XI data authorization

Dear sirs, I need your expertise regarding the authorizations in FI.
I am working on a financial management and budgeting project where we started to create the documents through transaction FMBB. Now we need to accept the alternative way of creating the documents, receive the documents from external system through the interface (through XI messaging). But before we really accept the documents we need to check whether the user who has sent the document (I have his username in SAP) can create a document based on his FIKRS auth.
Of course this is not so simple, because the user who delivers the document data from XI is the XI service user running with SAP all. Can anybody suggest a way I could check the rights through the authority check?
Thank you, regards Otto

I have described the solution in this thread: Re: Debugging authorization objects Otto
The relevant objects for my problem are F_FMBU_ACC, F_FMBU_DOC, F_FMBU_VER
Edited by: Otto Gold on Apr 22, 2010 11:45 AM

Similar Messages

  • Master data authorization  by geography

    Hi,
    we need to build master data authorization based on geography. need is to have a flexible way of assigning visibility to master data (accounts/ contacts) to sales teams based on the geographical distribution. e.g a sales rep from California should be authorized to view accounts based out of california and no other region.
    can you recommend some ways to achieve this. we know we can define sales orgs to achieve this but we are looking for a more flexible way, don't want to change sales org as it has a dependency on back end ERP too.
    thanks
    RH

    Hi RH
    You probably want to look at the Access Control Engine (ACE) - it is designed to meet your requirement.
    Here's a link to get you started. Check out the IMG as well.
    Cheers
    Dom
    http://help.sap.com/saphelp_crm40/helpdata/en/04/0177f9bb67ac4cafb84bb4d4c1d8fc/frameset.htm

  • HR Master Data Authorization

    Dear Guys
    I am facing a problem regarding HR Authorization. We are not able to access Header information of few Personnel numbers and also have full HR Authorization.
    When we copy same SAP ID to other SAP ID data becomes visible without any change in authorization.
    Please resolve the issue.
    Thanks

    Hi,
    are you using structural authorization? please check if user id A (original) has a structural authorization, use tcode OOSB and SM30 (Table T77UU), maybe that's the reason why when the copied ID can access the same personnel that is access by ID A.
    In authorization when we say that the ID can't view the main header of the personnel that means there's missing authorization for the said ID.
    When structural authorization is in place, it should both satisfy the normal authorization and the structural authorization.
    hope this help
    Fred

  • HR master data authorizations Personnel Sub Area (PSA) wise

    Hi Experts,
    The requirement is to restrict HR masterdata access PSA wise.
    Example:-
    There are 2 PSAs i.e. 1000 & 2000 for which, there are two different HR admin who are responsible for the maintenance of the HR masterdata for their respective PSAs.
    The requirement is, the HR admin of 1000 PSA should have the authorization of create/change/display of 1000 PSA & should have only the display authorization for 2000 PSA. HR admin of 1000 PSA can not modify the details of other PSAs.
    Like the same way, HR admin of 2000 PSA should have the authorization of create/change/display of 2000 PSA & should have only the display authorization for 1000 PSA.
    I have managed to handle the same through org key (VDSK1). But the issue is, the HR admin of 1000 is only able see the data upto the period when the employee was in 1000 PSA. For e.g. if employee no. 789654  was in 1000 PSA from 1.1.2014 to 31.03.2014 & he was transferred to 2000 PSA on 1.4.2014, then the HR admin of 1000 is able to see the data upto 31.03.2014 only. And HR admin of 2000 PSA is able to see the data from 1.4.2014 onwards & not the past data.
    During a transfer action, I am manually changing the org key when I am transferring the employee from one PSA to other PSA.
    Requirement
    My requirement is that, after the transfer also, the HR admin of the 1st PSA (1000) should be able to only view the current employee data & but he can not change anything and the same way HR admin of 2000 PSA should be able to view the past data but should not able to change the past data.
    How it will work in Training & Event Mgt? Will the system restricts the HR admin from booking an employee of other PSA also?
    Please help..
    Regards,
    Daniel

    Hi Omid,
    Thanks for your reply. I saw your link where you have suggested for custom authorization object. Does it require any other development other than creating the custom object?
    I have managed to achieve the PSA wise authorization by using org key. But the problem is, the current HR administrator is not able to see the past data. For e.g. if employee no. 789654  was in 1000 PSA from 1.1.2014 to 31.03.2014 & he was transferred to 2000 PSA on 1.4.2014, then the HR admin of 1000 is able to see the data upto 31.03.2014 only. And HR admin of 2000 PSA is able to see the data from 1.4.2014 onwards & not the past data.
    My requirement is; the current HR admin can view all the past and current data but not authorized to create/change or delete anything once the employee is transferred from his PSA.   
    Regards,
    Daniel

  • Data Authorization for info-objects

    Dear Experts,
    We have designed a query in costing displaying the plan and actual costs by cost center. Our requirement is that users should be able to see only those cost centers in the query which are relevant to them. How can I achieve this without creating multiple queries? Is there any authorization object that I can use for this purpose?
    Regards
    Suneeth

    Hi,
    Pls check the below
    Data Warehousing Workbench – objects/S_RS_ADMWB
    Authorizations for working with individual objects of the Data Warehousing Workbench. In detail, these are: source system, InfoObject, monitor, application component, InfoArea, Data Warehousing Workbench, settings, metadata, InfoPackage, InfoPackage group, Reporting Agent settings, Reporting Agent package, documents (for metadata, master data, hierarchies, transaction data), document store administration, (Customer) Content system administration, broadcast settings.
    Data Warehousing Workbench – InfoObject/S_RS_IOBJ
    Authorizations for working with individual InfoObjects and their subobjects.
    Until Release 3.0A, only general authorization protection was possible using authorization object S_RS_ADMWB. General authorization protection for InfoObjects still works as in the past. Special protection using S_RS_IOBJ is only used if there is no authorization for S_RS_ADMWB-IOBJ.
    Regards,
    Marasa.

  • ERM - Role Data Authorization

    Hello everyone
    Does ERM add authorization objects checked by transactions inserted  during role creation? Whenever I create a role with ERM it is generated in backend but with no authorization data. I presume It should include at least the S_TCODE object.
    Is this a task that should be done manually from ERM for each transaction added to a role?
    Thanks!
    Jaime

    Hi Jaime,
    ERM will of course add the authorization data when the transaction code is added to the role. For this to work, you need to make sure that you have run all the necessary background jobs (org value sync, activity value sync, tcode sync) successfully.
    Regards,
    Alpesh

  • Interface data authorization

    Dear sirs, I need your expertise regarding the authorizations in FI.
    I am working on a financial management and budgeting project where we started to create the documents through transaction FMBB. Now we need to accept the alternative way of creating the documents, receive the documents from external system through the interface (through XI messaging). But before we really accept the documents we need to check whether the user who has sent the document (I have his username in SAP) can create a document based on his FIKRS auth.
    Of course this is not so simple, because the user who delivers the document data from XI is the XI service user running with SAP all. Can anybody suggest a way I could check the rights through the authority check?
    Thank you, regards Otto

    Hi,
    Maybe you could try to create the document (or other business transaction) using the XI communication user in your ECC system. I think the user which has the SAP_ALL profile has enough rights. But the exact rights it needs should be checked by an authorization check (maybe your Basis team, who can do a trace, could help you).

  • Transaction level report with data authorizations

    hi experts,
    In my project, we have many MIS reports which is been widely used by thousands of users. The current reports are designed in such a way that any user can view other user's data if they are coming in same hierarchy.
    This has to be changed so that user A should see only his city data, and vice versa for user B.
    Is it possible to read their user name and generate query only for his city?
    Or we need to implement BI authorizations?
    if so how should i do for existing users & queries?
    kindly revert back to me ASAP.
    jeeva

    hi,
    Object level authorization could solve your issue.
    Authorization in BI
    http://www.*********************/bw_security/bw_security_auth_obj_2.htm
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144
    Ramesh

  • BI Variable authorization issue

    Hello Experts,
    Please help me with the below issue. I have implemented Variable authorizations as below.
    1)I have marked Cost Center and Profit Center info objects as Auth relevant.
    2) Created a global Variables for CC and PC with processing by authorization & user exit.
    3) Created analysis authorization for the info object 0cost center and Profit Center and added value as $ ZCOST.
    4) Created the include program ZSECTEST in the user exit to check the Variables.
    I have created only one analysis authorization with both CC and PC fields and restricted to Variables.
    Scenario 1: If the Query that was built on the Cube has only CC data, authorizations are working fine by picking the values from the table. – Working
    Scenario 2: I have a query that was created on MP which has cube A with CC and cube B with PC data.
    (system checks if the user has access to both info objects since both were auth relevant fields)
    When user ran the query – custom code checks the table and gets the CC and PC values to the query variable screen.
    Issue: If the query has both CC and PC data for the given date it was showing results fine.
    If the query has only CC data and no PC data then query is giving message saying no data available.
    My requirement is even if there is no PC data for that date I want to display the CC data.
    Thanks in Advance.
    Thanks,
    Kumar.

    Hello Sandipan,
    Thanks for the quick response. Primary key has been already defined in the table. Issue is I have only one analysis authorization created with fields CC and PC restricted to variables VAR1 and VAR2 respectively.
    When I execute the query in the variable selection screen values are coming fine as below from the custom table. (works)
    Variable selection screen :                   
    Cost Center   -    1,2,3,4
    Profit Center   -     A,S,D,F
    Date               -   10/2010
    In the above example if the query has only CC data for that date - I get error no data available because system is fetching for the  combination of CC 1,2,3,4 and PC A,S,D,F .  I guess some aggregation auth are missing.
    When I execute the same query with SAP_ALL and BI_ALL I get results with only CC - because PC data on this query was not available for that date.
    My requirement is even if the PC data was not available for that date I want to display all the CC related data.
    Thanks,
    Kumar.

  • Authorization issue - help request

    Hi guys,
    One of the consultants is having an authorization issue (he is not able to run a t-code).
    I asked him to run a SU53 report and I am not sure how to proceed with this.
    Please help.
    Here are the details from the SU53 report.
    DISPLAY AUTHORIZATION DATA FOR USER VYXXXX
    User : VYXXX                       profile parameter authorization buffering    4
    Authorization Object: F_KNA1_GRP
    Description
    Authorization check failed:
          + Authorization object F_KNA1_GRP Customer Account Group Authorization
                Activity                                08
                Customer Account Group     ZM01
    Users Authorization Data :
          +  Authorization object F_KNA1_GRP Customer Account Group Authorization
                   Authorization  T-PD19002300
                  Authorization  T-UG39000900
                  Authorization  T-UG39001000
    Please help me guys what need to  be performed.
    Regards,
    Vamsi.

    Hi Vamsi,
    SU53 shows us the last failed authorization for a user. However, it might not be the only authorization object that failed.
    Hence, "just to learn" , you can use transaction ST01 to enable and run a trace for particular users. Be sure to use in a test environment first, and with proper filters. (for a particular user only).
    Then check-> which auth object is failing.
    RC=4 means a object value is failing.
    RC=12 means an object is missing!
    Check, which tcode is calling that object and this tcode is present in which role. Then.........proceed.
    You can check the SAP documentation on running traces on the help portal of SAP.  I think you will find the answer yourself by troubleshooting more and may be massaging some test roles here and there!
    Likewise, if you are new to security, I would encourage you to start by reading some books on SAP security. Authorizations made easy is a good book to start with.
    Let me know if you have any questions
    EOD for me :P . take care
    Abhishek

  • Manage BOBJ folder authorization with Solution Manager

    Hi Expert,
    At first I'll speak about our landscape, it include SAP BW as DWH, BO 4.1 for WEBI reporting (it is a migration project, the universes are connected to the infocube BW) and solution manager as central system for the monitoring and authorization management.
    I'm new on BO, and I'm facing this question: is it possible with abap role Sol Man to manage the authorization for the folders on BOBJ launch pad?
    I'm thinking if it is possible to create an abap role with menu hierarchy, and to import this into BOBJ (like with enterprise portal) in order to post the webi report into a specific folder with it's own authorization roles.
    I know that it's possible to import abap role from BW to BO, so it should be possible also from sol man, but this concerns the 'data' authorization.
    has anyone faced this issue?
    Thank you in advance.
    Lucia

    Unfortunately, this is not possible and is a big limitation regarding the integration with BO and BW. You need to import the roles and assign them to folders manually...
    You could automate it if you know SDK but you will have to evaluate if it's worth the effort

  • HR Authorization issue for specific User

    Dear all,
    One of the HR users can run payroll on a particular site.
    I have assigned the Org key of the site to master data on the particular role.
    User tried to run payroll using PA30 with personnel no (one of store user),
    but the system does not take any value and it is not showing any error either.
    For example pls check below detail i have tried my user id and system has shows below details of the user (below details is one of the store user ).
    Personnel no.   2941
    Name         A  Mohammed Younus
    Personnel ar ZOSO                            EE group   A
    Subarea      STCH                            EE subgrp  3E
    Kindly suggest to resolve the issue
    Note : 1, i have deleted the user and i have recreated role .
    2, I have copied another user's role (he can run payroll) to the affected user, even so he is not able to run payroll.
    Edited by: satheesh0812 on Dec 17, 2010 9:29 AM

    Dear all,
    I don't think there is any issue with the Role, only an issue with Structural Auth.
    Because, please check the Authorization Object below.
    Changed    HR: Master Data
      Authorization level            E, M, R, W
      Infotype                       *
      Personnel Area                 *
      Employee Group                 *
      Employee Subgroup              *
      Subtype                        *
      Organizational Key             20000156, 20000157, 20000201
    In OOSP for particular Org key .
    Auth profile              Auth.Profile name
    CTHR_CHENNAI     CTHR_Chen
    Auth profile             No  Plan Vers Obj Type   Object I         Maint Eval.path Status vec
    CTHR_CHENNAI     1     01               O                   20000156              O-S-P     12
    CTHR_CHENNAI     2     01               O                  20000157             O-S-P     12
    CTHR_CHENNAI     3     01               O                  20000201            O-S-P     12
    In OOSB details
    IN OOSB I have assigned Authorization profile to UserXXX, user can see all employee details in PA30 except one employee details , can
    User name Autho.profile                           Start date        End date            Exclustion Display Objects
    XXXX          CTHR_CHENNAI                     01.01.2005     31.12.9999
    If i give Autho.profile --> all instead of CTHR_CHENNAI ..
    HR executive can able see all employee details in PA30 ...
    Let me know where exactly issue is there ...
    Kindly suggest...

  • HR infotype authorization

    Dear all,
    I have created a role, for example "A", which authorizes only creation of an infotype, for example 0002, in role "A" master data
    Authorization level            w,R   
    Infotype                       0002
    Personnel Area                 *   
    Employee Group                 *   
    Employee Subgroup              *   
    Subtype                        *   
    Organizational Key             * 
    but I am unable to understand how to give only infotype change and delete authorization to role "B".
    Please guide me, and also what is the simple definition of (what is the function in authorization, in a simple way)
    S (write locked record; unlock if the last person to change the record is not the current user),
    E (write locked record),
    D ( change lock indicator )
    Regards
    Rayyan

    Shahid,
    There is not a way to separate the Create/Change/Delete functionality on HR Infotypes for objects like P_ORGIN. Unfortunately these are the limitations of SAP HR Security only using the "W" authorization. At my client we had to build processes around this and ensure the correct HR Master Data group was centralized for responsibility and authorizations, as well as turned on audit logging for reporting.
    Thanks,
    Matt

  • HR Authorization Issue (How can it be achieved)

    Hi Gurus,
    Our SAP HR PA data authorization is by Org Key using P_ORIGIN security object. As a result, HR Users who have the access for the Org Key can view records of employees belonging to that particular Org Key.
    The problem comes when an employee is transferred from old Org Key to new Org Key. As a result, HR user can still view  those records in PA infotypes for the prior periods when IT0001 org key was the old one.
    Requirements: Our HR Head wants to completely block these kind of employees whose org key has been changed to the new one. Since HR Users don't have the authorization for the new Org Key; they should not be able to view PA IT0001 records for period which still have the value for old org key.
    Any way to implement this kind of check ? Or any way to control security access by Pernr (so that we could block some pernrs from being viewed by HR user).
    Please provide your insight..
    Note: We have not activated P_ORGXX in our system.

    Hello Amit,
    Try to use organizational key (VDSK1) to restrict access to HR personnel information. When we change the value in the VDSK1 field from users not able to view PA data only for those employees for which they have responsibility. Use P_ORGIN and organization key (VDSK1) to do this.
    Cheers and Regards.
    Jaime

  • How to use authorization object P_PERNR ?

    Hi, Gurus~
    In our system, there is a user whose User ID is "00041", and she can modify her own 0008. We want to control it so that she can only display her own 0008, but process 0008 for all other employees.
    So, I use the authorization object P_PERNR to do this. I set the field values like this (totally copied from the SAP help for P_PERNR....):
    Authorization level:  W,S,D,E
    Infotype: 0008
    Interpretation of assignment personnel number: E
    Subtype: *
    and then, I maintain her master data 0105's subtype 0001-system user name as 00041.
    I think she shouldn't be able to maintain her own 0008 now, but she still can maintain it.
    I want to know why and how to solve it. Did I do it in the right way?
    Thank you in advance!

    P_PERNR   HR: Master Data - Personnel Number Check
    You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.
    The following values are possible for the PSIGN field:
    I   =          Authorization for personnel number assigned, that is for own personnel number
    E  =          Authorization for all personnel numbers excluding own personnel number
    You can assign a user a personnel number using infotype 0105, subtype 0001 (in earlier releases using the V_T513A view).
    This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.
    Example of Personnel Number Check P_PERNR
    The authorization checks for P_ORGIN and P_PERNR are activated in the system. In addition, there are user assignments for some personnel numbers.
    The user in our example is assigned a personnel number and is administrator responsible for the Basic Pay infotype (0008) of a personnel area (that is, the user has the corresponding P_ORGIN authorization). The employee should also be able to display his or her own data but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. The corresponding authorizations for the P_PERNR authorization object must be set up as follows:
    First authorization:
    AUTHC = R, M
    PSIGN = I
    INFTY = *
    SUBTY = *
    Second authorization:
    AUTHC = W, S, D, E
    PSIGN = E
    INFTY = 0008
    SUBTY = *
    In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. You need to set up the appropriate authorizations for the HR: Personnel Number Check object as shown in this example.
    The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write access to all data records of infotype 0008 for the employee's own personnel number in case the administrator is responsible at some point in the future for the personnel area to which he or she belongs.
    As the following examples illustrate, inconsistent authorizations can be granted.
    Example 1:
    First authorization:
    AUTHC = *
    PSIGN = I
    INFTY = 0014
    SUBTY = M*
    Second authorization:
    AUTHC = W, S, D, E
    PSIGN = E
    INFTY = 0014
    SUBTY = *
    The first authorization grants the employee read authorization (AUTHC = R) for the Recurrent Payments/Deductions infotype (0014), subtype M120, which allows the employee to access the data stored under his or her personnel number. In this case, the second authorization is irrelevant.
    The first authorization grants the employee write authorization (AUTHC = W) for the Recurrent Payments/Deductions infotype (0014), subtype B030, which denies the employee access to the data stored under his or her personnel number. In this case, the first authorization is irrelevant.
    The first authorization grants the employee write authorization for the Recurrent Payments/Deductions infotype (0014), subtype M120, the second authorization denies the employee this authorization. The desired system response is unclear from this example. According to the documentation, the system response is undefined in such situations. In reality, the authorization check always denies authorization in unclear situations, that is E is stronger than I and therefore the authorization is not granted.
    Example 2:
    AUTHC = *
    PSIGN = *
    INFTY = *
    SUBTY = *
    This type of authorization is required by superusers with unlimited access, for example. The above authorization is appropriate if an employee wants to access an infotype. However, since PSIGN = * and * can be substituted for any value, PSIGN and E can also be interpreted as I. This can also lead to an undefined situation. In earlier releases, the authorization was denied on the basis of the rule E is stronger than I. This meant that superusers with assigned personnel numbers were not able to access their own personnel number. The programs have since been changed and now * is interpreted as I and is stronger than E. In other words, * is stronger than E and E is stronger than I, whereby * is interpreted as I.
    As already indicated in Example 1, the combination of different authorizations can produce a complicated result. We therefore recommend that you avoid combinations where P_PERNR authorizations can be interpreted differently for the same combination of AUTHC(Authorization Level), INFTY(Infotype) and SUBTY (Subtype).
    Misunderstandings arising from the complex situations described above are not the most frequent causes of customer inquiries, however. The most frequent cause is the incorrect assumption that authorizations by personnel number affect authorizations for non-assigned personnel numbers. This is not the case at all.
    If you use authorizations by personnel number, you should always first set up all non-personnel number-related authorizations. As soon as you have done this, you should create different access authorizations for the personnel numbers that are assigned to users using appropriate P_PERNR authorizations. This is always possible since the P_PERNR authorizations override all other authorizations directly (except Test Procedures).
    P_PERNR authorization checks cannot bypass test procedures directly. For instance, a test procedure is only carried out on the Recurring Payments/Deductions infotype (0014) if a corresponding P_PERNR authorization (with PSIGN = I) exists. If an appropriate authorization for the corresponding subtype of the infotype 0130 exists, it can be used effectively to carry out the test procedures.
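
The precedence rules in the documentation quoted above ("* is stronger than E and E is stronger than I", and no check at all for personnel numbers not assigned to the user) can be traced with a small model. This is an added example, not SAP code and not part of the original post; the class and function names, the `check_active` flag, the personnel numbers and the "not_applicable" outcome (meaning the other checks such as P_ORGIN decide) are assumptions made for illustration.

```python
"""Simplified model of the P_PERNR rules quoted above (added example, not SAP code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class PPernrAuth:
    authc: Tuple[str, ...]  # authorization levels, e.g. ("R", "M") or ("*",)
    psign: str              # "I" = own number, "E" = excluding own, "*" = any
    infty: str              # infotype, "*" allowed
    subty: str              # subtype, wildcard allowed (e.g. "M*")


def _covers(auth: PPernrAuth, level: str, infty: str, subty: str) -> bool:
    """True if the authorization's AUTHC/INFTY/SUBTY values cover the access."""
    return (any(fnmatchcase(level, p) for p in auth.authc)
            and fnmatchcase(infty, auth.infty)
            and fnmatchcase(subty, auth.subty))


def p_pernr_decision(auths: Iterable[PPernrAuth], check_active: bool,
                     user_pernr: Optional[str], target_pernr: str,
                     level: str, infty: str, subty: str) -> str:
    """Return "grant", "deny" or "not_applicable" (other checks decide)."""
    # The check only applies when it is active, the user has a personnel
    # number assigned (infotype 0105, subtype 0001) and accesses that number.
    if not check_active or user_pernr is None or user_pernr != target_pernr:
        return "not_applicable"
    signs = {a.psign for a in auths if _covers(a, level, infty, subty)}
    if "*" in signs:   # "*" is interpreted as I and is stronger than E
        return "grant"
    if "E" in signs:   # E is stronger than I
        return "deny"
    if "I" in signs:
        return "grant"
    return "not_applicable"  # assumption: no matching P_PERNR authorization


# Authorizations from the documentation's main example.
PAGE_EXAMPLE = [
    PPernrAuth(("R", "M"), "I", "*", "*"),
    PPernrAuth(("W", "S", "D", "E"), "E", "0008", "*"),
]
# The single authorization described in the question.
ASKER_SETUP = [PPernrAuth(("W", "S", "D", "E"), "E", "0008", "*")]
# "Example 1" from the documentation (inconsistent authorizations).
EXAMPLE_1 = [
    PPernrAuth(("*",), "I", "0014", "M*"),
    PPernrAuth(("W", "S", "D", "E"), "E", "0014", "*"),
]
# "Example 2": superuser authorization, here combined with an E entry.
EXAMPLE_2 = [
    PPernrAuth(("*",), "*", "*", "*"),
    PPernrAuth(("W",), "E", "0008", "*"),
]

OWN, OTHER = "00001001", "00002002"  # constructed personnel numbers

if __name__ == "__main__":
    cases = [
        ("main example, read own 0008", PAGE_EXAMPLE, True, OWN, OWN, "R", "0008", ""),
        ("main example, write own 0008", PAGE_EXAMPLE, True, OWN, OWN, "W", "0008", ""),
        ("main example, write other 0008", PAGE_EXAMPLE, True, OWN, OTHER, "W", "0008", ""),
        ("question, check active", ASKER_SETUP, True, OWN, OWN, "W", "0008", ""),
        ("question, check not active", ASKER_SETUP, False, OWN, OWN, "W", "0008", ""),
        ("question, no pernr assigned", ASKER_SETUP, True, None, OWN, "W", "0008", ""),
        ("example 1, write own 0014/M120", EXAMPLE_1, True, OWN, OWN, "W", "0014", "M120"),
        ("example 2, write own 0008", EXAMPLE_2, True, OWN, OWN, "W", "0008", ""),
    ]
    for name, auths, active, user, target, level, infty, subty in cases:
        result = p_pernr_decision(auths, active, user, target, level, infty, subty)
        print(f"{name:35s} -> {result}")
```

In this model the authorization from the question only has an effect when the personnel number check is active and the user is mapped to the personnel number being accessed; in every other case the outcome is left to the remaining authorization objects.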
