Authorization issue while using structural authorization concept.

Former Member
0 Kudos

Hello Experts,

I have created below authorization profile for one sales org.

Now I assigned the user to it and he can open up only that specific organizational unit, edit information inside and add new users in PPOMA.

But when he tries to add an owner to one position inside his org unit, he gets below error message.

Do you know if I am missing some access inside my authorization profile?

Thank you.

Best regards,

Elena

Accepted Solutions (1)

Former Member
0 Kudos

Looks like the profile contains the evaluation path OOSP, which is not sufficient for the owner since its object type is BP. So search for an evaluation path that includes access to Business partners & add this to your authorization profile.

Former Member
0 Kudos

Hello Tania,

Thank you for the suggestion, unfortunately I don't have that much knowledge in regards to these evaluation paths.
Do you know one that provides both access to org units and BPs?

Your help is much appreciated.

Elena

Former Member
0 Kudos

I haven't worked with BPs, but you can try this:

1) Through SM30, check the table T77UA to confirm which structural authorization profile is assigned to the user. You can skip this step if you have already verified this.

2) Edit that auth.profile (T77PQ). Assuming it is ORG_90 as in your screenshot, you can add another row in the same profile:

a) Copy the current row & keep all entries the same except Evaluation path.

b) To see the list of possible evaluation paths which will allow access to the Business partner object, hit F4 in the Eval path field in the newly added row.

c) Enter From object type O, via object type S, and To object type BP.

d) The system will then give you the list of evaluation paths that meet your requirement. You can randomly assign one from this list & see if it solves your problem. If it doesn't, try another & so on.

You can try CACS_CDT and then CACS_GP to begin with.

Former Member
0 Kudos

Hello Tania,

Thank you for all the helpful answers.

It looks like the object which was missing was actually CP.

I have added below additional entry and user can now also add an owner to the positions.

All your indications led me in the right direction.

Have a productive week!

Best regards,

Elena
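
A simplified model of why the extra profile row was needed, added here as an illustration (not code from the thread or from SAP): each row of a structural profile pairs a root object with an evaluation path, and only objects reachable along that path are authorized. The object IDs, the path names `EX_O_S_P` and `EX_O_S_CP`, and the relationship steps are constructed for this example.

```python
from collections import deque

# Constructed sample structure: (source, relationship, target), IDs are "TYPE:id".
RELATIONS = [
    ("O:50000001", "B003", "S:50000010"),   # org unit incorporates position
    ("O:50000001", "B002", "O:50000002"),   # subordinate org unit
    ("O:50000002", "B003", "S:50000020"),
    ("S:50000010", "A008", "P:00001000"),   # holder recorded as employee
    ("S:50000010", "A008", "CP:60000001"),  # holder recorded as central person
    ("O:50000099", "B003", "S:50000090"),   # a different sales org, out of scope
]

# Hypothetical evaluation paths: the (from type, relationship, to type) steps each allows.
EVAL_PATHS = {
    "EX_O_S_P":  {("O", "B002", "O"), ("O", "B003", "S"), ("S", "A008", "P")},
    "EX_O_S_CP": {("O", "B002", "O"), ("O", "B003", "S"), ("S", "A008", "CP")},
}

def otype(obj):
    return obj.split(":")[0]

def reachable(root, path_name):
    """Objects reached from root using only the steps the evaluation path allows."""
    steps = EVAL_PATHS[path_name]
    seen, queue = {root}, deque([root])
    while queue:
        cur = queue.popleft()
        for src, rel, dst in RELATIONS:
            if src == cur and dst not in seen and (otype(src), rel, otype(dst)) in steps:
                seen.add(dst)
                queue.append(dst)
    return seen

def authorized_objects(profile_rows):
    """A profile authorizes the union of what each (root, evaluation path) row reaches."""
    result = set()
    for root, path_name in profile_rows:
        result |= reachable(root, path_name)
    return result

def can_assign_holder(profile_rows, position, holder):
    """Both ends of the new relationship must lie inside the authorized set."""
    objs = authorized_objects(profile_rows)
    return position in objs and holder in objs

before = [("O:50000001", "EX_O_S_P")]               # single row: CP never reached
after = before + [("O:50000001", "EX_O_S_CP")]      # extra row, same root object
```

With the extra row the central person becomes reachable, while objects under the other org unit remain outside the set, which is the difference between this fix and assigning the ALL profile.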

Former Member
0 Kudos

You're welcome, Elena! You actually solved it yourself, but I appreciate the update!

Answers (1)

0 Kudos

Hi Elena,

This authorization issue might also be because of access missing in PLOG authorization object.

Because all the access regarding changes in PPOMA check for authorization to PLOG.

Please run a trace and check if the authorization is failing on PLOG.

BR,

Anish

Former Member
0 Kudos

Hi Anish,

I ran an authorization trace and it is not a PLOG authorization issue.
User has the necessary access on that side.

Thank you for the help.

Elena

0 Kudos

Hi,

Well then does the user have access to Relationship Infotype (1001) in P_ORGINCON?

Former Member
0 Kudos

Hello Anish,

It looks like, please check below screenshot:

The thing is that if I assign the same user to authorization profile ALL - which is the standard one from SAP, the same user will then have access to add an owner.
It looks to me that it is somehow related to the access I give in the authorization profile.

Apologies for any misunderstanding from my end, I am not a security person.

Thank you.

Best,
Elena

0 Kudos

Hi,

Firstly, the user should have the relevant entry in OOSB. If the entry is not there, then the PD profile is not mapped to the user. If the above thing is fine, then you can check if the authorization to the target user is coming from this PD profile or not. Execute report RHBAUS02 in SE38, keep threshold as 1 and uncheck test, then execute. After the execution, execute another report RHBAUS00 and mention this test ID there. In the output, the target user's pernr should appear. If this doesn't appear, then we can conclude that the issue is with the PD profile.

Anish

Former Member
0 Kudos

Hello Anish,

I have no entries in table T77UU. This is used to improve the performance in case of big structures.

Therefore running the specified reports won't give me any result.

Do you know any evaluation path that might help me reach the owner?

Thanks.
Elena

0 Kudos

The same evaluation path should be fine as per my knowledge. You can use those 2 reports just to check what objects are coming for this user from this PD profile. It doesn't matter if the T77UU table is maintained or not. Running the first report will maintain it. I was just using these 2 tables to check if this target user is coming in the authorization from this PD profile or not.

Former Member
0 Kudos

This is what I got back from the first report.

0 Kudos

Have you entered "1" in threshold value?

Also, have you checked if the entry for this user exists in OOSB with the relevant PD profile?

kaus19d
Active Contributor
0 Kudos

Hi Elena,

The screen that you have attached

is not the correct one. What you can do is run the transaction & just as when it's showing the no authorization area, then only you generate this screen which will show the required authorization area. Anyhow, you can also check the authorization parameters in the user details whether the required parameters are assigned for that user.

Thanks,

Kaushik

Former Member
0 Kudos

The default value was 1,000 and I thought those were just decimals, I have now just entered 1.
It got added to the table and then the second report generated the indexes.

In OOSB user is assigned to the authorization profile.

I still face the same issue even after running the reports.

Former Member
0 Kudos

Hello Kaushik,

I have no access to the screen while the error message pops up on it, so once I have clicked ok on that, I check su53.
The objects on the user should not be a problem as the user has access to the owners if I assign him to an authorization profile with full access to all objects: ALL.

Best,
Elena

kaus19d
Active Contributor
0 Kudos

Hi,

Yes, that is the correct way to check via using SU53 for missing authorization, but my suggestion is when the user faces the error which shows no authorisation by clicking in some field of a t-code, then only you open a new session & run the SU53. If you are not doing it like this, the SU53 will show Last Authorization was Successful. Anyway, also giving full authorisation to any user might go against your company rule, & if any SPRO changes or any deletion happens via that ID, then that person can literally put the blame on you saying that he was not trying to delete but anyhow deleted, & also if some data is deleted, you know the kind of trouble we face in our companies. So, I would better suggest to give the required authorisation only.

Thanks,

Kaushik