To read an authorization profile.
Hi,
I am trying to provide authorization in a HR report. An administrative person can execute the report. At this moment, a user can see the information of all employees. Instead, the users should be restricted to a group of employees whose organizational key has been assigned in his authorization profile. I am trying this with P_ORGIN authorization object. I can use P_ORGIN with a single static organizational key. But, in this report, I have different sets of organizational keys for different administrative users. For this reason, I will need to read the user's authorization profile to get the set of organizational keys. Can anyone tell me how I can read the authorization profile for a particular user who is using the system so that the program can check the set of organizational keys? I am using R/3 version 4.6C.
Or more generally (for multiple users):
REPORT ztest NO STANDARD PAGE HEADING LINE-SIZE 255.

TABLES: usref,
        usr11.

* Input: the users whose profiles are requested
DATA: BEGIN OF itab OCCURS 0.
        INCLUDE STRUCTURE usref.
DATA: END OF itab.

* Output of the function module: one row per user/profile
DATA: BEGIN OF itab1 OCCURS 0.
        INCLUDE STRUCTURE usref.
DATA: END OF itab1.

* Result list: user, profile and profile description
DATA: BEGIN OF itab2 OCCURS 0,
        user    LIKE usref-user,
        profile LIKE usref-profile,
        ptext   LIKE usr11-ptext,
      END OF itab2.

DATA: old_prof  LIKE usref-profile,
      prof_desc LIKE usr11-ptext.

* Current user plus one more user name
itab-user = sy-uname.
APPEND itab.
itab-user = 'USERNAME'.
APPEND itab.

CALL FUNCTION 'SUSR_GET_PROFILES_OF_USER'
  TABLES
    users    = itab
    profiles = itab1.

SORT itab1 BY profile.

LOOP AT itab1.
* Read the description only once per profile
  IF itab1-profile <> old_prof.
*   Clear first so a profile without text does not inherit the previous one
    CLEAR prof_desc.
    SELECT SINGLE ptext INTO prof_desc
      FROM usr11
      WHERE langu = sy-langu
        AND profn = itab1-profile
        AND aktps = 'A'.
    old_prof = itab1-profile.
  ENDIF.
  itab2-user    = itab1-user.
  itab2-profile = itab1-profile.
  itab2-ptext   = prof_desc.
  APPEND itab2.
ENDLOOP.

SORT itab2 BY user profile.

LOOP AT itab2.
  WRITE: /001 itab2-user, itab2-profile, itab2-ptext.
ENDLOOP.
Rob
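For the restriction described in the question, the organizational key of each employee record can be passed to the P_ORGIN check directly, so the kernel evaluates the current user's profiles and the report never has to read them. The following is an added example, not code from the original posts; the report name is hypothetical, and it assumes the report reads infotype 0001 from PA0001 itself rather than through a logical database.

```abap
REPORT zhr_orgkey_list NO STANDARD PAGE HEADING.  " hypothetical name

TABLES: pa0001.

* Employees with their organizational key (VDSK1) from infotype 0001
DATA: BEGIN OF it_emp OCCURS 0,
        pernr LIKE pa0001-pernr,
        ename LIKE pa0001-ename,
        vdsk1 LIKE pa0001-vdsk1,
      END OF it_emp.

* Organizational assignment records valid today
SELECT pernr ename vdsk1 FROM pa0001
  INTO TABLE it_emp
  WHERE begda <= sy-datum
    AND endda >= sy-datum.

LOOP AT it_emp.
* Check read access to infotype 0001 for this record's own
* organizational key. All profiles of the current user are
* evaluated by the system; DUMMY leaves a field unchecked.
  AUTHORITY-CHECK OBJECT 'P_ORGIN'
           ID 'INFTY' FIELD '0001'
           ID 'SUBTY' DUMMY
           ID 'AUTHC' FIELD 'R'
           ID 'PERSA' DUMMY
           ID 'PERSG' DUMMY
           ID 'PERSK' DUMMY
           ID 'VDSK1' FIELD it_emp-vdsk1.
  IF sy-subrc <> 0.
*   Not authorized for this organizational key: suppress the record
    CONTINUE.
  ENDIF.
  WRITE: / it_emp-pernr, it_emp-ename, it_emp-vdsk1.
ENDLOOP.
```

Each administrator then sees only the employees whose organizational key appears in the VDSK1 values of their own P_ORGIN authorizations, and a change to a profile takes effect without touching the report.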
Similar Messages
-
How to get all authorization objects for a certain authorization profile
Hi ABAP experts,
I have the following problem: for a certain authorization profile of a role (created with transaction PFCG) I would like to get all contained authorization objects: e.g. for the contained object PLOG I would like to know/read all corresponding parameter values.
So:
- where are these values stored (dictionary table)?
- is there already a FM or a report to read all authorization values for a certain authorization profile?
Thanks in advance.
Best regards,
Oliver
Hi,
check the following it might useful for you:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
if helpful reward points are appreciated
-
Query related to Authorization profile.
Hi Professionals,
Please help me out as I'm not a BASIS consultant but PP.....
We've created Users profile and assigned them profiles that contain a particular bunch of Transaction codes module wise.
Now we want to create and assign such an Authorization profile to Users which will contain all Display transaction codes either related to all modules OR that particular module only say PP, MM, FI, CO etc.....
For example
MM03- Display material master
CS03- Display material BOM
CR03- Display work center
ME53N- Display Purchase requisition etc.
Is there any standard profile for that that are already provided by SAP? If it's there, how do we know that are related to what module?
Suppose if we assign such profiles, what will be implications related to future and user discipline?
Thanks & Regards,
Abu Arbab
Hi Abu, don't worry about being a PP consultant, most of us here are not Basis either, rather we focus on security.
There are no standard roles delivered by SAP which give this. There are standard SAP display roles but none will include all the display transactions for a module.
What you should do is get each functional team to list the display transactions which are used by the business processes which they have configured. There is no point in creating a display role with 500 transactions if the business processes only require 30 transactions. Access is more usually required for business processes rather than module so you would often need to combine your modular display roles to cover a single process.
By building the roles to include the transactions you use rather than are available, you also avoid one of the mistakes often seen with using standard SAP roles - users having wider authorisations than they require to perform their job.
-
How to make changes in Authorization profile?
Dear Guru's
In R/3 4.7 I used to change authorization profile in tcode SU02, whereas in ECC 6.0 I don't find any change option; it shows "Generated profile can only be displayed"
I want to remove the particular tcode from that authorization profile. Please help.
Regards
AKI
Aki
In new SAP versions, they have replaced direct profile generation with Roles concept and all the new profiles are attached to the roles. Follow this link and read it completely and understand the concept.
http://help.sap.com/saphelp_bw21c/helpdata/en/52/6714b6439b11d1896f0000e8322d00/content.htm
You cannot change a profile directly, instead you will have to insert authorization from the existing profile into a new role and generate a new profile for that role.
Goto PFCG, create some new Z role. Save it, then goto authorizations tab, in the profile text box enter the profile name you want to edit authorization of. Goto change authorization Data. make the required changes. Then in the menu on top left hand side you will see a red and white ball press that and generate profile. Now you have a new role with required authorization. You can attach the role to required users.
Rahul
-
Roles and their authorization profiles time period
Can roles and their authorization profiles be assigned to a user for a limited time period?
please reply
Thanks
Edited by: tracey_hrecc6.0 on Nov 1, 2010 5:24 PM
Hi,
It is possible.
Read below links for more details
http://help.sap.com/saphelp_mic10/helpdata/en/69/1810a4c51144dc833353183155ec88/content.htm
http://www.sap-img.com/basis/frequently-asked-questions-on-authorization.htm
http://help.sap.com/saphelp_wp/helpdata/en/cd/cc5664d22a11d296110000e82de14a/content.htm
Regards
S.Ravi
Edited by: S.Ravi-at-SAP on Nov 25, 2010 5:36 AM
-
Authorization Profile for attributes into queries
Hi all,
I've a big problem in a Bex environment.
Some users-id cannot see the kf-type attributes of 0material, but they can see only characteristic-type attributes. In general this happens for all characteristics with kf-type attributes.
Instead with my user-id (sap_all) the query is ok.
I believe the problem depends of the authorization profile.
Every user has a lot of profiles.
How can I do for detecting the restrictions of these users?
Do you know the specific profile that limits the display of the attributes?
Does there exist a t-code to identify the auth. profile used from a query?
Thanks in advance.
Cla
Hi Claudia,
It seems that key figure authorization has been set up in your system. You need to assign the role that would give the users access to these key figures. You can run the report by any other user's auth, through transaction RSSMQ.
Hope this helps...
-
Authorization profile to call "IL01"
Hi Fox,
As there is an authorization profile which allows users to access the transaction "IL01" I wonder if anybody knows which is appropriate authorization. If possible I would like to know how to find it myself in the future.
Furthermore I would like to know how to find other authorization profiles which are required to call functions within the transaction "IL01" like "Material where used-List" (ctrl. + F5) .
Thanks for your help
kami
Hi,
If you don't have authorization for the transaction 'IL01', enter this transaction and in another window open transaction SU53. This will display the authorization check failed details. From there you can find out the authorization object checked.
Regards,
Soumya.
-
MSE-provided location used with ISE Authorization Profile
Hello Everyone,
Can MSE-provided location be used in an ISE Authorization Profile?
Thanks much,
David D.
Yes, ISE 1.2 can use this feature if it is used with Merridian or Ironmobile integration, and this is still in Road Map.
-
Activate authorization profile
I have no authorization to do SU02,
Is there a BAPI or FM that can be used to activate authorization profile?
Edited by: Heyman52 on Jul 8, 2010 4:07 AM
Hi,
Use tcode: OOSP Authorization Profiles
The authorization profiles are specified in the T77PR table (Definition of Authorization Profiles).
-
Create Authorization Profile Manually
Dear Experts,
I want to know the Tcode through which I can create Authorization Profile.
I know that through PFCG we can create a Role and from there we can generate a Profile, But how can i create a profile without creating a Role.
I think this is possible because the Profile : SAP_ALL does not have a role.
Regards
> Mishra.Manas wrote:
>
> Tcode through which I can create Authorization Profile
>
> It's actually the task of a SOX or Security Consultant. If you have rights to access SU02 you can do it.
> Go to Profiles------>Create.
> Here you can create a profile without a role being generated.
It is nothing to do with a SOX consultant unless that person is also a security administrator.
-
Training Authorization Profile
I would like to create Authorization profile for Training Authorization by adding object P, L, D, E. and allow user only to be able to maintain those employees in specific cost center.
I tried to add object "K" with specific cost center value, but it is not working.
We can achieve the same by adding a record for each "P" object with employee number value and it is working fine. But this is not a practical way.
Please if you have any idea let us know how to do this.
M. Khalid
-
Secure ACS 4.2 Authorization Profiles
Hi,
I have two user groups and I want to use my first group to use with authentication to the network devices. Second group should be only used for 802.1x network access and no access to network devices. How can we do it with the authorization profiles, any example?
Thanks
Hello,
First of all, take backup (as a precaution to be able to restore config if something goes wrong) then proceed with the following:
- Remove the windows domain configuration (group mapping...etc) from the server before changing the domain.
- Change the domain membership then reboot.
- follow the post-installation tasks for ACS (check this link): http://tiny.cc/zr6huw.
- Configure the external database again on the ACS (group mapping, unknown user policy..etc).
You need to notice also that if the new domain controller is Windows Server 2008 R2, that is not supported in ACS 4.x.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
-
Can I create the structural authorization profile in batch?
Hi All:
I have a question.
I need to create structural authorization profile in transaction code OOSP, it's OK if I enter new entries in the OOSP and then maintain the authorization profile like object type; object ID; Eval. path and so on.
But there are so many new entries that need to be created that I want to use LSMW to realize batch input.
But when I use the transaction code "OOSP" to record the screen during the LSMW, I failed to see the "authorization profile maintenance" screen, that is, I can enter new entry, give it a name and text still, but cannot maintain the authorization profile like object type; object ID; Eval. path. In other words, the "authorization profile maintenance" screen is missing during the LSMW recording screen!
Can anyone tell me what's the reason?
-
No authorization to read the authorization object
Hi all,
We have implemented (on BW 3.0B) authorization profiles using 0TCTAUTH and 0ORGUNIT. It works fine, but when a user deactivates the hierarchy (by using the option on Bex), there is an error "Brain 804 No authorization to read the authorization object".
I've seen that there is an OSS note (N 844408 No Authorization after deactivating display hierarchy) and it seems to be a support packages problem.
Is there someone who could tell me if there is another solution to resolve this problem before installing Support Package?
Thank u all
Hi Alessandro,
You are right, no way other than support packages.
Following note may help you.
a> 844408
b> 695523
Hope this will help you.
Suneel
-
Hi,
We are using R/3 4.7, LSO 2.0
The purpose is that some user should be allowed to view/book only certain courses. This is done by the Course creator. For this he is using Authorization Profile. Is there any other way other than this?
We have course groups and course subgroups created. We have created an authorization profile which stores the ID of the Group objects and saves. It is then assigned to the user.
The issue is this has to be done in production server. The server is set to not modifiable. For this we need to copy all the object type & ID from the production server and then create a new profile and then move using Transport Request to the production server from development server.
Does anyone have an idea that would have the same authorization profiles without breaking the client modifiable lock or transport request from development server?
Thank you,
Regards,
Boobalan