Hello Ri,
Everytime you change anything in a role profile you have to generate the related profile to that role, otherwise the changes won't affect to the user authorizations. Also, take a look to the Authorization Profile Status, it says 'Profile Comparison needed' which means you have to adjust the role profile.
In case this is a derived role you have to adjust and derive the profile of all the child roles from the father role.
Best regards.
Hi
ML81N is a splendid little transaction with several options in securing it - the user can enter or approve or revoke so tracing as already advised by Martin will help so long as you understand the functionality properly.
Also, check how the config has been set up for one step or two step 'receipts'
Kind regards
David
I don't think this is an authorization issue. I think that the budget entry is posted and therefore cannot be deleted, if you can undo the posted budget entry, then you will be able to delete it.
In the Document Overview window, click on a preposted document to select it. Click on Document on the Menu Bar and then choose Undo. An undone document cannot be recalled. Instead, a new one must be created.
Meta
Hi Brent,
I have re looked at the trace and found what I am looking for, many thanks for the helpful advice
Regards
Debbie
I Would create different roles for the different systems (DEV/TEST and Production).
In some companies, the Development team only has display access in production and if really needed, they use a firefighter procedure to solve any problems in production. In dev/test they have broader roles with development authorizations.
Hope this helps!
Hi Berry,
thank you so much for your answer. Yes this is a requirement for a newly installed SAP system, and also the business needs look to reduce SoD conflicts (not SOX).
Look forward for your thoughts,
Regards,
Rodolfo
following option is not getting highlighted even though the user is having full access. How to highlighted this option any specific auth obj that controls the option. The txt is FMBB
Thanks Varun, it will definetely help. !!
I've found some other roles under:
SAP_BC_*
SAP_BC_DWB_*
Regards,
R
Hello Meta,
thanks for your answer;
I've found this roles that can help;
SAP_BC_DWB_ABAPDEVELOPER ABAP Developer
SAP_BC_DWB_PROJECT_MANAGER Development Project Leader
SAP_BC_DWB_WBDISPLAY ABAP Developer: Display Authorization
maybe you have some others??
Regards,
R
Thank you for your response A.
If possible we'd like to avoid a time consuming process of changing queries that do not prompt the user with a selection screen yet only allow them access to company code or cost centers they are authorized to.
3.5 security allowed this without a prompt screen. Is there any comparable functionality on 7.0?
Thanks again,
Chuck Jines
The SAP_BC_DWB_WBDISPLAY is ABAP display only I think (pls correct me if I'm wrong) and this will give to little authorizations to display in production for them.
We used the display roles in production that we have created per module (FI, MM, et cetera). and assigned them to one composite display role.
The template roles can be a good start for the non production systems, but in our case they where to limited and they needed more authorizations, also for the functional modules. So we ended up creating a new developer composite role that was a combination of the basic ABAPdeveloper role with additional functional roles.
The result is that they have many authorizations in the non production system and additional compensenating controls where needed to minimize the risk. The good thing is that they don't need critical authorizations in the production system and we can monitor the usage of the firefighter use in the production system.
Hi
"I think we have a problem with the date, i think that make this error"
There is something wrong with the role - has it been downloaded/uploaded? If so the deleted again and create more correctly.
Are there custom authorisation objects in the client being loaded to?
Is this role being uploaded from a different system (business) so the fields in SU24 do not match?
Please provide the exact steps which produce this scenario
Kind regards
David
once check in SUIM changes for user id .......
regards
sanath
When I try to run the installer on the SNC client add-on it indicates the add-on is already present (only option is to uninstall).
The trace produces the attached file.
Yes, <SID> and <DOMAIN> contain appropriate values *(which are all caps), but have been redacted out of this log.
Hello folks,
I'm having an authorization-based problem with the ESS/MSS-Teamcalendar WDA-Application which uses the resources of the Internet Graphics Server.
CL_IGS_DATA===================CM006 call function 'PIGFARMDATA' destination rfcdestination exporting type = farm_type tables ddic = m_ddictable data = m_datatable content_descr = m_content_descr content = m_content exceptions communication_failure = 1 message msg_text system_failure = 2 message msg_text.
So.... the data is sent to the pigfarm and the pigs transform it into an interactive graphic that comes back in form of an xstream. "Smart piggies! Oink! Oink!"....
. This process however fails with a communication error "Fehler beim Öffnen einer RFC-Verbindung (CPIC-CALL: 'ThSAPOCMINIT' : cmRc=2 thRc", unless I assign SAP_ALL/SAP_NEW to the enduser. What makes the whole thing exceptionally nerv-wrecking for me is, that I can neither debug nor trace what's happening inside this RFC-FM (so I can't just go for ST01 and see which permissions are missing). I'm not acquainted enough with Security/Authorization stuff to just 'know' what goes wrong here, I always rely on Debugging/ST01, so I'm kind of stuck here...
Bottom line: how or rather with what means do I find out which authorizations are missing here without being able to trace via ST01?
Any help/hints/devastating criticism is welcome and appreciated
Cheers, Lukas
hi
1. If it is derive role All you need to do is to generate the authorization profile and save it.
Come out and you fill find it green.
2. if it is A Master role do push it to all the derive role
regards
sanath
IGS is an exernal server program. So rfcdestination is a type tcp/ip destination.
You can check and trace it in SMGW external security to see whether it is problems with starting or registering the program ID at the gateway.
It is unlikely that pfcg authorizations have anything to do with it, but note that ST01 is application server specific so first turn it on for other servers to see whether a command is being run via call back to a different app server and an application check (s_log_com??) is failing there?
Cheers,
Julius
Add s_rfc or/and s_rfcacl object
sap_all/sap_new does not include this authorisations
In that case there would be a dump in ST22.
Same user context call backs also dont check S_RFC by default.
I place my bets on the application server switch where the IGS is started and s_log_com because of the SAP_ALL working.
Otherwise I would normally have tipped on the SMGW restrictions. Mindlessly asetting param gw/reg_no_conn_info too high is the most common cause of problems there...
Cheers,
Julius
Hi
Hi again, as you have already been asked by many people before - is this a derived role.
Which system - DEV, QA or PRD are you showing in your screen shots. The more RELEVANT information and feedback you provide then the better the responses.
1. SYSTEM which is it:
DEV
QA
PRD
2. Role type:
Single
Derived
Parent (imparting of some kind)
3. Show the steps when trying to correct the problem in screenshots:
In DEV, delete the new role and create it again. OR .... Watch for profile collisions if transporting to QA (where you shouldn't be updating org levels anyway) but is that where the problem is?
4. Or - have you already solved the problem - which was:
Kind regards
David
Message was edited by: David Berry Trying to gather more pertinent info...