Tcode and authorization objects

Similar Messages

• Problem while loading texts and authorization objects file in RAR

  Hi all,
         i am getting internet explorer error while loading the texts and authorization objects text files in RAR .actually we uploaded rule file before this,does this step causes any error ?if so how to resolve this error.do i need to remove all rules/risks and then load text and authorization files? is there any shortcut to renove all risks generated in one shot? please reply me soon to resolve this.
  Thanks,
  Joseph.

  Hi Joseph,
  Please make sure to convert both the files in UTF-8 encoding format and then try to upload the files again. This should resolve the issue and if not then please paste the logs here.
  Regards
  Harleen

• Role creation and authorization objects in sap

  Hi
  i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
  Please explain the process in detail the use of PFCG and all its options and how to create Z roles

  Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
  - Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.
  - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
  For e.g. If a user wants to create a PO we can restrict him on:
  u2022     Activity : Create/Change/Display
  u2022     Org elements like Company Code, Plant, Purchase Organization etc
  u2022     Document type etc.
  - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
  - Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
  - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
  - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
  - Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.
  Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

• 0Orgunit(hierarchy) and authorization object display getcell error in Webi

  Hello,
           We are facing with GetCellData error in WebI to SAP BEx Query.
           This works perfectly fine in Bex for a particular test user who has access to particular org unit value.
           But in Webi we are getting this Getcelldata error.
          Tried all the options and message as recommended in sdn group.
          mdxtest returns no value.
          looked at all below messages but no luck.
  GetCellData error in WebI to SAP BEx Query
  Re: SAP BO WebI Report on top of BI Bex Query with Authorization Variable
  in the rsecadmin, we get the same error like mentioned in below message
  Hierarchy Authorization doesn't work for MDX but works for BEx Query.
  Is any authorization required for this user to execute and view the authorized values in Webi?
  or we have to assign any authorization ?(0BI_ALL is not assigned).
  Please find below screenshots of BEx query auth log or Webi auth log (differences)
  Bex auth log:
  The Following Attributes Are Authorized and Thus Are Visible
  0BBPPURGRPX
  0BBPPURORGX
  0BBP_BUYID
  0BBP_ISCOMP
  0BUS_AREA
  0COMP_CODE
  0CO_MST_AR
  0CRMSALGRPX
  0CRMSALOFFX
  0CRMSALORGX
  0CRMSRVTGRP
  0CRM_SALGRP
  0CRM_SALOFF
  0CRM_SALORG
  0CRM_SRVORG
  0LEAVERS
  0LOGSYS
  0MAST_CCTR
  0PERS_AREA
  0PERS_SAREA
  0PLANT
  0PURCH_ORG
  0PUR_GROUP
  0SALESORG
  0SALES_GRP
  0SALES_OFF
  This above log is missing for mdxtest auth log.
  Is this the issue?
  Any quick reponse or help really appreciated.
  Regards,
  Ravi
  Edited by: Ravi Gadicherla on Feb 28, 2010 5:36 PM

  Hi,
      Here is the log of MDXtest:
  Buffering the Authorization Data  
    Buffering for InfoProvider 0PA_C01 and Users HRTEST93  
  InfoObject Properties Defined
  Reading of Directly Assigned Authorizations
  Direct Assignment Does Not Include Universal Authorization 0BI_ALL
  Reading the Indirect Assignments with Authorization Object S_RS_AUTH
  Does user have OBI_ALL?
  No, the User Does Not Have Universal Authorizion 0BI_ALL
  Negative Entry in SU53 Result of Failed Check for 0BI_ALL
  Indirect assignments found; no universal authorization
  Regards,
  Ravikanth

• F9K3 and authorization object in su24

  Hello,
  We want to add authorization object F_KNA1_BUK to new role for check in F9K3 transaction.
  The problem is it is not being checked. I tried to debug and stop on authority-check but it's not stopping on this object.
  But the object is showned in transaction SU24 - as CHECK / NO.
  So it should be checked during F9K3 transaction run, correct?
  Anyone knows what we're missing here ?
  Thank You in advance for help,
  Best regards,
  Artur

  Hi,
  What appears in SU24 is not a reliable indicator of what is actually checked.  It may be that F_KNA1_BUK is checked at some point depending on either how the tx is used or what menu options are used but I wouldn't bet my house on it.
  Cheers

• Barcodes and authorization objects

  PLS TELL ME ABOUT THE AUTHORIZATION OBJECTS WHILE WE R CREATING THE
  TRANSACTION FOR ANY  USER DEFINED REPORT .
  22. WHAT IS THE use OF BAR CODES IN ANY WINDOW OF SCRIPT . AND HOW TO INSERT BARCODE IN WINDOW.PLS TELL IN DETAIL?

  Ideally, if in a role autorization is not provided for STMS, then the user id will not allow to use transaction code STMS.
  However, if SAP_All is provided, in that case, user will have access to all Transaction Codes.
  Regards,
  Rajesh Banka

• TCT* Info objects and Authorization objects

  When defining an authorisation object do I need to include TCT* info objects as fields in the authorisation object and if so why and which ones are required - if this is different for different scenario could someone elaborate? Thanks

  Hi,
  yes... you need to include the TCT fields as you would like to restrict the users based on the infoproviders and the time duration.
  Since in any organozation you have many type of users like the super users who can access anything...end users who have access to areas related to them only and may be some other kind as well.
  Suppose if a user is beloging to FICO department and he is only suppose to use the reports based on GL cubes then you will create an authorization object where you will give the values for authorization relavent objects like company codes,sales org and additionally you will maintain the value for the cube in 0TCAIPROV field.
  when you assign the user to this object he will only see the data in the queries based on the FICO cube and that too for the company codes specified in the authorization object.
  Now if there is another user who can see the data for all the company codes and all the areas but only for certain duration then you will create a new authorization object where you will not give any values for any object but will keep it as * but will maintain 0TCAVALID objects and give the validity period here.
  Thanks
  Ajeet

• Authorization objects in RAR not updated

  Hi everyone,
  i'm facing an issue with RAR (GRC 5.3, SP10): i've just imported the authorization objects from SAP (SE38 -> /VIRSA/ZCC_DOWNLOAD_SAPOBJ -> saved in UTF8 format), but when i look the  function in the rule architet the authorization objects setting are not the same:
  Example: in SAP the transaction F-04 needs the auth obj  F_BKPF_BLA/BUK/KOA (i use transaction SU22 to check the auth obj) and the export file has the same settings:
  F-04     F_BKPF_BLA     ACTVT          
  F-04     F_BKPF_BLA     BRGRU          
  F-04     F_BKPF_BUK     ACTVT     01     
  F-04     F_BKPF_BUK     BUKRS     $BUKRS     
  F-04     F_BKPF_KOA     ACTVT          
  F-04     F_BKPF_KOA     KOART     $KOART     
  In RAR the transaction F-04 is in the function AP01, AR01, AR02, GL01. The transaction has different settings in every function: in AP01 there is only F_BKPF_KOA in status active, in AR01 there are F_BKPF_BUK and KOA in status active,...
  I re-generated all the rules, but the settings are still the same.
  I think the settings must be the same.
  Am i right?
  Thanks in advance!
  Luigi

  Luigi,
    The function has all the associated auth objects, right? All the auth objects/permissions may not be enabled in the function. As you are using standard SAP ruleset, SAP has determined that the combination of F-04 and associated enabled auth objects create violation when assigned with another set of tcodes and auth objects. You can always enable all the auth objects if that is what makes sense as per your business.
  Can you go through the RAR config guide to get an understanding on this?
  Regards,
  Alpesh

• Authorization object for Command Button

  Hi all,
  How can I create the Authorization object for command button which is on application server.
  if you do not have auth when you click on that command button, it should be say 'you dont have auth'.
  please help me in this.
  regards,
  Ajay reddy

  Hi,
  Tcode for Authorization Objects are,
  su20----> for defineing authorization field ,
  su21-----> for authorization class,
  su22------> for assignement authorization object
  To create an authorization object:
  1) Execute transaction SU21
  2) Double-click an Object Class to select a class that should contain
  your new auth object
  3) Click on CREATE (F5)
  4) (If creating custom field) - Click the 'Field Maintenance' button -->
  Click on CREATE (Shift+F1)
  5) Enter the Name for the New Authorization field and the corresponding
  Data Element and SAVE
  6) Confirm the Change Request data for the new Authorization Field
  7) Go back two screens (F3-->F3)
  8) Enter the Authorization field name and document the object:
  9) SAVE and ACTIVATE the documentation
  10) Save the new Authorization Object
  11) Confirm the change request data for the Authorization Object and
  EXIT SU21
  12) Finally, the SAP_ALL profile must be re-generated
  Regards,
  hema.

• Job role design - transaction role and auth object role

  Hi all, please kindly comment following job role design:
  (1) transaction role:
  Keep transactions in single job role to represent business processes in different application areas, e.g.MM: maintain PR, PO, OA.   CO: maintain cost center, internal order   HR: maintain org structure, personnel management.
  The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
  (2) authorization role
  Keep application component related authorzation objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role.  Objects of HR in HR role.
  Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role.;....
  User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
  with MM transaction role + company A MM role + company A CO role.
  Please let me know the pros and cons of above design.  Thanks.
  Regards,
  Donald
  * I can see the disadvantage of this design is during SAP upgrade (SU25), revised of authorization object will not reflect in authorization role

  Brent Van Dyck wrote:
  Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
  That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
  In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
  But splitting cube / characteristics / key figures  or infotype / personel group / auth code into different roles can only go wrong.
  Another mistake some "value role experts" sometimes make is that they don't want Su24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side affect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
  Cheers,
  Julius

• Authorization object to restrict a particular customer code in a sales org

  Hi,
  I have a requirement whereby a sap user who is assigned to Sales organization A needs to access a particular customer from sales organization B. However the sap user has no access to sales organization B. However the requirement is such that the sap user cannot be given access to all the customers in Sales organization B. He must only access one particular customer from Sales organization B and not all the customers in Sales organization B.
  The problem here is if we give the sap user access to Sales organization B, then the sap user can access all the customers in Sales organization B. So how can we give access only to a particular customer in the Sales organization B?
  Is there any authorization object which can accomplish this?

  Hi.
  You can use The Authorization object
  <b>V_KNA1_VKO</b>
  Tcode for Authorization objects: SU21
  Tcode for Authorization FIELDS: SU20
  Statement to perform Auth. Check  AUTHORITY-CHECK(See F1 HELP)
  <b>Reward if Helpful</b>

• PR05 authorization object

  Hi,
  Please tell me how can we find the authorization object for an tcode PR05.
  Problem is users are able to approve their own trips in PR05 T-code. for that i want necessary authorization objects and values.
  I need now for PR05 the authorization object.
  Thanks
  zeni

  Hi,
  Its no like finding the authorization object for an tcode PR05.
  You have to create an authorization for tcode PR05 and for creating this authorizations please follow the below steps
  Tcode for Authorization Objects are,
  su20----> for defineing authorization field ,
  su21-----> for authorization class,
  su22------> for assignement authorization object
  To create an authorization object:
  1) Execute transaction SU21
  2) Double-click an Object Class to select a class that should contain
  your new auth object
  3) Click on CREATE (F5)
  4) (If creating custom field) - Click the 'Field Maintenance' button -->
  Click on CREATE (Shift+F1)
  5) Enter the Name for the New Authorization field and the corresponding
  Data Element and SAVE
  6) Confirm the Change Request data for the new Authorization Field
  7) Go back two screens (F3-->F3)
  8) Enter the Authorization field name and document the object:
  9) SAVE and ACTIVATE the documentation
  10) Save the new Authorization Object
  11) Confirm the change request data for the Authorization Object and
  EXIT SU21
  12) Finally, the SAP_ALL profile must be re-generated
  Please reward points if it helps
  Thanks
  Vikranth

• BI authorization objects not appearing in RAR, error while generating role

  Hi
  I am facing certain problems relating to integration of BI module version 7 with GRC Access Controls version 5.3 and support package 06. I am describing the problems in details below:
  (a)  In Risk Analysis and Remediation (RAR) component, I am creating Functions and
        Risks for Business Intelligence (BI) module. For that I have downloaded the
        descriptive text and authorization object data from BI development system and
        uploaded the same in RAR. Then I have created 2 Function Ids DBI1 (having action
        RSA1) and DBI2 (having actions RSA11, RSA12, RSA13, RSA14, RSA15) and 1
        Risk Id for BI (having Function Ids DBI1 and DBI2) in RAR. But when I checked
        the permission tabs of the Function Ids DBI1 and DBI2, I could not find any
        authorization objects for the actions in them.
  (b)  In Enterprise Role Management (ERM), when I am trying to create a Role TEST-BI
         in DBI 100 and I put the  BI transaction codes in authorization data , I get the
         authorization objects . Risk analysis is also being done successfully. But at the time
         of Role generation in background mode , it is giving an error message :
         Error generating role TEST-BI for system DBI 100: Unable to interpret * as a number.
         I am thus unable to generate any role in DBI 100.
  (c)  In Compliance User Provisioning (CUP), I have imported a standard role from DBI
        100. Then I have added Functional Area, Business Process, Subprocess  and
        Criticality Level to this role in CUP. But when I try to assign this Role to an user, it
         gives an error Error creating request. But requests are getting created and roles are
         being assigned to users in ECC development  systems using the same Initiator, CAD, stage
         and path.
  Can anyone please help me ?

  -

• Authorization Object Related To Movement Type

  Hi,
  I meet one problem, one user want to check which user can use MB1A t-code with movement type 201 and 202, but I know there are some authorization object related to movement type and I want to use suim with mb1a t-code and authorization object to check the user, but I don't know the authorization object about movement type in MB1A t-code, does anyone can help?

  Go to SU24, enter the transaction code and press execute.
  Here you can see the all authorization object whose are used for the transaction code MB1C.
  Regards
  Dev

• Wanted: Dictionary-/ Metadatatable for the Mapping of the (old,3.5.) Authorization Object to the (Auth.relevant) InfoObject

  Hi,
  I am looking for the concrete BW's dictionary-/ metadatatable(s)
  which contain/describe the
  Mapping of the (old,3.5.) Authorization Object to the (Auth.relevant) InfoObject
  of  the transaction "RSSM-Authorization for Reporting"
  For example:
  I got 3.5 Auth.Object ZCOMP_CODE and want to know to which   (Auth.relevant) InfoObject
  this is mapped, basically what's in the usage of this Authorization Object.
  ThanXs
  Martin

  Hi,
  As of now, your authorizations still in 3.x. so please check the below tables.
  RSSBAUTHGEN - it holds info provider and authorization object
  RSSBAUTHGENERATD - it have user name and info provider
  RSSBAUTHTRACE
  RSSBAUTHTRUSER
  RSSBAUTVAL
  RSSAUTHHIER
  RSSAUTHHIERNODE
  Coming to 7.x , Above mentioned T code kumar is enough to handle authorization concepts.
  There is best document about 3.x and 7.x comparison on Google.
  please search for it by using search term "An Expert Guide to new SAP BW Security Features"
  Written by Marc Bernard
  Thanks