on 07-29-2008 1:33 AM
In SAP, there is a provision where we can create the authorization key and assign this key to the various user statuses in the user status profile.
The application is that when the user status is changed from one to other and if to the user status, the authorisation key is assigned then the authorised person should be only able to change the status.
But my query is that i have not come across any customization where a SAP user can be assigned to the auth. key so that he can only change the user status.
Can anybody let me know that whatever i understood, is it correct? And if yes, let me know where to assign the user to the authorisation key?
Thanks
Hi Raghunandan Iyer ,
In cutomerisation u can provide authorisation object like which will be useful in your PFCG role & autoriationconcept for tightning the roles & authorisation as per business requirment.
Until u dont customerise it u can not get it in the PFCG Activity.
Ramesh
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Iyer
Whenever a user status is set or deleted, the user's authorization to do so is checked. The status profile, the object type and the authorization key for the user status concerned are checked.
If, for example, you want to ensure that certain user statuses can be changed only by people in a particular group, you assign all those user statuses an authorization key.
Then use authorization object B_USERSTAT to give authorizations for those authorization keys.
The authorization object hence links the user with the authorization key.
Regards
Anil Kumar
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Iyer,
Authorization object is assigned to user . Now for the combination of authorization object- b_userstat and user assign authorization ( say ZAPPROVER). See table- USRFB2
Now fot this authorization (ZAPPROVER) assign authorization values(userstatus profile which you have defined. since authorization key is defined in userstatus profile this inturn get assigned to user)
See table-USR12
Regards
Anil Kumar
Anil,
Thanks for the information. But can you guide me with the transaction code in SAP to find the authorisation object and the transaction code in SAP to assign the authorisation object to the user and then this combination of authorization object and user to the authorisation key.
I am aware about how to create the authorisation key and assign it to user status in user status profile.
Request you to let me know in details. Apart from the user statuses, can you tell me about the application of authorisation key in plant maintenance?
Thanks
Hi Iyer ,
Please see the below,if it solves your requirement
M/CS Autorisation Objects
SAP Standard Authorisation Objects:
I_ALM_ME: Mobile Asset Management (ACTVT)
I_AUART: Order Type (IWERK, AUFART)
I_BEGRP: Authorization Group (TCD, BEGRP)
I_BETRVORG: Business Operation (BETRVORG)
I_CCM_ACT: Configuration Control authorization object (CCACT, ACTVT)
I_CCM_STRC: Structure gap maintenance authority (ACTVT)
I_ILOA: Change location and accounting data in order (IWERK, AUFART)
I_INGRP: Maintenance Planner Group (TCD, IWERK, INGRP)
I_IWERK: Maintenance Planning Plant (TCD, IWERK)
I_KOSTL: Cost Centres (TCD, KOKRS, KOSTL)
I_QMEL: Notification Types (TCD, QMART)
I_ROUT: Task List (ACTVT)
I_ROUT1: Task Lists by PM Planning Plant, Work Sched., Status (TCD, IWERK, VAGRP, STATU)
I_SOGEN: Permit (SWERK, PMSOG)
I_SWERK: Maintenance Plant (TCD, SWERK)
I_TCODE: Transaction Code (TCD)
I_VORG_MEL: Business Operation for Notifications (QMART, BETRVORG)
I_VORG_MP: Business Operation for Maintenance Planning (MPTYP, BETRVORG)
I_VORG_ORD: Business Operation for Orders (AUFART, BETRVORG)
I_WPS_MEB: Maintenance Event Builder (DIWPSMEBAR)
I_WPS_REV: Revision authorization object (REVTY, ARBPL, WERKS, WPS_REV_AC)
S_NUMBER: Number Range Maintenance (NROBJ, ACTVT)
C_TCLA_BKA: Authorization for Class Types (KLART)
*Authorisation Tables:*
TOBJ: Authorisation objects
TOBJT: Authorisation object texts
AGR_1250: Authorisation object assigned to role
AGR_USERS: Users assigned to a role
AGR_TCODES: Assignment of roles to Tcodes
Authorisation Objects for System-Statuses:
Order: I_VORG_ORD (AUFART, BETRVORG)
(REL = BFRE, TECO = BTAB, delete component = RMKL)
Notification: I_VORG_MEL (QMART, BETRVORG (NOPR = PMM2, NOCO = PMM4))
Maint. plan: I_VORG_MP (MPTYP, BETRVORG)
User-Exits:
CPAU0001: Enhancement for Authorization Check in Task Lists
IMRC0005: Measure point: Exit in AUTHORITY_CHECK_IMPT
IWOC0003: PM/SM authorization check of ref. object and planner group
QQMA0026: PM/SM: Auth. check when accessing notification transaction
QQMA0030: Check validity of status change
BADIs:
DIP_SET_USERSETTINGS: Initial Object Check in DP Processor
INST_AUTHORITY_CHECK: PM/CS Enhanced Authorization Checks
IWO1_ORDER_BADI: Maintenance, Service, and Refurbishment Order
NOTIF_AUTHORITY_01: Additional Authorization Checks for the Notification
WORKORDER_GOODSMVT: PM/PP/PS/PI orders: auto. goods movement
Authorisation Groups:
These can be created via TCode SM30 and table T370B. They can then be assigned to the following objects:
a. Equipment (IE02)
b. Functional Locations (IL02)
c. Maintenance plans (IP02)
d. Entry List for Measurement Documents (IK32)
e. Object links (IN05, IN08)
f. User-statuses
Authorisation Debugging:
TCode SU53: Evaluate Authorization Check
Hello Raghu,
This is done by Basis users who defines the roles in the system & assigns those roles to users. Every transaction where you set/change user status has Auth objects . Basis persons defines the Auth objects values as required. One of the Auth object is for field ,Auth key -->one you defined using the node for Auth key.If you dont defined the Auth key value, the Auth object value is kept blank..
Hope this helped..
Thanks
Vinay
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
108 | |
12 | |
11 | |
6 | |
5 | |
4 | |
3 | |
3 | |
3 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.