The scope of the customer-specific authorization object
Dears,
Could someone please feedback about the scope of the customer-specific authorization object; e.g. if we are to create a customer-specific authorization object to replace authorization object P_ORGIN in the HR module, to be able to add an extra authorization field to the newly created authorization object, the scope of the newly create authorization object (which will have a new validation code generated by report RPUACG00) will be the whole ERP system ?
The worry is caused by the fact that P_ORGIN is already used in several authorization roles granted to users in the different ERP modules (i.e. FI, SD, MM, CS), so the replacement would affect these modules.
Thanks.
Reda
Hello Reddy,
We are about to implement the HCM module (We are now in the testing
phase), on the same client as that of our SAP ERP implementation.
We need to authorize on the personnel number grouped by 'Payroll Area'
in transactions PA30, PA40
In authorization object P_ORGIN, the field VDSK1 is already used to
authorize on an attribute : cost center (organizational key) for each
organizational unit, so we can't configure it to authorize on other
fields from info type 0001 (e.g. Payroll Area).
We need to continue using the conventional / general authorization and
not the structural authorization, to stay in compliance with our
authorization schema already implemented in our FI, MM, SD & CS modules.
( Also, as per thread : Steps for creating structural authorization profile using trans. OOSP
the structural authorization cannot be used to authorize on Payroll Area.)
We need to go through the HR module implementation without any changes
in the ABAP code.
So, the last way out is the custom-specific authorization object, and as I mentioned before, the authorization object P_ORGIN was already used in other ERP modules; e.g. FI, MM, SD & CS,
( Note : I haven't started yet implementing this solution.)
Thanks.
Reda
Similar Messages
-
Issue with context specific authorization object P_ORGINCON.
Hello Experts,
The context specific authorization object doesn't evaluate the
structural profile it is assigned to when more than one structural
authorization is assigned to a user.
Please read the below scenario for issue description as follows:
User ZHR_ACT13 is assigned two roles namely ZHR_HRD and ZHR_DEPT_HEAD.
He is the manager for employee ID 167 and is not the manager of employee ID 17.
Role ZHR_HRD has no read/write authorization for Infotype 6. ZHR_HRD is also assigned to structural authorization ALL which is meant for viewing all the objects with no restriction of any relationship.
Role ZHR_DEPT_HEAD has read authorization for infotypes 6 for only the subordinates i.e. the structural authorization ZDEPT_HEAD of viewing only the subordinates data is assigned to this role. Also this structural authorization ZDEPT_HEAD is assigned to infotype 6 using
authorization object P_ORGINCON.
But now the manager ZHR_ACT13 is able to read infotype 6 data for employee ID 17 who is not his subordinate even though only structural authorization ZDEPT_HEAD is assigned to infotype 6 using P_ORGINCON. We
expect that user ZHR_ACT13 must be able to read infotype 6 data only for employee ID 167 and not for employee ID 17.
Please kindly help resolve this issue.
Thanks & Regards,
Roshan.This has been resolved.
-
Is TREX required for the customer specific catalog views in SAP ERP E-com
Hi gurus,
I see there are few ramp-up sap notes for enabling the customer specific catalog views of Product catalog in SAP ERP E-commerce scenario.
Any one who has already implemented them know if TREX is mandatory for having catalog views?
specifically for XECOM 5.0 and ECC 6.0
Thank youSee [Note 696095 - ISA R/3 4.0: Collective note on Catalog Views|https://service.sap.com/sap/support/notes/696095]
See the first line in the Reasons and Prerequisites:
Important: The catalog views functionality is only available from ISA 4.0 SP4 on, we recommend to use the latest SP. It is also only available with TREX as catalog engine
This is true for recent versions too.
The requirement is behind how the solution is implemented. VIEWS_ID is actually published to TREX for optimized extraction of customer views. -
User List for a specific Authorization Object
Hi all,
i am looking for a way to get a list of all users assigned to a specific Authorization Object with specific values. The FM 'authority_check' is the other way arround and not that what i need. Do someone have an idea.
Many thanks in advance.
AliHi,
Try this FM
SUSR_USER_AUTH_FOR_OBJ_GET
Check this FM
AUTHORIZATION_DATA_READ_SELOBJ
Rgds,
Prakash
Message was edited by: Prakashsingh Mehra -
Querying roles containing specific Authorization Object
Hello!
We're using BI7 with new considerations about security. I want to get all roles that contains a specific Authorization Object, I've tried using TX SUIM, but had no success.
Is there any report, transaction or something else where to find this info?
I hope you can help!
Regards!
BernardoBernardo,
If "new security model authorization objects" means analysis authorizations (SAP's official naming for objects mantained by RSECAUTH), those used in roles can be retrieved again using tcode SE16: just query AGR_1251 but this time providing S_RS_AUTH for field OBJECT. The result set shows roles that contain analysis authorizations. If you want only the roles which have specífic analysis authorization, just provide its name for field LOW. Be sure to fill in this field with all capital letters.
On the other hand table RSECVAL keeps the values defined for analysis authorizations.
Hope this helps.
Regards,
Fernando -
Error for customer specific Authorization check (User Exit)
Dear Experts,
I am facing a problem in PM.
I have created a maintenace plan for calibration via t code IP42 and mentioned the order type PM05. Scheduling is done for the order. I got the order number.
I have released the order and got the inspection lot number.
While entering the results recording through t code QE17, the reluts are out of the specified range, i have given the valuation Rejected, immediately system is giving an error message as below:
"Error for customer specific Authorization check (User Exit)"
Though there is no user exit activated in the system, this message is coming and not allowing the result recoring for rejection.
If I'm entering the result recording within the specified range, then valuation is Accepted and its allowing to save.
I have checked the following user exits:
QQMA0002: QM: Authorization Check for Entry into Notif. Transaction
QQMA0026: PM/SM: Auth. check when accessing notification transaction.
The above 2 User Exits are not active.
I have also checked a note 429066. But it says incase of any dump for that user exit only its applicable and more over the current version of the system is ECC 6.0 packae 15, where as that note is applicable upto 4.6C.
Please some one help me on this issue.
Thanks and Regards,
Praveen.Dear Pete,
I have cheked with my technical team, There is no hotpacks updated recently. This is the implementaion project I'm in, so performing the cycle for the first time.
Any how I got it solved, in T code QE17, after entering the Inspection lot in next screen goto menu path Settings - User settings - Defects recording mention the reprt type and tick on Reprt type Changable.
At the time of result recording if the valuation is Rejected then it ask for defects recording close that window if not rwequired then save, the error message no longer apperaing now.
Regards,
Praveen -
Want the Customer specific validations at the time of asset posting
Dear all,
I want to implement Customer specific validations at the time of asset posting(ABZON , F-90 , F-91).Please tell which user-exit should I use??
AINT0004 is working only for ABZON.
AINT0001 is not as per my requirements!!
Regards,
AmiyaHi Amiya ,
u can achieve thru Validations / Substitutions OB28. But u have limitations in the implementations of Logic .
regards
Prabhu -
Creating the customer specific catalog view....
Hi All,
I am working for e-Commerce with mySAP ERP scenario where the customer wants to implement customer specific Catalog View. As it is not a standard functionality provided by SAP. So, I was searching through the SAP notes on how to implement it and found the note 998453 and 998458 which details on how this can be achieved.
I implemented the relevant SAP Notes i.e. 998453, 998458, 677319 and 677320 in a system. However, the appropriate result is not appearing. This is my perception; some customizing setting will also be required for the same. Moreover would be the possibility, I have missed some technical steps.
On this regards only, Could you provide me some reference documents or suggestion based upon these notes which help me in implementation? Apart form that, Could you suggest me any another approach for implementing the catalog view? This is really great help from your end.
Regards,
Ashutosh Jainit is done...
-
Custom Made Authorization Object ZPLANT
Hi
We have custome made auth objects; zplant, zcountry, zsalesrg etc. We are getting problems with one of the report we created; based on a MP. When user access the report, some of them getthe error that "Warning you do not have authorization to read object ZPLANT Authorization at plant".
The user has access to 4 plants and can access other reports based on the Infocubes that is used in the MP. Also some of the user gets warning for ZSALESORG etc..
We are getting this error only for the newly created report; Have any of you faces such type of problem? If yes then can you advice me how to resolve it?
Thanks in advance
IshiHi there again,
Sorry my mistake, it is S_RS_ICUBE instead of S_RS_CUBE. In that authorization you can specify the InfoCubes or MultiCubes alloweded to display. Your multiprovider might be included or not in that object.
S_RS_COMP and S_RS_COMP1 is for BEx.
You can include this:
S_RS_COMP:
Activity: 03, 16 (display and execute)
InfoArea: * (all of them, or sepcify an InfoArea where the InfoProviders which contains the queries are)
InfoCube: * (all of them, or specify the InfoProviders which have the queries you want the users to run)
Name (ID) of a reporting compo: * (all of them)
Type of a reporting component: CKF, QVW, REP, RKF, STR, VAR
S_RS_COMP1:
Activity: 03, 16 (display and execute)
Name (ID) of a reporting compo: * (all of them)
Type of a reporting component: * (all of them)
Owner (Person Responsible) for: * (all of them)
You can also use transaction RSSMQ to execute a query with another user and analise the authorizations of that user.
Diogo. -
Issue regarding the customer specific price
Hi Guru:
Please see my case as below:
1 I created the table condition 805 (sold to specific price) and 806 (ship to specific) and had assigned these two table conditions to the access sequence ca01,and I created the condition type ca01,I assigned the access sequence ca01 and price procedure caa001 in it,and finally I maintained them in ovkk with the specific sales organization/distribution/division channel.
2 Then I maintained the price condition type via vk11 as below,please note that sold to 1 linked with ship to 16,
sold to 1 ,material 64,50 eur/kg
ship to 16,material 64,55 eur/kg
3 And I went to the transaction va01 and was going to place the sales order for them to have a test,it looks good for picking 1 as sold to as well as ship to,and the price of material 64 is 50 eur/kg
But when I chose customer 1 as sold to whereas 16 as ship to,the price of the material 64 still be 50 eur/kg
My question is that normally the price of ship to specific should override the one with sold to specific,so based on my example above,the price of material 64 should be 55 eur/kg
So am I missing something in customization? Please help to fix!Hi,
U have assigned Access Seq - tables in following sequence as per result u have written
805 Exclusive Ticked
806 Exclusive Ticked
Now in both tables records maintained ...
Now when u run order .. system goes to first table --- condition record found so it will never go to second table which is Ship to.
Hence the way you have defined logic is wrong.
Desired Logic - If u need that if Ship to Diferent frm sold to then pick price from ship to or if ship to and sold to are same pick price from sold to.
If this is what u had desired. then u can maintain only one table with Ship-to and maintain prices for all ship to. so even the sold to in sap is ship to unless we specify seperately so if u maintain for all ship to the result will be as u desired like
Condition record in Ship to table - (delete sold to table from access seq)
1. Customer 1 - 50
2. Customer 2 - 55
Now if u run order and give sold to 1 then by default ship to = 1 so price 50 now if u chnage ship to in this order to 16 then price will be 55.
Regards
Krishna -
HR Authorization : Custom Authorization Object for P_ORGIN
Hi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've ran the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
but still it is taking the P_ORGIN objectOnline Help
<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm">P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context)</a> -
Authorization Object: P_ORGXX - fields can be from a custom infotype ?
I need to create a customer-Specific Authorization Object, but the documentation states that we can use any of the fields in IT0001, and also customer-specific additionald fields. But we need to know if those additional fields can be from a custom infotype.
If it is not possible, we need to replicate the std P_ORGXX and the way it validates the field pa0001- SACHZ. But with fields from a custom infotype. Is there any way to do it?
I hope you can help me with this.
Regards,Hi,
Try the link from SAP as reference for authorization object creation and how functionality for authorization object works w/ infotype.
http://help.sap.com/saphelp_470/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm
http://help.sap.com/saphelp_470/helpdata/en/16/b8b83b5b831f3be10000000a114084/content.htm
Thanks,
Ameet -
How to check the access right for a specific SAP object like MaterialMaster
Hi!
How can I check if I have the right to change a specific object like a material or document in SAP vie RFC. I need a remote able function which tells me, if I have enough rights! Or, if such a function does not exist, how can I write my own ABAP code to do this?
Thanks,
KonradHi,
When initiating a transaction, a system program performs a series of checks to ensure the user is authorized.
1. The program checks whether the transaction code exists in table TSTC.
2. The program checks whether the transaction code is locked by the administrator (transaction code SM01).
3. The program checks whether the user has the authority to start the transaction. Authorization object S_TCODE (transaction start) contains the authorization field TCD (transaction code). The user must have the appropriate authorization for the transaction code to be started (for example, FK01, Create Vendor).
4. The program checks whether an authorization object is assigned to the transaction code. If this is the case, the program checks whether the user has an authorization for this authorization object. The transaction code/authorization object assignment is stored in table TSTCA.
Note: An SAP program controls steps 1 through 4. It displays an automatic message to the user if an authorization attempt fails in the step.
5. The system performs authorization checks in the ABAP program using the ABAP statement AUTHORITY-CHECK.
Regards
Sudheer -
B2C scenario customer specific discount when customer login to the B2C site
Hi E-Commerce gurus,
We want to implement a customer specific discount scenario when the customer login to the B2C web site afterwards that easily see the customer specific discount as soon as duration of the login process. We have also succeed sales org-material scenario that according to our given below function module calculates a discount rate covers all the material within the related sales organization and also shows the indicator of discount rate on the every material pictures at the web site.
Moreover we have configured an access sequence for condition ZB2I(discount condition) that related with Sales Org.-Customer then we replicate the CNACRMPRCUS666 condition table from ECC to CRM with all values but we can not calculate and display the discount rate on the web site when the customer log on the site and/or going to the basket.
Is there any available BADI, BAPI on ABAP and JAVA Stack. How can we display the spesific customer discount rate when the customer log on the site and/or going to the basket?
Kind Regards,
Fahrettin
DATA : lv_time_stamp TYPE timestamp.
DATA : BEGIN OF ls_product,
product_guid TYPE comt_product_guid,
indirim TYPE prct_cond_rate,
END OF ls_product,
lt_product LIKE TABLE OF ls_product.
DATA : ls_shop_s TYPE crmm_isa_shop_h,
ls_vrt TYPE comm_pcat_vrt.
CALL FUNCTION 'CRM_ISA_SHOP_READ'
EXPORTING
iv_shop_id = iv_shop_id
IMPORTING
es_shop_h = ls_shop_s
EXCEPTIONS
shop_not_found = 1
OTHERS = 2.
IF sy-subrc <> 0.
RAISE shop_not_found.
ENDIF.
SELECT SINGLE * INTO ls_vrt
FROM comm_pcat_vrt
WHERE guid = ls_shop_s-pcat_vrt_guid.
IF sy-subrc <> 0.
RAISE shop_not_found.
ENDIF.
CONVERT DATE sy-datum TIME sy-uzeit INTO TIME STAMP lv_time_stamp
TIME ZONE sy-zonlo.
CLEAR ev_indirim.
SELECT SINGLE kbetr AS indirim
INTO ev_indirim
FROM cnccrmprsap350
WHERE sales_org EQ ls_vrt-sales_org
AND timestamp_from LE lv_time_stamp
AND timestamp_to GE lv_time_stamp
AND kschl EQ 'ZB2I'.
ev_indirim = - ev_indirim / 10.
SELECT DISTINCT product AS product_guid kbetr AS indirim
INTO CORRESPONDING FIELDS OF TABLE lt_product
FROM cnccrmprcus518
WHERE timestamp_from LE lv_time_stamp
AND timestamp_to GE lv_time_stamp
AND kschl EQ 'ZB2I'.
LOOP AT lt_product INTO ls_product.
ls_product-indirim = - ls_product-indirim .
IF ls_product-indirim GT 90.
ls_product-indirim = ls_product-indirim / 10.
ENDIF.
MOVE-CORRESPONDING ls_product TO et_list.
APPEND et_list.
ENDLOOP.
SORT et_list .
ENDFUNCTION.Hi,
As per my knowledge if you want to implement customer specific discount then you should use ISA B2B instead of ISA B2C. ISA B2B gives you this facility which you want to implement on B2C.
Also How you will distinguish User in B2C to display specific prise. Your discount price is based on Sales Org or base on user?
As your ABAP program is working fine but you are not getting it on web site then you have to write custom java code and collect all the required information on ISA side then pass it to RFC's import parameter and get the result back and display result on ISA B2C.
eCommerce Developer -
How can I limit/control the addition of auth. objects to security roles?
Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certaing type of auth. objects and didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
Edited by: Armando Salas on Nov 29, 2011 7:41 PMHi Armando,
Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
I hope this helps you
Regards
Eduardo
Maybe you are looking for
-
HT4623 Phone does not work after update
After update 6.1.4 phone cannot find signal to function even though wireless works. Cannot reload update...says it's up to date. Reboot nothing, Reset, nothing. Really beginning to dislike this piece of junk. Just need a phone that works.
-
I just loaded the newest version of iTunes. Now iTunes will not load dur to missing files.
I just loaded the newest version of iTunes on a pc with WindowsXP. As soon as I attempted to open iTunes, I received a message that it could not open due to missing files. This is the second upgrade in a row that this has happened to me. What is g
-
Message no. RM109 The quantity at RP is less than the quantity at next RP
Hello everyone, I am getting an error in regards to a reporting point. I tried going into MF4R to reset the reporting points and when I do I get the following message: The quantity at RP 0220 is less than the quantity at the next RP Message no. RM10
-
[svn:fx-trunk] 13699: -update textLayout, osmf, and flash-integration
Revision: 13699 Revision: 13699 Author: [email protected] Date: 2010-01-21 15:28:17 -0800 (Thu, 21 Jan 2010) Log Message: -update textLayout, osmf, and flash-integration -to build proper _rb swcs with the recent localized properties that have
-
ERROR: The network you selected cannot be extended
I just bought a new Airport Extreme duel-mode router, and I want to use it to extend my network. I go to the wireless settings, and choose to "Extend A Network" then I choose the network that I want to extend. The problem is that when I selected the