Track-specific Authorization

Hi,
I set up Track-Specific Authorization in NetWeaver 7.0.
UME user "test_a" has NWDI.Administrator role, and the CMS Track Authority of user "test_a" is set as =>
====================================
Track A => select all Authorities
Track B => select only "Display" Authorities
====================================
I turn on Track Authority State without error.
When I test the scenario of logging in as user "test_a" and then modifying Track B by adding a runtime system,
user "test_a" is able to add a runtime system on Track B.
The expected result is that "test_a" cannot modify Track B (e.g. add a runtime system).
Please help.

Hi Chen,
test_a has the NWDI.Administrator role assigned to it,
so test_a can do anything.
Track authorities are set for the users to whom you have just assigned
NWDI.Developer or other roles other than NWDI.Administrator.

Similar Messages

  • Issue with context specific authorization object P_ORGINCON.

    Hello Experts,
    The context specific authorization object doesn't evaluate the
    structural profile it is assigned to when more than one structural
    authorization is assigned to a user.
    Please read the below scenario for issue description as follows:
    User ZHR_ACT13 is assigned two roles namely ZHR_HRD and ZHR_DEPT_HEAD.
    He is the manager for employee ID 167 and is not the manager of employee ID 17.
    Role ZHR_HRD has no read/write authorization for Infotype 6. ZHR_HRD is also assigned to structural authorization ALL which is meant for viewing all the objects with no restriction of any relationship.
    Role ZHR_DEPT_HEAD has read authorization for infotypes 6 for only the subordinates i.e. the structural authorization ZDEPT_HEAD of viewing only the subordinates data is assigned to this role. Also this structural authorization ZDEPT_HEAD is assigned to infotype 6 using
    authorization object P_ORGINCON.
    But now the manager ZHR_ACT13 is able to read infotype 6 data for employee ID 17 who is not his subordinate even though only structural authorization ZDEPT_HEAD is assigned to infotype 6 using P_ORGINCON. We
    expect that user ZHR_ACT13 must be able to read infotype 6 data only for employee ID 167 and not for employee ID 17.
    Please kindly help resolve this issue.
    Thanks & Regards,
    Roshan.

    This has been resolved.

  • Project Specific Authorization

    Hi Everyone,
    My requirement is to implement project-specific authorization, meaning I want to restrict users from accessing other projects running in the same plant. Suppose there are four projects A, B, C and D. There will be four project managers and four teams as well. Our client wants that a member of one project cannot access the things of other projects. SAP has given standards only for transaction authorization, where one can be restricted from accessing a particular transaction, but how do we restrict at project level? Suppose the project manager of project A has access to CJ2B; now he can open any of the projects, so we need to configure the users in such a way that he is only able to open his own project. The moment he tries to open some other project to which he is not assigned, the system should give him an error message like "You are not authorized to access this project."
    hope I am able to clarify the requirement please give your feedback and solution for this...
    thanks in advance

    same as Restrict project's access on PS
    cheers
    thorsten

  • Documentation on Crystal-specific authorizations

    Does anyone have any additional documentation on how best to configure the various authorizations that are required for using Crystal Reports in an SAP environment? I have found the documentation/directions in the Install and Config guide to be vague and not helpful in trying to understand which authorizations are absolutely necessary for various functions.
    For instance, is the "Crystal Consumer" or viewer role necessary for someone who is only going to view scheduled instances and not view reports on demand? What specific authorization is needed to allow for on-demand viewing? Any help or tips on how to configure authorizations would be appreciated. Thanks!
    Edited by: Mike Garrett on Jan 21, 2009 6:13 PM

    Hi Mike,
    The Install and Admin guide for the Integration for SAP solutions has a section describing what authorizations are required for different connectivity tasks.
    However in the case where the user is viewing an instance, no authorizations are required because this is a report with saved data thus no connection to the database is required.
    In case you are thinking of the publications, I will elaborate further on how this feature works.  When a publication is created for multiple users, the database is hit once per added user to retrieve the record set of that user based on his/her authorizations.  Once this is completed, a report instance is created for each one of these users which only that user has access to.  We describe this type of publication as multipass bursting where data is requested from the database per recipient.
    thanks
    Mike

  • User List for a specific Authorization Object

    Hi all,
    I am looking for a way to get a list of all users assigned to a specific Authorization Object with specific values. The FM 'authority_check' is the other way around and not what I need. Does someone have an idea?
    Many thanks in advance.
    Ali

    Hi,
    Try this FM
    SUSR_USER_AUTH_FOR_OBJ_GET
    Check this FM
    AUTHORIZATION_DATA_READ_SELOBJ
    Rgds,
    Prakash
    Message was edited by: Prakashsingh Mehra

  • Querying roles containing specific Authorization Object

    Hello!
    We're using BI7 with new considerations about security. I want to get all roles that contain a specific Authorization Object. I've tried using TX SUIM, but had no success.
    Is there any report, transaction or something else where to find this info?
    I hope you can help!
    Regards!
    Bernardo

    Bernardo,
    If "new security model authorization objects" means analysis authorizations (SAP's official naming for objects maintained by RSECAUTH), those used in roles can be retrieved again using tcode SE16: just query AGR_1251 but this time providing S_RS_AUTH for field OBJECT. The result set shows roles that contain analysis authorizations. If you want only the roles which have a specific analysis authorization, just provide its name for field LOW. Be sure to fill in this field with all capital letters.
    On the other hand table RSECVAL keeps the values defined for analysis authorizations.
    Hope this helps.
    Regards,
    Fernando

  • Error for customer specific Authorization check (User Exit)

    Dear Experts,
    I am facing a problem in PM.
    I have created a maintenance plan for calibration via t code IP42 and mentioned the order type PM05. Scheduling is done for the order. I got the order number.
    I have released the order and got the inspection lot number.
    While entering the results recording through t code QE17, the results are out of the specified range, and I have given the valuation Rejected; immediately the system gives an error message as below:
    "Error for customer specific Authorization check (User Exit)"
    Though there is no user exit activated in the system, this message is coming and not allowing the result recording for rejection.
    If I'm entering the result recording within the specified range, then valuation is Accepted and its allowing to save.
    I have checked the following user exits:
    QQMA0002: QM: Authorization Check for Entry into Notif. Transaction
    QQMA0026: PM/SM: Auth. check when accessing notification transaction.
    The above 2 User Exits are not active.
    I have also checked a note 429066. But it says it is applicable only in case of any dump for that user exit, and moreover the current version of the system is ECC 6.0 package 15, whereas that note is applicable up to 4.6C.
    Please, someone help me on this issue.
    Thanks and Regards,
    Praveen.

    Dear Pete,
    I have checked with my technical team. There are no hotpacks updated recently. This is the implementation project I'm in, so I am performing the cycle for the first time.
    Anyhow, I got it solved: in T code QE17, after entering the inspection lot, in the next screen go to menu path Settings - User settings - Defects recording, mention the report type and tick Report type Changeable.
    At the time of result recording, if the valuation is Rejected then it asks for defects recording; close that window if not required, then save. The error message is no longer appearing now.
    Regards,
    Praveen

  • The scope of the customer-specific authorization object

    Dears,
    Could someone please give feedback about the scope of the customer-specific authorization object; e.g. if we are to create a customer-specific authorization object to replace authorization object P_ORGIN in the HR module, to be able to add an extra authorization field to the newly created authorization object, will the scope of the newly created authorization object (which will have a new validation code generated by report RPUACG00) be the whole ERP system?
    The worry is caused by the fact that P_ORGIN is already used in several authorization roles granted to users in the different ERP modules (i.e. FI, SD, MM, CS), so the replacement would affect these modules.
    Thanks.
    Reda

    Hello Reddy,
    We are about to implement the HCM module (We are now in the testing
    phase), on the same client as that of our SAP ERP implementation.
    We need to authorize on the personnel number grouped by 'Payroll Area'
    in transactions PA30, PA40
    In authorization object P_ORGIN, the field VDSK1 is already used to
    authorize on an attribute : cost center (organizational key) for each
    organizational unit, so we can't configure it to authorize on other
    fields from info type 0001 (e.g. Payroll Area).
    We need to continue using the conventional / general authorization and
    not the structural authorization, to stay in compliance with our
    authorization schema already implemented in our FI, MM, SD & CS modules.
    ( Also, as per thread : Steps for creating structural authorization profile using trans. OOSP
    the structural authorization cannot be used to authorize on Payroll Area.)
    We need to go through the HR module implementation without any changes
    in the ABAP code.
    So, the last way out is the custom-specific authorization object, and as I mentioned before, the authorization object P_ORGIN was already used in other ERP modules; e.g. FI, MM, SD & CS,
    ( Note : I haven't started yet implementing this solution.)
    Thanks.
    Reda

  • Deleting document specific authorization (ACL in EasyDMS)

    Hi,
    Is there a way to delete document specific authorization assigned using the Authorization tab in EasyDMS? The requirement is to have authorizations based on roles and auth objects (defined in PFCG) to take effect.
    Thanks,
    Lashan

    Hi Lashan,
    some time ago our development created the following report for deleting ACL entries of a document info record. Maybe this can be useful for you too. Below you find the report coding:
    *& Report  Z_ACL_DLETE_FOR_DIS
    REPORT  Z_ACL_DLETE_FOR_DIS.
    TABLES: draw.
    " Document info records (DIRs) that match the selection
    DATA: lt_draw   TYPE draw  OCCURS 0 WITH HEADER LINE.
    " Selection screen: document type, number, part and version
    SELECTION-SCREEN BEGIN OF BLOCK dms_block10 WITH FRAME TITLE text-001.
    SELECT-OPTIONS: s_dokar FOR draw-dokar MEMORY ID cv2,
                    s_doknr FOR draw-doknr,
                    s_doktl FOR draw-doktl,
                    s_dokvr FOR draw-dokvr.
    SELECTION-SCREEN END OF BLOCK dms_block10.
    START-OF-SELECTION.
      " List header
      WRITE:/1 'LIST OF DIRs WITH ACLs DELETED' COLOR COL_HEADING INTENSIFIED ON,
            /2 '          DIR KEY                   ' COLOR COL_HEADING.
      " Read the DIRs that match the selection
      SELECT * FROM draw INTO TABLE lt_draw
          WHERE dokar IN s_dokar AND
                doknr IN s_doknr AND
                doktl IN s_doktl AND
                dokvr IN s_dokvr.
      LOOP AT lt_draw.
        " Delete the DMS_GUID entries for this DIR key
        DELETE FROM dms_guid WHERE dokar = lt_draw-dokar AND doknr = lt_draw-doknr
                               AND doktl = lt_draw-doktl AND dokvr = lt_draw-dokvr.
        " List the DIR only if entries were actually deleted
        IF sy-subrc = 0.
          WRITE:/ lt_draw-doknr, lt_draw-dokar, lt_draw-dokvr, lt_draw-doktl.
        ENDIF.
      ENDLOOP.
    Best regards,
    Christoph

  • Tracking of Authorizations

    Hi All,
    Is there any way to track the log of over-writing a particular user's authorizations in SBO? More specifically, if someone need to know when a user's authorizations are amended and what has been changed.
    Regards.

    When the Authorizations window is open, you can track the changes through Tools / Change log.

  • Work Center specific Authorization

    Hi all,
    My specific requirement is we have 7 various plants and each plant having 2 work centers and planner groups like one is for Elect and other is Mech. Now my client wants that particular plant only have the authorization for its particular work center and planner group.
    This means that if plant 1 has work centers Elect1 and Mech1, this plant is not authorized to make a notification or order for plant 2 work centers, say Elect2 and Mech2. Is it possible? What am I supposed to do for that?
    Thanks,
    Anish

    Hi Anish,
    Nothing is required to be done by Functional Consultant. You just need to contact your basis team.
    You have to provide him role/profile for which you want to change authorization for auth object C_AFVG_APL.
    This auth object will have fields as below
    1) Plant
    2) Work center
    3) Action
    The following values are used for the actions:
    01: Create
    02: Change
    03: Display
    41: Assign PS texts
    42: Allocate materials
    43: Assign PRTs
    44: Assign activity elements
    You need to tell him for your role/profile - which plant, which work center and which action should be allowed.
    So accordingly user will have only those limited authorization.

  • Status and Tracking System Authorization Objects

    Hello,
    I'm having questions on how to create roles for users to access the Status and Tracking System.
    I've assigned the following Authorization Objects to my user
    R_STS_PT
    Activity: 16 Execute
    Subplan: *
    Planning sequence: *
    R_STS_CUST
    Activity: 16 Execute
    R_STS_SUP
    Activity: 16 Execute
    And still when I try to execute STS (T-Code: BPS_STS_START) or Customize (T-Code: BPS_TC) I get an error saying "Without Authorization for the transaction BPS_STS_START" and "Without Authorization for the transaction BPS_TC"!
    Can anyone help me, please! What am I missing?
    Thanks

    Hello Stephen
    Thank you very much for the help.
    Still I have some other questions that you or someone can help me with.
    By now, my Planning Coordinator can already access BPS_TC, and my Planning Responsible can access BPS_STS_START.
    The "normal" users must only have the Authorization Object R_STS_PT.
    I still have this issue that I'm not getting at.
    I have created a user to whom I've assigned total access to Execute STS and Customizing.
    I assigned the 2 transactions BPS_TC and BPS_STS_START and gave them the Auth. Objects R_STS_SUP and R_STS_CUST.
    Issue: When my user tries to "Define Subplan" and "Define Planning Session" I get this error:
    "No maintenance authorization for requested data
    Message no. SV052
    Diagnosis
    You have attempted, in change mode, to access data for which you have no authorization."
    Can anyone help me on this please.
    Thanks
    Vitor

  • Plant Specific Authorization of  VA42,VA02,VF03

    Hi,
    I have to provide authorization for Change or Display of Contract Orders, Sale Orders and Billing docs for the users of the plant in which they were created, and for other plant users I need to restrict it. For example, if a billing doc was created in Plant 1100, then only users of Plant 1100 should have the authorization for Change or Display of that billing doc. For other plant users it should throw an error message 'This billing doc belongs to another Plant'. Please guide me on how I can do this. What input do I have to take from the Basis Consultant?
    Regards
    K Srinivas

    Please guide in arriving at solution.
    Regards
    K Srinivas

  • Can I get a list of users who have a specific authorization role?

    Hello,
    I'm wondering if there is a BAPI or FM that takes as input a single authorization role and gives me back a list of all users who have that role?
    Thx.
    Andy Jacobs

    hi,
    please check the below FM
    'PRGN_1001_READ_USER_ASSIGNMENT'
    jaffer ,
    Please reward the helpful answers.

  • Keeping track of authorization(updation )

    hi all,
    I am working on JDeveloper with JSP. I am handling the authorization module. In this module the user will view the data and authorise. This will be updated in the database. In that I want to restrict the number of authorizations for each user logged on, so that the user can authorise only 10 or 20 times for each log on.
    thanx in advance.

    Maintain the number of rows updated in a session variable, and set up your sessions to expire when the browser is closed. If you want to allow the user to log off and back on again without closing the browser, then reset the count to zero when the user logs off.
