Question: If there is a message in SU53 saying "T-DV76526201 Exists in user buffer" for the role T-DV76526201, and then below I would find the list of the transaction codes affected, does that mean that there was an error or is it just an informational message?
Are all messages appearing in SU53 just error messages or even informational messages?
Answer:
SU53 records the last authorisation failure for a user. The first block shows the system's authorisation requirement and the list below shows the authorisations present for that object for a particular user.
Answer:
I have seen the message you are talking about. The SU53 actually states something about an authorization existing in the user buffer but it still fails. I have found this is a throwback to pre-4.5 where the user must log off and back on again and it will usually work then. Give it a shot.
SU53 Authorization Check
SAP Auditor role/authorization
Question: Is there a SAP role for SAP auditor (internal control)? Is there a role to view the Implementation Guide customizing settings?
Answer:
Is there a SAP role for SAP auditor (internal control)? Is there a role to view the Implementation Guide customizing settings?
If you are still looking for the SAP delivered roles like S:A_SHOW etc, then rather go back to doing your accounting on paper.
S_USER_ALL
Question: Hi...
I am about to administrate users and roles on a SAP system. Previously I was always given SAP_ALL, but this time I wanted more adequate access rights. I therefore requested the profile S_USER_ALL (All Authorizations for user and authorization maintenance).
But... only to find out that it did not include any value for TDC (transaction code) or the authorization object S_USER_VAL (which gives access to change values in PFCG).
Anybody with experience in this area?
What profiles/roles are you guys using for user/role administration?
Thanks for any reply.
Answer:
Requirements will depend on your segregation of duties for user and role/profile administration.
We developed our own and did not depend on the SAP provided Roles.
Assign yourself SAP_ALL in a test client, set up a trace and run through your actions to see what auths and values you need.
S_TRANSPRT versus S_CTS_ADMI
Question: We're trying to restrict rights to release transports (DTRA); one role has most activities for S_TRANSPRT but not 43 (release). However, one user with this role managed to release a transport. The same role has S_CTS_ADMI with activity * (all activities); is this effectively "overriding" the restrictions in S_TRANSPRT ?
Can't find any info on this elsewhere... tried SAP, SDN...
thanx...
Answer:
Look into SU24 and SU21 and from there into the documentation; this will give the requested info.
Answer:
The SAP documentation is (as often is the case) very opaque, to say the least. I think we have a decent idea of the relation between these objects, even though we haven't found a clear, logically structured explanation on exactly what are the limitations and interoperability of the two objects. Probably never will...
Answer:
Tronds,
I guess the generic problem here is that values were granted
for the activity field based on the principle "ALL - except (43)".
I advocate the 'need-to-have'.
Check whether activity 75 is in. This allows you to release
other users' objects.
S_TCODE with * Value
Question: Does anyone know the name of the report or how to find non-standard values such as ranges or * in the S_TCODE object? I think there is an SAP report but don't remember what it is.
Answer:
Look at report PFCG_AGRS_WITH_MANUAL_S_TCODE
Also use table AGR_TCODES and look for '*' by setting the selection option to "equals to" rather than blind entry of '*'
S_TCODE Lookup
Question: I need to be able to find all roles that have a TCD value in S_TCODE of *.
How can I do that? Suim's logic seems to give all roles. I need the specific value to be a '*'.
Thanks for your help.
Answer:
Hi bluedevil,
I usually use SE16 on the AGR_1251 table to get what you are looking for...
Be sure to use the '=' single value selection option,
instead of the '[*]' pattern selection option, in the tcode field.
Hope this helps, regards.
_________________
S_TCODE is not in change mode
Question: Hi All,
We are working on 4.7x1.10 SR1.
When we tried to add some transactions in authorization object S_TCODE,
it is showing us only display mode, when it should be in change mode.
Is there any parameter that we need to add in 4.7, or what is the procedure to put S_TCODE in change mode?
Please help me out... thanks in advance.
Answer:
If you are using PFCG then the tcode needs to be added to the MENU, not the authorization. If you are in SU02, profiles created from PFCG cannot be changed in SU02.
s_tcode display only problem
Question: Hi Gurus,
How to allow a user to see only the Area Menu and SAP Menu but not the list of transactions assigned to his role? I tried in 2 ways:
1. I blocked the User menu, which also blocks the Area menu.
2. Deleted the transaction code list from the Menu of the User role and generated the profile. So now in the user menu I cannot see any transactions. It worked.
The problem here is that S_TCODE is in Display mode only, so we cannot add any additional transactions in future. I do not like to uncheck transaction codes in SE97.
Apart from these, are there any other ways to solve this?
Thanks in advance
Pranu
Answer:
Pranu
User menu vs SAP menu and restricting views of transactions have been discussed on this forum many times before. Usually in those discussions the question is asked "Why do you not want users to see transactions they are allowed to use? It does not add to security, so what is the purpose of hiding access?"
The display only status of S_TCODE has been discussed a lot recently too. I'm not going to answer your question here, because the S_TCODE issue and the menu issue could both be answered by you using the search facility.
_________________
Sandi
~~~~
Apparently Father Christmas, the Easter Bunny, the Tooth Fairy and Star Wars aren't real
Answer:
"Why do you not want users to see transactions they are allowed to use? It does not add to security, so what is the purpose of hiding access?"
If you cannot trust your users enough to let them see the transactions they have access to, then your design should be changed to only give them the access that your risk profiling permits.
Security by obscurity is not proper security
S_TCODE check after upgrade to 4.7
Question: With the upgrade to version 4.7, regular transactions do not work the
same way anymore.
Example transaction VL10H on the Tab ‘General Data’ there is column
named OriginDoc. When you click on one of these fields, it calls the
transaction VA03 (in version 4.6C) but now it calls VA02 (in version
4.7).
Why and how can I fix that without giving new roles with transactions
they did not have before and that used to run in the background without
requesting any S_TCODE check?
I have many requests for this kind of problem but for different roles
calling different S_TCODE. If I find a way to fix, one I will know for
all the other roles that call other S_TCODE’s.
Someone told me I could use SE97 to skip the S_TCODE check BUT! What if the
transaction really requires another transaction to work? I do not want to
skip it, otherwise we will have another kind of problem. Or am I wrong?
Please help
Nancy
Answer:
Sorry, I did not find the one I posted yesterday and I thought I did not save it.
Sorry for the duplicate of S_TCODE check after upgrade to 4.7
Nancy
Answer:
Dear Nancy,
In higher releases of SAP they are cleaning up their navigation paths. Upgrading, when your business process used a path which has changed (it became stricter to click on), does not mean that the process is any different.
You can call anything what you want. E.g. You can use SE97 to MAINTAIN the check on the CALLED tcode based on which tcode is CALLING it. But if the user can switch their sy-tcode, then the relationship changes. Take a look at table TCDCOUPLES.
SAP also provides other confusing messages though, which might be the case here. SU53 says "no auth tcode" ? But this may be caused by your having "BACK"ed (the ESC or OK problem) or the abap didn´t react sufficiently to the check and met a second auth fail, but gave you a message from either the one, or the other and a SU53 from the last check failed... i.e. the last one before '/nsu53'... not necessarily the one which gave you a "message" or caused your navigation path to change.
The change of the called transaction you mentioned (i.e. from VA03 -> VA02) may also be having an implication based on an application auth object check at tcode start, and not the tcode itself. Check SE93 for VA02.
For this you need to look beyond the tcode and compensate for SAP´s max-confusion-strategy. SU53, PFCG, ST01 and the SoD tools loitering around SAP are fully integrated into this strategy.
Kind regards,
Verne
Answer:
The only thing I found in the table TCDCOUPLES is an entry for
TCODE CALLED
VL10H VA03
VL10 VA02
But I am really in VL10H and I keep having the message
You are not authorize to use the transaction VA02 !!!
I went in SE97 I created a list of called transactions for VL10H
Do not check VA02
Check Warning VA03
Do I have something else to do after what I did, or when I use the role will everything work without any other configuration?
I really need to know how to configure VL10H to call VA03 instead of VA02. Even with the table TCDCOUPLES or SE97 I am not able to change this setting !!!!
Need help
Nancy
Answer:
You will need to,
1. Call SAP and report the problem, or
2. Search on OSS for a fix
3. Debug the code and see if it is configurable in a table (probably is not, and TCDCOUPLES has nothing to do with what you want. It must be in the code).
Answer:
The last person who called SAP got 335277 - VL10: VA03 instead of VA02 in display of orders
You will need to work together with your developer and application person for the area.
An afterthought: That is also why, when you have outsourced your development work and application consulting, you will need to get yourself a Miles-and-More card and learn at least one exotic foreign language.
S_TCODE
Question: Is there a way to ensure that the values in S_TCODE are only the tcodes assigned to the role thru the menu tree? We are trying to prohibit ranges and the value of * in the S_TCODE object.
Thanks,
Mark
Answer:
You can have a look through table AGR_TCODES, and look for * values. That's the way I usually do it
Answer:
This would have to be a manual process. Analyze the data under AGR_TCODES vs AGR_1251 S_TCODE,TCD.
Answer:
I believe there is a report in SAP that gives you this; the report is PFCG_AGRS_WITH_MANUAL_S_TCODE. You cannot prevent them from doing it, just after the fact detec
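The AGR_1251 versus AGR_TCODES comparison suggested in the answers above (and in the earlier S_TCODE lookup threads), as an added example that is not part of the original posts. It assumes both tables were exported to CSV with the column names shown; the role names and rows are constructed sample data, and treating a non-empty DELETED flag as "inactive" is an assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real system data). The CSV layout and the
# subset of columns are assumptions about how the tables were downloaded.
AGR_1251_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_SALES_DISPLAY,S_TCODE,TCD,VA03,,
Z_SALES_DISPLAY,S_TCODE,TCD,VL10H,,
Z_BASIS_SUPPORT,S_TCODE,TCD,*,,
Z_FI_CLERK,S_TCODE,TCD,FB01,FB09,
Z_FI_CLERK,S_TCODE,TCD,F*,,
Z_HR_ADMIN,S_TCODE,TCD,PA30,,
Z_HR_ADMIN,S_TCODE,TCD,SE16,,
Z_HR_ADMIN,S_TABU_DIS,DICBERCLS,*,,
Z_OLD_ROLE,S_TCODE,TCD,*,,X
"""
AGR_TCODES_CSV = """AGR_NAME,TCODE
Z_SALES_DISPLAY,VA03
Z_SALES_DISPLAY,VL10H
Z_FI_CLERK,FB01
Z_HR_ADMIN,PA30
"""


def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_s_tcode(agr_1251_rows, agr_tcodes_rows):
    """Return sorted (role, finding, low, high) tuples for S_TCODE/TCD values
    that are a full wildcard, a range, a pattern, or absent from the role menu."""
    menu = defaultdict(set)
    for row in agr_tcodes_rows:
        menu[row["AGR_NAME"]].add(row["TCODE"].strip())

    findings = []
    for row in agr_1251_rows:
        if row["OBJECT"] != "S_TCODE" or row["FIELD"] != "TCD":
            continue                      # other objects are out of scope here
        if row["DELETED"].strip():
            continue                      # assumption: flagged rows are inactive
        role = row["AGR_NAME"]
        low, high = row["LOW"].strip(), row["HIGH"].strip()
        if low == "*":                    # literal comparison, not a pattern match
            kind = "FULL_WILDCARD"
        elif high:
            kind = "RANGE"
        elif "*" in low:
            kind = "PATTERN"
        elif low not in menu[role]:
            kind = "NOT_IN_MENU"          # manual value with no menu entry
        else:
            continue
        findings.append((role, kind, low, high))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_s_tcode(load(AGR_1251_CSV), load(AGR_TCODES_CSV)):
        print(*finding)
```

The literal `low == "*"` test is the scripted equivalent of choosing the "equals" selection option in SE16, so an asterisk is matched as a value rather than expanded as a pattern.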
S_TABU_LIN set up as organizational level
Question: Hello,
I have started to look at the use of S_TABU_LIN to restrict table record maintenance on BUKRS, KOKRS, WERKS and EKORG. What I want is to be able to set these restrictions as organizational levels as we are using template roles which by inheritance will be used at about 200 different companies.
Has anyone tried this ?
Is it possible or not ?
Answer:
You can create orglevels using the report SAP provides (PFCG_ORGFIELD_CREATE). Note BUKRS already is an orglevel. So test it before you go too far and read the results of the test results closely before you implement.
Answer:
This is not possible. It would mean 2 fields as OrgLevel:
First defining the field OrgCriteria definition as organizational level, and supplementary to that the needed values.
Both fields are in the object S_TABU_LIN. How would the system know which value belongs to which OrgCrit?
S_TABU_LIN
Question: Hi everyone
I am currently trying to test the limitations of the restrictions that can be enforced by using object S_TABU_LIN; this allows users to only see particular rows of a table depending on the restrictions in place.
I am having problems when testing this, as I do not know many table names or what fields lie in what tables - can anyone suggest the values that should sit in S_TABU_LIN and the table/s this relates to?
I don't mind what it does or doesn't let me see because at the moment it's simply for testing, I just want it to produce an authorisation error so I can see it working and work from that.
Answer:
Also, does the role have to have access to the authorisation group (in S_TABU_DIS) in which the table lies? For example, if you are trying to restrict seeing parts of HR master data in S_TABU_LIN, would you need authorisation group PA in S_TABU_DIS?
Creating New Organizational Levels
Question: We are creating derived roles, a master role with individual derived roles.
As we know the only values that don't get pushed down are the org. values.
However we are controlling on values that are not org levels. So I would like to make them org levels, for instance company code.
I know you can create org levels in SE38 with PFCG_ORGFIELD_CREATE.
However if you do this will it make company code an org value in every role that it exists?
If so do we have to go into every role or will a value be populated automatically from the role itself?
Is it possible to pick and choose which role you want the new org levels to adhere to?
Any help would be greatly appreciated!!!
Thanks!
Answer:
I know you can create org levels in SE38 with PFCG_ORGFIELD_CREATE.
However if you do this will it make company code an org value in every role that it exists?
Yes
If so do we have to go into every role or will a value be populated automatically from the role itself?
IIRC Values in the fields will become populated as org levels without any further action required from you
Is it possible to pick and choose which role you want the new org levels to adhere to?
No. This is the downside to creating org levels. You can force individual fields in roles to ignore org level behaviour but this is on a role by role basis and not practical to maintain. If you find yourself needing to do this then your design does not suit creating additional org levels.
Answer:
If you create an org level from a field you have already used you may not get the desired results. If you have mixed values in different authorizations where they need to be discrete for different objects, the creation of the org level will combine ALL the values into all the authorizations. So be careful and analyse the results of the report BEFORE committing the results.
Answer:
Test mode
Create org level field KOSTL
Update authorization value proposals (SU24 data)
Conflicts (manual follow-up needed)
Values collected in role: SAP_CA_CL_MAINTAIN
Original values:
Authorization object  Authorization  Values
I_KOSTL T_P092043200
New org level values:
*
Values collected in role: SAP_ESSUSER
Original values:
Authorization object  Authorization  Values
P_TRAVL T_8000022406
P_TRAVL T_8000022407 *
New org level values:
*
Values collected in role: SAP_HR_REPORTING
Original values:
Authorization object  Authorization  Values
P_TRAVL T_P092020100 *
New org level values:
*
01
Thanks so much for your help!!!
Answer:
Looking at my last reply, I didn't get the entire message in.
What is in the last reply is the report that you run PFCG_ORGFIELDS_CREATE, and the results that I get.
My question is why does it say (manual follow up needed) for some of the roles.
All roles affected are at the end of the report. But it lists out conflicts above the list.
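A pre-check for the effect described in this thread, where promoting a field to an org level combines all of a role's values for that field into every authorization that carries it. This is an added example, not SAP's report logic and not code from the posts; the role names, authorization names and values are constructed, and the five-column row layout is an assumption.

```python
from collections import defaultdict

# Constructed sample data (not from a real system):
# (role, authorization object, authorization name, field, value)
ROWS = [
    ("Z_CC_MAINT", "I_KOSTL", "T_Z000000100", "KOSTL", "1000"),
    ("Z_CC_MAINT", "I_KOSTL", "T_Z000000100", "ACTVT", "03"),
    ("Z_CC_MAINT", "P_TRAVL", "T_Z000000200", "KOSTL", "*"),
    ("Z_TRAVEL",   "P_TRAVL", "T_Z000000300", "KOSTL", "2000"),
    ("Z_TRAVEL",   "P_TRAVL", "T_Z000000301", "KOSTL", "3000"),
    ("Z_CLEAN",    "I_KOSTL", "T_Z000000400", "KOSTL", "4000"),
    ("Z_CLEAN",    "P_TRAVL", "T_Z000000401", "KOSTL", "4000"),
]


def simulate_orglevel(rows, field):
    """Model the merge described in the thread: after promotion, every
    authorization in a role carries the union of that role's values for
    `field`. Returns (role, object, auth, before, gained) tuples for each
    authorization that would end up with values it did not have before."""
    per_auth = defaultdict(set)   # (role, object, auth) -> values of field
    per_role = defaultdict(set)   # role -> union of all values of field
    for role, obj, auth, fld, value in rows:
        if fld != field:
            continue
        per_auth[(role, obj, auth)].add(value)
        per_role[role].add(value)

    conflicts = []
    for (role, obj, auth), before in sorted(per_auth.items()):
        if "*" in before:
            continue              # already unrestricted, nothing to gain
        gained = per_role[role] - before
        if gained:
            conflicts.append(
                (role, obj, auth, tuple(sorted(before)), tuple(sorted(gained)))
            )
    return conflicts


if __name__ == "__main__":
    for role, obj, auth, before, gained in simulate_orglevel(ROWS, "KOSTL"):
        print(f"{role} {obj} {auth}: had {before}, would gain {gained}")
```

Roles that show up here are the ones whose authorizations were deliberately kept distinct per object, which is the case the answers warn about before running the report in change mode.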
Creating new authorization object
Question: Hi all,
Is it possible to create a new authorization object, fields for that and the values? If yes, please guide me regarding the same.
_________________
Regards,
Sailesh K
Answer:
A new authorisation object can be created using transaction SU21 and fields for that can be created in SU20. You need to assign a class for the authorisation object.
Creating customizing authorization objects
Question: Hi
I am new to SAP security. Can anybody explain how to create customizing authorization objects? I know we can create them through SU21. Can anybody explain briefly?
Answer:
Read the documentation in SU21.
Note: First look for an appropriate SAP standard object before you create deviations from the standard.
Creating Authorization profile
Question: Hi,
We normally use Role (PFCG) and authorization profiles are generated automatically.
I need to create an Authorization profile in 3.1h. Both simple and Composite.
Can anyone guide me how to do it?
Is it through SU02? What has to be added in Object? And in Authorization?
Thanks.
Answer:
You create and modify Authorization roles in SU02. The values assigned to each authorization object must be determined by members of each business unit. Either that or you assign no values to any of the parameters and let the users test each transaction assigned to the role and determine the different org levels and parameters through testing. It is a long process; however, if the business cannot help you define the roles it is the only other way to do it.
Answer:
And I assume you will need to create custom authorisations as well. That is done through SU03.
creating authorization levels
Question: hello,
I found a note that names a report that needs to be run so that I can
change a field and make it organizational level (done it). But when I look at that field within a certain object in PFCG, it's still yellow like before, and I can't find it under the button "organizational level"... do I have to somehow generate my new organizational level field? And in that case how, because SU24 and others are just for transactions.
grateful for some help
//Vinnie
Answer:
1. Did you run the reports in test mode and not change mode?
2. Are you relying on the text name or the technical value of the field? The program PFCG_ORGFIELD_CREATE uses the technical name and there are several fields that look the same in text but are not technically; Company code and Company come to mind.
Note that if you create the org level and then decide to remove it there is a bug in the PFCG_ORGFIELD_DELETE program that corrupts the SU24 entries that the customer adds that are not in the SAP source table. You will have to correct these manually.
Answer:
Hello,
I managed to create an organizational level object running the report. But normally when you see standard organizational levels they appear red until they are filled in. When I look in the object containing the field I changed, and add it to a role, it's still yellow. That is my problem, it doesn't really change and it does not show under the button organizational level. So what do I have to do to see it there, and also to see the field red in the object?
thank you in advance
Vincent
_________________
6 years' experience. Prepared to work all over the globe, but so far Sweden and Denmark. Speak English, Swedish, Finnish and Spanish fluently.
Answer:
Was the object added by you in SU24 or was it SAP delivered? Go to SU24 and remove the object from the tcode that is bringing it in and re-add it and see if it corrects itself.
Answer:
the object I used is ygo_sec_op and is not connected to any tcode......I checked that too..............more ideas please......maybe we can solve this:)
//Vincent
_________________
6 years' experience. Prepared to work all over the globe, but so far Sweden and Denmark. Speak English, Swedish, Finnish and Spanish fluently.
Answer:
ygo_sec_op? The "Y" implies a customer developed object. The report that creates the org level manipulates the customer table in SU24 and then changes AGR_1251, but if your ygo_sec_op was not changed then the code may ignore MANUALLY inserted objects (highly possible I did not pay attention to this part of the code). So it may be working as designed.
The best practice is to tie all required objects to a tcode and configure it in SU24 with the most restrictive access (usually view if the tcode has to be shared between change and view) and then you ADD manual authorization to increase access with the proviso that you have a standard to support its inclusion in the role. If you have a manual (there are some exceptions) without a standard, this would indicate to you that the tcode needing the access has been removed and the MANUAL should also be removed.
Try removing the object from the role, exit PFCG entirely and re-open the role and add it back (the exit entirely may not be needed in all cases).
Answer:
Thanks for your input, stupid me playing with y fields.
It works fine for the standard fields, but not for the customized ones, at least it seems like. Just like you said.
thanks for your help
cheers
Vincent
_________________
6 years' experience. Prepared to work all over the globe, but so far Sweden and Denmark. Speak English, Swedish, Finnish and Spanish fluently.
Answer:
Custom Fields or Objects? You can add the fields in the table and link your custom field to an SAP variable. Table USorg is the link between Field and variable in table USVAR. If you add a USVAR then you MUST transport table USVART to get it to work in the other systems (you should take USVAR as well).
Did removing the object and re-adding help or is it truly a 'Y' object and new fields?
Creating an auth group and assigning a table
Question: How do I create a new auth group and assign a table to this group in S_TABU_DIS?
Answer:
Tcode SUCU, The "group" does not have to exist but you can create one in SE54
Create authorization object
Question: Hello,
I need to restrict access for a specific field of a table.
Can you tell me how to know the authorization object linked to this field AND how to create an auth. object?
Thanks.
Answer:
There is no easy way doing this. Auth Object(s) for standard tables are S_TABU_DIS, S_TABU_CLI. You can use this to restrict access to display only or client specific tables. However if that requirement is mandatory you need to create a custom t.code to display table restricting the field.
Answer:
What do you mean by the statement "restrict specific field of a table?"
Can you be a bit more specific in your problem?
_________________
Regards
Vijay
Answer:
One option could be S_TABU_LIN, but I think you are better off with a custom transaction
Answer:
Exact.
We find a solution by creating a specific transaction.
What is an Authorisation Object?
An Authorisation Object is a structured group of Authorisation Fields that can be populated with Authorisation Values