Table authorisation

Hi Experts,
Please guide me through the steps to give display/maintain authorization to a user for a particular table.
Thanks,
Chandresh Bajpai.

Hi,
We can create database tables in SAP using transaction code SE11. A table can be manipulated by a program or manually.
When creating a table, you will find a check box 'Table maintenance allowed'. If we check that option, we can manually enter entries using SE16 or the table maintenance generator screen.
SE16 is the data browser.
Table maintenance generator
Go to SE11, give the table name and click on change. Then go to Utilities --> Table maintenance generator.
In the table maintenance generator screen, we should give the Authorization Group and the Function Group name (the Function Group name can be the same as the table name).
The maintenance type can be one step or two step; usually we create it with one step. We should also give the maintenance screen number. After clicking on the create button, a table maintenance generator will be created.
To check it, go to SM30. In SM30, we find the Display and Maintain options.
We can view the table contents by choosing Display and we can create table entries by choosing Maintain.
Regards
Krishna

Similar Messages

  • Table authorisation group for a group of user ?

    Hi all,
    Is it possible to give read-only authorisation for my ztable to an end user? I don't want to give a tcode. Is it possible to do anything in the authorisation group (normally I use &NC&)? Can I create an authorisation group and do something in that? If yes, can you people tell me how to do it?
    thanks,
    Siva

    Hi Neelima,
    Is this the source of your answer?
    http://www.saptechies.com/how-to-assigncreate-authorization-group-for-a-table/
    Stop copying and pasting answers from different sources. If you know the answer, only then reply.
    кαятιк

  • Table authorisation not working in RSA3

    Hi All,
    I have come across a problem: I have linked an R/3 table to an authorization group so that its data will be viewable only to those who are authorized for that group. It's working fine when anyone tries to view the data from SE16. But in case I have attached it to an extractor, its data is viewable to everyone who has rights for RSA3. Why is the authorization group check not working with RSA3? What do I need to do in order to avoid that? Please guide.
    Regards:
    Jitendra

    Hi Shanti,
    Thanks for replying.
    I am working on WD for Java.
    Can you please give me your table sorter Java file?
    I think there may be issues in versions.
    The previous server was EP 7.00 and now, when the code is moved to EP 7.01 SP05 patch 1, the table sort doesn't seem to work, even though I checked that all the code is there in the new system.
    Thanks and Regards,
    Nuzhat

  • Resource Permission stored in DB

    Hi Everyone
    My customer is using a forms application that he needs to migrate to ADF.
    The new application should reuse the existing tables, PL/SQL APIs to such an extent that the old forms application should be available at the same time with the new ADF application as the existing forms will be gradually migrated to ADF over a longer period of time.
    In this application there is one menu which is unique. Customer has a table AUTHORISATION to store the permissions on some menu entries (submenu or executable) . Each executable menu entry has a form (fmb) and some columns (with possible values 0 or 1) for the actions allowed on that form:
    VIEW - 1 if view action is allowed, 0 if not
    CREATE - the same
    UPDATE - the same
    DELETE - the same
    Although he is aware that this is not a very strong security model as users can connect to sqlplus and update the table manually, customer would like to keep this table and to continue using that even in ADF, and not to use Weblogic security provider to manage roles (using SQLAuthenticator for example) in the application as this would be too tedious for him. To make the problem more complicated users can login to the application and then choose the DB they wish to connect to, so this AUTHORISATION table is specific to each DB instance. So there are multiple AUTHORISATION tables (one table in each DB instance), but the user_id/username is the same in all of these tables.
    In the ADF application, each form will be equivalent to a taskflow where the same operations would be allowed in page fragments. For example in the taskflow there will be a page fragment to display a list of records, another to display a detail of a record, another that allows to create a new record and so on. The access to the taskflow and within the taskflow needs to be driven by the same table. One taskflow will appear in the menu only once, that is for sure.
    I have considered using a resource permission to define a logical entity on a menu entry, and then using expressions such as
    #{securityContext.userGrantedResource
    ['resourceName=myPanel1;
    resourceType=myLayoutPanel;
    action=myAction']}
    to control the access/navigation in the application. However I find it quite hard to adapt it to the current situation. I have built the necessary components so I can extract all the contents of this table and wrap it inside a sessionScope managed bean so that access to these permissions is available from anywhere within the user session. I can code the hard way in the application to control access and navigation (for example, by creating a generic pageFlow managed bean for each taskflow that will have boolean properties for each operation; this managed bean will be initialized at the beginning of the taskflow and then used in EL expressions to control the permissions to the actions). There will be a team of developers that will build each taskflow and there are many taskflows which follow exactly the same pattern (list of records->details/create/delete). I need to make sure there is an easy way to encapsulate all this using security EL if possible, so that each developer works in a consistent manner based on, for example, a taskflow template that they need to follow/implement.
    I am using JDev version 11.1.2.2
    Not sure if my approach is the right one, or anyone has better ideas. Please advise.
    Thank you in advance
    Edited by: Dan Cretu on 31 oct. 2012 23:46

    Hi
    Thanks Peter for the helpful hints. I am also using one page, main.jsf (in fact there is a taskflow with several method calls to perform some initialization after login and at the end the user ends up in the same page). I am also using the dynamic tabs pattern to show all the taskflows in regions. I have not yet begun the design of the templates (this is next on my list once I finish designing the security/permission layer), but your experience is really helpful as it very much resembles what I have. This should help me a lot to design these CRUD taskflows in the same manner as forms.
    For view permission and navigation I plan to implement this in the custom NavigationHandler class specified in faces-config.xml. As for the CRUD operations within the taskflow or I plan on using a router activity or a method call activity that would act like a router in order to encapsulate more complex logic if necessary (Haven't decided yet). The real challenge is when the CRUD operations are called from another taskflow opened in another tab. For example, from Departments taskflow to try and add a new employee which is in another taskflow. I guess the employee taskflow will need to have a parameter in order to define the operations to be performed in this taskflow (and use this parameter in a router activity for example) and if the operation is allowed the proper page/fragment for the creation would be shown in the new tab. Still a lot of ideas to put in practice and I need to think ahead of some potential problems in order to make everyone's life easier afterwards :-)
    Kind regards

  • SM30/SM31 and SE16 access in Production systems - Confusion

    Hi Security Experts,
    Could anyone give some information on why SE16 or SM30/SM31 access should not be granted directly in production systems even if it's for custom tables which are assigned to authorisation groups?
    I have been going through a lot of forums where everyone says access to tcodes should be restricted or access needs to be provided in an alternate way, but I could not see clear information on why this should not be granted.
    I can think of the risk in providing access to standard table authorisation groups, but I don't understand the reason why custom table access via SM30/SM31/SE16 should be restricted.
    Could anyone explain the implications of granting the access directly? If possible, please provide information from an audit point of view.
    In our company there are many users who have got access to SM30/SM31 to maintain z* tables which are assigned to authorisation groups. Is this a security risk?
    Please shed some light on this. Your information is much helpful in clearing my doubts and is much appreciated.
    Thanks,
    Sandhya

    What you should also consider is that S_TABU_RFC lets you remotely turn the S_TABU_DIS checks off for specific tables if you create a view to them.
    It means that the calling application has taken care of the security before the call and the application user authorizations are correct and the view is correctly designed.
    Normally display activity in the debugger (S_DEVELOP ACTVT 03 object type DEBUG) is sufficient in the remote system to see everything in the target system - depending on the authorizations of the technical SYSTEM or COMMUNICATION user. These should ideally not access tables directly.
    For table / view comparisons you can use a "current user" destination (or use trusted RFC).
    It is unrealistic to restrict users to trouble shoot local problems, so you should ideally implement only the business scenarios for the RFC steps and those should be BAPI application type and not direct table access or generic interfaces to run programs, perform subroutines, install programs, etc.
    It is quite easy (with lots of time) to build a catalog of access from the (remote) application to data via APIs, but you must first get away from the direct table access and control the client access to the generic functions and transactions.
    SE16 / Sm30 and many reports and function modules which can very easily be started by adventurous users which offer exactly that.
    If the users are doing exactly that then from a security administrator perspective you can only try to restrict it and process "tickets" all day long...
    Cheers,
    Julius
    Edited by: Julius Bussche on Oct 2, 2011 9:12 PM

  • How to display the data at Table level though we don't have authorisations

    Hi Friends,
    While I'm trying to check the entries of a table, it ends up showing the status message 'no authorisations to display the contents'!
    Even in debugging mode, I tried bypassing the AUTH check (by changing the subrc value), but it was in vain, as it showed the same message.
    Please help me out, Thanks
    Best Regards,
    Suren
    Moderator message: please do not ask how to circumvent authorization checks, rather apply for the missing roles.
    Edited by: Thomas Zloch on Dec 1, 2010 11:58 AM

    Try function module CALL_TRANSACTION_FROM_TABLE for SE16 transaction code.

  • Tables in which authorisation data of a user is stored

    Hello All,
    Could any one tell, in which table the authorisation data(profiles, roles) of a user is stored?
    Example: for the user ABC may have SAP_ALL assigned, so in which table I will be able to see this information with
    respect to the user?
    Thanks in advance,
    Pradeep

    Hi,
    Data for user - profiles assignment are in table UST04 and for user-roles in Agr_users, Agr_define.
    HTH
    Regards,
    Dhruv Shah

  • How to implement authorisation on table columns

    Can anyone suggest a smart way to use Weblogic platform capabilities to implement
    a table column security/authorisation "control". ie. control on a column by column
    basis who can view or update a column? Scenario - a primary data owner "owns"
    a set of records in a database, but would like to give (or delegate) selected
    access to groups of users to view and/or update the content of certain fields
    in the recordset.
    Seems like this is probably not that uncommon a requirement but can't seem to
    find any design patterns for this.

    Dean Tine wrote:
    Can anyone suggest a smart way to use Weblogic platform capabilities to implement
    a table column security/authorisation "control". ie. control on a column by column
    basis who can view or update a column? Scenario - a primary data owner "owns"
    a set of records in a database, but would like to give (or delegate) selected
    access to groups of users to view and/or update the content of certain fields
    in the recordset.
    Seems like this is probably not that uncommon a requirement but can't seem to
    find any design patterns for this.

    The first question is, if you are going through an application server
    why do you need to do anything clever at all? You can check the role of
    authenticated users and grant or deny access based on that (i.e. some
    dynamically generated SQL dependent on role)?
    If you really need support at the DBMS level, you can use SQL VIEWs.
    Create a view containing the appropriate columns and grant permissions
    to that view to the appropriate users. With an app server you will need
    multiple connection pools though and it quickly gets messy.
    Alternatively use stored procedures. Depending on your DBMS this might
    be required (if views aren't updatable) or could give better
    performance. Or worse performance.
    Robert

  • Table which contains the roles and its authorisations

    i have to view all the authorisations and the roles in which they are present .
    Please let me know the table for the Same

    Hi,
    From table AGR_USERS , you can see the roles corresponding to any user.
    From table AGR_TCODES, you will get the tcodes corresponding to any role.
    Hope this solves your problem
    Well this will tell you the roles with respect to the users.
    Also, you can go into transaction PFCG and search the roles, go to change mode for that particular role and there, under authorizations, see the objects by clicking on change authorization objects.
    reward with points.

  • How to create custom authorisation group for custom table?

    Hi,
    I created one custom table.
    I want to allow only some users to create entries.
    How can I achieve this?
    If it is with the creation of a Z authorisation group, tell me the procedure.
    thanks in advance.

    Hi,
       See to this link it may help you.
       How to create Authorization group
       Custom Authorization Objects

  • Authorisations maintained in custom tables

    Hello Everybody,
    I just have a small question regarding AC.
    For some workflows, authorisations are maintained in custom tables in our system. E.g. a workflow process for asset approval where a certain user can only approve the asset if it is below a certain limit... This limit is maintained in a simple table...
    Can AC also handle scenarios like that and check with RAR for "SoD" or "sensitive access"?
    Thanks
    Andreas

    Hello Andreas,
    Exploring the feature of Supplementary Rules in RAR should help you in this scenario. You can maintain a reference to the table where this limit is maintained.
    Regards, Varun

  • Reassign authorisation group at table maintenance generator

    Hi All,
    I have a table assigned to authorisation group &NC&. Now I need to change it to a newly created authorisation group.
    If I change it to the newly created authorisation group at table maintenance generator level:
    My questions: 1. Do I need to generate the table maintenance generator for this again?
    2. Will it affect the users assigned to the authorisation group?
    3. What do I need to do to change this, and what are its effects if I change the authorisation group?

    Hi,
    If the user is not assigned for the role he has to be assigned for that role.
    one role is assigned to authorization group.
    basis consultants will add the role of that group to that particular user.
    otherwise he can't change the entries of the table.
    so consult basis consultant for security role assignment.
    Thanks
    Parvathi

  • Authorisation object on table

    Hi,
    I have a z table with table maintenance generator in which company code, plant, storage location , material, quantity are the fields.
    Now i want to provide the authorisation object on the table using the companycode field.How can i do this?

    the table maintenance generator will have created a function group with the name of the table (default). go to SE56 (name of the table -> display) click on button Fn.Gr.Text, next button Main program -> in the bottom part of that function group you will find a section named
      User-defined Include-files (if necessary).                    *
    you can code your authority check there ...

  • What is authorisation object in table maintenance generator

    Hi,
    What is an authorisation object and an authorisation group in the table maintenance generator?
    Can you please let me know what these are, and why do we need them?
    Thanks in advance
    Rama

    hi,
    Access to the transactions SM30 and SE16 is often regarded as a security risk on productive system. But with the right use of the authorization object S_TABU_DIS and the rarely used S_TABU_LIN, this isn’t so.
    With S_TABU_DIS you have the option to control access to groups of tables, and you have the option to distinguish between Update and Display access. If you don’t want to give access to an entire table group, it’s quite easy in transaction SE54 to create a new authorization group and to reassign one or more tables/view to this group, thus achieving control of access to these specific tables.
    If you’re anxious about giving access to an entire table group, due to the fact that some tables have an open interface which allows table maintenance even in transaction SE16, then check this report – developed and posted to the SAP Fans security forum by John A. Jarboe.
    With the authorization object S_TABU_LIN you can even go a step further and control access to a table on record level, based on the key fields of the table. You can find an overall presentation of the object here.
    The How-To guide below will demonstrate how to set up and use this authorization object.
    The example is based on a small table ZMYTABLE. I have created a maintenance view and parameter transaction based on SM30 around this table.
    Please notice that the parameter transaction is calling SM30 in update mode.
    If the object is to be used with SE16 you’ll need to implement OSS note 763269.
    S_TABU_LIN Customizing
    We can find the customizing entries in the IMG under SAP NetWeaver --> Application Server --> System Administration --> Users and Administration --> Line-oriented Authorizations.
    First we need to define the organizational criteria.
    In here create new criteria by pushing the “New entries” button.
    In this example we will like to control access based on the key field Country, in order to do so create a criteria called Z_Country_Grp, with the name Country Grp. If we flag the table-ind flag the criteria will affect maintenance of all tables whose key fields are related to the domains specified in the attribute later.
    In this example we only want to control the access to the specific table ZMYTABLE – so we will leave it blank
    Save the entry and assign it to a transport request.
    Now mark the created line and switch to attributes
    Create a new entry with the data shown below.
    Save it and assign it to the transport request.
    Notice that you can have up to 8 organizational criterion attributes.
    Now we need to assign a table and a field to our attribute
    In order to do so mark the attribute and switch to Table Fields
    In here create a new entry and assign, in this example, the table ZMYTABLE, and the field name country to the attribute.
    Please notice that only Key fields can be used !
    Save and assign to transport request
    Now we are ready for activating our organizational criteria – this is the second bullet in the IMG
    Just check the active flag and the check is activated.
    Incorporate the authorization object in a role
    We have now implemented the authorization check; next step is to implement it in the required roles.
    In this example I have created a parameter transaction – ZMYTRANSACTION - using SM30 around the table ZMYTABLE. I have create a small test role ICC_TEST, including only the transaction ZMYTRANSACTION, and a few “support” transactions.
    In the authorization part – I have inserted the object S_TABU_LIN manually – (best practice is of course to assign it in SU24), but a manual insert will also do the trick :-)
    Now when we change one of the authorization fields by pushing the pencil – the profile generator will ask us for the criteria.
    Here we chose the Z_COUNTRY_GRP criteria that we have created.
    We’ll now get the following popup, in this case we will grant change access, so we choose 02 – Change for activity
    In the list below we’ll see the Organizational Attributes that we have created – we have the option to use up to 8 attributes – in the example we had only defined one attribute – “Country Grp”  - we assign the value DK – thus only granting access to records with DK in the key field country.
    To transfer the selection back to the profile generator press the transfer button or press F5.
    Now we just need to generate the profile and assign it to a test user.
    Now when this test user signs on to and executes the transaction only entries for Cty DK is displayed.
    If the transaction is executed by a user with SAP_ALL all records are displayed.
    Important Links For u:[http://www.sapsecurity.co.uk/sap-authorisation-objects.html]
    Thanks And if helpful please reward points
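The S_TABU_DIS description above, and the SE16/SM30 production-access thread earlier on this page, both come down to which roles carry change access on which authorization groups. The following is an added example, not part of the original posts: an audit over CSV exports of AGR_1251 and AGR_USERS that lists roles granting change activity on the &NC& group (tables with no authorization group assigned) or on all groups. The sample rows, role names and user names are constructed, and range comparison is simplified to plain string ordering.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (role and user names are made up). Columns follow
# the AGR_1251 (role authorization values) and AGR_USERS (role assignment) tables.
AGR_1251 = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_FI_CLERK,S_TABU_DIS,T-D100,ACTVT,03,
Z_FI_CLERK,S_TABU_DIS,T-D100,DICBERCLS,ZFI1,
Z_SUPPORT,S_TABU_DIS,T-D200,ACTVT,01,03
Z_SUPPORT,S_TABU_DIS,T-D200,DICBERCLS,&NC&,
Z_BASIS_ALL,S_TABU_DIS,T-D300,ACTVT,*,
Z_BASIS_ALL,S_TABU_DIS,T-D300,DICBERCLS,*,
Z_MIXED,S_TABU_DIS,T-D500,ACTVT,02,
Z_MIXED,S_TABU_DIS,T-D500,DICBERCLS,ZMM1,
Z_MIXED,S_TABU_DIS,T-D501,ACTVT,03,
Z_MIXED,S_TABU_DIS,T-D501,DICBERCLS,*,
Z_MIXED,S_TCODE,T-D502,TCD,SM30,
"""
AGR_USERS = """AGR_NAME,UNAME
Z_FI_CLERK,CLERK1
Z_SUPPORT,JDOE
Z_SUPPORT,ASMITH
Z_BASIS_ALL,BASIS01
Z_MIXED,MMUSER
"""


def covers(low, high, value):
    """True if one authorization value (single, prefix* pattern or range) covers value."""
    if high:                                # range LOW..HIGH, compared as plain strings
        return low <= value <= high
    if low.endswith("*"):                   # '*' alone or a prefix pattern such as 'Z*'
        return value.startswith(low[:-1])
    return low == value


def rows(text):
    """Parse one CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def change_on_unclassified(agr_1251, agr_users):
    """Find roles allowing change (ACTVT 02) on group &NC&, i.e. tables with no group."""
    # ACTVT and DICBERCLS only combine within one authorization instance,
    # so values are grouped per (role, AUTH) before they are evaluated.
    auths = defaultdict(lambda: defaultdict(list))
    for r in agr_1251:
        if r["OBJECT"] == "S_TABU_DIS":
            auths[(r["AGR_NAME"], r["AUTH"])][r["FIELD"]].append((r["LOW"], r["HIGH"]))
    users = defaultdict(list)
    for r in agr_users:
        users[r["AGR_NAME"]].append(r["UNAME"])
    findings = []
    for (role, auth), fields in sorted(auths.items()):
        can_change = any(covers(lo, hi, "02") for lo, hi in fields["ACTVT"])
        groups = [lo for lo, hi in fields["DICBERCLS"] if covers(lo, hi, "&NC&")]
        if can_change and groups:
            findings.append({"role": role, "auth": auth, "groups": groups,
                             "users": sorted(users[role])})
    return findings


if __name__ == "__main__":
    for f in change_on_unclassified(rows(AGR_1251), rows(AGR_USERS)):
        print(f"{f['role']} ({f['auth']}): change on {f['groups']} -> {f['users']}")
```

Z_MIXED is not reported: its change activity and its wildcard group sit in different authorization instances, so they never combine in a single check.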

  • Analysis Authorisation Table

    Hi all,
    I've just started working on a new project and am familiarising myself with the build. Part of this is the BI analysis authorisations, of which there are over a hundred. Rather than attempt to view these individually, is there a table that can give me this info, rather like AGR_1251 but for analysis auths?
    Thanks,
    Nick.

    Hi,
    tables of analysis authorization for RSECADMIN are
    RSECHIE_CL Change log of hierarchy authorizations
    RSECUSERAUTH BI Analysis authorization  assignment to users
    RSECUSERAUTH_CL BI Analysis authorization assignment to users
    RSECTXT_CL Change log of authorization texts
    RSECVAL_CL Change log of Authorization Value Status
    RSECBIAU Changes to Authorization (Last Changed By)
    You can  find more table start with  RSEC*  just check with F4 in SE16.
    Hope this helps
    Edited by: connecpk on Feb 1, 2010 4:49 PM
