Community
Application Development and Automation Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Authorization Object inative in PFCG

Go to solution
Former Member

‎2010 Jan 08 10:19 AM

0 Likes
5,376

Hi,

We created an authorization object for a Z BSP application that is used in htm page.

When I try to create a role allowing that authorization object in PFCG, auth. object remains inactive and there is no possibility to active it.

Does anyone knows how I can activate this object ?

Many thanks.

1 ACCEPTED SOLUTION
Read only

Go to solution
Former Member

‎2011 Aug 28 6:01 AM

0 Likes
3,362

I was having the same problem. I was adding an auth object S_ASAPIA of class BC_Z to role (both manually or via Selection Criteria, the authorization is in the selection criteria list) but for some reason I could not make it active, the authorization is brought into the role as inactive. After some digging I realized the problem by looking up the authorization object in SU03. When I tried to check for authorizations associated with the authorization object in SU03 I got an error message:

No fields have been maintained for this object

Message no. 01231

Checking table TOBJ I realized that this is not the only such problem:

Here are 4 objects in my ECC system that have the same problem. ([ObjectID] [Object Class ID])

K_ORGUNIT CO

S_ASAPIA BC_Z

S_RS_PPMAD RS

ZSTAT BC_A

I found these auth objects by searching for blanks in the field FIEL1 in table TOBJ.

By the way I also found a number of objects that were not assigned to a valid Authorization Object Class. PFCG will not allow you to add these objects at all, even though they do exist in table TOBJ. ([ObjectID] [Object Class ID])

CRMCONFMOD CRM

CRM_WSC CRM

CRM_WST CRM

PLM_LAYOUT PLMB

RSCRMBUPA RSAN

RSCRMEXTR RSAN

RSCRM_TG RSAN

RSDMEENGIN RSAN

RSDMEMBW RSAN

RSDMEMODEL RSAN

S_ESH_T_BG TST

S_ESH_T_MT TST

S_ESH_T_PR TST

I found these objects by copying all the classes in table TOBC and filtering out all the records in table TOBJ using exclude values in the field OCLSS. The resulting list is those objects not assigned to a valid object class.

Note that most of this data was SAP delivered.

Hope this helps to answer this Q.

12 REPLIES 12
Read only

Go to solution
Former Member

‎2010 Jan 08 10:50 AM

0 Likes
3,362

Hi, a bit more information would be very useful:

What exactly do you mean by the auth object remains inactive?

1. The object is inactive status in the authorisations tab of the role?

2. The auth object does not restrict the user?

3. Something else

Read only

Go to solution
Former Member
In response to Former Member

‎2010 Jan 08 12:25 PM

0 Likes
3,362

Sorry,

The object is inactive status in the authorisations tab of the role

Read only

Go to solution
Former Member
In response to Former Member

‎2010 Jan 08 12:43 PM

0 Likes
3,362

Thanks for the info, do you get an error message when you try to activate it again?

Also, is the role a derived role?

Read only

Go to solution
Former Member
In response to Former Member

‎2010 Jan 08 12:52 PM

0 Likes
3,362

No error message and it's a basis role, newly created.

Thanks

Read only

Go to solution
Former Member
In response to Former Member

‎2010 Jan 08 3:23 PM

0 Likes
3,362

Hi Alexandre,

Two more checks required:

1 - Try adding a manual instance of this object. Once done do you see the object in status "Manually" or inactive.

2 - Try addind this object in tcode entry of SU24 with proposal marked as "yes". Then add this Tcode in a role and check the standard instance of the object which gets pulled in the authorization tab. Is it again inactive?

Read only

Go to solution
Former Member

‎2010 Jan 08 11:34 AM

0 Likes
3,362

This message was moderated.

Read only

Go to solution
Former Member

‎2010 Jan 08 11:35 AM

0 Likes
3,362

This message was moderated.

Read only

Go to solution
Former Member

‎2010 Jan 08 10:09 PM

0 Likes
3,362

Please compare the entries for this Z-object to another Z-object which does work in table DD05L and TADIR and TOBJ. Is anything missing or different?

Another possibility is that the object name might have existed in the past already and was deleted. This deletion might have been done in a "dirty" way instead if manually adding the object entry to the transport request.

If it left orphaned data behind (which dirty updates often do...) then it could have created an inconsistency which is now reappearing.

If an authority-check against the object in a program could not pass the syntax checks, then including the object in the PFCG role data does not make sense either.

There is a way to bypass this in the program, but that will not help you in PFCG (that is the beauty if syntax checks...

If you can create a manual authorization in SU03 for the object and can assign it to a profile in SU02 (as a test ) - then this would be my best guess at the explanation for this behaviour. You still need to fix it though...

Cheers,

Julius

Read only

Go to solution
Former Member

‎2010 Jan 09 1:02 PM

0 Likes
3,362

Hi,

Please check the object is activated in SU03 -> Authorization -> Activate.

Regards,

Shrinivasan KV

Read only

Go to solution
Former Member
In response to Former Member

‎2010 Jan 09 8:23 PM

0 Likes
3,362

I think you are mistaken here between the active version of an authorization and a likely problem with the authorization object itself in the object respository.

But, it cannot be excluded that there is an authorization name collision for the object with another (possibly manual) one, if the profile name was entered manually or someone reset the number range.

I am not sure how the system reacts to this. Forcing an inactive authorization in the role data already would be a likely candidate.

Cheers,

Julius

Read only

Go to solution
Former Member

‎2011 Aug 28 6:01 AM

0 Likes
3,363

I was having the same problem. I was adding an auth object S_ASAPIA of class BC_Z to role (both manually or via Selection Criteria, the authorization is in the selection criteria list) but for some reason I could not make it active, the authorization is brought into the role as inactive. After some digging I realized the problem by looking up the authorization object in SU03. When I tried to check for authorizations associated with the authorization object in SU03 I got an error message:

No fields have been maintained for this object

Message no. 01231

Checking table TOBJ I realized that this is not the only such problem:

Here are 4 objects in my ECC system that have the same problem. ([ObjectID] [Object Class ID])

K_ORGUNIT CO

S_ASAPIA BC_Z

S_RS_PPMAD RS

ZSTAT BC_A

I found these auth objects by searching for blanks in the field FIEL1 in table TOBJ.

By the way I also found a number of objects that were not assigned to a valid Authorization Object Class. PFCG will not allow you to add these objects at all, even though they do exist in table TOBJ. ([ObjectID] [Object Class ID])

CRMCONFMOD CRM

CRM_WSC CRM

CRM_WST CRM

PLM_LAYOUT PLMB

RSCRMBUPA RSAN

RSCRMEXTR RSAN

RSCRM_TG RSAN

RSDMEENGIN RSAN

RSDMEMBW RSAN

RSDMEMODEL RSAN

S_ESH_T_BG TST

S_ESH_T_MT TST

S_ESH_T_PR TST

I found these objects by copying all the classes in table TOBC and filtering out all the records in table TOBJ using exclude values in the field OCLSS. The resulting list is those objects not assigned to a valid object class.

Note that most of this data was SAP delivered.

Hope this helps to answer this Q.

Read only

Go to solution
Former Member
In response to Former Member

‎2011 Aug 28 6:46 AM

0 Likes
3,362

Thank you for sharing your observation!

An object would need at least one field and be assigned to a class - that makes sense

Particularly if they still have active checks in any code, then you should report them to SAP to clean up.

Old thread now assumed closed.

Cheers,

Julius