topic Re: Authorization Object inative in PFCG in Application Development and Automation Discussions

Authorization Object inative in PFCG

Former Member — Fri, 08 Jan 2010 10:19:18 GMT

Hi,

We created an authorization object for a Z BSP application that is used in htm page.

When I try to create a role allowing that authorization object in PFCG, auth. object remains inactive and there is no possibility to active it.

Does anyone knows how I can activate this object ?

Many thanks.

Re: Authorization Object inative in PFCG

Former Member — Fri, 08 Jan 2010 10:50:29 GMT

Hi, a bit more information would be very useful:

What exactly do you mean by the auth object remains inactive?

1. The object is inactive status in the authorisations tab of the role?

2. The auth object does not restrict the user?

3. Something else

Re: Authorization Object inative in PFCG

Former Member — Fri, 08 Jan 2010 11:34:51 GMT

This message was moderated.

Re: Authorization Object inative in PFCG

Former Member — Fri, 08 Jan 2010 11:35:33 GMT

This message was moderated.

Re: Authorization Object inative in PFCG

Former Member — Fri, 08 Jan 2010 12:25:49 GMT

Sorry,

The object is inactive status in the authorisations tab of the role

Re: Authorization Object inative in PFCG

Former Member — Fri, 08 Jan 2010 12:43:45 GMT

Thanks for the info, do you get an error message when you try to activate it again?

Also, is the role a derived role?

Re: Authorization Object inative in PFCG

Former Member — Fri, 08 Jan 2010 12:52:13 GMT

No error message and it's a basis role, newly created.

Thanks

Re: Authorization Object inative in PFCG

Former Member — Fri, 08 Jan 2010 15:23:44 GMT

Hi Alexandre,

Two more checks required:

1 - Try adding a manual instance of this object. Once done do you see the object in status "Manually" or inactive.

2 - Try addind this object in tcode entry of SU24 with proposal marked as "yes". Then add this Tcode in a role and check the standard instance of the object which gets pulled in the authorization tab. Is it again inactive?

Re: Authorization Object inative in PFCG

Former Member — Fri, 08 Jan 2010 22:09:28 GMT

Please compare the entries for this Z-object to another Z-object which does work in table DD05L and TADIR and TOBJ. Is anything missing or different?

Another possibility is that the object name might have existed in the past already and was deleted. This deletion might have been done in a "dirty" way instead if manually adding the object entry to the transport request.

If it left orphaned data behind (which dirty updates often do...) then it could have created an inconsistency which is now reappearing.

If an authority-check against the object in a program could not pass the syntax checks, then including the object in the PFCG role data does not make sense either.

There is a way to bypass this in the program, but that will not help you in PFCG (that is the beauty if syntax checks...

If you can create a manual authorization in SU03 for the object and can assign it to a profile in SU02 (as a test ) - then this would be my best guess at the explanation for this behaviour. You still need to fix it though...

Cheers,

Julius

Re: Authorization Object inative in PFCG

Former Member — Sat, 09 Jan 2010 13:02:31 GMT

Hi,

Please check the object is activated in SU03 -> Authorization -> Activate.

Regards,

Shrinivasan KV

Re: Authorization Object inative in PFCG

Former Member — Sat, 09 Jan 2010 20:23:41 GMT

I think you are mistaken here between the active version of an authorization and a likely problem with the authorization object itself in the object respository.

But, it cannot be excluded that there is an authorization name collision for the object with another (possibly manual) one, if the profile name was entered manually or someone reset the number range.

I am not sure how the system reacts to this. Forcing an inactive authorization in the role data already would be a likely candidate.

Cheers,

Julius

Re: Authorization Object inative in PFCG

Former Member — Sun, 28 Aug 2011 05:01:42 GMT

I was having the same problem. I was adding an auth object S_ASAPIA of class BC_Z to role (both manually or via Selection Criteria, the authorization is in the selection criteria list) but for some reason I could not make it active, the authorization is brought into the role as inactive. After some digging I realized the problem by looking up the authorization object in SU03. When I tried to check for authorizations associated with the authorization object in SU03 I got an error message:

No fields have been maintained for this object

Message no. 01231

Checking table TOBJ I realized that this is not the only such problem:

Here are 4 objects in my ECC system that have the same problem. ([ObjectID] [Object Class ID])

K_ORGUNIT CO

S_ASAPIA BC_Z

S_RS_PPMAD RS

ZSTAT BC_A

I found these auth objects by searching for blanks in the field FIEL1 in table TOBJ.

By the way I also found a number of objects that were not assigned to a valid Authorization Object Class. PFCG will not allow you to add these objects at all, even though they do exist in table TOBJ. ([ObjectID] [Object Class ID])

CRMCONFMOD CRM

CRM_WSC CRM

CRM_WST CRM

PLM_LAYOUT PLMB

RSCRMBUPA RSAN

RSCRMEXTR RSAN

RSCRM_TG RSAN

RSDMEENGIN RSAN

RSDMEMBW RSAN

RSDMEMODEL RSAN

S_ESH_T_BG TST

S_ESH_T_MT TST

S_ESH_T_PR TST

I found these objects by copying all the classes in table TOBC and filtering out all the records in table TOBJ using exclude values in the field OCLSS. The resulting list is those objects not assigned to a valid object class.

Note that most of this data was SAP delivered.

Hope this helps to answer this Q.

Re: Authorization Object inative in PFCG

Former Member — Sun, 28 Aug 2011 05:46:21 GMT

Thank you for sharing your observation!

An object would need at least one field and be assigned to a class - that makes sense

Particularly if they still have active checks in any code, then you should report them to SAP to clean up.

Old thread now assumed closed.

Cheers,

Julius