User List for a specific Authorization Object

Hi all,
I am looking for a way to get a list of all users assigned to a specific Authorization Object with specific values. The FM 'authority_check' is the other way around and not what I need. Does someone have an idea?
Many thanks in advance.
Ali

Hi,
Try this FM
SUSR_USER_AUTH_FOR_OBJ_GET
Check this FM
AUTHORIZATION_DATA_READ_SELOBJ
Rgds,
Prakash
Message was edited by: Prakashsingh Mehra

Similar Messages

  • BAPI to get all user lists for input object,authorizations, and profiles

    Hi Experts,
    BAPI to get all user lists for input specific object, authorizations, profiles and values?
    Any useful answer will be rewarded with suitable points.
    Thanks,
    Rohan

    Hi
    use the fun module/Bapi's
    BAPI_USER_GET_DETAIL
    BAPI_USER_LOCPROFILES_ASSIGN
    BAPI_USER_LOCPROFILES_DELETE
    BAPI_USER_LOCPROFILES_READ
    BAPI_USER_PROFILES_ASSIGN
    BAPI_USER_PROFILES_DELETE
    SUSR_BAPI_USER_PROFILES_ASSIGN
    SUSR_BAPI_USER_PROFILES_DELETE
    also you can use the tables UST12 for user based authorizations
    AGR_USERS   -roles assignment for users
    AGR_PROF  - Profile data for roles
    AGR_DEFINE - Auth Profiles for users
    See the AGR_* and US* tables further
    Reward points if useful
    Regards
    Anji
    Message was edited by:
            Anji Reddy Vangala

  • Restricting Authorization for a specific Info-object

    Dear All,
    I have a scenario where I have to restrict the account managers by specific channels.
    I have 2 info-objects, Sold-to party and Sales Channel. Sales Channel is defined as attribute of the Sold-To Party info-object.
    I was exploring the BI authorizations concept in SCM 2007.
    I created a authorization called "Test" and assigned the info-object Sales Channel in the authorization and restricted it for one value. This authorization along with 0BI_ALL I have added to the role under BI authorizations.
    However in interactive demand planning, I cannot restrict by the sales channel. It allows me to load data for all the channels.
    If I remove 0BI_ALL object, then I cannot load anything in interactive planning.
    Does anyone have a step by step procedure for using the BI authorization concept?
    Regards,
    Kedar

    Yes, 0TCAACTVT (activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (validity) have to be made authorization relevant. For the info objects you want to use to control security, also make them authorization relevant in RSD1, imagine the object you want relevant is ZZ_VKORG (sales organization).
    Then use RSECADMIN transaction and 0BI_ALL will include the objects from above, copy 0BI_ALL into a object such as Z_1000 and then change the value for the specific info object that you want to control, imagine that you want sales org 1000 only to be allowed within Z_1000.
    Now, you have 2 choices: You can use the normal security maintenance (SU01, PFCG) and you can assign RSRS_AUTHBIAUTH and set BIAUTH equal to Z_1000 or you can use user maintenance directly within RSECADMIN and assign Z_1000 to the user. Either way, it becomes part of the authorization of the user.
    You may find that you need to introduce colon authorization concept (for mixed levels of data) and that is just a matter of adding a second line to the allowable values and setting it like "EQ :".
    Things to consider:
    1. This authorization concept is water tight and will do everything you need, but will do at the expense that if you don't model it first, you will kill yourself trying to make it right. This becomes evident when you trace a security issue (via RSECADMIN) because the way BI7.0 works is that it will build a minimized superset of authorizations, so it is best to know where you want to get to, rather than starting off by where you know you need to go.
    2. To control change or display mode, you will need to influence 0TCAACTVT, even though you might think to use C_APO_SEL3 for ACTVT, the BI7.0 concept works within the BI space and 0TCAACTVT doesn't impact it.
    3. If you activate more info objects, 0BI_ALL will get updated automatically but your custom authorization objects will not. So, it is best to activate them all at the same time so that you don't have to manually change them.
    4. Do the work in development and transport it to the TEST/QA/PROD environments, there are transport tools within the RSECADMIN.
    This is probably enough to get you going, reply back if you have specific questions or issues.
    I've been thru this in a painful way, sometimes the best things learned are learned the hard way

  • Error for customer specific Authorization check (User Exit)

    Dear Experts,
    I am facing a problem in PM.
    I have created a maintenance plan for calibration via t code IP42 and mentioned the order type PM05. Scheduling is done for the order. I got the order number.
    I have released the order and got the inspection lot number.
    While entering the results recording through t code QE17, the results are out of the specified range, I have given the valuation Rejected, immediately system is giving an error message as below:
    "Error for customer specific Authorization check (User Exit)"
    Though there is no user exit activated in the system, this message is coming and not allowing the result recording for rejection.
    If I'm entering the result recording within the specified range, then valuation is Accepted and its allowing to save.
    I have checked the following user exits:
    QQMA0002: QM: Authorization Check for Entry into Notif. Transaction
    QQMA0026: PM/SM: Auth. check when accessing notification transaction.
    The above 2 User Exits are not active.
    I have also checked a note 429066. But it says in case of any dump for that user exit only its applicable and moreover the current version of the system is ECC 6.0 package 15, whereas that note is applicable up to 4.6C.
    Please some one help me on this issue.
    Thanks and Regards,
    Praveen.

    Dear Pete,
    I have checked with my technical team, There is no hotpacks updated recently. This is the implementation project I'm in, so performing the cycle for the first time.
    Any how I got it solved, in T code QE17, after entering the Inspection lot in next screen goto menu path Settings - User settings - Defects recording mention the report type and tick on Report type Changeable.
    At the time of result recording if the valuation is Rejected then it ask for defects recording close that window if not required then save, the error message no longer appearing now.
    Regards,
    Praveen

  • Issue with context specific authorization object P_ORGINCON.

    Hello Experts,
    The context specific authorization object doesn't evaluate the
    structural profile it is assigned to when more than one structural
    authorization is assigned to a user.
    Please read the below scenario for issue description as follows:
    User ZHR_ACT13 is assigned two roles namely ZHR_HRD and ZHR_DEPT_HEAD.
    He is the manager for employee ID 167 and is not the manager of employee ID 17.
    Role ZHR_HRD has no read/write authorization for Infotype 6. ZHR_HRD is also assigned to structural authorization ALL which is meant for viewing all the objects with no restriction of any relationship.
    Role ZHR_DEPT_HEAD has read authorization for infotypes 6 for only the subordinates i.e. the structural authorization ZDEPT_HEAD of viewing only the subordinates data is assigned to this role. Also this structural authorization ZDEPT_HEAD is assigned to infotype 6 using
    authorization object P_ORGINCON.
    But now the manager ZHR_ACT13 is able to read infotype 6 data for employee ID 17 who is not his subordinate even though only structural authorization ZDEPT_HEAD is assigned to infotype 6 using P_ORGINCON. We
    expect that user ZHR_ACT13 must be able to read infotype 6 data only for employee ID 167 and not for employee ID 17.
    Please kindly help resolve this issue.
    Thanks & Regards,
    Roshan.

    This has been resolved.

  • The scope of the customer-specific authorization object

    Dears,
    Could someone please feedback about the scope of the customer-specific authorization object; e.g. if we are to create a customer-specific authorization object to replace authorization object P_ORGIN in the HR module, to be able to add an extra authorization field to the newly created authorization object, the scope of the newly create authorization object (which will have a new validation code generated by report RPUACG00) will be the whole ERP system ? 
    The worry is caused by the fact that P_ORGIN is already used in several authorization roles granted to users in the different ERP modules (i.e. FI, SD, MM, CS), so the replacement would affect these modules.
    Thanks.
    Reda

    Hello Reddy,
    We are about to implement the HCM module (We are now in the testing
    phase), on the same client as that of our SAP ERP implementation.
    We need to authorize on the personnel number grouped by 'Payroll Area'
    in transactions PA30, PA40
    In authorization object P_ORGIN, the field VDSK1 is already used to
    authorize on an attribute : cost center (organizational key) for each
    organizational unit, so we can't configure it to authorize on other
    fields from info type 0001 (e.g. Payroll Area).
    We need to continue using the conventional / general authorization and
    not the structural authorization, to stay in compliance with our
    authorization schema already implemented in our FI, MM, SD & CS modules.
    ( Also, as per thread : Steps for creating structural authorization profile using trans. OOSP
    the structural authorization cannot be used to authorize on Payroll Area.)
    We need to go through the HR module implementation without any changes
    in the ABAP code.
    So, the last way out is the custom-specific authorization object, and as I mentioned before, the authorization object P_ORGIN was already used in other ERP modules; e.g. FI, MM, SD & CS,
    ( Note : I haven't started yet implementing this solution.)
    Thanks.
    Reda

  • Error in eRecruitment configuration step Define user list for support teams

    Hi Erecruitment experts,
    I am new to SAP Erecruitment and trying to get the system running in ERP 6.00 with EP7.
    When I progress the customising steps under technical settings -->User administration --> Define user list for support teams, I am facing problem of ABAP Dump.
    It says
    Error in the ABAP Application Program
    The current ABAP program "SAPLHR_RCF_CUST_01" had to be terminated because it
    has come across a statement that unfortunately cannot be executed.
    Key words are
    "MESSAGE_TYPE_UNKNOWN" " "
    "SAPLHR_RCF_CUST_01" or "RCF_CUST_F01"
    "CHECK_VALID_USR"
    I think there is a link between Object types CP, BP and relation ships A650, A209 etc in this process.
    Can some one guide me how to overcome this error.
    Tks
    Dhina

    Hi all
    I got them fixed, as they are due to BP creation integration issue.
    Thanks and regards
    Dhina

  • To create a mailing list for a specific ou

    Dear all,
    I am trying to define an emailing list for a specific ou members! using dynamic ldap search filters!
    I have already working lists for all domain, and for static lists! but not a restricted dynamic ldap :(
    I used many queries and all result with:
    Your message cannot be delivered to the following recipients:
    Recipient address: [email protected]
    Reason: no addressees: [email protected]
    The queries I used are many:
    ldap:///dc=ju,dc=edu,dc=jo??sub?(&(objectclass=inetMailUser)(ou=eman ou))
    or
    ldap:///dc=ju,dc=edu,dc=jo??sub?(&(|(objectclass=person)(objectclass=groupofuniquenames))(ou=eman ou))
    In the provisioning guide there is a paragraph that I didn't understand!
    NOTE iPlanet Messaging Server also supports dynamic lists based on the attribute memberURL from the objectclass groupofurls. Netscape
    Directory Server 4.x allows creating of dynamic groups using this attribute and messaging server can take advantage of any groups that may have already been defined using memberURL.
    version of our messaging server and we don't have delegated administrator installed yet?!!:
    iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)
    libimta.so 5.2 HotFix 1.21 (built 18:35:22, Sep 8 2003)

    You do not need to have iDA installed to use dynamic groups. In fact, iDA does not deal with dynamic groups.
    There is a whole series of pages in the Admin guide:
    http://docs.sun.com/source/816-6009-10/users.htm#15141
    about creating dynamic groups. Let's give that a try, please.

  • Querying roles containing specific Authorization Object

    Hello!
    We're using BI7 with new considerations about security. I want to get all roles that contains a specific Authorization Object, I've tried using TX SUIM, but had no success.
    Is there any report, transaction or something else where to find this info?
    I hope you can help!
    Regards!
    Bernardo

    Bernardo,
    If "new security model authorization objects" means analysis authorizations (SAP's official naming for objects maintained by RSECAUTH), those used in roles can be retrieved again using tcode SE16: just query AGR_1251 but this time providing S_RS_AUTH for field OBJECT. The result set shows roles that contain analysis authorizations. If you want only the roles which have specific analysis authorization, just provide its name for field LOW. Be sure to fill in this field with all capital letters.
    On the other hand table RSECVAL keeps the values defined for analysis authorizations.
    Hope this helps.
    Regards,
    Fernando
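
The AGR_1251 lookup described above, taken one step further to users by joining AGR_USERS, written as an added example that is not part of the original thread. It runs over constructed rows shaped like SE16 exports; the columns HIGH, AUTH, DELETED, UNAME, FROM_DAT and TO_DAT, the role names and the user names are assumptions about such an export.

```python
from collections import defaultdict

COLS_1251 = ("AGR_NAME", "OBJECT", "AUTH", "FIELD", "LOW", "HIGH", "DELETED")
COLS_USERS = ("AGR_NAME", "UNAME", "FROM_DAT", "TO_DAT")

# Constructed sample rows, shaped like SE16 exports of AGR_1251 and AGR_USERS.
AGR_1251 = [dict(zip(COLS_1251, r)) for r in [
    ("Z_BI_SALES_1000", "S_RS_AUTH", "T-A1", "BIAUTH", "Z_1000", "", ""),
    ("Z_BI_WILD", "S_RS_AUTH", "T-A2", "BIAUTH", "Z_*", "", ""),
    ("Z_BI_OLD", "S_RS_AUTH", "T-A3", "BIAUTH", "Z_1000", "", "X"),  # inactive
    ("Z_MM_PLANT", "M_MATE_WRK", "T-B1", "ACTVT", "03", "", ""),
    ("Z_MM_PLANT", "M_MATE_WRK", "T-B1", "WERKS", "1000", "1999", ""),
    ("Z_MM_PLANT", "M_MATE_WRK", "T-B2", "ACTVT", "02", "", ""),
    ("Z_MM_PLANT", "M_MATE_WRK", "T-B2", "WERKS", "3000", "", ""),
]]
AGR_USERS = [dict(zip(COLS_USERS, r)) for r in [
    ("Z_BI_SALES_1000", "ALICE", "20240101", "99991231"),
    ("Z_BI_WILD", "BOB", "20240101", "20240630"),      # assignment has expired
    ("Z_BI_WILD", "CAROL", "20240101", "99991231"),
    ("Z_BI_OLD", "DAVE", "20240101", "99991231"),
    ("Z_MM_PLANT", "ALICE", "20240101", "99991231"),
]]


def covers(low, high, wanted):
    """True if one LOW/HIGH row covers the wanted field value."""
    if high:                                  # interval LOW..HIGH, compared as text
        return low <= wanted <= high
    if low.endswith("*"):                     # '*' alone or a prefix such as 'Z_*'
        return wanted.startswith(low[:-1])
    return low == wanted


def roles_granting(role_rows, obj, wanted):
    """Roles with one authorization of `obj` covering every field in `wanted`."""
    per_auth = defaultdict(lambda: defaultdict(list))
    for r in role_rows:
        if r["OBJECT"] == obj and r["DELETED"] != "X":
            per_auth[(r["AGR_NAME"], r["AUTH"])][r["FIELD"]].append((r["LOW"], r["HIGH"]))
    # All wanted fields must match inside the SAME authorization (AUTH),
    # not be pieced together from different authorizations of the role.
    return sorted({
        role for (role, _auth), fields in per_auth.items()
        if all(any(covers(lo, hi, val) for lo, hi in fields.get(fld, []))
               for fld, val in wanted.items())
    })


def users_with(role_rows, user_rows, obj, wanted, on_date):
    """Map each user to the roles granting `obj`/`wanted`, valid on YYYYMMDD date."""
    roles = set(roles_granting(role_rows, obj, wanted))
    found = defaultdict(set)
    for u in user_rows:
        if u["AGR_NAME"] in roles and u["FROM_DAT"] <= on_date <= u["TO_DAT"]:
            found[u["UNAME"]].add(u["AGR_NAME"])
    return {user: sorted(r) for user, r in sorted(found.items())}


if __name__ == "__main__":
    print(users_with(AGR_1251, AGR_USERS, "S_RS_AUTH", {"BIAUTH": "Z_1000"}, "20250101"))
    print(users_with(AGR_1251, AGR_USERS, "M_MATE_WRK",
                     {"ACTVT": "02", "WERKS": "1500"}, "20250101"))
```

This only sees authorizations that come from role assignments; profiles assigned to a user directly are not in the AGR_* tables and need the US* tables mentioned elsewhere on this page.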

  • BAPI for creation of Authorization Objects in BI 7.0

    Hi BW Gurus,
    Greetings!!!
    Is there any BAPI Available for creation of Authorization Objects in BI 7.0.
    The data will be transferred through flatfiles.
    Kindly provide me the info as earliest as possible.
    Best Regards,
    Priya

    Got the Workaround...
    Priya

  • How to find user exits for a specific field

    Hi,
    How can we find a user exit for a specific field?
    As I know, three ways to search user-exits:
    1. SE80 look includes in a packages with name user-exits
    2. by zreport which will fetch user-exit in a T-CODE
    3. SMOD
    but what if we have to find a user-exit for particular field for e.g bupla (business place) in MIRO.
    Please suggest me.
    Thanks and  Regards ,
    Rahul Singh.

    Hi Rahul,
    Here is the procedure to create field exits.
    Step by step procedure for creating Field Exits
    There are eight steps to creating a field exit:
    Step 1: Determine Data Element
    Step 2: Go To Field Exit Transaction
    Step 3: Create Field Exit
    Step 4: Create Function Module
    Step 5: Code Function Module
    Step 6: Activate Function Module
    Step 7: Assign Program/Screen
    Step 8: Activate Field Exit
    Step 1: Determine Data Element
    • Before you can begin adding the functionality for a field exit, you must know the corresponding data element.
    Step 2: Go To Field Exit Transaction
    • The transaction to create field exits is CMOD.
    • You can use the menu path Tools -> ABAP/4 Workbench -> Utilities -> Enhancements -> Project management.
    • From the initial screen of transaction CMOD, choose the Text enhancements -> Field exits menu path.
    • After choosing this menu path, you will be taken to the field exits screen. From here, you can create a field exit.
    NOTE : Even though you use transaction CMOD to maintain field exits, you do not need to create a project to activate field exits.
    Step 3: Create Field Exit
    • From the field exit screen of transaction CMOD, choose the Field exit -> Create menu path.
    • After choosing this menu path, a dialog box will prompt you for the appropriate data element.
    • Enter the data element name and click the 'Continue' pushbutton.
    • Now, you will be able to create the function module associated to the data element's field exit.
    Step 4: Create Function Module
    • You will automatically be taken to the Function Library (SE37) after entering a data element name and clicking the 'Continue' pushbutton.
    • In the 'Function module' field, a function module name will be defaulted by the system based on the data element specified. This name will have the following convention:
    FIELD_EXIT_<data element>
    • You can add an identifier (an underscore followed by a single character).
    • The first function module for a data element's field exit must be created without an identifier.
    • To create the function module, click on the 'Create' pushbutton, choose menu path Function module -> Create, or press 'F5'.
    • After choosing to create the function module, you will get the warning: "Function module name is reserved for SAP". This message is just a warning so a developer does not accidentally create a function module in the field exit name range. By pressing 'Enter', you will be able to go ahead and create the function module.
    • Before coding the function module, you will have to specify the function modules attributes -- function group, application, and short text.
    Step 5: Code Function Module
    • From the function module's attributes screen, click on the 'Source code' pushbutton or choose the Goto -> Function module menu path to the code of the function module.
    • Here you will add your desired functionality for the field exit.
    • Remember that field exit's function module will have two parameters -- one importing parameter called "INPUT" and one exporting parameter called "OUTPUT". These parameters will be set up automatically by the system.
    • You must remember to assign a value to the OUTPUT field. Even if the value does not change, it must be moved from the INPUT field to the OUTPUT field.
    Step 6: Activate Function Module
    • After coding the function module, you must remember to activate it.
    • Use the Function module -> Activate menu path to activate the function module.
    • At this point, you can return to the field exit transaction.
    • You should be able to 'green arrow' back to this transaction.
    • When you return to the field exit transaction, you will see an entry for the newly created field exit.
    • At this point, the field exit is global. That is, it applies to all screens that use a particular data element. On any screen that uses the data element, the corresponding field exit function module will be triggered, once it is active.
    • Also, the field exit will not be triggered yet because it is inactive.
    Step 7: Assign Program/Screen
    • This step is only needed if you want to make a field exit local.
    • To make a field exit local, select the field exit and click on the 'Assign prog./screen' pushbutton.
    • In the dialog box, indicate the appropriate program name and screen number.
    This information indicates that the field exit is local to the specified screen in the specified program.
    • In the dialog box, you determine which function module gets executed for the field exit by specifying the identifier in the 'Fld. Exit' field.
    • If this field is left blank, the function module triggered will be 'FIELD_EXIT_<data element>'.
    • If a single-character identifier is entered into the field, the function module triggered will be 'FIELD_EXIT_<data element>_<identifier>'.
    Step 8: Activate Field Exit
    • The field exit must be active for it to be triggered by the system.
    • Activate the field exit by choosing the Field exit -> Activate menu path.
    • After assigning the field exit to a change request, its status will change to 'Active' and it will be triggered automatically on the appropriate screen(s).
    NOTE : In order to activate the field exit the profile parameter abap/fieldexit = YES must be set on all application servers
    Execute the transaction SE38 with PROGRAM NAME - RSMODPRF
    Then give the Data Element Name for which field you want to create the exit(Just cross check with your field data element) and execute.
    then it takes you to SE37 with the function module name FIELD_EXIT_<DATA ELEMENT NAME> and then create the same function module.
    and in the coding part, You can write your logic to display the output of that field. and activate it.
    once you complete the above,
    Again execute SE38 transaction with program RSMODPRF and again click on Execute button without any Data Element Name. Now you select the data element which you have created and click on Assign prog/ Screen button and assign the program name and screen number of the field and click on the menu Field Exit and Activate.
    Hope it helps.
    Regards
    Radhika
    Edited by: Radhika Pande on Nov 26, 2009 7:58 AM

  • BAPI to get all user lists for specific inputs

    Hi Experts,
    Is there any BAPI to get all input related user lists when I give input specific object, authorizations, profiles and values?
    Thanks,
    Rohan

    Hi
    use the fun module/Bapi's
    BAPI_USER_GET_DETAIL
    BAPI_USER_LOCPROFILES_ASSIGN
    BAPI_USER_LOCPROFILES_DELETE
    BAPI_USER_LOCPROFILES_READ
    BAPI_USER_PROFILES_ASSIGN
    BAPI_USER_PROFILES_DELETE
    SUSR_BAPI_USER_PROFILES_ASSIGN
    SUSR_BAPI_USER_PROFILES_DELETE
    also you can use the tables UST12 for user based authorizations
    AGR_USERS   -roles assignment for users
    AGR_PROF  - Profile data for roles
    AGR_DEFINE - Auth Profiles for users
    See the AGR_* and US* tables further
    Reward points if useful
    Regards
    Anji
    Message was edited by:
            Anji Reddy Vangala

  • Error in retrieving user list for a particular group in CMC (BOXI R2)

    The following error message is shown
    "There was an error while retrieving data from the server: Failed while trying to get role member list using class CSecRfcRemoteUsersActGrp in method CSecSAPR3Binding::GetChildrenInternal(). Error code: 2. Description: NO_AUTH."
    Is the problem on BO side or R/3 side?

    hi,
    I assume we are talking about the CMC / SAP Authentication area.
    The user entered here needs to have specific authorizations assigned. Please look at the installation guide for the SAP Integration Kit which lists those authorizations.
    thanks
    Ingo

  • How to check the access right for a specific SAP object like MaterialMaster

    Hi!
    How can I check if I have the right to change a specific object like a material or document in SAP via RFC. I need a remote able function which tells me, if I have enough rights! Or, if such a function does not exist, how can I write my own ABAP code to do this?
    Thanks,
    Konrad

    Hi,
    When initiating a transaction, a system program performs a series of checks to ensure the user is authorized.
    1. The program checks whether the transaction code exists in table TSTC.
    2. The program checks whether the transaction code is locked by the administrator (transaction code SM01).
    3. The program checks whether the user has the authority to start the transaction. Authorization object S_TCODE (transaction start) contains the authorization field TCD (transaction code). The user must have the appropriate authorization for the transaction code to be started (for example, FK01, Create Vendor).
    4. The program checks whether an authorization object is assigned to the transaction code. If this is the case, the program checks whether the user has an authorization for this authorization object. The transaction code/authorization object assignment is stored in table TSTCA.
    Note: An SAP program controls steps 1 through 4. It displays an automatic message to the user if an authorization attempt fails in the step.
    5. The system performs authorization checks in the ABAP program using the ABAP statement AUTHORITY-CHECK.
    Regards
    Sudheer

  • How to get users' login logout time for user IDs for a specific date?

    Dear All,
    There is a case I being requested to retrieve the Userid, User Name,
    User Group, User Dept, Date, Login Time, Logout Time in a specific date, for example, 21.05.2009.
    How should I retrieve the information? The user want to input specific date and user group then return the details that mentioned above.
    I try with SUIM->Users->By Logon Date and Password Change... but I can't specify the date that I want ...
    I try with SM19 (Security Audit Log), but unfortunately in my system this is not activated.
    I've seek for SAP's advise, and they say need to ask abaper to develop a report in order to get such details....
    Do you guys have any other methods?
    Do you guys know which tables will contain the details as mentioned above?
    Best Regards,
    Ken

    Unfortunately without the audit log, you're going to have a hard time finding this information.  As mentioned, ST03N will give you some information.  If your system's daily workload aggregation goes back to the date you require then you'll be able to get a list of all users who logged on that day.  ST03N doesn't keep time stamps just response times.
    My only idea is VERY labor intensive.  If your DB admin can retrieve a save of the database from that day then table USR02 will hold a little more information for you.  It will contain last login times for that day.  If your system backup policy happened to have saved the contents of folder "/usr/sap/<SID>/<instance>/data" then you potentially have access to all the data you require.  The stat file will have recorded every transaction that took place during that day.  If that file is restored you could use program RSSTAT20 to query against it.
    Good luck and turn on the audit log as it makes your life much easier!
