
Authorization issue while using structural authorization concept.

Former Member
0 Kudos

Hello Experts,

I have created below authorization profile for one sales org.

Now I assigned the user to it and he can open up only that specific organizational unit, edit information inside and add new users in PPOMA.

But when he tries to add an owner to one position inside his org unit, he gets below error message.

Do you know if I am missing some access inside my authorization profile?

Thank you.

Best regards,

Elena

0 Kudos

Hi Elena,

This authorization issue might also be because of access missing in PLOG authorization object.

Because all the access regarding changes in PPOMA check for authorization to PLOG.

Please run a trace and check if the authorization is failing on PLOG.

BR,

Anish

Former Member
0 Kudos

Hi Anish,

I ran an authorization trace and it is not a PLOG authorization issue.
User has the necessary access on that side.

Thank you for the help.

Elena

0 Kudos

Hi,

Well then does the user have access to Relationship Infotype (1001) in P_ORGINCON?

Former Member
0 Kudos

Hello Anish,

It looks like, please check below screenshot:

The thing is that if I assign the same user to authorization profile ALL - which is the standard one from SAP, the same user will then have access to add an owner.
It looks to me that it is somehow related to the access I give in the authorization profile.

I apologize for any misunderstanding from my end, I am not a security person.

Thank you.

Best,
Elena

0 Kudos

Hi,

Firstly, the user should have the relevant entry in OOSB. If the entry is not there, then the PD profile is not mapped to the user. If the above is fine, then you can check whether the authorization to the target user is coming from this PD profile or not. Execute report RHBAUS02 in SE38, keep the threshold as 1 and un-check test, then execute. After the execution, execute another report, RHBAUS00, and mention this test ID there. In the output, the target user's pernr should appear. If this doesn't appear, then we can conclude that the issue is with the PD profile.

Anish

Former Member
0 Kudos

Hello Anish,

I have no entries in table T77UU. This is used to improve the performance in case of big structures.

Therefore running the specified reports won't give me any result.

Do you know any evaluation path that might help me reach the owner?

Thanks.
Elena

0 Kudos

The same evaluation path should be fine as per my knowledge. You can use those 2 reports just to check what objects are coming for this user from this PD profile. It doesn't matter if the T77UU table is maintained or not. Running the first report will maintain it. I was just using these 2 tables to check if this target user is coming in the authorization from this PD profile or not.
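The check discussed above (does the target person appear among the objects a PD profile resolves to?) can be pictured with a small model, added here as an illustration; it is not SAP code and not from any poster in this thread. The object IDs, the two path definitions and the function names are constructed for the example.

```python
from collections import deque

# Constructed sample relationships (infotype 1001 style): (source, relationship, target).
# Keys are "<object type> <id>"; B002, B003 and A008 are the standard O-O, O-S and
# S-P (holder) relationship codes. All IDs are made up.
RELATIONS = [
    ("O 50000001", "B002", "O 50000002"),
    ("O 50000001", "B003", "S 60000001"),
    ("O 50000002", "B003", "S 60000002"),
    ("S 60000001", "A008", "P 00001001"),
    ("S 60000002", "A008", "P 00001002"),
    ("O 50000009", "B003", "S 60000009"),  # a different org unit, outside the root
    ("S 60000009", "A008", "P 00001009"),
]

# Evaluation paths as (source type, relationship, target type) steps.
# The Python names are hypothetical; the second path mirrors the shape of O-S-P.
PATH_ORG_AND_POSITIONS = [("O", "B002", "O"), ("O", "B003", "S")]
PATH_WITH_HOLDERS = PATH_ORG_AND_POSITIONS + [("S", "A008", "P")]

def resolve_profile(root, path, relations=RELATIONS):
    """Return every object reachable from root using only the steps in path."""
    allowed = {root}
    queue = deque([root])
    while queue:
        src = queue.popleft()
        for s, rel, tgt in relations:
            step = (s.split()[0], rel, tgt.split()[0])
            if s == src and step in path and tgt not in allowed:
                allowed.add(tgt)
                queue.append(tgt)
    return allowed

def covers(root, path, obj):
    """True if obj is in the object set the profile resolves to."""
    return obj in resolve_profile(root, path)

if __name__ == "__main__":
    for name, path in [("org+positions", PATH_ORG_AND_POSITIONS),
                       ("with holders", PATH_WITH_HOLDERS)]:
        print(name, sorted(resolve_profile("O 50000001", path)))
    # A person with no relationship into the structure is covered by neither path.
    print(covers("O 50000001", PATH_WITH_HOLDERS, "P 00001003"))
```

In this model a path that stops at positions never yields a person object, and a person who is not yet linked into the structure is not reached by either path.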

Former Member
0 Kudos

This is what I got back from the first report.

0 Kudos

Have you entered "1" in threshold value?

Also, have you checked if the entry for this user exists in OOSB with the relevant PD profile?

kaus19d
Active Contributor
0 Kudos

Hi Elena,

The screen that you have attached is not the correct one. What you can do is run the transaction and, just when it's showing the no authorization area, only then generate this screen, which will show the required authorization area. Anyhow, you can also check the authorization parameters in the user details to see whether the required parameters are assigned for that user.

Thanks,

Kaushik

Former Member
0 Kudos

The default value was 1,000 and I thought those were just decimals, I have now just entered 1.
It got added to the table and then the second report generated the indexes.

In OOSB the user is assigned to the authorization profile.

I still face the same issue even after running the reports.

Former Member
0 Kudos

Hello Kaushik,

I have no access to the screen while the error message pops up on it, so once I have clicked OK on that, I check SU53.
The objects on the user should not be a problem as the user has access to the owners if I assign him to an authorization profile with full access to all objects: ALL.

Best,
Elena

kaus19d
Active Contributor
0 Kudos

Hi,

Yes, using SU53 is the correct way to check for missing authorization, but my suggestion is that when the user faces the error which shows no authorisation on clicking in some field of a t-code, only then open a new session and run SU53. If you do not do it like this, SU53 will show that the last authorization was successful. Anyway, giving full authorisation to any user might also go against your company rules, and if any SPRO changes or any deletion happens via that ID, then that person can literally put the blame on you, saying that he was not trying to delete but somehow deleted. And if some data is deleted, you know the kind of trouble we face in our companies. So I would rather suggest giving the required authorisation only.

Thanks,

Kaushik