Security authorization restrication for IW32 transaction

Similar Messages

• Best Approach to create Security / Authorization Schema for an APEX Apps

  Hi,
  I am planning to create a Security / Authorization Schema for an APEX Application.
  Just want to know what is the best approach to create the security feature in APEX, so that it should be re-used in other APEXApplications too..
  I am looking for following features...
  1. users LOGIN and then user's name is stored in APEX_USER...
  2. Based on the user, I want to restrict the Application on following levels.
  - TABS
  - TABS - Page1 (Report
  - Page2 (Form)
  - Page2 (Region1)
  - Page2 (Region1, Button1)
  - Page2 (Region1, Items,....)
  AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
  I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
  My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
  Also what should be the FRONT end, we should have to enter these detail...
  SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
  Thanks,
  Deepak

  Hi Raghu,
  thanks for the detial info.
  so that means..I should have 2 table...
  master table (2 columns - username, password)
          username    password
     user1       xxxx
     user2       xxxx2nd table (2 columns - username, chq_disp_option)
  - In this table, we don't have Y/N Flag you mentioned..
  - If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages for which are conditionally diaplayed.
  - so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
  - suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
            username    chq_disp_option
     user1       re_region1
     user1       re_region2
     user1       tb_main
     user1       Page1
     user1       Page5
     ----        ----     - how you are defining unique name for Regions..i mean in static ID or the Title
  - is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
  Thanks,
  Deepak

• Create Display Authorization Profile for SAP Transaction SPRO (IMG).

  Dear All,
  In my current implementation project there is an requirement to create display authorization profile for SPRO. I have tried a lot but was not able to do so.
  Any one is having an experience in creating display profile for SPRO (IMG) ? If any one has worked on this issue then please guide me.
  Thanks,
  Avinash

  Hi
  This is security related question. I am not security expert.
  But you can check this, Include the following authorization objects in the profile and assign this profile to the target user.
  S_IMG_ACTV
  S_PROJECT
  S_PROJ_AUT
  S_PRO_AUTH
  and assign activity = 03 (Display).
  Hoipe it helps.
  regards
  Srinivas

• Authorization restriction for BP transaction

  Hi,
  We need to restrict the BP transaction access to user in the below mentioned way in our SRM system.
  1. Restricting BP access to all the users with display access.
  2. Restricting BP access to security users with create, change and display access.
  What is the main object for BP transaction for restricting access in the above mentioned scenarios?
  Here, we have observed one more issue like....
  Let say object-B_BUPR_BZT(not sure) is a main object for transaction-BP. If we restrict activity to 03 in that object, it will give display access when we are executing transaction-BP.
  Some of other transactions(like PPOMA_BBP) are there in SRM, those are also maintaining same object with all activities(create,change,Display).
  In this scenarios, how the above mentioned restriction is going to help the user.
  Please check and advice in this.
  Thanks & Regards,
  KKRao.

  > Let say object-B_BUPR_BZT(not sure) is a main object for transaction-BP.
  It may be a "main object" for BP, but that doesn't tell you much at all about the security aspects or where in the logic of the transaction it is used. This object is for example not a part of the business logic of transaction SE80, or that I am sure.
  If you have no clue, then start in SU21 and read the application help documentation on the transaction (to understand it's context) and the use-cases of the object - also to find the other transactions. Then you will become more sure.
  You also need to understand that in the same way the transactions, reports and the "real checks" are layers in the security, objects themselves can also be selective and layered in a conceptually consistent way, or (to make it more interesting...) transaction dependently.
  There are lots of shortcuts (even out-of-the-box roles which someone might try to sell you...) but ultimately if you use a SAP system to "build" your business processes, then you need a concept to secure your build. SAP owns the authority-checks in standard programs to enable the process to comply with legal requirements and some common sense.
  => So, you need to choose your transaction (or other entry point) carefully and understand the objects which they use.
  Cheers,
  Julius

• How do i find authorization object for a transaction code?

  Hi SD Guru's
  I need to find the authorization object for both standard & Z transactions.
  How can i find this?
  Regards
  Ravi

  Hi,
  check the coding with SE38 for "authority-check" and you will get the objects or set a breakpoint on statement "authority-check" while you execute the transaction.
  Regards,
  Andreas

• Restricting the authorization Object for B2B Transactions

  Hi All
  we are facing the problem in the ISA b2b app, actually the scenario is as below.
  we have various transaction types like b2b sales,Peoplesoft order,Request for Order change, RMA ,Request for Quotation(RFQ) and metel order.
  As per the requirement, The client wants only a few functionalities for a particular user.
  Example:
  Transaction Type Authorization
  PeopleSoft order View only View only
  B2B:Req. OrderCh x x
  B2B: Req. RMA
  B2B: Req. Quote x x
  Metel Order x
  For b2b sales transaction a lower level employee would only be able to view the order and he should be restricted to make any changes. Is there a posibility to restrict in this manner? This is Urgent. Please respond immediately. Thanking you in anticipation.
  Message was edited by:
  Sunil Kumar

  >
  Viral741 wrote:
  > Hi All
  >
  > I have a requirement in SAP Security to restrict the authorization object S_ALV_LAYO to a particular set of users.
  >
  > Background:
  >
  > We use composite roles which is shared accross all areas(Finace,marketing,work managment).Now the requirement is for from Work managment to restrict S_ALV_LAYO so that user cant change default layout and can create user specific layout,but other areas are not ready for this.So please let me know if there is any way i can restrict this auth object only for work managment area only.
  >
  > Thanks,
  >
  > Nitesh
  Nitesh,
  Remove access to S_ALV_LAYO for general users and give access to F_IT_ALV instead.  Keep S_ALV_LAYO for the users who will be maintaining the default layout.
  Good Luck!

• Authorization object for parameter transactions

  Hi all,
  I'm trying to restrict transaction VL10h for shipping point,this transaction is a parameter transaction and is not controlled by an authorization object directly.when I run a trace , transaction Vl10x shows up. The authorization object that is being checked is V_LIKP_VST.
  Note : The requirement is when the user executes transaction VL10h he/she should be able to display only those shipping points they are authorized to.
  Please advice.
  Thanks,
  Mohan.

  Hi Mohan,
  For transaction VL10H you can specify values for the following fields in authorization object V_LIKP_VST:
  -Activity:
  01     Create or generate
  02     Change
  03     Display
  04     Print, edit messages
  18     Deliveries from coll. proc.
  24     Archive
  25     Reload
  85     Reverse
  -Shipping point: Here you must set the restriction for each group of users that are allowed for the maintenance of the shipping points that are used for delivery processing.
  You can restrict the access through these fields.
  Regards,
  Leandro

• Transaction Launcher - TCode Authorization Issue for ERP transaction

  We are trying to implement an ERP transaction in the CRM WebUI via the transaction Launcher.  Everything has been set up properly and the transaction appears in the nav bar.  I am running it to launch a new window.  When i click on it, a new window pops up, with transaction IC_LTXE and an error saying
  *"You do not have authorization to view transaction ZSD_IC".*
  Everything seems to be set up properly and we can access the transaction with the same user id in ERP. He has SAP_ALL.
  Does this have anything to do with IC_LTXE?  Is there anything special i need to do to assign proper authorization to this user.
  Thanks,
  jeremy

  Hello Jeremy,
  We are trying to execute R/3 transaction from Transaction Launcher but we are facing problems.
  In order to execute transactions from TL we have copied object TSTC to ZTSTC  in both systems and use the method Execute to be used from Transaction Launcher customizing. Then we have customized T. Launcher in order to get two links, one to R3 transaction  (using the object ZTSTC, method execute and XD03 as value parameter) and one to CRM transaction (using the object ZTSTC, method execute and CRMD_MKTDS as value parameter).
  When we execute the TL link to CRM, transaction works properly through ITS, but executing the link to R3 transaction we receive the following popup message:u2018Logged Off Successfully. You have been logged off from SAP NetWeaver Application Server.u2019 the screen gets in blank and no further actions are executed.
  In order to correct the fail we have implemented these notes, but the problem still remains.
  0001224663 Launch of Front Office with Transaction Launcher fails
  0001263716 Launching Front Office Process using Transaction Launcher
  Based on your experience could you help us to get the right configuration to reach R/3 transaction through Transaction Launcher.
  Thank you very much in advance.
  Best regards.

• Authorization Object for Transaction Code

  Hi,
  Is there a report I can execute to give me the list of authorization object for this transaction code?
  Thanks.

  Check Transaction SU24
  Alternatively you can go to SE16-- enter the table name TSTCA, then enter the T CODE, you will get the object related to that T Code.
  Reward points..

• Authorization Check in Business Transactions

  Hi All,
  i need to create Authorization Check for Business Transactions ( create/display/change ).
  The standart sap Authorization  object CRM_ORD_OP  or CRM_ORD_LP is no good for me .
  does  anyone know  a BADI or something else i can use ?
  Thanks
  Lilach.

  I would suggest to give the authorization with CRM_ORD_OE if he isn' t in the document may be he is the organization which is selected on the activity..
  For details, please have a look at this link :
  http://help.sap.com/saphelp_crm70/helpdata/EN/48/a44236ceb873e8e10000000a42189b/content.htm
  BR,
  Cenk Sezgin

• Add new authorization object for production order creation/change/display

  As mentioned. I definded new authorization object using "Production scheduler" (Field Name : FEVOR) by SU20. then use SU21/SU24 to add authorization object for some transaction code such as COOIS. use PFCG maintain new role and assign a  fixed production scheduler value and assgin transaction code COOIS to this role. create new user ID and assign to that role.
  logon system with new ID, run COOIS. but system don't check new authorization object(production scheduler). who can tell me why it is and how i can add new new authorization object for standard transaction code?
  Thanks.
  Kevin.WU

  Hi,
  there is an icon of generation.  just click there in PFCG and also in su21.
  then add this object in new role.
  Assign this role to user id
  while assigning the role also there is a generation.
  Please take a help of BASIS consultant also as this is entire a BASIS process.
  Regards
  Amit parkhi

• Menu Enhancement for IW32 (Program Name SAPLCOIH)

  *Please let me know any menu enhancement available for IW32 Transaction ( Program Name SAPLCOIH). I need to add new button in application toolbar. please let me know ASAP.*

  Hi ,
    Check out IWO10011 (SMOD)
  Regards,
  Himanshu

• Error :Authorization check for caller assignment to J2EE security role whil

  Hi Experts,
               i m working as a portal resource .
  after the deployment of standered Sap e-rec package .
  i m getting some error. i have assigned the recruiter role to one test user.
  Now i m getting two issue:
  1)All the services are appearing in Detailed Navigation Pannel but not in Portal content area..
  2) I m able to see few iview for the test user but those are also in detailed navigation view.
     And few ivews are giving following error :
    i)Internal error
  ii)error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
  /System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
  Full Message Text
  ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
  please suggest what can be  done or what is pending from my side.

  Prajakta2602 wrote:
  Hi Experts,
  >
  > the previous issue got solved..
  > it was due to servies pack miss match and applying notes
  > the Basis guy  checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required paching as per
  > notes 1445294 and 1175239 were applied.
  > now the issue is:
  >
  >
  >  After implemetation and  i assigning the standerd sap roles
  > 1)Recruiter Administrator
  > 2)Recruiter
  > to the test user .
  > but for few iview it is showing error as in
  > 1) you are not a authorized user
  > 2) internal error
  >
  > please help experts.
  >
  >  i m working on portal side have i to assign any role to that test user..
  >
  >
  > Thnaks & Regards,
  > Prajakta
  You can run a quick check using the below steps:
  1. Check in backend whether there is any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
  2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
  Regards,
  Mahesh

• No authorization for this transaction with movement type 601

  Dear All,
  This is chandra i am getting this error in delivery level " No authorization for this transaction with movement type 601. If give the authorization for SAP ALL its working fine. If give the authorization for SAP SD T.Codes i am getting this error. Plz help me.
  Thanks and regards
  Chandra

  Dear Chandra,
  Check with -
  T. Code: OMJJ
  Select Movement Type: 601 and Double-Click: "Allowed Transaction" (From Left-hand side) .
  Check whether the Transaction is allowed for Movement Type 601 or not
  Note: if Transaction is not listed (i.e. not allowed) and you wanna allow this Transaction with Movement type 601, then -
  Up-there, Tab: New Entry. Click on it.
  Maintain entry as:
  MovTy: 601
  TCode: As reqd.
  and Save.
  Best Regards,
  Amit

• Authorizations for which transactions are required in BW?

  Hi,
  Can any ony please give some information regarding
  Authorizations for which transactions are required in BW Production Support?
  Regards,
  Aryan

  Hi Aryan,
  Authorizations for the following transactions are required in BW
  1. RSA1
  2. SM37
  3. ST22
  4. ST04
  5. SE38
  6. SE37
  7. SM12
  8. RSKC
  9. SM51
  10. RSRV
  11.RSPC
  13.RSMON
  The Process Chain Maintenance (transaction RSPC) is used to define, change and view process chains.
  Upload Monitor (transaction RSMO or RSRQ (if the request is known)
  The Workload Monitor (transaction ST03) shows important overall key performance indicators (KPIs) for the system performance
  The OS Monitor (transaction ST06) gives you an overview on the current CPU, memory, I/O and network load on an application server instance.
  The database monitor (transaction ST04) checks important performance indicators in the database, such as database size, database buffer quality and database indices.
  The SQL trace (transaction ST05) records all activities on the database and enables you to check long runtimes on a DB table or several similar accesses to the same data.
  The ABAP runtime analysis (transaction SE30)
  The Cache Monitor (accessible with transaction RSRCACHE or from RSRT) shows among other things the cache size and the currently cached queries. The Export/Import Shared buffer determines the cache size; it should be at least 40MB.
  ****Assign Points If Helpful****
  Regards,
  Ravikanth