Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Auth Object Issue

Former Member
0 Kudos

I encountered a strange problem today,

On the CRM system a user requested access to a data source from Tcode RSO2, and he mentioned that he had access to it couple of months back.( he had authorization to RSO2 but not to that particular Datasource)

When i tried to query the system to see which roles RSO2 was in i could fine none, i queried the system for profiles with auth object s_tcode and value RSO2, i got a couple of profiles.

when i pulled up one of the Z profiles and tried changing the role the system was not giving me an option to insert this particular auth object( No object exists)

what is more strange is that this auth object exists in Q and not in Dev.

when i say object did not exist i mean, if i try and insert an object manually in a role, the system does not show this particular auth object (S_RO_OSOA)

They are on CRM 2007 and BW 3.5

I started at this client only 4 days back and the gentleman who was incharge of authorizations left before i came in.

can anyone tell me how i should go about investigating this problem?

thankyou

15 REPLIES 15

Former Member
0 Kudos

Hi,

Have you checked the authorisations on the BW side as well?

If the transaction in CRM is accessing data in BW, your user will need authorisations on the BW system as well as on CRM.

Check what the users have on each system. If nothing obvious missing on either side, get someone to help you do an authorisation trace on both systems whilst attempting the function that is giving the issues.

0 Kudos

Thanks chris for the response,

He did have the authorizations in BW, and i also traced to see what he is missing and it clearly mentions S_RO_OSOA - but then if i try and insert that auth object manually i am unable to find it. The system says no object exists/ does not show up on the tree!!

0 Kudos

Guys,

I have tried SU53 and it says it needs auth object S_RO_OSOA, but as i mentioned i am unable to add this particular auth object in the system.

infact i cannot see this auth object in suim or in pfcg--> auth tab --> insert auths.

This authorization is present in QAS.

Do yall think there was some kind of half hearted upgrade -> lol

and why cannot i see replies from others in this forum but can see them in my mailbox?

0 Kudos

seshank

Note 979183 - Authorization check "DataSource in OLTP", S_RO_OSOA

Not sure if this applies to your PI_BASIS level, but it may indeed be a u201Chalf hearted upgradeu201D

Hope this helps.

PJ

0 Kudos

seshank

The following note is also interesting:

Note 981689 - Excluding entire BW system in ROAUTH for extraction

PJ

0 Kudos

> and why cannot i see replies from others in this forum but can see them in my mailbox?

There was a technical problem with the website's caching which took a few hours for the caches to clear. This made new threads look a bit strange for a while.

The problem is now solved though.

Cheers,

Julius

Former Member
0 Kudos

>

> I encountered a strange problem today,

> On the CRM system a user requested access to a data source from Tcode RSO2, and he mentioned that he had access to it couple of months back.( he had authorization to RSO2 but not to that particular Datasource)

>

SUIM changed access for user in the last 2 months.

Research changes (last 2 months) currently assigned security roles for user.

>

> when i pulled up one of the Z profiles and tried changing the role the system was not giving me an option to insert this particular auth object( No object exists)

>

> what is more strange is that this auth object exists in Q and not in Dev.

>

> when i say object did not exist i mean, if i try and insert an object manually in a role, the system does not show this particular auth object (S_RO_OSOA)

> thankyou

That object does not exist in CRM and BW. The following are relevant auth objects for RSO2.

S_ADMI_FCD

S_APPL_LOG

S_CTS_ADMI

S_DATASET

S_DEVELOP

S_DOKU_AUT

S_GUI

S_TABU_CLI

S_TABU_DIS

S_TCODE

S_TRANSLAT

S_TRANSPRT

>

> can anyone tell me how i should go about investigating this problem?

>

> thankyou

Add the transaction on a test role and trace the auth object it requires. Have the user test it for you.

Good Luck!

Edited by: John Navarro on May 19, 2009 7:07 PM

0 Kudos

John,

thanks for the reply, i did check the changes for the user and nothing seems to hav changed in terms of his authorizations.

I am looking at which auth objects the T code pulls if i put it in a role, strangely mine pulls only S_tcode!!!

0 Kudos

>

> John,

> thanks for the reply, i did check the changes for the user and nothing seems to hav changed in terms of his authorizations.

> I am looking at which auth objects the T code pulls if i put it in a role, strangely mine pulls only S_tcode!!!

I'm assuming he has some invalid variant for this tcode.

Login with a user with SAP_ALL (preferable you) in the sandbox and turn ON trace for authorization. Have him walk you through running the transaction. Check the trace and see if it really calls for S_RO_OSOA.

I think you can take it from here.

Regards,

-John N.

0 Kudos

Hi Sehshak,

None of the SAP BW tcodes have maintained relation with this authroization object S_RO_OSOA.

It must be added via manualy while creating SAP role whenver it need in data source authroizations.

I beleive it has been maintained in Authority check statements of the ABAP programms.thats why it is checking while execution.

In BI 7.0 version we have tried to add it manually it is working.

Surprise why it is not working from your side only in Prod?

0 Kudos

Hi,

Please check any one deleted the object S_RO_OSOA from the development system.

While deleting the same a transport request will be created. Kindly check any deletion transport request is created in the development system.

Check the log for the usage of tcode SU21 and any transport requests created and deleted in the development system for this object.

Refer the SAP Note : 979183.

Edited by: Shrinivasan Venkatachalam on May 21, 2009 4:23 PM

0 Kudos

Hari,

RSO2 is a Tcode to maintain Data, and it has to pull the S_RO_XX auth objects.

We are on CRM 2007/BW 3.5 and this case seems to be one of the improper patch application.

or the BW API for CRM has not been installed properly.

Former Member
0 Kudos

seshank

You can have the user run SU53 when u201Cnot authorizedu201D to see what access is missing.

Also, SU24 can be used to see all the objects that are checked for RSO2.

Hope this helps.

PJ

Former Member
0 Kudos

Improper BW api installation on CRM 2007 system.

0 Kudos

Seshank

Thanks for bringing this issue, i have similar issue we are on a dual path system and authorization object S_RO_OSOA exists in one system but not in other system, it does not show up in SU24

were you able to fix this issue ? if so please let me know if any note was applied or what was done

thanks

sri