Single character wildcards ? PFCG, role, auth object

Similar Messages

• Audit tool which generates Users, Roles, Auth objects, and Values

  Hi,
  I have a list regarding authorization provided by auditors.
  Here I want to know how the auditors generated the list.
  Do you know the transaction code or the program ID.....?
  Probably the data in the list was extracted from our system, and some data were manually processed or added.
  Hard to write down but fields and examples appear in the list;
  -FIELDS-
  User
  Group
  Full Name
  Rule
  Side
  Operator
  Role
  Authorization
  Attribute
  Attribute Value
  Associated Role
  Associated Authorization
  Associated Attribute
  Associated Attribute Value
  -EXAMPLES-
  testuser01
  group001
  user01 test
  Create Maintain Sales Order vs Create Maintain Customer Master Records
  LHS
  Any
  Z_ROLETEST_001
  Authorization=T-D524126500, Object=S_TCODE
  TCD
  FB01
  Z_ROLETEST_002
  Authorization=T-D524126600, Object=F_BKPF_BUK
  ACTVT
  1
  Thank you in advance.
  /Y.Shirako

  > Install ABAP on your system which provides files for them to crunch in an SQL (or similar) database.
  > Tool extracts data via RFC calls into your system that is then processed externally.
  Yes, the interfaces of those tools are often a hazard in themselves...
  I typically recommend customers to delete them completely. Sometimes this comment also exists in the code itself, but who reads code now-a-days in GRC projects, and why should they have to? ;-(
  This looks very much like one of those tools (where the SQL statements are built externally).
  Cheers,
  Julius

• Job role design - transaction role and auth object role

  Hi all, please kindly comment following job role design:
  (1) transaction role:
  Keep transactions in single job role to represent business processes in different application areas, e.g.MM: maintain PR, PO, OA.   CO: maintain cost center, internal order   HR: maintain org structure, personnel management.
  The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
  (2) authorization role
  Keep application component related authorzation objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role.  Objects of HR in HR role.
  Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role.;....
  User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
  with MM transaction role + company A MM role + company A CO role.
  Please let me know the pros and cons of above design.  Thanks.
  Regards,
  Donald
  * I can see the disadvantage of this design is during SAP upgrade (SU25), revised of authorization object will not reflect in authorization role

  Brent Van Dyck wrote:
  Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
  That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
  In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
  But splitting cube / characteristics / key figures  or infotype / personel group / auth code into different roles can only go wrong.
  Another mistake some "value role experts" sometimes make is that they don't want Su24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side affect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
  Cheers,
  Julius

• How can I limit/control the addition of auth. objects to security roles?

  Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certaing type of auth. objects and didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
  Edited by: Armando Salas on Nov 29, 2011 7:41 PM

  Hi Armando,
  Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
  I hope this helps you
  Regards
  Eduardo

• APO roles and auth objects

  Hello all,
  Can someone tell me the most common used Tcodes, roles and auth objects in SAP APO - DP and APO-SNP security
  thanks

  I was going to type them out but luckily for me found this link to the DP & SNP auth objects - the info there is as detailed as anything else I have seen
  http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/content.htm
  There is a list of useful APO transactions here
  http://help.sap.com/bp_scmv241/documentation/SCM_AIO_BP_Function_List.xls
  I can't help with the standard roles as I build my own.

• Cannot modify an authorization object in pfcg role for a business role

  Hi Experts,
  I have created two z pfcg roles from the standard business role CRM_UIU_SRV_PROFESSIONAL  lets say by names zagent and zmanager. My requirement is actually to map these two pfcg roles two a service professional agent and service professional manager custom business roles respectively( I have created these custome business roles from standard business role servicepro) . I have identified an authorization object by name CRM_CO_SE which is basically used to check whether the user is authorized to create service contract transactions. So, in the agent pfcg role, I need to de activate or deselect this particular authorization object so that the agent will not be able to create service contract. (This is not a real time requirement, but an internal assignment). When I change this object in the pfcg by deselecting 'Allow' check box and try to generate, it is not getting generated. I have selected all the options from the 'Expert mode for the profile generation' and still the traffic indicator for that authorization object is yellow.  Am I doing anything wrong?
  Please help me.
  Thanks
  Ajith C

  Hi Leon,
  Thanks for helping me, I have restricted the unauthorized user from creating a new order by disabling the 'New' button by checking the business role in  the code. The pfcg configuration, I am skipping it for now.  I have one mnore requirement. When one clicks on any items in the search result for the Service Contracts, it opens the details of that service contract with an 'edit' button. I can disable this button using do_output_preparation method for the some business roles. However, I want to disable this after checking a condition. The condition is that, edit button should be active, only if that service order was created by the employee who has currently logged on. I am relatively new to CRM and I could not figure how I can check it during run time. Could any one please help me with this?
  Thanks,
  Ajith

• Auth objects required for creating super,power,end user roles

  Hi ,
  I need to create 3 roles according to the below requirement. can you tell me what auth objects req inorder to fulfill customer requirement.
  1.     Super User: 
       Have the access to Create/Modify/Delete own queries
       Can create Variables, CKF, Structures, Formulas & RKF at the cube level (global)
  2.     Power User :
       Have the access to Create/Modify/Delete own queries
       Can create Structures, Formulas at the query level
  3.     End User
       Have the access to run and navigate reports at the local level
  Hope I will get reply soon
  Thanks

  Karunakar -
  Few things you have to keep in mind when you are giving access to the reports and queries.
  S_RS_COMP only will not do.
  have you assigned S_RS_COMP1 and S_RS_MPRO for info areas and multi/info providers.
  and one more auth object S_RS_ICUBE for info cubes. you have to assign what ever the info cubes that you need to give access to the users.
  Then only user will get full access.
  precisely in order you can say,
  S_RS_COMP
  S_RS_COMP1
  S_RS_ICUBE
  and S_RS_MPRO.
  These are main auth objects which are related to info cube, info area access and BEx access.
  Hope this would give you clear pic.

• Manually added auth objects and Derived roles

  If there are manually added auth objects in the parent role do they come across to the derived roles?
  Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?

  yes, any auth objects will come across to derived roles when you click 'generate derived roles'  from your parent role. basically its copying your parent role authorizations to derived roles  except org. level data( if you had maintained them thru 'org. maintainence' button and not adding in individual objects).
  yes. manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles'  from your parent role.
  if you just derived the role menu and din't copy the authorizations(generate derived roles) then there will not be any interlink between the parent and derived roles for authorizations.
  http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm

• FM to assign Single PFCG Roles to Composite PFCG Roles?

  Hello everybody,
  Can you tell me a Function Module which assigns/removes a Single PFCG Role to a Composite PFCG Role.
  Regards Max

  Thank you very much for your quick answer. I am afraid the mentioned reports doesn't solve my problem.
  I am looking for an ordinary function Module, which adds and removes PFCG Single Role to an PFCG Composite Role.
  Best Regards,
  Sebastian

• BI Role with Analysis Auth Object

  Hi
  How can i use Authorisation Object created in RECADMIN with all the list of Infoproviders in S_RS_COMP and S_RS_COMP1
  So that user can perform mentioned action on the data providers mentioned in analysis authorization object.
  As i need one place to list all the data targets user can access insted of maintaining in S_RS_COMP and S_RS_COMP1 and in Analysis Authorization object
  Thanks in advance

  Thanks Everybody for giving suggestions; I really appreciate alll your efforts.
  I followed step by step book of kamaljeet and findout that , I was missing to add related info objects of the inforprovider .added those info objects to auth analysis object.
  Now query is working fine without errors;
  problem is i am not able to restict the query since it showing all the data ; i am trying to put only few values in "0wbs_elemt "  .
  I added 0wbs_elemt in my analysis auth object;
  Clicked on 0wbs_elemt and kept values in value authorizations and also kept wbsh in hierarchy name , selected type 1, HI 0.
  still i am unable to restrict the data;
  Functinal consultants build WBSE  set up on a hierarchy. like
  18ICT-07/2011
        18ICT-07/2011-1
              18ICT-07/2011-1-AUDTM
                    18ICT-07/2011-1-AUDTM-01
              18ICT-07/2011-1-CETX_
                    18ICT-07/2011-1-CETX_-01
  they want to restrict like if we are giving 181ct-07 then they want to access every thing under it;
  same way like 181ct-08  etc etc..
  looks like they want to restrict the date very granuler level like  restriction on " Attribute Navigation   "
  Can anybody please do let me know how can we achieve  Navigation Restriction.
  Thanks.

• Same Auth Objects CM in su24

  Hi All –
  In SU24 for a Tcode SU01 in “S_TCODE” the following auth objects are CM.
  S_USER_AGR
  S_USER_AUT
  S_USER_GRP
  S_USER_PRO
  S_USER_SAS
  & for Tcode PFCG
  S_USER_AGR
  S_USER_AUT
  S_USER_GRP
  S_USER_PRO
  S_USER_SAS
  I am developing a role initially with SU01 Tcode. For the auth object S_USER_AGR, I am giving 01,02,03,06 field values.
  Later I add PFCG Tcode for same role “P_TCODE”. For the auth object S_USER_AGR , I am giving 22,21 field values.
  My question is if the role is assigned to a user
  1.     will he be able to create, change, display, & delete roles using PFCG ????
  2.     What is the best way to restrict the user’s in create, change, display, & delete???
  3.     For PFCG Tcode none of the Auth. Obj’s (the objects that are added by adding SU01 or PFCG Tcode VIA MENU)are maintained in the role what would be the implication??
  Thanks,
  VJ

  Hi,
  1.What is the purpose behind the calling of multiple Tcodes thru a single T.code .I mean to say, suppose, i require a C.Code object to be associated with a T.code for doing that, why i am connecting it to C.Code object of some other T.codes.
  Many tcodes are customized to limit the access / risk. The best example is with SM30. If an user want to maintain a table, you can create a custom transaction which skips the intial screen (user don't need to enter the table name) and allows the user to edit the right or only one table rather than many.
  You can connect your custom authorization object to F-67, it will not affect FBV1. the settings from FBV1 can be overwritten with the entries in F-67. use transaction SE93 to see more details and customization in transaction F-67.
  2.If i assign a C.Code (let say 1000)thru object F_BKPF_BUKRS to a user,does it mean that,i don't need to assign that C.code to user again for access related to C.code 1000 in the accounting document area.Or is there anything like that, the C.Code access will be coded globally for that user for all C.code related access for FI, MM and SD.
  Once you assign the authorization to a company code 1000 it means user has access to this company code across modules. This is subject to the transactions and thier authorization objects attached to them in other modules. Note that all the transactions doesn't perform authorization check for Company code.
  3.Is there any T.code,from where i can associate a authorization object with a T.code.
  You can use SU24 itself.
  Hope it clarifies your queries.
  Regards,
  Gowrinadh

• Can we control Work center group links using auth object UIU_COMP

  Hello All,
  We are running into an issue while doing our PFCG role configuration.
  I need to know if we can control Work center group links in a business role through auth object UIU_COMP.
  We can control Workcenter's but not 'Work Center Group Links'.
  Here is what we did:
  - We have a business role Z_RA_DEFAULT.
  - The Nav Bar Profile SRV-PRO for this business role has some work center group links that are checked in menu and visible.
  - I'm trying to find the values in the auth object UIU_COMP to restrict Work center group links.
  - Even though the values Work center group links are in menu and visible,
  I want to remove these Work center group links from the screen using the auth object.
  - If we remove the check from in menu and visible in the business role the Work center group links disapper from the screen.
  Right now this is only way we are able to controle Work center group links.
  Question:
  - Can I use UIU_COMP to restrict Work center group links?
  - any another auth object that controle Work center group links?
  - any document/ website / info  available which tells us what can we restrict with auth object UIU_COMP?
  - or any other way of doing this... like code change, user exit, ....?
  Really appreciate your help.
  Thanks,
  Nasir

  I am not sure if I have understood the issue correctly, but still what stops you from actually creating a clone business role to your existing business role and deactivating the in menu visible work center group links. Use this new business role for users who need to be prevented from viewing the work center groups links in question.
  If you are going to use authorization objects to control the visibility wont it impact all users (still defeating your original purpose?)
  Again apologies in case I have got the question wrong.

• PFCG Role Upload Issue

  Hi all,
  we are performing an upgrade from SAP 46C to ECC 6.0 and I download one Role from PFCG (46C).
  I use a sandbox system ECC 6.0 for testing PFCG Upload but I obtain the popup message:
  Incorrect release; see long text
  Incorrect release; see long text
  Message no. S#388
  Diagnosis
  The system release does not match the release in which the role was saved to the file.
  Main Program: SAPLSHL2
  Any ideas???
  Thanks,
  GB

  Hi,
  Best approach would be copy roles from 4.6C system into a 4.6C sandbox system and then upgrade the 4.6C sandbox system into 6.0. This method will ensure a consistent conversion of the 4.6 profiles and objects to ECC 6.0.
  You can run SU25 after the upgrade to update your roles to include new auth objects/field/values/transactions of ECC 6.0 and also remove 4.6 C auth objects that are no longer in use.
  This approach will definitely save lot of manual effort to upload roles into new ECC6.0 system and avoid any inconsistencies/ authorization errors in the upgraded system.
  You can easily search this forum for more information on SU25
  [Upgrade 46C to ECC 6 0 STEP BY STEP ---Developing;
  Hope this helps!
  Sandipan

• 1 Business Role  = 1 PFCG role

  Hi,
  We can assign 1 PFCG role to BR. But If user has 3-4 PFCG roles assigned to it in SU01 and only 1 of them is assigned to BR then will it affect the functioning of user in Web UI?
  How does 1 PFCG role take care of all functions which user need to be done? Do we need too add all required authorization objects in single  PFCG role?
  Regards,
  Nikhil

  Nikhil,
  The functioning of user in Web UI is guided by SU01's 'Parameters' tab. The 'parameter value' for the 'Parameter ID' dictates the role and subsequent authorizations of the logged in user.
  Ideally speaking, each business role should have a corresponding PFCG role containing only those authorization objects needed to fulfill the task being part of the Business Role. However, we may even skip this assignment. So a business role may not be assigned a PFCG role. Instead if the user is attached to multiple PFCG roles, all those authorizations would hold for the user.
  Hope this helps.
  Amar.

• Assignment pfcg-role to user and assignment pfcg-role to business role

  Hello, Gurus!
  What is the difference between direct assignment pfcg-role to user and assignment pfcg-role to business role? What is the effect from assignment pfcg-role to business role?
  As  I see authrizations from pfcg-role assigned to business role have no effect to user...
  Best regards,
  Artuк Litvinov.

  Artur,
  The business role assignment does not give a user that PFCG role.  Instead it is just a mapping table and does nothing more. 
  Therefore that UIU_COMP auth object must exist in the PFCG roles assigned to the user in order for them to use the webclient.  In your scenario let's do the following:
  You have pfcg roles:
  RA
  RB
  You a have business role
  B1
  You have users:
  Joe
  Jack
  Business Role B1 is assigned to role RA which contains UIU_COMP.
  User Joe gets business role B1 and roles RB which does not have UIU_COMP.  This will not let him use the webclient.
  User Jack gets business role B1 and pfcg role RA.  This will work because everything is there.
  This means you need both the correct PFCG plus business role setup to make it work properly.
  Take care,
  Stephen