topic Re: Authorisation Objects in Application Development and Automation Discussions

Authorisation Objects

Former Member — Fri, 17 Oct 2008 04:03:05 GMT

Hi Everyone,

I am bit confused about authorisation objects, when do we add them manually in a role? Is authorisation check is performed in these manually added objects? In what scenarios we add new auth object to a tcode through su24? Please let me know

Your answere are much appreciated.

Regards,

Sandhya

Re: Authorisation Objects

Former Member — Fri, 17 Oct 2008 04:17:29 GMT

http://help.sap.com/saphelp_banking463/helpdata/en/5c/deaa74d3d411d3970a0000e82de14a/content.htm

Re: Authorisation Objects

Former Member — Fri, 17 Oct 2008 04:22:55 GMT

Hi Sandhya,

Regarding manually adding auth object to a role, if any user faces problem like he is not authorized to some authorization object or in missing authorizations cases we will be adding auth objects to a role.

other case is like if you add suppose some transaction sM30 to menu tab of pfcg you will get s_Tabu_dis auth objects automatically popped up in your profile you will maintain those values say

Actvt = 02

Auth group = Zdev

then this will allow only zdev group to change the records of table.

if user also wants display auth to zbasis group then you will insert manually this authorization object and give display auth to zbasis group.

yes authorization check is performed on these manually added auth objects.

When you create a new authorization object you will go to su24 transaction and add this newly created authorization object to the transaction in which you want this auth object to be checked and transport it across all systems in the landscape (D,Q,P) just by adding newly created auth object won't sap to check this object while executing this transaction you need to write authority check coding in the corresponding transaction.

Hope this helps,

Thanks,

Rakesh.T

Re: Authorisation Objects

Former Member — Fri, 17 Oct 2008 05:00:29 GMT

Hi,

adding to rakesh's reply.

in R/3 if the check indicators are maintained properly, there wont be any necessity to add an authorization object manually.

and mostly we are required to do it for the HR transactions.

take an example of hr transaction PE03, now for this we do not have authorization object P_ORGIN OR P_ORGXX maintained, where we have to insert manually.

regards,

kavitha

Re: Authorisation Objects

Former Member — Fri, 17 Oct 2008 07:27:32 GMT

Hi Sandhya,

The most common scenario when the need to add auth.object manually to a role arises is when an access is denied to an user for an authorization object for appropriate values missing from his/her user profile.On analysing the Su53 dump, we can find the object with it's required value which stopped the user to carry out an action.

To provide access to the auth.object to the user we can either modify any of his exsiting role to incorporate this auth. obj with the value by adding it manually or find if any other role existing in the system can be provided to him or ..........depending on how the business approves it.

We add new auth.object to a txn thorugh SU24 when we've created a new custom t-code and want to ensure that the new auth. object is included whenever this t-code is added to any role through the menu in PFCG.

Thanks,

Saby..

Re: Authorisation Objects

Former Member — Fri, 17 Oct 2008 09:04:12 GMT

Please put a little bit of effort into searching (on your own steam) before asking questions which could very easily be answered by yourself from the system documentation, help.sap.com, previous threads, etc...

Cheers,

Julius

Re: Authorisation Objects

Former Member — Sun, 19 Oct 2008 08:21:41 GMT

Hi,

Here is the answer for your question.

When you add authorization objects manaully.

e.g. ME21N - Create Purchase order

ME28 / ME29N - Release Purchase order

For this transaction, you want to restrict the users to create purchase order only for the selected Purchasing document type (A), but at the same time, you want the same user to change the purchase order belongs to some other Purchase order type(B).

So, the user must be able to create Purchase order only for Purchase document type A, but at the same time, the user can only change the purchase order belong to other purchase document type (B).

In that case, you can add the object M_BEST_BSA manually and restrict like the following:

Standard Document Type in Purchase Order M_BEST_BSA

Activity 01, 03

Purchasing Document Type Z101

Manual Document Type in Purchase Order M_BEST_BSA

Activity 02, 03

Purchasing Document Type Z102

When you add authorization object in SU24

For e.g. If the developer is creating a program with the authority-check (for any Z_Object type), in that case use the transaction in SU24 and added this object with Check/Maintain indicator. So, when you add the transaction into the role, the object will come up automatically.

Onething, you can notice here, if you are not maintaing this object in SU24, and trying to add the object manually in the role directly, the restriciton will not work.

Regards

Anandm

Re: Authorisation Objects

Former Member — Sun, 19 Oct 2008 08:41:40 GMT


> Onething, you can notice here, if you are not maintaing this object in SU24, and trying to add the object manually in the role directly, the restriciton will not work.

Actually, this urban legend is amusing because it encourages people to maintain SU24 - but it is not true.

Imagine all the missing authority-checks in a BI system if this were true...

The only restriction is that you cannot turn the authority-check OFF (=> No Check) as it has no transaction context (in SU24) for this.

It has no impact on turning checks ON in customer SAP systems.

Cheers,

Julius