Transaction to check authorization objects that failed

Similar Messages

• Authorization Objects that allowed/disallowed FI Postings

  Hi All,
  May I know what are the Authorization Objects that allowed/disallowed FI Postings?
  Thanks,
  Teo

  Dear:
                  Here is the list of FI objects i have maintained to allow or disallow the transactions into Customer, Vendor, Co code, GLs e..t.c Hope it will be helpful for your.
  F_AVIK_BUK     FI        Payment Advice: Authorization for Company Codes            
  F_BKPF_BED     FI        Accounting Document: Account Authorization for Customers   
  F_BKPF_BEK     FI        Accounting Document: Account Authorization for Vendors     
  F_BKPF_BES     FI        Accounting Document: Account Authorization for G/L Accounts
  F_BKPF_BLA     FI        Accounting Document: Authorization for Document Types      
  F_BKPF_BUK     FI        Accounting Document: Authorization for Company Codes       
  F_BKPF_BUP     FI        Accounting Document: Authorization for Posting Periods     
  F_BKPF_GSB     FI        Accounting Document: Authorization for Business Areas      
  F_BKPF_KOA     FI        Accounting Document: Authorization for Account Types       
  F_BKPF_VW      FI        Acc. Document: Change/Display Default Vals for Doc.Type/PKey
  F_BL_BANK      FI        Authorization for House Banks and Payment Methods          
  F_BNKA_BUK     FI        Banks: Authorization for Company Codes         
  Regards

• Report to check authorization object used in customized programs

  Hi Guys,
  An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
  Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

  Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
  To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
  Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
  Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
  Code review is an art form!
  Cheers,
  Julius

• RSSM: Checks Authorization Objects for Infoprovider are not activ

  Hello,
  we have BW 3.5 and we use RSSM Authorization Objects.
  When we create a new cube with an Infoobject that is authorization relevant, in our development-system in rssm the flags for the checks are automatically activ.
  When we transport the new cube to our production-system, the flags in RSSM for the authorization object are not activ.
  Sometimes the new infoprovider is not in the list of the infoprovider in rssm, so we have to "update check status" with the appropriate icon.
  My question:
  It is possible, that when we import the new cube in our production-system, that all authorization objects are activ??

  Hi,
  Normally system would check all the authorization relevant objects whenever a new Info cube is imported and in case if you want to transport these changes to Production system manually then follow the below listed steps:
  1) In Development system, check or un-check the authorization relevancy using the transaction RSSM on a given Info provider
  2) These changes are stored in table RSSTOBJDIR
  3) Create a manuall transport request and include these entries covering the required Authorization objects manually. 
  R3TR TABU RSSTOBJDIR
  Ex: If Info object 'A' is authorization relevant in Development system but not in Production system and you want to transport this change to Production system then include object 'A' table entries manually.
  Hope this helps.
  Cheers
  Bala Koppuravuri

• LDB PNP authorization check authorization object

  Hi,
  I have used LDB PNP for HR reports.
  We are using the authority check also, but the problem is all the records/data for all the people is being read by the report where some of the people data should not have been read as they belong to some other personal area that the role of the executer (user).
  Hence it appears that authorization check is not working properly.
  Following is how I am using it, Please suggest corrections or alternate way to correct this issue.
      rp-provide-from-last p0002 space gwa_outlist-begda 
                                                      gwa_outlist-begda.
      IF pnp-sw-found NE '1' OR
          pnp-sw-auth-skipped-record EQ '1'.
          EXIT.
      ELSE.
          ls_tab-vorna = p0002-vorna.
          ls_tab-nachn = p0002-nachn.
      ENDIF.
  Please reply with the corrections ore alterations,
  Thanks in advance.
  Akash.

  Hi,
  (1)
  Actually, if you're wirting report with PNP LDB, you do NOT need to do this hard-coded auth checking at all. Because the LDB abap code behind PNP has already do this job for you.
  So all you need to do is to ask you HR consultant or Basis consultant to modify the authority config of certain ROLE with t-code PFCG, and then assign that ROLE to certain user with t-code SU01.
  ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
  (2)
  In some case you do not work with LDB report, then you need to do the authority check by yourself. General function  AUTHORITY_CHECK is what you need.  AUTHORITY_CHECK do the authority check by means of Authority Object.Belows are authority objects used in HR module(you can also see in PFCG if technial name switched on):
  P_ORGIN    HR: Master Data
  PLOG       Personnel Planning
  P_PCLX     HR: Clusters
  P_TCODE    HR: Transaction codes
  Sample of checking personal area:
  CALL FUNCTION 'AUTHORITY_CHECK'
       EXPORTING
            FIELD1              = ' PERSA'
            OBJECT              = 'P_ORGIN'
            USER                = 'SAPSUPPORT1'
            VALUE1              = 'Z001'  
       EXCEPTIONS
            USER_DONT_EXIST     = 1
            USER_IS_AUTHORIZED  = 2
            USER_NOT_AUTHORIZED = 3
            USER_IS_LOCKED      = 4
            OTHERS              = 5.  
  IF SY-SUBRC NE 2.
  MESSAGE E001(01) RAISING AUTH_FAILED.
  ENDIF.
  Reward if helpful pls!

• Authorization objects generated by a transaction

  Hola buenas tardes, tengo un problema con unos roles. Actualmente existe una transaccion llamada FDTA la cual me muestra unos TXT para tranferencias Bancarias tanto de HR como de FI, resulta que el personal de HR puede ver los TXT de FI y los de FI tambien puede ver los de HR, como puedo saber que objetos genero esa transaccion, o como puedo determinar que campo es el que limita esta opcion? 
  Gracias por su atencion,

  Hola Juan Carlos,
  Deberías poder ver desde la PFCG, agregando la transacción desde el menú, todos los objetos de autorización pertenecientes a dicha transacción. Para saber en que objetos le está fallando al usuario, dile que ejecute cuando le da el error la transacción SU53, esta pantalla te dará el objeto de autorización en cuestión.
  Hi Juan Carlos,
  You should be able to see all authorization objects for a transaction, by adding it first on the transaction menu from PFCG. Furthermore, if you want to troubleshoot specific auhtorization objects, instruct the user to execute transaction SU53. This screen will show you specific authorization object that failed at that moment.

• Authorization object for parameter transactions

  Hi all,
  I'm trying to restrict transaction VL10h for shipping point,this transaction is a parameter transaction and is not controlled by an authorization object directly.when I run a trace , transaction Vl10x shows up. The authorization object that is being checked is V_LIKP_VST.
  Note : The requirement is when the user executes transaction VL10h he/she should be able to display only those shipping points they are authorized to.
  Please advice.
  Thanks,
  Mohan.

  Hi Mohan,
  For transaction VL10H you can specify values for the following fields in authorization object V_LIKP_VST:
  -Activity:
  01     Create or generate
  02     Change
  03     Display
  04     Print, edit messages
  18     Deliveries from coll. proc.
  24     Archive
  25     Reload
  85     Reverse
  -Shipping point: Here you must set the restriction for each group of users that are allowed for the maintenance of the shipping points that are used for delivery processing.
  You can restrict the access through these fields.
  Regards,
  Leandro

• Authorization object creation for transaction MIGO

  Hi,
  We have created the auth object for acct asignment category with values as activity & acct assignment category.
  But when assigned to respective users, its still allowing to perform the transactions.
  Basically I am using this object for doing Goods Reciept tcode MIGO.
  As in if auth object carries value 'K' in this object i.e. for cost center then other user with value 'P' i.e. project wont be allowed to perform the MIGO for POs with 'K'.
  Kindly tell me the specifications for the auth object, so that it will restrict users from performing the MIGO.
  Regards,
  Krutika

  hi!
  1) identify the infoobject which must have restricted access. I think it is Profit Center in your case or may be PSP element
  2) in infoobject maintainance screen check Whether it is marked as Authorization relevant(RSD1)
  3) goto RSSM and create a new authorization object and add your infoobject to it.
  4) in PFCG role maintainance screen add create a new role Project Management and addt eh users to it. under the authorizations tab go to maintaina authorizatioons and add your authorization object that you create in RSSM. and maintain the correct values with in it.
  with regards
  ashwin

• Authorizations in CRM 2007 - How to check missing authorization objects?

  Hi,
  In our project we are currently busy with the set up of authorizations.
  I did create the necessary PFCG and Business roles.
  For the PFCG roles, I did create all of them by copy of the standard SAP_CRM_UIU_FRAMEWORK so that the user can  access to the web layout.
  Now I need to give authorizations for other CRM objects, my question is: How can I see which objects are missing to displaying or creating activities in the new WEB Layout?
  In the old days we used the SU53 to check the authorization objects that were missing, how can we do it now in this new release? I tried it and didn't worked out.
  Thx
  Regards
  Hugo

  Hi,
  For report CRMD_UI_ROLE_PREPARE you have to input a business role - not a PFCG role. Are you doing that?
  Are you getting no results at all in ST01 or are all results just with return code 0?
  You have to remember to set a filter for your user in ST01 before activating the trace. Another thing to check is if you are using several application servers. I would imagine the trace has to be activated on the same application server as the Web UI. You can change the application sever in SM51.
  /Anders

• Creation of a new Authorization object

  Hi ,
  I need to create a new Authorization group and add three existing tables to it.
  Kindly suggest a way.
  Regards.

  Authorization Field
  Smallest unit in an authorization object. An authorization field either represents data, such as a key field in a database table, or activities, such as Read or Create. Activities are specified as identifiers, which are stored in the database table TACT and the customer-specific table TACTZ.
  Maintenance using transaction SU20.
  Authorization Object
  Repository object that forms the basis for authorizations. An authorization object comprises up to 10 authorization fields. The combination of authorization fields, which represent data and activities, is used for authorization assignment and to check authorizations. Authorization objects are grouped together in authorization classes.
  Maintenance using transaction SU21.
  Authorization
  Enter in the user master record or part of an authorization profile. An authorization comprises complete or generic values for the authorization fields in an authorization object. The combination determines the activities with which a user can access certain data.
  Maintenance in transaction SU03 or generation from transaction PFCG (profile generator for role maintenance).
  Authorization Profile
  Grouping of several individual authorizations or further authorization profiles. Can be entered in the user master record instead of individual authorizations. An authorization can be assigned to authorization profiles as often as you wish.
  Maintenance in transaction SU02 or generation from transaction PFCG (profile generator for role maintenance).

• Checking authorization of a tcode//

  can i check the authorization objects of a tcode?
  i want to assign a user with only a tcode not with the full role.
  is there any way that i cud asssign a user with a tcode only with out creating a new role, cud i view some how what particular authorization a tcode is using
  thanks
  akshat

  Akshat,
  are you sure that's a good idea...?
  First of all - use SU24 to check the objects that are defined for the TCode. Additionally, an authoritzations trace with ST01 will give you certainty.
  If you add the TCode manually, you lose that connection. I..e, when you remove the TCode, the user might still have the objects, and these may be harmful in conjunction with a different TCode, meaning that the user will have access to stuff you don't want him to.
  We recommend assigning transactions only via the menu, and maintaining SU24 properly.
  Kind regards,
  Frank.

• Authorization object for ML81N

  Hi
  I am trying to know what is the authorization object that controls :
  when going to transaction ML81N and you click on the colorful icon on the right (configuration) it opens the table settings window
  what is the authorization object for the administrator button
  regards

  well.......to be honest, i did my research based on some intuition and some research
  I know that the settings could be changed not only for the transaction you mentioned, but i remember that i was taught that this could be changed for Sales order transactions too, which suggests that this is not bound to a specific transaction but more on a "generic plane"
  whenver it is system wide settings, the first think i check for (just a habit) is on S_ADMI_FCD, earlier experiences taught me a lot on the importance of this object, make sure that you never have a * for this object (at least that is my personal learning and opinion)
  Good luck for the future

• Authorization objects to avoid users to access workbook design mode

  Hi all,
  Does anyone knows an authorization object that stops the user to enter workbooks design mode?
  We use workbook protection but this disables most of the workbook properties.
  Many thanks,
  Mazzz

  Hi..
  see this thread.. hope it helps..
  How to prevent workbook users from saving workbooks
  You must set up security to control who can save workbooks, where they can be saved, and which workbooks appear in the BEx Browser for a specific user.
  Workbooks can also be created in the BEx Analyzer. After executing a query, choose Save u2192 Save as new workbook.
  Securing Workbooks
  In order to save a workbook, a user needs two authorization objects. The two objects listed below are the minimum authorizations a user needs to save workbooks.
  S_GUI: Authorization for GUI activities
  S_BDS_DS: Authorizations for document set
  Using both S_GUI and S_BDS_DS will enable a user to save workbooks to their Favorites folder.
  The authorization object S_GUI has one field, Activity. The activity field must be set to 60. For S_BDS_DS, the user needs activities 03 and 30. The Class Type field should be set to OT.
  Saving Workbooks to Roles
  If a user wants to save aworkbook to a location where it can be easily accessed by others, they need to save to a Role rather than saving the workbook in their own Favorites folder. Saving to a Role means saving to a security role.
  You may want to set up roles specifically for saving workbooks. You can then assign the role to all parties who need to share workbooks.
  Another option is to not allow users to save workbooks, but rather only allow power users to save workbooks. This is done to maintain the roles and to ensure that the workbooks are manageable. This also prevents users from changing workbooks saved by other users.
  In order to save workbooks to roles, a user needs:
  S_USER_AGR: Authorizations: Role check
  S_USER_TCD: Transactions in roles
  The authorization object S_USER_AGR has two fields:
  Activity and Role Name.
  Activity field -Must have at least values 01, 02 and If the user can delete workbooks, they will also need value 06.
  Role Name, you should enter the specific roles you have created for saving
  workbooks. Use proper naming convention for roles so that the roles can be restricted pretty easily.  The role name is the name of a role that will be used to hold workbooks. Saving a workbook to a role actually updates the Menu portion of a role, so object S_USER_AGR is a required object.
  Authorization object S_USER_TCD has one field
  Transaction Code. The user needs value RRMX in this field.
  Once a workbooks is saved, the data and the layout is saved in the workbook. For security reasons, we recommend that users save workbooks without the data. To save the workbook without the data, the users selects from following menu path from the BEx Analyzer: Tools > All queries in Workbooks > Delete results
  Sathya
  Edited by: sathya prasad anumolu on Jul 30, 2008 4:58 PM

• Authorization object to display specfic layout

  hi all,
  i have an ALV output having some colomns to display.
  we have been asked to display some additional colomns apart from existing ones.
  1)Bottler Affiliation"      2) SAP Payer Customer"     3) AAG (vbrk-ktgrd)        4) Legacy Bill To Customer"     5)SAP Sold To
  Customer"             6)SAP Sold to Customer Name     7)"Legacy Ship To  Customer"
  colommns 3),6) are the added ones in my case.
  what the req is use authorization objects that allow the new columns to be displayed for specfic roles only.
  so how to proceed in this case??

  Hi,
  I'm assuming this is a customer program not a standard one, so I would do the following.
  Create a new authorisation object for each column you want to allow/hide
  In the ALV program, where you build the field catalogue check each authorisation object
  If the object check passes add that column to the field catalogue, if it fails don't add it
  Add the authorisation objects to the roles that are permitted to view the columns
  Regards,
  Nick

• About authorization object

  Hi basis guys........
  i am not able to give print request.its showing authorization error
  "no authorization for LOCAL PRINTER" and "output could not be issued"
  i checked su53 screen. and i assigned that activity in authorization object.
  even then its showing authorization problem.
  Is there any object to add to get printing ?
  and what is "s_gui" object ? is that works?
  Please tell me your suggestions
  Regards........nagendra.

  Hi
  Check whether for the user a printer is assigned or not. Only the printer which is assigned to the user in SU01 can be used by the user.
  What u can try is assign the Local Printer in default printer for that particular user.
  Also if you have assigned the authorization object that was missing then there should not be a problem.
  Regards
  Sumit Jain
  [reward with points if the answer is useful]