Single character wildcards ? PFCG, role, auth object
Hi community,
we want to implement a naming convention to control access to queries by query names, auth object S_RS_COMP, RSZCOMPID. The naming convention is e.g.: Z_xx_ST_yyy.
means:
digits 1-2: Z:_
digits 3-4: custom 2-digit identifier
digits 5-8: "_ ST _" stands for standard query
digits 9-30: custom name
We need to distinguish the users by the 2-digit identifier, but some power users are authorized for all standard queries, so we want to use a single character wildcard for digits 3-4. We tried with +, $, %, &, # and <blank>, but nothing worked.
Also, asterisk Z_ * STyyy does not work; it works like Z_ * then.
any idea? many thanks and
cheers,
Phil
Edited by: Phillip Lee on Jun 17, 2008 3:16 PM
Hi,
You are in BI 7.0? We also experienced a similar problem when we tried using a wildcard character in 'Analysis authorization'. That wildcard character did not work. Finally we had to hard code without a wildcard character.
Regards
S Meyyappan
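The hard-coding fallback from the reply above, sketched as an added example (not code from the thread or from SAP): it keeps the query names that follow the Z_xx_ST_ convention and emits one value per identifier for the power-user role, then shows which non-standard queries a bare Z_* would also match. The allowed character set, the sample names and the prefix-match reading of a trailing asterisk are assumptions.

```python
import re
from collections import defaultdict

# Convention from the question: positions 1-2 "Z_", 3-4 identifier,
# 5-8 "_ST_", 9-30 custom name. Character set [A-Z0-9_] is an assumption.
STANDARD = re.compile(r"^Z_(?P<ident>[A-Z0-9]{2})_ST_(?P<name>[A-Z0-9_]{1,22})$")

# Constructed sample of technical query names, not taken from any system.
SAMPLE = [
    "Z_FI_ST_BALANCE",
    "Z_FI_ST_OPEN_ITEMS",
    "Z_HR_ST_HEADCOUNT",
    "Z_HR_AD_SALARY",          # not a standard query (no _ST_ in positions 5-8)
    "Z_FIN_ST_X",              # identifier is three characters long
    "Z_SD_ST_" + "A" * 23,     # 31 characters, exceeds the 30-character limit
]


def classify(query_names):
    """Return (standard queries grouped by identifier, names outside the convention)."""
    by_ident, other = defaultdict(list), []
    for raw in query_names:
        name = raw.strip().upper()
        m = STANDARD.match(name)
        if m:
            by_ident[m.group("ident")].append(name)
        else:
            other.append(name)
    return dict(by_ident), other


def power_user_values(by_ident):
    """One explicit value per identifier, standing in for the unsupported Z_??_ST_*."""
    return [f"Z_{ident}_ST_*" for ident in sorted(by_ident)]


def matched_by(values, names):
    """Names matched by any value; a trailing '*' is treated as a prefix match (assumed)."""
    def hit(value, name):
        if value.endswith("*"):
            return name.startswith(value[:-1])
        return name == value
    return sorted(n for n in names if any(hit(v, n) for v in values))


if __name__ == "__main__":
    standard, other = classify(SAMPLE)
    values = power_user_values(standard)
    print("Values for the power-user role:", values)
    print("Outside the convention:", other)
    print("Extra names a bare Z_* would match:", matched_by(["Z_*"], other))
    print("Extra names the explicit list matches:", matched_by(values, other))
```

The value list has to be regenerated whenever a new two-character identifier is introduced, which is the maintenance cost of hard-coding.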
Similar Messages
-
Audit tool which generates Users, Roles, Auth objects, and Values
Hi,
I have a list regarding authorization provided by auditors.
Here I want to know how the auditors generated the list.
Do you know the transaction code or the program ID.....?
Probably the data in the list was extracted from our system, and some data were manually processed or added.
Hard to write down but fields and examples appear in the list;
-FIELDS-
User
Group
Full Name
Rule
Side
Operator
Role
Authorization
Attribute
Attribute Value
Associated Role
Associated Authorization
Associated Attribute
Associated Attribute Value
-EXAMPLES-
testuser01
group001
user01 test
Create Maintain Sales Order vs Create Maintain Customer Master Records
LHS
Any
Z_ROLETEST_001
Authorization=T-D524126500, Object=S_TCODE
TCD
FB01
Z_ROLETEST_002
Authorization=T-D524126600, Object=F_BKPF_BUK
ACTVT
1
Thank you in advance.
/Y.Shirako
> Install ABAP on your system which provides files for them to crunch in an SQL (or similar) database.
> Tool extracts data via RFC calls into your system that is then processed externally.
Yes, the interfaces of those tools are often a hazard in themselves...
I typically recommend customers to delete them completely. Sometimes this comment also exists in the code itself, but who reads code nowadays in GRC projects, and why should they have to? ;-(
This looks very much like one of those tools (where the SQL statements are built externally).
Cheers,
Julius
-
Job role design - transaction role and auth object role
Hi all, please kindly comment following job role design:
(1) transaction role:
Keep transactions in single job role to represent business processes in different application areas, e.g. MM: maintain PR, PO, OA. CO: maintain cost center, internal order. HR: maintain org structure, personnel management.
The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
(2) authorization role
Keep application component related authorization objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role. Objects of HR in HR role.
Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role, ...
User will be assigned transaction role + auth object role. For example, user of company A to perform MM and CO functions will be assigned with MM transaction role + company A MM role + company A CO role.
Please let me know the pros and cons of above design. Thanks.
Regards,
Donald
* I can see the disadvantage of this design is during SAP upgrade (SU25), revised of authorization object will not reflect in authorization role
Brent Van Dyck wrote:
> Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
But splitting cube / characteristics / key figures or infotype / personnel group / auth code into different roles can only go wrong.
Another mistake some "value role experts" sometimes make is that they don't want SU24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side effect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
Cheers,
Julius
-
How can I limit/control the addition of auth. objects to security roles?
Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certain type of auth. objects and it didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
Edited by: Armando Salas on Nov 29, 2011 7:41 PM
Hi Armando,
Try with auth. obj. S_USER_AUT. A suggestion: search these objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
I hope this helps you
Regards
Eduardo
-
Hello all,
Can someone tell me the most commonly used Tcodes, roles and auth objects in SAP APO - DP and APO-SNP security?
thanks
I was going to type them out but luckily for me found this link to the DP & SNP auth objects - the info there is as detailed as anything else I have seen
http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/content.htm
There is a list of useful APO transactions here
http://help.sap.com/bp_scmv241/documentation/SCM_AIO_BP_Function_List.xls
I can't help with the standard roles as I build my own.
-
Cannot modify an authorization object in pfcg role for a business role
Hi Experts,
I have created two z pfcg roles from the standard business role CRM_UIU_SRV_PROFESSIONAL, let's say by names zagent and zmanager. My requirement is actually to map these two pfcg roles to a service professional agent and service professional manager custom business roles respectively (I have created these custom business roles from standard business role servicepro). I have identified an authorization object by name CRM_CO_SE which is basically used to check whether the user is authorized to create service contract transactions. So, in the agent pfcg role, I need to deactivate or deselect this particular authorization object so that the agent will not be able to create service contract. (This is not a real time requirement, but an internal assignment). When I change this object in the pfcg by deselecting 'Allow' check box and try to generate, it is not getting generated. I have selected all the options from the 'Expert mode for the profile generation' and still the traffic indicator for that authorization object is yellow. Am I doing anything wrong?
Please help me.
Thanks
Ajith C
Hi Leon,
Thanks for helping me, I have restricted the unauthorized user from creating a new order by disabling the 'New' button by checking the business role in the code. The pfcg configuration, I am skipping it for now. I have one more requirement. When one clicks on any items in the search result for the Service Contracts, it opens the details of that service contract with an 'edit' button. I can disable this button using do_output_preparation method for some business roles. However, I want to disable this after checking a condition. The condition is that the edit button should be active only if that service order was created by the employee who has currently logged on. I am relatively new to CRM and I could not figure out how I can check it during run time. Could anyone please help me with this?
Thanks,
Ajith
-
Auth objects required for creating super,power,end user roles
Hi ,
I need to create 3 roles according to the below requirement. Can you tell me what auth objects are required in order to fulfill the customer requirement?
1. Super User:
Have the access to Create/Modify/Delete own queries
Can create Variables, CKF, Structures, Formulas & RKF at the cube level (global)
2. Power User :
Have the access to Create/Modify/Delete own queries
Can create Structures, Formulas at the query level
3. End User
Have the access to run and navigate reports at the local level
Hope I will get reply soon
Thanks
Karunakar -
Few things you have to keep in mind when you are giving access to the reports and queries.
S_RS_COMP only will not do.
Have you assigned S_RS_COMP1 and S_RS_MPRO for info areas and multi/info providers?
And one more auth object, S_RS_ICUBE, for info cubes. You have to assign whatever info cubes you need to give the users access to.
Then only user will get full access.
precisely in order you can say,
S_RS_COMP
S_RS_COMP1
S_RS_ICUBE
and S_RS_MPRO.
These are main auth objects which are related to info cube, info area access and BEx access.
Hope this would give you clear pic.
-
Manually added auth objects and Derived roles
If there are manually added auth objects in the parent role do they come across to the derived roles?
Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?
Yes, any auth objects will come across to derived roles when you click 'generate derived roles' from your parent role. Basically it's copying your parent role authorizations to derived roles except org. level data (if you had maintained them through the 'org. maintenance' button and not adding in individual objects).
Yes, manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles' from your parent role.
If you just derived the role menu and didn't copy the authorizations (generate derived roles) then there will not be any interlink between the parent and derived roles for authorizations.
http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm
-
FM to assign Single PFCG Roles to Composite PFCG Roles?
Hello everybody,
Can you tell me a Function Module which assigns/removes a Single PFCG Role to a Composite PFCG Role.
Regards Max
Thank you very much for your quick answer. I am afraid the mentioned reports don't solve my problem.
I am looking for an ordinary function Module, which adds and removes a PFCG Single Role to a PFCG Composite Role.
Best Regards,
Sebastian
-
BI Role with Analysis Auth Object
Hi
How can I use Authorisation Object created in RECADMIN with all the list of Infoproviders in S_RS_COMP and S_RS_COMP1
So that user can perform mentioned action on the data providers mentioned in analysis authorization object.
As I need one place to list all the data targets user can access instead of maintaining in S_RS_COMP and S_RS_COMP1 and in Analysis Authorization object
Thanks in advance
Thanks Everybody for giving suggestions; I really appreciate all your efforts.
I followed step by step book of kamaljeet and found out that I was missing to add related info objects of the infoprovider. Added those info objects to auth analysis object.
Now query is working fine without errors;
problem is I am not able to restrict the query since it is showing all the data; I am trying to put only few values in "0wbs_elemt".
I added 0wbs_elemt in my analysis auth object;
Clicked on 0wbs_elemt and kept values in value authorizations and also kept wbsh in hierarchy name, selected type 1, HI 0.
Still I am unable to restrict the data;
Functional consultants build WBSE set up on a hierarchy, like
18ICT-07/2011
18ICT-07/2011-1
18ICT-07/2011-1-AUDTM
18ICT-07/2011-1-AUDTM-01
18ICT-07/2011-1-CETX_
18ICT-07/2011-1-CETX_-01
They want to restrict like if we are giving 181ct-07 then they want to access everything under it;
same way like 181ct-08 etc etc..
Looks like they want to restrict the date very granular level like restriction on "Attribute Navigation"
Can anybody please do let me know how we can achieve Navigation Restriction.
Thanks.
-
Hi All
In SU24 for a Tcode SU01 in S_TCODE the following auth objects are CM.
S_USER_AGR
S_USER_AUT
S_USER_GRP
S_USER_PRO
S_USER_SAS
& for Tcode PFCG
S_USER_AGR
S_USER_AUT
S_USER_GRP
S_USER_PRO
S_USER_SAS
I am developing a role initially with SU01 Tcode. For the auth object S_USER_AGR, I am giving 01,02,03,06 field values.
Later I add PFCG Tcode for same role P_TCODE. For the auth object S_USER_AGR , I am giving 22,21 field values.
My question is if the role is assigned to a user
1. will he be able to create, change, display, & delete roles using PFCG ????
2. What is the best way to restrict the users in create, change, display, & delete???
3. For PFCG Tcode none of the Auth. Objs (the objects that are added by adding SU01 or PFCG Tcode VIA MENU)are maintained in the role what would be the implication??
Thanks,
VJ
Hi,
1.What is the purpose behind the calling of multiple Tcodes thru a single T.code .I mean to say, suppose, i require a C.Code object to be associated with a T.code for doing that, why i am connecting it to C.Code object of some other T.codes.
Many tcodes are customized to limit the access / risk. The best example is with SM30. If an user want to maintain a table, you can create a custom transaction which skips the intial screen (user don't need to enter the table name) and allows the user to edit the right or only one table rather than many.
You can connect your custom authorization object to F-67, it will not affect FBV1. the settings from FBV1 can be overwritten with the entries in F-67. use transaction SE93 to see more details and customization in transaction F-67.
2.If i assign a C.Code (let say 1000)thru object F_BKPF_BUKRS to a user,does it mean that,i don't need to assign that C.code to user again for access related to C.code 1000 in the accounting document area.Or is there anything like that, the C.Code access will be coded globally for that user for all C.code related access for FI, MM and SD.
Once you assign the authorization to a company code 1000 it means user has access to this company code across modules. This is subject to the transactions and their authorization objects attached to them in other modules. Note that all the transactions don't perform authorization check for Company code.
3.Is there any T.code,from where i can associate a authorization object with a T.code.
You can use SU24 itself.
Hope it clarifies your queries.
Regards,
Gowrinadh
-
Can we control Work center group links using auth object UIU_COMP
Hello All,
We are running into an issue while doing our PFCG role configuration.
I need to know if we can control Work center group links in a business role through auth object UIU_COMP.
We can control Workcenter's but not 'Work Center Group Links'.
Here is what we did:
- We have a business role Z_RA_DEFAULT.
- The Nav Bar Profile SRV-PRO for this business role has some work center group links that are checked in menu and visible.
- I'm trying to find the values in the auth object UIU_COMP to restrict Work center group links.
- Even though the values Work center group links are in menu and visible,
I want to remove these Work center group links from the screen using the auth object.
- If we remove the check from in menu and visible in the business role the Work center group links disappear from the screen.
Right now this is the only way we are able to control Work center group links.
Question:
- Can I use UIU_COMP to restrict Work center group links?
- any other auth object that controls Work center group links?
- any document/ website / info available which tells us what can we restrict with auth object UIU_COMP?
- or any other way of doing this... like code change, user exit, ....?
Really appreciate your help.
Thanks,
Nasir
I am not sure if I have understood the issue correctly, but still what stops you from actually creating a clone business role to your existing business role and deactivating the in menu visible work center group links. Use this new business role for users who need to be prevented from viewing the work center groups links in question.
If you are going to use authorization objects to control the visibility won't it impact all users (still defeating your original purpose?)
Again apologies in case I have got the question wrong.
-
Hi all,
we are performing an upgrade from SAP 46C to ECC 6.0 and I download one Role from PFCG (46C).
I use a sandbox system ECC 6.0 for testing PFCG Upload but I obtain the popup message:
Incorrect release; see long text
Incorrect release; see long text
Message no. S#388
Diagnosis
The system release does not match the release in which the role was saved to the file.
Main Program: SAPLSHL2
Any ideas???
Thanks,
GB
Hi,
Best approach would be copy roles from 4.6C system into a 4.6C sandbox system and then upgrade the 4.6C sandbox system into 6.0. This method will ensure a consistent conversion of the 4.6 profiles and objects to ECC 6.0.
You can run SU25 after the upgrade to update your roles to include new auth objects/field/values/transactions of ECC 6.0 and also remove 4.6 C auth objects that are no longer in use.
This approach will definitely save lot of manual effort to upload roles into new ECC6.0 system and avoid any inconsistencies/ authorization errors in the upgraded system.
You can easily search this forum for more information on SU25
[Upgrade 46C to ECC 6 0 STEP BY STEP ---Developing;
Hope this helps!
Sandipan
-
1 Business Role = 1 PFCG role
Hi,
We can assign 1 PFCG role to BR. But If user has 3-4 PFCG roles assigned to it in SU01 and only 1 of them is assigned to BR then will it affect the functioning of user in Web UI?
How does 1 PFCG role take care of all functions which user need to be done? Do we need to add all required authorization objects in single PFCG role?
Regards,
Nikhil
Nikhil,
The functioning of user in Web UI is guided by SU01's 'Parameters' tab. The 'parameter value' for the 'Parameter ID' dictates the role and subsequent authorizations of the logged in user.
Ideally speaking, each business role should have a corresponding PFCG role containing only those authorization objects needed to fulfill the task being part of the Business Role. However, we may even skip this assignment. So a business role may not be assigned a PFCG role. Instead if the user is attached to multiple PFCG roles, all those authorizations would hold for the user.
Hope this helps.
Amar.
-
Assignment pfcg-role to user and assignment pfcg-role to business role
Hello, Gurus!
What is the difference between direct assignment pfcg-role to user and assignment pfcg-role to business role? What is the effect from assignment pfcg-role to business role?
As I see authorizations from pfcg-role assigned to business role have no effect to user...
Best regards,
Artur Litvinov.
Artur,
The business role assignment does not give a user that PFCG role. Instead it is just a mapping table and does nothing more.
Therefore that UIU_COMP auth object must exist in the PFCG roles assigned to the user in order for them to use the webclient. In your scenario let's do the following:
You have pfcg roles:
RA
RB
You have a business role
B1
You have users:
Joe
Jack
Business Role B1 is assigned to role RA which contains UIU_COMP.
User Joe gets business role B1 and roles RB which does not have UIU_COMP. This will not let him use the webclient.
User Jack gets business role B1 and pfcg role RA. This will work because everything is there.
This means you need both the correct PFCG plus business role setup to make it work properly.
Take care,
Stephen