
Interpretation of authorization provided

Former Member
0 Kudos

Dear Experts,

I am trying to identify users who have access to specific transaction codes. 


Considering T.Code ME11 (Create Purchase Information Record) as an example, the following are the queries that I have. Kindly advise.

a) Does a user need to have Field "ACTVT" updated as 01 (Create) for ALL the below authorization objects OR would the user be able to create with ANY ONE of the objects ?

| Authorization Object | Authorization Object Text |
|---|---|
| M_EINF_EKG | Purchasing Group in Purchasing Info Record |
| M_EINF_EKO | Purchasing Organization in Purchasing Info Record |
| M_EINF_WRK | Plant in Purchasing Info Record |
| V_KOND_VEA | Condition: Auth. For Use/Appl./Cond.Type/Table |
| V_KONH_EKO | Purchasing Organization in Master Condition |
| V_KONH_VKS | Condition: Authorization For Condition Types |

b) If the Field "ACTVT" is updated as * (Wildcard) - Does this mean that the user has access to all the activities (including create) ?

c) If the user is given access to the above authorization object (Ex. M_EINF_EKG), BUT field (Ex. EKGRP (Purchasing Group)) is not updated, i.e., BLANK, would that mean that the user would not be able to create info record even though he has access to ME11 ?

d) If the respective field (for ex) EKGRP is given a value of * (Wildcard) - Would this mean that the user would have access to all the purchasing groups ?

Appreciate your time for reading this query and your response. Please let me know if I am not clear on my query.

Thanks !

Uday

1 ACCEPTED SOLUTION

yakcinar
Active Contributor
0 Kudos

Hello Uday,

You can run the SU22 transaction to check the authorization object assignments of standard transactions.

In the resulting screenshot below, the SU22 result screen for the ME11 transaction shows which auth objects will be checked with which field values.


In the ME11 program these authorization objects are checked with the AUTHORITY-CHECK function. So if a user wants to use that authority, (s)he needs to have those auth objects with the required field values.


b) Yes, * (star) means all activities are valid for that role for users in that role as well.


c) Yes, you should maintain EKGRP field. You can do that maintaining organizational levels of the role. $EKGRP means it is coming from Org Level.


d) Yes, * means Full access.


I think I understood your question after reading it carefully 3 times.



Regards,

Yuksel AKCINAR

5 REPLIES 5


Former Member
0 Kudos

Thanks Yuksel.  That helps.  Appreciate your time on this.

1. Quick followup question on (c) -


c) If the user is given access to the above authorization object (Ex. M_EINF_EKG), BUT field (Ex. EKGRP (Purchasing Group)) is not updated, i.e., BLANK, would that mean that the user would not be able to create info record even though he has access to ME11 ?

and your answer - c) Yes, you should maintain EKGRP field. You can do that maintaining organizational levels of the role. $EKGRP means it is coming from Org Level.

Just to confirm my understanding, if the field EKGRP is not maintained or blank - the user would not be able to create an info record - am I correct ?

2. Is there any table that can give the details as in SU22, as I do not have access to maintain the authorization defaults ?

Thanks !

Uday

Former Member
0 Kudos

For the second question, did a quick search and understood the relevant tables are USOBT (Relation transaction > authorization object) and USOBX (Check table for table USOBT). Kindly advise if this is correct, and also your advice on the first query.

Thanks !

Uday

yakcinar
Active Contributor
0 Kudos

Hello Uday,

Yes, you can run ME11 but you cannot create records for any EKGRP. You must maintain the field with required EKGRP group.

2. Yes, you can run SE16 for the table AGR_1251.

For criteria if you use object S_TCODE and field TCD (not sure about this. Check it) you can display all roles with assigned transaction list.

You can use any auth object to check.

Be careful about field values. There are LOW and HIGH value fields in the table. That means the value is between LOW and HIGH. E.g.: if object=S_TCODE, FIELD=TCD and LOW=A* and HIGH=M*, then this role is authorized for the transactions from A* to M*.

You can use AGR_USERS for the user-role assignments.

Regards,

Yuksel AKCINAR
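
The audit discussed in this thread, as an added example that is not part of any poster's reply and is not SAP code: it evaluates SE16-style exports of AGR_1251 and AGR_USERS offline to list users who could create an info record through ME11 for a given purchasing group. Role names, user names and all rows are constructed; the matching rules in `covers()` are assumptions of this sketch (blank or `$`-prefixed LOW grants nothing, a trailing `*` is a prefix wildcard, a filled HIGH makes a range).

```python
# Constructed sample rows shaped like SE16 exports (not real system data).
# AGR_1251 columns used here: AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH
AGR_1251 = [
    ("Z_BUYER", "S_TCODE",    "T1", "TCD",   "ME11", ""),
    ("Z_BUYER", "M_EINF_EKG", "A1", "ACTVT", "01",   "03"),
    ("Z_BUYER", "M_EINF_EKG", "A1", "EKGRP", "001",  ""),
    ("Z_ADMIN", "S_TCODE",    "T1", "TCD",   "A*",   "M*"),
    ("Z_ADMIN", "M_EINF_EKG", "A1", "ACTVT", "*",    ""),
    ("Z_ADMIN", "M_EINF_EKG", "A1", "EKGRP", "*",    ""),
    ("Z_EMPTY", "S_TCODE",    "T1", "TCD",   "ME11", ""),
    ("Z_EMPTY", "M_EINF_EKG", "A1", "ACTVT", "01",   ""),
    ("Z_EMPTY", "M_EINF_EKG", "A1", "EKGRP", "",     ""),   # field left blank
    ("Z_SPLIT", "S_TCODE",    "T1", "TCD",   "ME11", ""),
    ("Z_SPLIT", "M_EINF_EKG", "A1", "ACTVT", "03",   ""),   # display, group 001
    ("Z_SPLIT", "M_EINF_EKG", "A1", "EKGRP", "001",  ""),
    ("Z_SPLIT", "M_EINF_EKG", "A2", "ACTVT", "01",   ""),   # create, group 002
    ("Z_SPLIT", "M_EINF_EKG", "A2", "EKGRP", "002",  ""),
]
AGR_USERS = [("Z_BUYER", "ALICE"), ("Z_ADMIN", "BOB"),
             ("Z_EMPTY", "CAROL"), ("Z_SPLIT", "DAVE")]

def covers(low, high, value):
    """True if one LOW/HIGH row covers value (simplified, assumed rules)."""
    if not low or low.startswith("$"):      # blank or unresolved org level
        return False
    if not high:                            # single value or pattern like ME*
        return value.startswith(low[:-1]) if low.endswith("*") else value == low
    lo = low.rstrip("*")
    if high.endswith("*"):                  # range whose upper bound is a prefix
        return lo <= value and value[:len(high) - 1] <= high[:-1]
    return lo <= value <= high

def user_allows(user, obj, needed):
    """needed = {field: value}; every field must match inside ONE authorization."""
    roles = {r for r, u in AGR_USERS if u == user}
    auths = {}
    for agr, o, auth, field, low, high in AGR_1251:
        if agr in roles and o == obj:
            auths.setdefault((agr, auth), []).append((field, low, high))
    return any(all(any(f == fld and covers(lo, hi, val) for f, lo, hi in rows)
                   for fld, val in needed.items())
               for rows in auths.values())

def users_who_can_create(tcode, ekgrp):
    users = sorted({u for _, u in AGR_USERS})
    return [u for u in users
            if user_allows(u, "S_TCODE", {"TCD": tcode})
            and user_allows(u, "M_EINF_EKG", {"ACTVT": "01", "EKGRP": ekgrp})]
```

DAVE is excluded for group 001 because his create activity and group 001 sit in different authorizations (A1 and A2), which a field-by-field search across rows would miss. The sketch reads role data only; directly assigned profiles and AGR_USERS validity dates are not considered.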

Former Member
0 Kudos

Great, that helps.  Appreciate your quick response.