on their work area.
  For role 1 I have got:
  S_RFC     
  Activity: 16
  Name of RFC to be protected: *
  Name of RFC object to be protected: *
  S_TCODE     
  Transaction code: RRMX
  S_GUI     
  Activity: 16
  S_USER_AGR     
  Activity: 01, 02, 03
  Role Name: ANLG_BI_01
  S_USER_TCD     
  Transaction code: RRMX
  S_RS_AUTH     
  BI Analysis Authorization: BI_ALL
  S_RS_COMP     
  Activity: 03, 16
  InfoArea:*
  InfoCube: *
  Name (ID) of a reporting component: *
  Type of a reporting component: *
  S_RS_COMP1
  Activity: 03, 16, 22
  Name (ID) of a reporting component: *
  Type of a reporting component: *
  Owner (Person Responsible) for a reporting Component: *
  S_RS_TOOLS
  Logical Command Name: THEMES
  Iu2019ve tested this role, and it works u2013 they can access queries, create workbooks, create permanent model workbooks
  For role 2 u2013 Finance I have     
  S_USER_AGR     
  Activity: 01, 02, 03
  Role Name: ROLE2
  S_RS_ADMWB
  Activity: 03,66
  Data warehousing workbench Object: INFOAREA
  S_RS_ODSO
  Activity: 03
  Infoarea: 0FIGL_ERP
  DataStore Object: 0FIGL_014
  SubObject for ODS Object: *
  S_RS_ICUBE
  Activity: 03, 66
  Infocube SubObject: *
  Infoarea: 0FIAP
  InfoCube: 0FIAP_C02
  S_RS_MPRO     
  Activity: 03
  Infoarea: 0FIN_REP_SIMPL_1_ERP
  MultiProvider: 0FIAP_M20, 0FIAP_M30
  MultiProvider SubObject: *
  I then gave to my test user this 2 roles, and with that user I can still see every infoarea, and access all reports.
  I will have more specific roles u2013 to other areas (SCM, TV, etc), but I chose this one has an example.
  First question I have: can I manage my requirement in 2 different roles: one for action that can be performed (role 1) and other for areas that they can access data from (role 2)?
  What objects/restrictions am I missing in role 2?
  Many thanks
  Joana

• Authorization in APO: org level concept (parent role -- derived role) ?

  Hello experts,
  we want to introduce some authorization / roles in APO using the typical R3 concept of having a "parent role" and derive "single roles" from such a parent role and change the "org levels" inside the single role. Testing this with master data objects like C_APO_LOC (location in APO) it seems to me that APO doesn't know about "org levels".
  Whenever I create a parent role (lets say "Z_PAR_ROLE_LOC_MASTER") to access /SAPAPO/LOC3 (Location master data) and create a single role out of it (derive it into Z_SINGLE_ROLE_LOCMASTER_1234") and enter the location ID 1234 ... regenerating and populating a change from the parent role "Z_PAR_ROLE_LOC_MASTER" does immediately wipe out the location ID 1234 maintained before in the single/derived role "Z_SINGLE_ROLE_LOCMASTER_1234".
  My question: is this by design that APO does not know about "org levels" or is there something special I have to consider using PFCG correctly in SCM (I can see the "Org Level" button but it says there are no org levels) ?
  Regards
  Thomas

  I got the solution - the profile generation was missing !

• Process Order Source Display in SCM

  Hello users, please forgive my ignorance in this are but I am trying to understand why a specific users would not have a Source/Target section in an SCM Process Order in a released status.
  If the user drills into a process order from the product view then the following data sections should be available for display:  Dates/Times, Primary Product, Status, *Source/Target*.  For one user the Source/Target section is not displayed.
  Is there a users specific setting that determines this display?
  Thanks

  Hi Christopher,
  Are the authorizations for the specific user and any otehr user(for whom display is correct) similar ?
  Regards
  Datta