Security Authorizations for IDOC

can anybody explai me following.
Roles and responsibility wrt the Security Authorizations the user should have to process the IDOCs at the receiving end and also the monitoring the IDOCs
Regards,
Rahul

Hi Shesha,
I presume you have the SAP Integration kit intalled and configured, and imported the BW roles in the CMC... you are also login with the SAP user account (User1, User2). This would be a base requirement to make this work.
In your OLAP universe, you need to set the connection properties of the connection to. Select Use Single Sign On when refreshing reports at view time to allow the user to benefit from SAP SSO.
You have currently used User1 for the connection and saved the universe with this user id, thus, when the connection is made to BW, it is User1 with its role permissions accessing the data, even if you are logged on as User2, User1 is being authenticated.
Hope this helps
Jacques

Similar Messages

  • Role base security & authorization

    hi,
         i want the details about Role based security & authorization for all objects in reporting and the T.codes related to security & authorization (like RSSM ....).
    plz help me with any document and security manual

    Hi,
    I hope search inthese forums would definately hep you.
    My previous postings on the Data level security at the Reporting side:
    https://forums.sdn.sap.com/click.jspa?searchID=966335&messageID=2940809.
    https://forums.sdn.sap.com/click.jspa?searchID=966335&messageID=2783106
    And take a loook on the links:
    https://websmp107.sap-ag.de/~sapidb/011000358700000274062002
    https://websmp107.sap-ag.de/~sapidb/011000358700000972382004
    With rgds,
    Anil Kumar Sharma .P
    Message was edited by:
            Anil Kumar Sharma

  • IDOC Scenario - User  has no RFC authorization for function group EDIN

    Hi all,
    I'm trying to configure an IDOC scenario from ECC to XI.
    RFC's, ports and destinations already configured. On WE19 I'm creating an IDOC for testing the scenario. The IDOC is sent successfully, and it stops on TRFC Monitor with error "User PIRFCUSER has no RFC authorization for function group EDIN." .
    Some of you knows what authorization is needed? Basis team said the roles are the same at DEV environment, and there this scenario works fine.
    Thanks for your help.
    regards.
    Roberti

    Hi,
    Check with PIRFCUSER user , that is having the right authorization or not ..
    And make sure that this user is present in the system & it should  not locked.
    to check that user is present or not-----goto su01 of the system & check
    Regards
    Seshagiri

  • No authorization for changing Customer Centrally- Idoc in Error Status 51

    Hi Experts,
    We are implementing MDM for one of the client.
    The client  runs a  modification scenario in MDM for Customer Master.
    He modifies a customer record in MDM and this record is transfered from MDM to ECC via PI through Idocs.
    We are using standard Idocs for Customer Master which is DEBMDM
    There are 2 Idoc's generated in ECC by PI from DEBMDM as DEBMAS and ADRMAS.
    ADRMAS Idoc is succesfull in ECC and the corresponding record is modified.
    Now the issue is that the corresponding DEBMAS Idoc goes into Error 51.
    The Error details is as below:
                                                                                    No authorization for changing vendor Centrally                                                                               
    Message no. F2326                                                                               
    System Response                                                                               
    You cannot access the requested data.                                                                               
    Procedure for System Administration                                                                               
    If necessary, include an entry in the user's authorization profile for  
        the authorization object and parameters specified below.                                                                               
    Authorization object:                                                                               
    o   F_KNA1_APP                                                                               
    Parameters:                                                                               
    o   Activity: 02
        o   Application authorization : *
    We gave the respective authorization object to the RFC User ID used in PI RFC created to connect to ECC.
    Also we have given the user id  Tcode authorization like XD01/02/03.
    But this error still persists.
    Request to throw some light on this.
    Cheers
    Dhwani

    Check these threads
    [Re: IDOC STATUS - 51 " IDOC HAS TEST STATUS|IDOC STATUS - 51 " IDOC HAS TEST STATUS";
    [Error Inbound IDoc - Status 51|Error Inbound IDoc - Status 51;
    thanks
    G. Lakshmipathi

  • Best Approach to create Security / Authorization Schema for an APEX Apps

    Hi,
    I am planning to create a Security / Authorization Schema for an APEX Application.
    Just want to know what is the best approach to create the security feature in APEX, so that it should be re-used in other APEXApplications too..
    I am looking for following features...
    1. users LOGIN and then user's name is stored in APEX_USER...
    2. Based on the user, I want to restrict the Application on following levels.
    - TABS
    - TABS - Page1 (Report
    - Page2 (Form)
    - Page2 (Region1)
    - Page2 (Region1, Button1)
    - Page2 (Region1, Items,....)
    AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
    I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
    My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
    Also what should be the FRONT end, we should have to enter these detail...
    SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
    Thanks,
    Deepak

    Hi Raghu,
    thanks for the detial info.
    so that means..I should have 2 table...
    master table (2 columns - username, password)
            username    password
       user1       xxxx
       user2       xxxx2nd table (2 columns - username, chq_disp_option)
    - In this table, we don't have Y/N Flag you mentioned..
    - If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages for which are conditionally diaplayed.
    - so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
    - suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
              username    chq_disp_option
       user1       re_region1
       user1       re_region2
       user1       tb_main
       user1       Page1
       user1       Page5
       ----        ----     - how you are defining unique name for Regions..i mean in static ID or the Title
    - is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
    Thanks,
    Deepak

  • Authorization for RFCUSER for IDOC adapter

    Hello,
    who can tell me, which authorizations the RFC User must have I want to use for the IDOC adapter.
    I have the problem, that I can not download the idoc definition into IDX2. Error: "No RFC authorisation..."
    Is there a list of authorization this user MUST have.
    best regards
    Werner Magerl

    Hi,
    The thread speaks of the same issue.
    User abcd has no RFC authorization for function group SYST
    If it's of any help.
    regards
    Vijaya

  • TS3297 I forgot my security answers for purchase authorization.

    I am trying to make a purchase from a new computer, but i forgot the answers to my security questions for authorization for purchases.

    1. See my User Tip for some help: Some Solutions for Resetting
        Forgotten Security Questions: Apple Support Communities.
    2. Here are two different but direct methods:
        a. Send Apple an email request at: Apple - Support - iTunes Store - Contact Us.
        b. Call Apple Support in your country: Customer Service: Contacting Apple for
            support and service.
    3. For other queries about Apple ID see Frequently asked questions about Apple ID.
    4. Rescue email address and how to reset Apple ID security questions
    5. For online assistance use Apple - Support - Express Lane

  • Need RICEF Security specfifications for Interfaces and Conversions

    Hi All,
    I need RICEF security specfications for Interfaces and Conversions. Can anyone provide any input on this.
    Regards
    Plaban

    Hi Plaban,
    Thanks for the detailed explanation. As mentioned, as per my knowledge there is no specific guideline/template that you may adapt while designing the security design for the Interfaces and Conversions.
    However, the most common issues that occurs with IDOCs is with file interfaces are related to file permissions, file ownership and character conversions moving between platforms.
    Ensure that the appropriate authorization (read/write and with filters) authorization is provided. Identify the various levels of authorizations required and implement the same.
    Further, most issues with ALE interfaces are with RFC user ID permissions. Ensure that the appropriate and only the Required authorization is provided to these IDs. This way you can tighten the authorization to the specific level. You may need to completely test the functionality before implementing this.
    It is always important to understand these limitations during the functional design. If any specific additional functionality is required, you may need to have a custom based solution.
    Hope this answers your question!!
    Warm Regards,
    Raghu

  • Unable to find security data for sender

    Hello, does anybody know what this message means. The problem appear when I send an Idoc to XI. Other interfaces (Master data) are working properly. My question is, do I need to make some extra settings for the transactional data interfaces (SHPMNT)?
      <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
    - <!--  Technical Routing
      -->
    - <SAP:ErrorHeader xmlns:SAP="http://sap.com/exchange/MessageFormat">
      <SAP:Context />
      <SAP:Code p1="sapdev222,SHPMNT.SHPMNT05/urn:sap-com:document:sap:idoc:messages" p2="VENDORMASTER_WOLTERKLUWER_ERP_BE,IDZ0001_DeliveryReplicate_IB/http://wolterskluwer.com/xi/midas_deliveries" p3="" p4="">PHYROU.UNDEFINED_SECURITY</SAP:Code>
      <SAP:Text language="EN">Technical routing: Unable to find security data for sender sapdev222,SHPMNT.SHPMNT05/urn:sap-com:document:sap:idoc:messages for receiver VENDORMASTER_WOLTERKLUWER_ERP_BE,IDZ0001_DeliveryReplicate_IB/http://wolterskluwer.com/xi/midas_deliveries</SAP:Text>
      </SAP:ErrorHeader>
    regards
    Ernesto Duran

    HI,
    i am also getting the same error in my scenario. Could u plz inform me what is the solution?
    Rgds,
    Ram Sri

  • Cancel a SD invoice error message "no authorization for transaction FB08"

    Hi Gurus,
    I am trying to cancel a SD invoice and am receiving the error message " no authorization for transaction FB08" is coming. Never has this happened in past, i have checked all the security authorizations also and they are in place. Accounting document status is showing as not cleared. Also, as per my understanding cancellation of invoice happens through VF11 which does not calls FB08. Please point out reasons as to why this could be happening and the possible solution thereof.
    regards
    Anmol Pareek

    Hi Anmol
    Once you got the error screen, immediately after that goto T code SU53 and expand all link. Take the screen shot and send it to your BASIS team to provide you proper access.
    Yes you are correct cancellation is done through VF11 but sometime some programs internally calls other T codes.
    take help of your basis team.

  • What happends when you give 2 groups with some of the same members different authorizations for a document

    Hello,
    I'm doing my internship at a litte Telekom company. I'm investigating how they can use MS SharePoint as their central place to put projectinformation. Now i've been thinking what happends when i do the following:
    Make one document library
    Add 2 groups to the Active Directory, group "A" with all the employees and group "B" with only four people working on a project. When i add a document to the document library and set the authorizations for the document as
    follows:
    Group B: Read/Write
    Group A: Read
    Does the people from group B still be able to edit the document, because they are also in group A?
    I don't have a test environment to test this myself.
    Why i want to know this? The company want's one place to place all their documents with projectinformation. This information is about different projects. You only wan't that people can change the specific document when they are working on the specific project
    where the document belongs to.  

    You get the union of permissions, so if one group allows access and the other not, you will get the union of both and therefore access. Of course, you can break security settings per library/folder or document, and specify new settings,
    if you need too.
    Kind regards,
    Margriet Bruggeman
    Lois & Clark IT Services
    web site: http://www.loisandclark.eu
    blog: http://www.sharepointdragons.com

  • Proper security structure for Single Sign on Server

    We are all used to how we design security structure for vCenter Server if you have had an existing VMware environment prior to 5.1.  Who should have administrative privileges in vCenter Server, what roles, permissions, and so on should be assigned to what users and groups - these questions have already been addressed in our current configuration.
    Now Single Sign on introduces a significant new point of consideration for determining issues of access and authentication.
    I'd like to get some ideas on how this should be handled.  For example, should previous VMware administrators by definition become Single Sign on Administrators? Should the administrators of the Active Directory domain now start to get involved with the Single Sign on Server?
    For example, Single Sign on now forces VMware administrators to configure things like:
    -Password Complexity Policy for SSO
    -Password Expiration for SSO
    -Lockout Policy
    We already probably have these things tightly controlled in AD and locked down with group policy, but you can't apply group policy directly to an SSO server and make it receive a GPO from Active Directory.  (You can make the Windows OS that SSO is running on have a GPO applied, but it won't configure SSO itself, just the OS).
    VMware admins are looking at a new set of questions relating to authentication and authorization.  Someone has to have written something or will be writing something to help us get the big picture of what is changing with SSO if anything and how we need to look at SSO from a security design and best practices.
    Should we just make existing vCenter Server admins SSO admins or do we need to take a step back and reconsider?

    Hello,
    Actually, yes. SSO is fairly robust in 5.5. It has a few limitations around email of expired passwords, but that is mainly because some people do not use them. I use SSO to provide the usernames and passwords for all my VMware vCenter and related product service accounts. I.e. an account for vdp, Horizon, vCops, Log Insight, etc.  This is more about keeping systems segregated once more with no real need for AD for services. But AD via SSO is used by users.
    Read the documentation, and determine how SSO fits into your current password policy and take a long hard look at your virtualization management environment. Is there a 1 service account per service talking directly to vCenter? If not, SSO can help you implement that. The key is to match its functionality to your security policy.
    Best regards,
    Edward L. Haletky
    VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014
    Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
    Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

  • What's the best way to do authorization for my app?

    The authorization situation is somewhat complicated for my app.
    Each component of the app is authorized based on not only the user, but also the page number, the value of at least one P0_ITEM.
    From what I've seen so far, there are two different options of setting the authorization for the component:
    1. Set its Condition
    2. Set its Security Authorization Scheme
    Here is my understanding for each (from my limited experience with APEX):
    1. Set its Condition
    + Can pass in parameters such as :APP_USER, page numebr, P0_ITEM. So I can just create one function that does all the authorization
    - Have to combine the SQL query with the component's non-authorization display conditions, if any.
    2. Set its Security Authorization Scheme
    + By name, it seems like it should be used for authorization
    - Cannot take in parameters relating to the page, such as the page number --> therefore I will need to create many different schemes, for all the different pages.
    #2 will end up with a long list of schemes (each with its own SQL queries) for different pages, which doesn't seem as efficient as #1 with far fewer SQL queries and just take in parameters.
    Which one should I pick?
    Thanks!

    953006 wrote:
    Thanks fac586 for the detailed response, and also everyone else who replied. You guys are very helpful and respond promptly. And we'd appreciate it if you changed "953006" into a real handle promptly.
    Andre mentioned using conditions:
    The way I work around this is to have two functions, one which is used at the page level as a normal authorization scheme and one which can be passed variables which is called as a Condition and the name of the item is one of the variables, in effect giving it "self awareness".But fac586 said:
    You can't pass "parameters" to authorization schemes. Use application items, APEX collections or application contexts to set current context before the authorization scheme is evaluated, and access these values in the functions.Does this mean, fac586, that we can avoid conditions altogether? No, it means that I prefer to use Authorization Schemes to control access to resources based on user privileges and security, and Conditions to control rendering and processing for functional reasons. Using the approach described above I have found it possible to maintain this separation.
    Say if a page has two buttons, Button_A and Button_B. Button_A has a set of requirements for displaying and Button_B has its own set of requirements (some of which are shared with Button_A). So far, the only way that I can see of using pure authorization is to write 2 different authorization schemes, and set the authorization schemes for the two buttons respectively.What's the problem with that? Consider a more concrete example using a standard APEX report/form pattern for customer maintenance. Page 6 contains the report, and page 7 is the maintenance form with P7_CREATE and P7_SAVE buttons. Only users entitled to create new customers should have access to P7_CREATE, and only users able to edit customers access to P7_SAVE. This would be controlled by the CREATE_CUSTOMER and EDIT_CUSTOMER authorization schemes respectively. Functionally, conditions are used to show P7_CREATE if the P7_CUSTOMER_ID is null, and P7_SAVE if it's not null. We don't mix non-functional security considerations with functional requirements.
    The CREATE_CUSTOMER and EDIT_CUSTOMER authorization schemes are of type PL/SQL Function Returning Boolean. These are implemented using package functions. Exactly how a user has create/edit customer privilege is determined in the package. Determinants that are shared by multiple schemes can be combined at this level. These implementations can be changed as necessary without requiring changes to the application.
    The authorization schemes are reusable across pages and components. On page 6, CREATE_CUSTOMER can be used on the "Create New Customer..." button; EDIT_CUSTOMER on the report column containing the "Edit" links.
    Each component of the app is authorized based on not only the user, but also the page number, the value of at least one P0_ITEM. So I guess this goes back to my original concern with Authorizations:
    [Using purely authorizations] will end up with a long list of schemes (each with its own SQL queries) for different pages [and page items] ....
    Re: VPD policies. Note that in the example above there's no need for the authorization schemes to "know" which pages/items are being evaluated. The P7_SAVE button and the page 6 link column are involved with the EDIT_CUSTOMER operation, so that authorization scheme is applied to them.

  • Authorization for specific business scenario or business step in solar01

    Dear all,
    we have an issue regarding solution manager blueprinting management restricting an access to specific nodes. Our goar is to have several substructures devided by modules like: FI, SD, PS and etc. And each team member according his position in a company should have an access only to his substructure and all the related documentation below that. Saying an access means a change mode not a display access.
    Please find the steps have been performed during the configuration of project below:
    All the configuration around system landscape has been done properly.
    A new project for solution was created in solar_project_admin.
    A correct logical componens has been assigned.
    All the required users have assigned as a team members of a project.
    At the projec. team member tab a box has been checked in for: restrict changes to nodes in project to assigned team members.
    A proposed structure of nodes has been created within Tx solar02.
    The right team members have assigned to specific node. So that only they suppose to have a change permission within that nodes. All others read only access.
    Every user has sap_solar01_all role assigned to him. We have tryed assigning varios roles according to  http://help.sap.com/saphelp_sm310/helpdata/en/db/a1033b2a98f46ae10000000a11402f/content.htm
    However as a result we are having a change permission allowed for every node within the structure. Like FI responsible member can access to any node from a tree. And he can make a change for SD related documentation.
    Please assist regarding this issue.
    Kind regards,
    P.S.
    I found a thread with a similar problem which was solved by activating a checkbox which is already activated in our system and actually doesn't solve that problem for us.
    Authorization for specific business scenarios in Solar01/02
    Edited by: Artjoms Nikulins on Mar 11, 2010 3:37 PM

    Hi
    As far my knowldege goes this is not possible to do within same project or making the same.
    You can have project specific access given to member but you cannot go module wise authorization.
    Ofcourse there satellite system authorization will be different but not in solman.
    In addition check this security guide
    https://websmp104.sap-ag.de/~form/sapnet?_SHORTKEY=00200797470000075728&_OBJECT=011000358700007187872005E
    Hope it ans ur query.
    Regards
    Prakhar
    Edited by: Prakhar Saxena on Mar 12, 2010 3:22 AM

  • BW authorizations for universe connections

    Hello experts,
    Is it possible to use a universe without giving the user 0BI_ALL authorization? We want the same user to connect via BICS and universe and if we use 0BI_ALL for universe connections, the analysis authorizations for BICS doesn't work.
    Any idea on how to have row security levels on both connections at same time?
    We are using BW 7.0 and BO 4.0 SP5.
    Many thanks in advance.

    Hello David,
    using BI Authorizations in BW and then adding data level security in the Universe on top of that will only lead to situations like you have now.
    Data Level security goes into BW alone or into the Universe alone, mixing both will lead to issues and remember that the Universe has far less capabilities in this area.
    0BI_ALL is only related to data level security, so the fact that you see the request for 0BI_ALL in the trace clearly shows that your defined data level security entries contradict each other somehow and that BW then requires 0BI_ALL for the user to give the data that was requested.
    like I said above, not a good idea to mix those data level security concepts. all data level security should be in BW already.
    Also - why even use the Universe inbetween ?
    regards
    Ingo Hilgefort, SAP

Maybe you are looking for