Standard authorization

Similar Messages

• How to use Standard Authorization Object 'M_MATE_WRK'  in SE38?

  Hi all,
  We have developed one program which calculates the commercial price of the material   
    and update the same in the material master.
  Now we want to implement authorization checks at Plant Level.
  For this purpose I am Using 'M_MATE_WRK' which is standard authorization object.
  But in my Program when I am checking for it, its giving the sy-subrc value as 0.
  This indicates that either it is successful or the object is not active for this particular  program. In my case I know that its the second case only.
  So now somewhere i need to 'Check' this object for this particular Program.
  I have checked SU22 , SU24 but couldn't figure out where should i do the respective  setting.
  I am working on ECC 6.0
  Please help me on this.
  Bare with me if i am asking a silly question.

  Hello All,
  The Problem is resolved now.
  Actually it was the first case only.
  When i created the new user id and checked i realized that its working fine and there was
  some mistake while checking previously.
  Anyways thanks for ur reply.

• How to add authorization field to a standard authorization object

  Hi All,
  I'm trying to limit user to can only create & change X type of order type in PM module. This can be fullfill by creating suer with assigned role with only allow X type of order type.
  But when I assigned a display role which has authorization to display all order type (maintained as authorization object), now my user can create and change all order type.
  How to limit user to can only create & change X order type and only display the rest of order type?
  I assume by adding authorization field: AUFART(order type) in authorization object: I_TCODE will solve the problem, is it right? and is it possible to do that?
  regards,
  Andre

  Hi,
  your assumption is incorrect. First of all, adding a new field to standard authorization object is a bad idea. You would have to modify all checks for that object. For standard SAP object it means that you would have to modify many SAP programs.
  The authorization object I_TCODE is checked in PM transactions. It gives you authorization to run that transactions. That object can't be used to limit what you do in that transaction or what order type you can process. You are looking for some other authorization object(s). You need to go to SU24 which gives you what authorization objects are checked in particular transaction. It does not have to cover all objects but it's a good starting point.
  Cheers

• Standard authorization concept versus analysis authorizations

  Hi
  I am bit confused about the necessity of maintaining both.
  Example:
  I have designed an analysis authorizations for CO (Controlling), named CO_001:
  InfoProvider: 0COOM_C02
  Thereafter I have put the authorization object S_RS_AUTH into a role (standard authorization object) with CO_001 as value in BIAUTH.
  Is there still a need to maintain authorization objects for Business Explorer or Business Planning, like:
  S_RS_COMP (limiting to the InfoProvider mentioned in the analysis authorization)
  S_RS_PLSE (limiting to a special aggregation level of the appropriate InfoProvider mentioned in the analysis authorization)
  What happens when there is no limitations maintained in the role for these auth objects, "*"?
  Which concepts dominates the other one?
  Thanks
  BEO

  Hi BEOplanet,
  S_RS_COMP will give you access to the Infoprovidor in BEx so this will be access level security.
  Then Analysis authorization will give you the data level security within the infoprovidor (like what data you can see within the infoprovidor)
  There fore you need to maintain both S_RS_COMP and Analysis Authorizations.
  To your question ,if you have maintained the cube 0COOM_C02 in Analysis Authorization and S_RS_COMP has only 0PA_01 then the Query will fail since you dont have access to the cube 0COOM_C02 in S_RS_COMP.
  Regards,
  Karthik.

• How to get standard authorizations  saritha reddy

  Hello Basis Gurus.
  iam using one month trail version of crm 5.0.
  my client is 100. i entered password wrong then the login failed. then i entered thru 066 and 000 clients. but its not allowing me to copy any standards. its says u r not authorized . i entered thru 066 client and created a new Id thru su01. but the same problem its not allowing me to copy any standards .
  Pls tell me how to log on to 100 client or how to get standard authorizations.
  pls give me u r valuable solution to me problem
  Many Thanks
  saritha
  [email protected]

  Hi
  See the doc related to Authorization concept and do accordingly
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a  profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  <b>Reward points for useful Answers</b>
  Regards
  Anji

• What is standard authorization object for  Personal development  P_PLOG

  Hi,
  Recently i got a object in HR and i dont have any experince in HR.Could you guide me how to asssign standard authorisation object for the personal development p_plog? how to see the infotypes and what is the header field in innfotypes?

  1-First of all the object is "PLOG"  for personal planning. There’s no object with  p_plog , most of time to maintain HR master we use object P_ORGIN.
  2- You want to assign authorization for certain infotypes?
  if yes, you have to go TR.PFCG  and assign the authorization to that specific role.
  Now you might have question , how you’ll will track down the roles against the authorization object .
  There’re several ways , you can go to Tr.SUIM and find reports by user , roles etc.
  You can also go SE16-> give table AGR_1251, give object and you can see the values in table.
  After finding the suitable roles you can go to PFCG and assign the values to the roles.
  As a good practice its better to create your OWN role Z:hrXXXX and assign it to users.
  Hope this’ll give you idea!!
  <b>P.S award the points.</b>
  Good luck
  Thanks
  Saquib Khan
  "Knowledge comes but wisdom lingers!!"

• Standard authorization object for Infotype 41

  hi
  Just wondering did anyone came across standard profile that can define access based on date types?
  thanks

  1-First of all the object is "PLOG"  for personal planning. There’s no object with  p_plog , most of time to maintain HR master we use object P_ORGIN.
  2- You want to assign authorization for certain infotypes?
  if yes, you have to go TR.PFCG  and assign the authorization to that specific role.
  Now you might have question , how you’ll will track down the roles against the authorization object .
  There’re several ways , you can go to Tr.SUIM and find reports by user , roles etc.
  You can also go SE16-> give table AGR_1251, give object and you can see the values in table.
  After finding the suitable roles you can go to PFCG and assign the values to the roles.
  As a good practice its better to create your OWN role Z:hrXXXX and assign it to users.
  Hope this’ll give you idea!!
  <b>P.S award the points.</b>
  Good luck
  Thanks
  Saquib Khan
  "Knowledge comes but wisdom lingers!!"

• Standard authorization role for CRM implementation team member

  Hello,
  We are starting SAP CRM implementation project (7.0) and I would like to avoid giving sap_all authorizations to functional consultants in development environment. Unfortunetly I can't find standard customizer profiles like the ones in ERP system exists.
  So the objective is to have quite broad role or profile with no restrictions in customization and functional area. However it's important not to have Basis authorizations in this role/profile. Hope that someone can give me a hint in this direction.
  Thnak you,
  Jahoo

  Hi,
  as soon as the implementation team member should also do developments my experience is that without SAP_ALL you will have much trouble. Therefore in our dev-system each consultant will have SAP_ALL authorization. Of course only in the DEV-System.
  Kind regards
  Manfred

• USE Standard Authorization object in Z Program

  Hi Experts,
  I have already checked other threads regarding this but could not resolve my problem.
  I have created a Z program to update Material Master. I need to use the Authorization object  M_MATE_STA in my program for performing authorization check. Please help me how can I do that?
  Thanks

  hI,
     below is a similar code...
  CONSTANTS:  lc_authobj  TYPE char15 VALUE 'F_BKPF_BUK',
  AUTHORITY-CHECK OBJECT lc_authobj
             ID lc_id_bukrs FIELD v_bukrs
             ID lc_id_actvt FIELD lc_activity.
    IF sy-subrc NE 0.
    ENDIF.
  Amol

• Urgent - create Standard Authorization Roles

  Hi experts,
  we urgently need to establish some basic roles for our key users and basic users, so they can create/run BeX querys and workbooks as part of the Test User's phase.
  Based on several posts in SDN we have seen that a valid role template would be S_RS_RREDE for key users and S_RS_RREPU for normal users.
  However, I cannot find those roles neither in tx PFCG nor at the Business Content.
  What am I missing? How can I fin those template roles (or any other that can apply)?
  Thanks and bets regards,
  Enric

  have you followed these instructions :
  For 3.x authorizations:
  Roles in BW (Authorization Objects)
  for 7.0 authorizations :
  /thread/509708 [original link is broken]
  here you find a good Authorization Objects Overview:
  http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/frameset.htm
  Use TA PFCG to create a new role. http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6866e07211d2acb80000e829fbfe/frameset.htm

• Two authorizations objects with OR function instead of AND

  Hi,
  We have created two authorization (RSECADMIN) objects for a CRM InfoProvider:
  Organizational responsible
  Delivery unit.
  Both the two authorized relevant InfoObjects are used in the query.
  In the query we have used a two authorization variables.
  Now only values in the authorizations are checked where Organizational responsible are true AND Delivery unit are true.
  Is it possible to check the authorization where:
  Organizational responsible is true OR Delivery unit is true??
  Please help!
  Regards,
  Jos.

  Hi,
  hmmm Andreas, I must comment on that:
  what is required is to show any record having Object1 = True OR Object2 = TRUE.
  Logically it is the same than asking:
  Don't show records having (Object1 NOT True) AND (Object2 NOT True), correct me if I am wrong there (this is pure Boolean math...)
  Because BW doesn't support this it doesn't mean that ANY system cannot do it.
  Simply put with SQL
  SELECT * FROM TABLE
  WHERE OBJ1 = TRUE OR OBJ2 = TRUE works perfectly in ANY RDBMS.
  also
  SELECT * FROM TABLE
  WHERE NOT OBJ1 <> TRUE AND OBJ2 <> TRUE would work as well.
  It is just that BW always perform an AND when you filter two different objects.
  Jos could achieve what he wants by setting up some restricted key figures and work it out with conditions but definitively not with standard authorizations.
  Alternatively, as I already mentioned, compounding objects would work but not without modeling effort. Finally I believe that with user exits it would also be possible... I don't have time but I would as well investigate bringing both objects along with the provider in a multi and verify if that couldn't be done by semi/standard means finally...
  hope this shed some lights on the issue....
  regards,
  Olivier.

• Authorization issue with Company code/ Cost center combination

  Hi,
  I am currently trying to restrict user access by company code and cost center combination.
  We have roles defined for each user and I am trying to use the standard authorization object A_S_KOSTL in this role . It seems that since it is not a 'maintianed' object no activity can be assigned to this autorization object.
  currently the values are :
  company Code : 1110 , 1112, 1114
  Cost Center : *
  i am getting sy-subrc as 0 even when i test for company code : 1110 for a user with the above role.
  My code is :
  AUTHORITY-CHECK OBJECT 'A_S_KOSTL'
      ID 'BUKRS' FIELD '1110'.
  F sy-subrc EQ 0.
    AUTHORITY-CHECK OBJECT 'A_S_KOSTL'
    ID 'KOSTL' FIELD '*' .
    IF sy-subrc EQ 0.
      MESSAGE 'Success with KOSTL also' TYPE 'S'.
    ELSE.
        MESSAGE 'Success with BUKRS only' TYPE 'S'.
    ENDIF.
  ELSE.
        MESSAGE 'Failure' TYPE 'S'.
  ENDIF .
  I get a subrc NE 0 for the KOSTL part. The test passes for BUKRS.
  Please advise on how to proceed.
  Thanks and Regards
  Soumya

  Okay, I misread the "NE". Sorry.
  Have you done a syntax check on it?
  Also compare to:
  AUTHORITY-CHECK <object>
  ID 'KOSTL' '*'.
  I cannot confess to ever have done a "full" AUTHORITY-CHECK myself, but it is most likely the same as with DUMMY ->  you should not use the FIELD statement as '' value if the data element does not know what a '' is...
  Cheers,
  Julius

• Posting authorization restriction in t-code F-02

  I have created a scenario for park/post for special GL entries. for that I will be using f-02 to hold the invoice and fb11 to post the invoice.
  I need to restrict the authorization of posting in F-02 so that the user can only held the invoices. any possibility to restrict the posting rights? I dont want to go on screen variants? cant it be done from second level authorization?
  Looking forward for the feedback!

  @Vinod Vemuru
  I have checked, system is still allowing to post the document.
  I have trace the system for authorization check in ST01, I can see system has checked just the activity as 01 to post the document.
  @Obaid Javed
  I don't think it can be possible through any standard authorization object. You may have to go for your own custom authorization object or you may go for the exit or badi to restrict that.

• Authorization objects for BP in CRM 2007

  Hi,
  right now i'm struggling with the standard authorizations for the BP in the WEB UI.
  We want to restrict access to BP by role.
  There is the standard object B_BUPA_RLT which worked before in SAP GUI.
  The object is still relevant but in our system just the general rights to the BP are controlled. The value roletype really doesnt change anything. E.g. I just enter roletype customer and change, but I then can change all roletypes.
  The new object CRM_BPROLE just controlls the assignment of roles.
  Thus it doesnt help.
  Thanks
  Andreas

  Hi Andreas,
     THE new role CRM_BPROLE also controls the change access to Business Partners. We have implemented it over at our client site. I  think one step that you might be missing is implementing the BADI. The authority check is deactivated by default. FOr that you have to implement the BADI through the following path
  >>Master Data - Business Partner - Accounts and Contacts- Business Add-Ins Implementation: Filtering of BP Roles by Authorization
  Reward points if it helps.
  Thanks,
  Anand
  Edited by: Anand on May 7, 2008 1:59 AM

• Authorization at Sales Order Change (Item level)

  Hello Experts,
  Is there any standard authorization object at sales order for adding new items? As I want to restrict some users to add new item lines at sales order change ( VA02 )
  Regards,
  Amr

  Hello,
  How can I use this object V_VBAK_AAT to disallow users to add
  some item lines from VA02 but users can change any other functions
  at the sales order (e.g. update pricing conditions)?
  As I see on this object V_VBAK_AAT, If I revoked ACTVT = 02 'Change',
  It will revoke all change functions from users.
  I think the best solution for your requirment would be to seek the help of Basis folk to create a new User ID which would be having access to Change mode of Sales Order (VA02). Then you can restrict addition of Material line item with the help of Technical consultant by putting up code in following User exit.The logic in the code will be addition of Material line item will be restricted if the User Name is the newly created one...
  1:- MV45AFZB -- USEREXIT_CHECK_VBAP
  2:- MV45AFZZ -- USEREXIT_MOVE_FIELD_TO_VBAP
  3:- MV45AFZZ -- USEREXIT_SAVE_DOCUMENT_PREPARE
  Regards,
  Sarthak
  PS : On information note, you can refer the t-code SU24 to see the standard authorization object for change mode of Sales Order.