Update after addition of authorization objects

Hi,
I had inserted an authorization objects in my zprogram.
The testing is completed.
My question:
1. is there any other place which I need to update this object information eg. SU24 / SU22
2. if it is required, what's the impact if I did not do it?
3. Can I transport this to "LIVE" client?
Please assist.
TIA

Hi Colin,
Authorisation object needs to be added in the profile of the user who is supposed to execute the program. If you dont do that,no user will be able to execute the program.
Inform Basis Team to take care of assigning authorisation object to the profiles of desired user who will execute the program.
You can transport objects to any client but Basis Team needs to assign the objects to the profile in all the concerned clients.
Cheers,
Vikram
Pls reward for helpful replies!!

Similar Messages

How can I limit/control the addition of auth. objects to security roles?

Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certaing type of auth. objects and didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
Edited by: Armando Salas on Nov 29, 2011 7:41 PM

Hi Armando,
Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
I hope this helps you
Regards
Eduardo

Authorization objects for FM (EA-PS) after upgrade

Hi,
We are upgrading from ERP 4.6c to ECC 6.0 (IS-PS 462 to EA-PS 6.00).
On preliminary tests we have found that we need to add a few authorization objects to the users, but we want to minimize that.
We opted to deactivate BAdi implementation "FMBS_ADDON_AUTH_FI" and to mark the two checks inside IMG "Activate Old Authorization Check"
Although we have found authorization issues with objects:
F_FICA_FTR and
F_FICA_FCD
Is there a list of Objects that we need to add to the roles that I can review? or maybe an OSS Note or SDN article about this?
Best regards,
Nelson

Hi, I have been studying this, and I have found that the error message I saw yesterday definitely speaks to the problem I have been having.
I created a test role with one transaction, then went into SU24 for that transaction and made a new auth check with display 03. After I updated that role in PFCG (maintaining the new authorization), I went back to SU24, changed that new auth check by removing 03.
When I went back into the role in expert mode, the maintained authorization was gone and replaced with a new standard authorization with no values.
My concern is that wherever the authorization checks are coming from, their construction is corrupt! I'm not even sure that the original auth checks are OK -- if they had values that were later taken out, I am concerned that they will cause this error I am seeing.
I'm getting ready to upload the auth check tables from QA back to the Sandbox, but I'm not sure that will solve the problem if there is another cause for this. Is there some other setting/selection that someone must have clicked on that is now causing this problem? I still don't have a clear answer on that, and I would love to know.
Thanks,
Ed

Authorization objects for EA-PS after upgrade

Hi,
We are upgrading from ERP 4.6c to ECC 6.0 (IS-PS 462 to EA-PS 6.00).
On preliminary tests we have found that we need to add a few authorization objects to the users, but we want to minimize that.
We opted to deactivate BAdi implementation "FMBS_ADDON_AUTH_FI" and to mark the two checks inside IMG "Activate Old Authorization Check"
Although we have found authorization issues with objects:
F_FICA_FTR and
F_FICA_FCD
Is there a list of Objects that we need to add to the roles that I can review? or maybe an OSS Note or SDN article about this?
Best regards,
Nelson

Hi, I have been studying this, and I have found that the error message I saw yesterday definitely speaks to the problem I have been having.
I created a test role with one transaction, then went into SU24 for that transaction and made a new auth check with display 03. After I updated that role in PFCG (maintaining the new authorization), I went back to SU24, changed that new auth check by removing 03.
When I went back into the role in expert mode, the maintained authorization was gone and replaced with a new standard authorization with no values.
My concern is that wherever the authorization checks are coming from, their construction is corrupt! I'm not even sure that the original auth checks are OK -- if they had values that were later taken out, I am concerned that they will cause this error I am seeing.
I'm getting ready to upload the auth check tables from QA back to the Sandbox, but I'm not sure that will solve the problem if there is another cause for this. Is there some other setting/selection that someone must have clicked on that is now causing this problem? I still don't have a clear answer on that, and I would love to know.
Thanks,
Ed

New Authorization Objects after system upgrade

Hi All ,
I require the list of all new Authorization Objects that have been added to the system after System Update.
Regards
Anthony D'souza

Hi Jurjen Heeck ,
see my previous post
I did 'nt get this.
SAP_NEW is your friend here
does the SAP_NEW profile contains all the new authorization Objects.
Regards,
Anthony

Mass update to FILENAME field in S_DATASET authorization object

We are migrating to a new fileserver with a new hostname, and so I've been asked to update about 1900 instances of the S_DATASET authorization object for the new FILENAME value. I'd like to do this programmatically if possible.
What I've learned so far is that I need to update the value in table USR12, but the value is encoded. When I look at the table in SE16, I do not see the encoded value field. The value does show in UST12, but I'm told this is an unreliable table.
So I'd like to know..
1. How can I look at the value if not in SE16?
2. Is there an API I can use to encode/decode the value? If not, where is the specification on how to build it?
If this is better addressed in a different forum, which one should I try next?
Thanks,
Dan

Hi there,
Okay I started a few tests and made a bit of progress, but am running into the problem that if I don't check the authority first using the FM and want to test what happens when the user is not authorized, then the bugger dumps (as expected and mentioned in the note)...
But the behaviour as you have described:
>
> Path                   Saveflag Fs_noread Fs_nowrite Fs_Brgru
> =============================================================
> *                                 X         X            DUMY
> /temp/FI/..                       X         X            DUMY
> /temp/FI               X                                 FIFI
>
... is correct, and I found something interesting in the F1 on the spth-path field which explains this.
> Caution:
> - If you enter paths generically in the table SPTH, the most precise specification counts.
> - If you select the no-read or no-write fields in the table SPTH, this overrides the authorization group.
So, the DUMY is not needed as the check does not use it in those cases, and "/temp/FI/.." is anyway more specific than "*" so the system would have used it for DUMY anyway. But that is irrelevant... because if the begru field is empty in the FM, then the check is not performed.
So, the only check which is effective to protect the path, is:
Path                   Saveflag Fs_noread Fs_nowrite Fs_Brgru
=============================================================
/temp/FI               X                                           FIFI
... and the "fs_noread" and "fs_nowrite" flags should be understood as "no protectable authority to read" and "no protectable authority to write" and not the activity field which the authority is being checked against. This is coming from the S_DATASET check (which is already known at that time to the function module).
Using these flags, you can leave the entries in the table without having to delete them if you want to turn them off and on temporarily. Perhaps an "active / inactive" switch would have been clearer...
form CHECK_PERMISSION using ISPTH_HEAD type SPTH
                            MODE       type CLIKE
                            SUBRC      type SY-SUBRC.
data: ACTIVITY like AUTHB-ACTVT.
   SUBRC = 0.
   case MODE.
     when 'R'.
          ACTIVITY = '03'.
     when 'W'.
          ACTIVITY = '02'.
     when 'D'.
          ACTIVITY = '02'.
   endcase.
   if ISPTH_HEAD-FS_BRGRU <> SPACE. "Here it is... for BEGRU checks there must be a value...
      authority-check object 'S_PATH'
          id 'FS_BRGRU' field ISPTH_HEAD-FS_BRGRU
          id 'ACTVT'    field ACTIVITY.
       if SY-SUBRC <> 0.
          SUBRC = 3.
       endif.
   endif.
endform.
Cheers,
Julius

Authorization object for additional data of material

Hi,
in our Authorization there some user they can use MM01/MM02 only for specific
Maintenance Statuses - object M_MATE_STA (say L - Storage, X - Plant stocks, Z - Storage location stocks).
We also want, that this user are not allowed to change some additional data, but i don't know, if there
is some Authorization object.
Has anyone an idiea?
thanks.
Regards, Dieter

Have a look at M_MATE_MAN. Help text below:
Definition
This object determines whether a user is authorized to maintain material master data at client level.
Data at client level includes fields that cannot be maintained for each organizational unit (for example, for each plant or sales organization). It includes the following data in particular:
Material descriptions
Long texts (except sales texts and the material memo)
Units of measure
EANs
However, it does not include the objects of other applications that you can assign to a material when maintaining the material master record (for example, document assignment or classification) since separate authorizations can be given for objects of this kind.
Note
Even if a user does not have the authorization to display data at client level, the following data is still displayed for the material nevertheless:
Material descriptions and base unit of measure
Deletion flag on the initial Flag Material for Deletion screen
Defined fields
Fields Possible values Meaning
ACTVT 01 User may create data.
02 User may change data.
03 User may display data.
06 User may change deletion flags.
Edited by: Nick WW on May 27, 2011 9:27 AM

Update the authorization object value for more than 1000 role

I need to remove one of the activity value (06) from authorization object S_SCD0.
I do a search and found out that there are more than 1000 roles which having the activity value = 06 for authorization object S_SCD0.
However, I don't think I can create a SCAT script to update all these 1000 roles and I believe its going to be a very tedious if I am going to manually change it one-by-one. Hence, I am wondering is there any standard program/function which I can use to automate the above changes for all these 1000 over roles.
Kindly advise.
Thanks

Direct update the table is the easiest way, but should be discourage for the obvious reason.
Should take a step back, take a long term view, when you need to update 1000 roles, maybe a role redesign might be needed. For example, if you can change the role model to derive role model, once update to the parent role will take care of all the child role.
Thanks,
Lye

Authorization Object for Update Function Module

Hi
I have a Update Function Module and that FM should be executed based on the Authorization Object .
I had created a Auth Object with Proper roled assigned to user and i also did the following
AUTHORITY-CHECK OBJECT <Obj Name>
ID 'ACTVT' FIELD '38'.
If Sy-subrc EQ 0.
<Process the following>
End IF.
But the Auth Object is not working correctly like in the ebugging eventhough my role is not assigned to this Auth Object
it is giving me sy-subrc as 0 (but in my case it must be not be zero.)
Is it anything like Auth Object wont work on Update function Module or else is there any different approach we need to follow
to acheive the functionality .
Kindly share the inputs
K.Nadesh Kumar

Hi
The issue is resolved
K.Nadesh Kumar

Query on new Authorization Objects after Upgrade&SAP_NEW profile

Dear Experts,
We have upgraded our system from 4.5 to 7.0 version, i was checking what are the new authorization Objects introduced after upgrade comparing older system ojects. I got few objects which are new in upgraded system,
But when i check SAP_NEW profile, and in the latest profile SAP_NEW_7000 profile i can not see all those new Ojects which are new.
generally SAP_NEW should contain all new objects which come after upgrade? i can see those in SAP_ALL but not in SAP_NEW
is there any issue in system? how should I know and where should i check what are the new Objects come in upgrade,
Please advise.
Thanks#Regards,
Vijay

Hi Jurjen Heeck ,
see my previous post
I did 'nt get this.
SAP_NEW is your friend here
does the SAP_NEW profile contains all the new authorization Objects.
Regards,
Anthony

Addition of New Authorization Objects in DMS

Dear All,
How to add new authorization objects in DMS?
For ex: I have defined Projects in additional data through class/characterstics, now i want to bring that field in to authorization control and want control document creation with respect to characterstics values(Projects).
Looking for documents or step by step procedures
Kindly help me.
Thanks in advance
[email protected]

Hi
Im not so sure but you can create an Auth Key using BS52
You can add it to Auth obj of Class/ characteristic
You can get a list of auth obj in SUIM
Niranjan
Let me know if it helps...!!!

Open Authorization Objects in role after role Transport

Hi All,
I have transported a R/3 (ECC6, support) role from Dev to QA and Dev (Multiple clients). After transport, Role has authorization tab with status (green) but when i display authorization data i found one new open authorization object (yellow).
I already have generated profile before tranporting. Role is also okay in Dev other clients (We have multiple clients in Dev) with status green and no open authorizations (yellow)
Any feedback/suggestions ?
Thanks in advance
Khasim.

This happens when PFUD runs at the same time as you are generating the role. Refer to this note: 355030 - Loss of authorizations after profile generation. Another remote reason could be if your source (DEV) and target (QA) systems use different characters sets. (Note #535554).
If it is the former case, re-transporting your role may just be the solution for you. Just re-generate the role in DEV and initiate a new transport.
Hope this helps.
Ashutosh

Newly Created authorization Objects after SAP Upgrade

Can someone tell me whether there is any transaction or table that display the added object authorizations after a Sap Upgrade ?
Thanks in advance.

Also, you can check SAP_NEW profile which shows which authorization objects have been added in which release.

Need authorization object to update my authorization

Dear SDN's,
When i am double click to view the data sourse it is giving message
"You have no authorization for data source "
"You require authorization for the authorization object for the data source DW workbench - data source (Release>BW 3.X) wih the filed values stated above and activity 4 "
For the above authorization issue
which authorization object is required for updating my authorization ?
Thanks and Kind Regards,
Lakshman Kumar G

Dear Gaurav,
Thanks for the solution.
Is there any authorization object for replicate the data source ?
Thanks and Kind Regards
Lakshman Kumar G

Authorization objects in RAR not updated

Hi everyone,
i'm facing an issue with RAR (GRC 5.3, SP10): i've just imported the authorization objects from SAP (SE38 -> /VIRSA/ZCC_DOWNLOAD_SAPOBJ -> saved in UTF8 format), but when i look the function in the rule architet the authorization objects setting are not the same:
Example: in SAP the transaction F-04 needs the auth obj F_BKPF_BLA/BUK/KOA (i use transaction SU22 to check the auth obj) and the export file has the same settings:
F-04     F_BKPF_BLA     ACTVT
F-04     F_BKPF_BLA     BRGRU
F-04     F_BKPF_BUK     ACTVT     01
F-04     F_BKPF_BUK     BUKRS     $BUKRS
F-04     F_BKPF_KOA     ACTVT
F-04     F_BKPF_KOA     KOART     $KOART
In RAR the transaction F-04 is in the function AP01, AR01, AR02, GL01. The transaction has different settings in every function: in AP01 there is only F_BKPF_KOA in status active, in AR01 there are F_BKPF_BUK and KOA in status active,...
I re-generated all the rules, but the settings are still the same.
I think the settings must be the same.
Am i right?
Thanks in advance!
Luigi

Luigi,
The function has all the associated auth objects, right? All the auth objects/permissions may not be enabled in the function. As you are using standard SAP ruleset, SAP has determined that the combination of F-04 and associated enabled auth objects create violation when assigned with another set of tcodes and auth objects. You can always enable all the auth objects if that is what makes sense as per your business.
Can you go through the RAR config guide to get an understanding on this?
Regards,
Alpesh

Update after addition of authorization objects

Similar Messages

Maybe you are looking for