05-19-2009 4:26 AM
I encountered a strange problem today.
On the CRM system a user requested access to a data source from Tcode RSO2, and he mentioned that he had access to it a couple of months back (he had authorization to RSO2 but not to that particular DataSource).
When I tried to query the system to see which roles RSO2 was in I could find none. I queried the system for profiles with auth object S_TCODE and value RSO2, and I got a couple of profiles.
When I pulled up one of the Z profiles and tried changing the role, the system was not giving me an option to insert this particular auth object (No object exists).
What is more strange is that this auth object exists in Q and not in Dev.
When I say the object did not exist I mean, if I try and insert an object manually in a role, the system does not show this particular auth object (S_RO_OSOA).
They are on CRM 2007 and BW 3.5.
I started at this client only 4 days back and the gentleman who was in charge of authorizations left before I came in.
Can anyone tell me how I should go about investigating this problem?
Thank you
05-19-2009 9:38 AM
Hi,
Have you checked the authorisations on the BW side as well?
If the transaction in CRM is accessing data in BW, your user will need authorisations on the BW system as well as on CRM.
Check what the users have on each system. If nothing obvious missing on either side, get someone to help you do an authorisation trace on both systems whilst attempting the function that is giving the issues.
05-19-2009 2:29 PM
Thanks Chris for the response,
He did have the authorizations in BW, and I also traced to see what he is missing and it clearly mentions S_RO_OSOA - but then if I try and insert that auth object manually I am unable to find it. The system says no object exists / it does not show up on the tree!!
05-19-2009 8:18 PM
Guys,
I have tried SU53 and it says it needs auth object S_RO_OSOA, but as I mentioned I am unable to add this particular auth object in the system.
In fact I cannot see this auth object in SUIM or in PFCG --> auth tab --> insert auths.
This authorization is present in QAS.
Do y'all think there was some kind of half-hearted upgrade -> lol
And why can't I see replies from others in this forum but can see them in my mailbox?
05-21-2009 3:50 PM
seshank
Note 979183 - Authorization check "DataSource in OLTP", S_RO_OSOA
Not sure if this applies to your PI_BASIS level, but it may indeed be a "half hearted upgrade".
Hope this helps.
PJ
05-21-2009 3:52 PM
seshank
The following note is also interesting:
Note 981689 - Excluding entire BW system in ROAUTH for extraction
PJ
05-23-2009 10:06 AM
> And why can't I see replies from others in this forum but can see them in my mailbox?
There was a technical problem with the website's caching which took a few hours for the caches to clear. This made new threads look a bit strange for a while.
The problem is now solved though.
Cheers,
Julius
05-19-2009 6:04 PM
>
> I encountered a strange problem today.
> On the CRM system a user requested access to a data source from Tcode RSO2, and he mentioned that he had access to it a couple of months back (he had authorization to RSO2 but not to that particular DataSource).
>
SUIM changed access for user in the last 2 months.
Research changes (last 2 months) currently assigned security roles for user.
>
> When I pulled up one of the Z profiles and tried changing the role, the system was not giving me an option to insert this particular auth object (No object exists).
>
> What is more strange is that this auth object exists in Q and not in Dev.
>
> When I say the object did not exist I mean, if I try and insert an object manually in a role, the system does not show this particular auth object (S_RO_OSOA).
> Thank you
That object does not exist in CRM and BW. The following are relevant auth objects for RSO2.
S_ADMI_FCD
S_APPL_LOG
S_CTS_ADMI
S_DATASET
S_DEVELOP
S_DOKU_AUT
S_GUI
S_TABU_CLI
S_TABU_DIS
S_TCODE
S_TRANSLAT
S_TRANSPRT
>
> Can anyone tell me how I should go about investigating this problem?
>
> Thank you
Add the transaction on a test role and trace the auth object it requires. Have the user test it for you.
Good Luck!
Edited by: John Navarro on May 19, 2009 7:07 PM
05-19-2009 8:53 PM
John,
Thanks for the reply. I did check the changes for the user and nothing seems to have changed in terms of his authorizations.
I am looking at which auth objects the Tcode pulls if I put it in a role; strangely mine pulls only S_TCODE!!!
05-20-2009 3:54 PM
>
> John,
> Thanks for the reply. I did check the changes for the user and nothing seems to have changed in terms of his authorizations.
> I am looking at which auth objects the Tcode pulls if I put it in a role; strangely mine pulls only S_TCODE!!!
I'm assuming he has some invalid variant for this tcode.
Log in with a user with SAP_ALL (preferably you) in the sandbox and turn ON the trace for authorization. Have him walk you through running the transaction. Check the trace and see if it really calls for S_RO_OSOA.
I think you can take it from here.
Regards,
-John N.
05-21-2009 11:00 AM
Hi Seshank,
None of the SAP BW tcodes have a maintained relation with this authorization object S_RO_OSOA.
It must be added manually while creating the SAP role whenever it is needed in data source authorizations.
I believe it has been maintained in the authority check statements of the ABAP programs. That's why it is checked during execution.
In BI 7.0 we tried to add it manually and it is working.
Surprising, why is it not working on your side only in Prod?
05-21-2009 3:05 PM
Hi,
Please check whether anyone deleted the object S_RO_OSOA from the development system.
While deleting it, a transport request will be created. Kindly check whether any deletion transport request was created in the development system.
Check the log for the usage of tcode SU21 and any transport requests created and deleted in the development system for this object.
Refer to SAP Note 979183.
Edited by: Shrinivasan Venkatachalam on May 21, 2009 4:23 PM
05-21-2009 8:04 PM
Hari,
RSO2 is a Tcode to maintain Data, and it has to pull the S_RO_XX auth objects.
We are on CRM 2007/BW 3.5 and this seems to be a case of improper patch application, or the BW API for CRM has not been installed properly.
05-19-2009 8:09 PM
seshank
You can have the user run SU53 when "not authorized" to see what access is missing.
Also, SU24 can be used to see all the objects that are checked for RSO2.
Hope this helps.
PJ
07-28-2009 10:02 PM
Seshank
Thanks for bringing up this issue. I have a similar issue: we are on a dual path system and authorization object S_RO_OSOA exists in one system but not in the other system; it does not show up in SU24.
Were you able to fix this issue? If so please let me know if any note was applied or what was done.
Thanks
sri