Urgent - create Standard Authorization Roles

Similar Messages

• Standard authorization role for CRM implementation team member

  Hello,
  We are starting SAP CRM implementation project (7.0) and I would like to avoid giving sap_all authorizations to functional consultants in development environment. Unfortunetly I can't find standard customizer profiles like the ones in ERP system exists.
  So the objective is to have quite broad role or profile with no restrictions in customization and functional area. However it's important not to have Basis authorizations in this role/profile. Hope that someone can give me a hint in this direction.
  Thnak you,
  Jahoo

  Hi,
  as soon as the implementation team member should also do developments my experience is that without SAP_ALL you will have much trouble. Therefore in our dev-system each consultant will have SAP_ALL authorization. Of course only in the DEV-System.
  Kind regards
  Manfred

• How to create a authorization role for new Multiprovider

  I have a new InfoCube and a new Multiprovider on top of that cube. I would like to find how to create a role for new New Multiprovider. Can someone please provide me the step by step procedure to do this.
  Thanks
  Arjun

  Hi,
  You can check if there is a log when creating virtual machines. Hyper-V event logs are stored in the Event Viewer under "Applications and Services Logs", "Microsoft", "Windows". If yes, you can create a event rule monitor for that.
  http://technet.microsoft.com/en-us/library/hh457593.aspx
  Niki Han
  TechNet Community Support

• Authorization role - Purchase Order by Material Groups

  Hello experts,
  I would like to create an authorization role where he could limit the creation of purchase orders by material groups. However, I checked all the authorization and noticed that at the level of purchases there is no authorization that allows me to such behavior. Is there any way to limit the creation of purchase orders for material group, that is, I have two material groups, and intend to have a function that only allows me to create purchase orders with materials of material group X and another function that only allow me to create purchase orders with materials of material group Y.
  To limit the creation of material master by material group I used authorization:
  Materials Management: Master Data                            MM_G
  Material Master: Material Groups                             M_MATE_WGR
  There exist any authorization to use for Materials Management: Purchasing - MM_E that allows me to limit the purchase orders by materials group?
  Thanks in advance,
  Best regards,
  José Pereira

  Hi,
  There is not such Authorisation Object in Standard SAP which will control the PO creation/change/display based on Material Groups.
  You need to create a Z-Authorisation object in T-code SU21 under Object Class MM_E and then same to be added for T-Codes ME21N/ME22N/ME23N.
  And then you need to call user exit or BAdi (ME_PROCESS_PO_CUST) and call this object with help of ABAPer.

• Authorization Role for S_ALR_87099918

  Hi all,
  I am not sure if this is the right place to post this one (if it is not, please tell me which one is, i have tried to search the forum, but can't seem to find the place to post about this "security" problem)
  Currently having a trouble while creating the authorization role for transaction s_alr_87099918 (primary cost planning : depreciation / interest).
  I have already maintained the authorization objects:
  -  A_A_VIEW and
  - A_PERI_BUK
  Checked with Su53, but no missing authorization object or anything
  While executing the transaction, the system said "no records were found", when i execute it with another ID, there are results. I have checked the parameter input-ed, both are already the same.
  I am wondering if anyone has ever experienced this before? 
  What can be the possible cause and the solution?
  Thank you so much
  Regards, Erwin
  Edited by: Erwin Hartono on Dec 3, 2010 9:39 AM

  Sorry, my deepest apologies, i think i found the right place to post this

• Creating standard roles transaction

  Hello,
  Please let me know transaction code of standard roles creation in SAP Business Workflow.
  Regards,
  Amey

  Create Roles 
  The role also contains the authorizations users need to access the transactions, reports, web-based applications and so on, contained in the menu.
  You can assign a role to an unlimited number of users.
  Procedure
  To create a single role:
  1.     Choose the pushbutton Create role or the transaction PFCG in the initial transaction SAP Easy Access. You go to the role maintenance.
  2.     Specify a name for the role.
  The roles delivered by SAP have the prefix 'SAP_'. Do not use the SAP namespace for your user roles.
  SAP does not distinguish between the names of simple and composite roles. You should adopt your own naming convention to distinguish between simple and composite roles.
  3.     Choose Basic maintenance (in the Profile, Other objects menu).
  4.     Choose Create.
  5.     Enter a meaningful role description text. You can describe the activities in the role in detail.
  You may use an existing role as a reference.
  6.     Assign transactions, programs and/or web addresses to the role in the Menu tab. The user menu which you create here is called automatically when the user to whom this role is assigned logs on to the SAP System. You can create the authorizations for the transactions in the role menu structure in the authorizations tab.
  If you want to call the transactions in a role in another system, enter the RFC destination of the other system in the Target system field.
  You should only use RFC destinations which were created using the Trusted System concept () to guarantee that the same user is used in the target system. This is only necessary if you want to navigate via the Easy Access Menu in the SAPgui.
  If you use the Workplace Web Browser, you can use any destination containing a logical system with the same name.
  If the Target system field is empty, the transactions are called in the system in which the user is logged on.
  You can also specify a variable which refers to an RFC destination. Variables are assigned to the RFC destinations in the transaction SM30_SSM_RFC.
  To distribute the role into a particular target system, specify the target system (its Release must be 4.6C) and choose Distribute. This function is most useful when you use the Workplace.
  You can create the user menu:
  o     from the SAP menu
  You can copy complete menu branches from the SAP menu by clicking on the cross in front of it in the user menu. Expand the menu branch if you want to put lower-level nodes or individual transactions/programs in the user menu.
  o     from a role
  this function copies a defined role menu structure in the same system into the current role. You can also copy the menu structure of a role delivered by SAP. Click on the menu branches and copy them.
  o     from an area menu
  You can copy area menus (SAP Standard and your own) into a role menu. Choose an area menu from the list of menus and copy the transactions you want.
  o     Import from file
  See Upload/Download roles.
  o     Transaction
  You can put a transaction code in the user menu directly.
  o     Program
  This function puts programs, transaction variants or queries in the user menu. They need not be given a transaction code.
  ABAP Report
  Choose a report and a variant. You can skip the selection screen.
  You can generate a transaction code automatically and copy the report description by setting checkboxes.
  SAP Query
  Enter a user group and query name. If the query has a variant, you can specify it. You can also specify a global query. See  Query work areas.
  Transactions with variants
  The system administrator can create transaction variants in the SAP System  Personalization. Transaction variants adjust complex SAP System transactions to customer business processes, by e.g. hiding superfluous information and adding other information such as pushbuttons, text or graphics. You can put a transaction variant call in a user menu by entering the transaction code and variant which you created in the transaction SHD0.
  BW report
  Include a Business Information Warehouse report. Enter the report ID.
  ReportWriter, Search, Report
  These function put other application-specific report types in the user menu.
  o     Others
  Enter other objects:
  Web address or file
  Enter internet/intranet links with a descriptive text and the web address. You can enter a file name if the browser can call an application.
  Drag and relate component
  Enter the component name.
  Knowledge Warehouse link
  Use the Document field possible entries help. Choose the information object type. You go to a selection screen in which you can search for the object in the Knowledge Warehouse.
  There are other pushbuttons for editing the user menu. Choose a menu entry with the cursor before you call one of the following functions.
  Function:     Meaning
    Create folder
  Group transactions, programs, etc. in a folder
    Change node text
  Change a menu entry text
    Move down
  Move a menu entry down one place
    Move up
  Move a menu entry up one place
    Delete nodes
  Delete a menu entry
  Any subnodes are also deleted.
    Delete all nodes
  Delete the complete role menu
    Translate node
  Translate a menu entry
    Documentation
  Display the documentation of transactions, programs, etc.
    Find doc.
  Find programs
  You can restructure the menu by Drag & Drop.
  The Menu tab status is red if no menu nodes are assigned. If at least one menu node is assigned, the status is green.
  You can assign Implementation Guide (IMG) projects or project views to a role under Utilities  Customizing auth. Do this to generate IMG activity authorization and assign users. The authorization to perform all activities in the assigned IMG projects/project views is generated in profile generation. You make the assignments in a dialog box. Choose Information to display more information on using this option.
  7.     Save your entries.
  You have created a role.

• How to create authorization role for just displaying query prefix Q and X.

  Hi Expert,
  I hope someone can help me on how to create authorization role for just displaying and executing  BEX  Queries prefix Q and X. I'm currently using SAP BI 7.1.
  Actually, I already created one role called : Z_FORINDO_ONLYDISPLAY_QX
  where I only put in the Authorization Component (in the Role Maintenance - Tcode 'pfcg'):
  -->Manually Business Information Warehouse
      --> Manually Business Explorer - Components
  Activity : Display, Execute, Enter, Include, Assign
  InfoArea : *
  InfoCube : *
  Name(ID) of a reporting component : *
  Type of a reporting component : Calculated key figure, Restricted key figure, Template structure
      --> Manually Business Explorer - Components
  Activity : Display, Execute
  InfoArea : *
  InfoCube : *
  Name(ID) of a reporting component : Q* , X*
  Type of a reporting component : Query
  But, the problem is I still can make changes on that queries (Q* and X*). Even, I still can run query with prefix Z. I use S_RS_RREPU Tamplete for Query Display and execution.
  Please assist. Very much appreciate your help. Thanks.
  Edited by: nadiyah salleh on Mar 18, 2008 11:22 AM

  Question close. This issue has been resolved.

• Basic steps in creating an authorization group/role?

  Hi,
  What are the basic steps followed in creating an authorization group and role?

  HI,
  http://help.sap.com/saphelp_wp/helpdata/en/52/6714b6439b11d1896f0000e8322d00/frameset.htm
  Steps,
  Go to PFCG
  Enter role name say ZSALES ORDER PROCESSING and click on single role
  Enter discription and save
  Then click on MENU tab,then click on transaction and maintain t-codes like VA01,VA02,VA03 and click on assign transactions and save
  Then click on AUTHORIZATION tab and click to Change autorization data,then it will ask for orgz. level maintain orgz.data or click on FULL Authorization
  Then you can able to see modules from where the the transaction code belongs(SD)
  Expand it to lower level node and maintain autorization for Perticular sales document, sales area
  Then save and click on GENEREATE ICON (Shift+F5)
  Now go to tab USER and assign users
  Click on user comparision >> Complete comparision
  Now when the assigned user log in syatem system will display this role for user and he/she may authorization for perticular sales document and sales area depending uppon your authorization provided in this role.
  You can see existing roles and copy from existing one
  kapil

• How to add authorization field to a standard authorization object

  Hi All,
  I'm trying to limit user to can only create & change X type of order type in PM module. This can be fullfill by creating suer with assigned role with only allow X type of order type.
  But when I assigned a display role which has authorization to display all order type (maintained as authorization object), now my user can create and change all order type.
  How to limit user to can only create & change X order type and only display the rest of order type?
  I assume by adding authorization field: AUFART(order type) in authorization object: I_TCODE will solve the problem, is it right? and is it possible to do that?
  regards,
  Andre

  Hi,
  your assumption is incorrect. First of all, adding a new field to standard authorization object is a bad idea. You would have to modify all checks for that object. For standard SAP object it means that you would have to modify many SAP programs.
  The authorization object I_TCODE is checked in PM transactions. It gives you authorization to run that transactions. That object can't be used to limit what you do in that transaction or what order type you can process. You are looking for some other authorization object(s). You need to go to SU24 which gives you what authorization objects are checked in particular transaction. It does not have to cover all objects but it's a good starting point.
  Cheers

• What is standard authorization object for  Personal development  P_PLOG

  Hi,
  Recently i got a object in HR and i dont have any experince in HR.Could you guide me how to asssign standard authorisation object for the personal development p_plog? how to see the infotypes and what is the header field in innfotypes?

  1-First of all the object is "PLOG"  for personal planning. There’s no object with  p_plog , most of time to maintain HR master we use object P_ORGIN.
  2- You want to assign authorization for certain infotypes?
  if yes, you have to go TR.PFCG  and assign the authorization to that specific role.
  Now you might have question , how you’ll will track down the roles against the authorization object .
  There’re several ways , you can go to Tr.SUIM and find reports by user , roles etc.
  You can also go SE16-> give table AGR_1251, give object and you can see the values in table.
  After finding the suitable roles you can go to PFCG and assign the values to the roles.
  As a good practice its better to create your OWN role Z:hrXXXX and assign it to users.
  Hope this’ll give you idea!!
  <b>P.S award the points.</b>
  Good luck
  Thanks
  Saquib Khan
  "Knowledge comes but wisdom lingers!!"

• Standard authorization object for Infotype 41

  hi
  Just wondering did anyone came across standard profile that can define access based on date types?
  thanks

  1-First of all the object is "PLOG"  for personal planning. There’s no object with  p_plog , most of time to maintain HR master we use object P_ORGIN.
  2- You want to assign authorization for certain infotypes?
  if yes, you have to go TR.PFCG  and assign the authorization to that specific role.
  Now you might have question , how you’ll will track down the roles against the authorization object .
  There’re several ways , you can go to Tr.SUIM and find reports by user , roles etc.
  You can also go SE16-> give table AGR_1251, give object and you can see the values in table.
  After finding the suitable roles you can go to PFCG and assign the values to the roles.
  As a good practice its better to create your OWN role Z:hrXXXX and assign it to users.
  Hope this’ll give you idea!!
  <b>P.S award the points.</b>
  Good luck
  Thanks
  Saquib Khan
  "Knowledge comes but wisdom lingers!!"

• Best practice for standard security role

  Hi, I'd like to know which is the best practice for standard role use, some people tell me that a standard role should never be used, that a copy must be made and assign the users to the copy, but then, why should SAP bother creating the standard role?

  They are provided as a template for you, and you can copy them into a different namespace and make changes there before generating the profiles and authorizations.
  Why you should use a copy of them is because SAP will also update them sometimes. If transactions change in the standard menues with SP's and upgrades, then you will find them in transaction SU25.
  If you do a search on "standard AND roles" in the SDN then you will also find more detailed infos and opinions on the use of them.
  Cheers,
  Julius

• Best practices / preferred usage of SAP standard (delivered) roles

  Dear Experts,
  When going about designing roles for a new system, what is the preferred usage on SAP standard/delivered roles?  I was thinking of using them as a "base", then tweaking auth objects here and there to make the roles work but the more I work with them, I find it may be better to create roles entirely from scratch.  A lot of the time, I find a lot of inactivated auth objects or objects that seem to not really be needed when looking at the t-codes offered in the menu (S_TCODE).
  In that case, I figured it might be cleaner if I started creating roles and adding t-codes via the Menu and maintaining only the auth objects that are proposed in PFCG (and adding a few if necessary).
  Do people typically build their roles around these the standard SAP role set or is it preferred to create your own and only use the SAP standard roles as reference (i.e. the t-codes offered in the menu, etc.)?
  Thanks for any insights!

  > When going about designing roles for a new system, what is the preferred usage on SAP standard/delivered roles?
  Those are provided by SAP as a reference so that you can consult with the Authorization Structure of a Standard Position / Task for which you are going to create your own role. For e.g. what are the TCodes, values of Objects should be given to users for their tasks.
  I was thinking of using them as a "base", then tweaking auth objects here and there to make the roles work but the more I work with them, I find it may be better to create roles entirely from scratch.
  Absolutely! Please do not use SAP delivered roles for you use and also don't try to alter any values.
  A lot of the time, I find a lot of inactivated auth objects or objects that seem to not really be needed when looking at the t-codes offered in the menu (S_TCODE).
  >
  > In that case, I figured it might be cleaner if I started creating roles and adding t-codes via the Menu and maintaining only the auth objects that are proposed in PFCG (and adding a few if necessary).
  >
  > Do people typically build their roles around these the standard SAP role set or is it preferred to create your own and only use the SAP standard roles as reference (i.e. the t-codes offered in the menu, etc.)?
  >
  Yes.. as reference.. as you say..
  Regards,
  Dipanjan

• How to get standard authorizations  saritha reddy

  Hello Basis Gurus.
  iam using one month trail version of crm 5.0.
  my client is 100. i entered password wrong then the login failed. then i entered thru 066 and 000 clients. but its not allowing me to copy any standards. its says u r not authorized . i entered thru 066 client and created a new Id thru su01. but the same problem its not allowing me to copy any standards .
  Pls tell me how to log on to 100 client or how to get standard authorizations.
  pls give me u r valuable solution to me problem
  Many Thanks
  saritha
  [email protected]

  Hi
  See the doc related to Authorization concept and do accordingly
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a  profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  <b>Reward points for useful Answers</b>
  Regards
  Anji

• When to create new authorization objects

  Hi Experts,
  I am learning SAP Security.
  I have one question , what is the necessity of creating new authroization field and object , when SAP gives a huge list of objects /fields.
  Is there any reason behind like, whenever a customised transaction is created, a new authorization object or filed has to be created?
  Regards,
  Rekharaj

  Trick is to find not only a standard authorization object with the same field you are looking for, but an object already assigned to the users with those roles with the same semantic for all it's fields - so that you can simply reuse the existing concept which is also assigned to the sets of users.
  Often you will find "base" function modules and classes you can use to do all that work for you. Just call them at the correct location in the code and dont forget to check the return code and react to it.
  If you use BAPI APIs to access or process data, then many of them make these same semantically correct checks "out of the box".
  Cheers,
  Julius