Alternatively, maybe the user has another P_PERNR authorization for IT 0316 where PSIGN is "*" (overriding the one where it's "E").
You may also want to check the AUTHC field of that P_PERNR authorization. The authorization for approving is "E" and not "W" if I'm not mistaken.
Good luck,
Brent
That is why we require a short summary of given authorizations to the user: P_ORGIN(CON//XX/XXCON) / P_PERNR values of the whole objects and the trace. Any further debug else than the main switches is (sadly) only a wild guess of the cause, but could lead to a solution.
Hello,
We are facing a strange issue. We have some sales orders. When user is trying to Access VA02 and modify a contract, We are getting an error as "No authorization to change this sales document". We could change some sales orders. We have observed two things here,
A) if a sales order has items in it,--> "No authorization to changes this sales document"
B) if a sales orders has no items in it --> "No problem with the authorization, we can modify the order".
Document type used for this sales order is ZC02. We have given ZC02 in role and 01,02,03,43,C1 and C2 activities in the roles along with proper Org values. still we are not able to open the sales order with change mode.
Could you please help me resolve this issue??
Hi,
From the security Perspective it is advisable to give full access of one module to any user ID.
we need to create new roles according to the business requirement and add those roles to particular user ID.
Regards
Venkat
Have you run SU53? What does it say is the problem?
Steve.
Yes Steve, i had run SU53 it says that the object Z_REPT_DEV and activity 99 is missing. We have even tried giving this object and activity. Still it does not work.
That is a custom authorization object and not a standard SAP one, right? My guess, in that case, is that the code that implements that auth object, presumably in a user exit or BAdI in VA02, is incorrect. That must be your code - time to speak to the person that wrote it?
Steve.
sapnote - 312682 - has been very helpful with this issue. Regards, Shivraj
Dear All
We were able to solve this issue , by using Enhancement for tcodes where Sales Office is used (i.e va01 , va02 , va03 , va21 , va22 , va23).
You have to check auth object for Sales Office (V_VBKA_VKO) in enhancement and manually add this object in PFCG Role for all the users where required.
Regards
Urvish
Hi Shruthi,
After removing the roles in CUA system, please run Distribution on the errors in SCUL. If it still shows as errors, then you might have not removed exceeded roles from the user, so remove more role assignments from user in CUA.
If the above tip does not work, then go to the child system and check the Inbound errors in BD87. If there are any errors please re-process them, so that it should solve the problem.
Thanks
Sridhar
Hi Julius,
Thanks for the detailed explanation.
I have one doubt over STEP 3 of SU25 where I need your expert views.(EHP 4.0 to EHP 6 ECC 6)
We have performed the SU25 steps(Only 2A,2B and 2C) and follow below approach:
1. After running above steps we make changes in role manually and capture them in TR.
2. Changed SU24 manually and stor ethem in TR.
3.Move SU24 Tr and Role Tr in quality.
Question is we did not move Step 3 transports and testing is completed in quality is it wise to move Step 3 transports and sync Quality and Dev. now or it will create Impact which required tetsing?
Hi Ajay,
You have to create the sap logon pad entry with SNC enabled. So please follow below steps to create the system entry with SNC, so that you it won't ask for user name/password when you try login from GUI.
- Create a New System entry with Connection type 'Group/Server selection'
- Input only 'Description' , 'System id' & 'Message server', then after you press TAB key, the 'Group server' & 'Instance comes.
-Then click Next and keep a tick mark on 'SNC Enable'. Save it and try login now.
Thanks
Sridhar
Hello
Please check below URL for User Import Format:
Regards,
Tapan Goyal
Now isn't a good time to sync them up while they are in Quality
Hi Experts,
We need to withdraw authorization to do revoke teco from all end users. Please see the below image. I want to stop users to do revoke technical
completion. what is the authorization object for it? Please help me.
Asad
Unfortunately, it does not contain start and end dates. 
Thanks for the help though.
Hi Donald,
If the user having validity expired role in his user master SU01, then the expired role can be seen under 'Role' tab in SU01 with 'Valid to' date, but the role relevant profile will be removed from user at the time of role expiration date.
So when you search for users based roles (Case 1), the SUIM lists all users who are assigned to that particular role, irrespective of expired role assignments. So in Case 1, please follow below step for accurate results.
1. (Case 1) SUIM -> User -> Users by Complex Selection Criteria -> by Role (either specify ZCR or ZSR) the result is:
UserA
UserB
2. Then select all users in SUIM output (UserA & UserB), and click on 'In Accordance with Selection' button. So that you can see the users and the (ZCR) ZSR role 'Valid to' (End Date) date for each user.
By doing second step here, you will get the accurate results. This is how the SUIM works.
Thanks
Sridhar
>point begging removed by Moderator - last warning!<
Hi,
the behaviour should be as is described in note #642359. I suggest to recheck the values you have in s_user_val-auth-fields...
b.rgds, Bernhard
Thanks Angela... I'll try this.
Hi All,
I have a query. I am working on security based product where in our current functionality role is assigned to user based on position.
EX:
Current Scenario:
role1, role2, role3, role4 are assign to position P1.
and that position P1 is assign to USER so USER is able to have those roles.
Now, Required functionality is:
Every position has one HRPOSITION maintained in our product. so now all roles should assign to user based on HRPOSITION.
********************************************************
My colleague is saying, To achieve this, we have a BAPI. I got some word as hint for that BAPI which is : HR*INITIAL*DATA*. It can be in any combination.
I tried to find in se37, even did goggling but couldn't succeed.
This is what I got as requirement. May be, I am not understanding the requirement or understanding but not able to get the desire output.
Please help. Thanks in advance