on 09-30-2016 11:48 AM
Hello Experts,
I have created below authorization profile for one sales org.
Now I assigned the user to it and he can open up only that specific organizational unit, edit information inside and add new users in PPOMA.
But when he tries to add an owner to one position inside his org unit, he gets below error message.
Do you know if I am missing some access inside my authorization profile?
Thank you.
Best regards,
Elena
Looks like the profile contains the evaluation path OOSP, which is not sufficient for the owner since its object type is BP. So search for an evaluation path that includes access to Business partners & add this to your authorization profile.
I haven't worked with BPs, but you can try this:
1) Through SM30, check the table T77UA to confirm which structural authorization profile is assigned to the user. You can skip this step if you have already verified this.
2) Edit that auth.profile (T77PQ). Assuming it is ORG_90 as in your screenshot, you can add another row in the same profile:
a) Copy the current row & keep all entries the same except Evaluation path.
b) To see the list of possible evaluation paths which will allow access to the Business partner object, hit F4 in the Eval path field in the newly added row.
c) Enter From object type O, via object type S, and To object type BP.
d) The system will then give you the list of evaluation paths that meet your requirement. You can randomly assign one from this list & see if it solves your problem. If it doesn't, try another & so on.
You can try CACS_CDT and then CACS_GP to begin with.
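The row-based check behind the steps above, as an added example that is not part of the thread and not SAP code: a simplified model in which each profile row pairs a root object with an evaluation path, and an object is visible only if some row's path reaches it. The object IDs, relationship labels and path definitions are constructed for illustration.

```python
# Simplified model of a structural authorization check (constructed data,
# not SAP's implementation). Relationship names are hypothetical labels.
from collections import deque

# Constructed org structure: (object_type, id) -> [(relationship, (type, id))]
RELATIONS = {
    ("O", "50000001"): [("incorporates", ("S", "50000010")),
                        ("incorporates", ("S", "50000011"))],
    ("S", "50000010"): [("holder", ("P", "00001234")),
                        ("holder", ("BP", "0000400001"))],
    ("S", "50000011"): [("holder", ("P", "00005678"))],
}

# An evaluation path is modelled as allowed (from_type, relationship, to_type) steps.
PATH_O_S_P = [("O", "incorporates", "S"), ("S", "holder", "P")]
PATH_O_S_BP = [("O", "incorporates", "S"), ("S", "holder", "BP")]


def reachable(root, eval_path):
    """Return every object reachable from root by following eval_path steps."""
    seen, queue = {root}, deque([root])
    while queue:
        node = queue.popleft()
        for rel, target in RELATIONS.get(node, []):
            allowed = any(step == (node[0], rel, target[0]) for step in eval_path)
            if allowed and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def authorized(profile_rows, obj):
    """A profile is a list of (root, evaluation path) rows; any row may grant access."""
    return any(obj in reachable(root, path) for root, path in profile_rows)


ROOT = ("O", "50000001")
OWNER_BP = ("BP", "0000400001")
# One row ending at persons only, then the same profile with a copied row
# whose evaluation path ends at business partners (step 2a above).
profile_before = [(ROOT, PATH_O_S_P)]
profile_after = profile_before + [(ROOT, PATH_O_S_BP)]

if __name__ == "__main__":
    print("owner visible before:", authorized(profile_before, OWNER_BP))
    print("owner visible after: ", authorized(profile_after, OWNER_BP))
```

The second row widens visibility only to BP objects under the same root, which is why it is a narrower fix than assigning the ALL profile.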
Hi Elena,
This authorization issue might also be because of access missing in PLOG authorization object.
Because all the access regarding changes in PPOMA check for authorization to PLOG.
Please run a trace and check if the authorization is failing on PLOG.
BR,
Anish
Hello Anish,
It looks like, please check below screenshot:
The thing is that if I assign the same user to authorization profile ALL - which is the standard one from SAP, the same user will then have access to add an owner.
It looks to me that is somehow related to the access I give in the authorization profile.
Apologize for any misunderstanding from my end, I am not a security person.
Thank you.
Best,
Elena
Hi,
Firstly the user should have the relevant entry in OOSB. If the entry is not there then the PD profile is not mapped to the user. If the above thing is fine then you can check if the authorization to the target user is coming from this PD profile or not. Execute report RHBAUS02 in SE38, keep threshold as 1 and un-check test, then execute. After the execution, execute another report RHBAUS00 and mention this test ID there. In the output, the target user's perner should appear. If this doesn't appear then we can conclude that the issue is with the PD profile.
Anish
The same evaluation path should be fine as per my knowledge. You can use those 2 reports just to check what objects are coming for this user from this PD profile. It doesn't matter if the T77UU table is maintained or not. Running the first report will maintain it. I was just using these 2 tables to check if this target user is coming in the authorization from this PD profile or not.
Hi Elena,
The screen that you have attached is not the correct one. What you can do is run the transaction & just as when it's showing the no authorization area, then only you generate this screen which will show the required authorization area. Anyhow you can also check the authorization parameters in the user details whether the required parameters are assigned for that user.
Thanks,
Kaushik
Hello Kaushik,
I have no access to the screen while the error message pops up on it, so once I have clicked ok on that, I check su53.
The objects on the user should not be a problem as the user has access to the owners if I assign him to an authorization profile with full access to all objects: ALL.
Best,
Elena
Hi,
Yes, that is the correct way to check via using SU53 for missing authorization, but my suggestion is when the user faces the error which shows no authorisation by clicking in some field of a t-code, then only you open a new session & run the SU53. If you are not doing it like this, the SU53 will show Last Authorization was Successful. Anyways, also giving full authorisation to any user might go against your company rule & if any SPRO changes or anything deletion happens via that id, then that person can literally put the blame on you saying that he was not trying to delete but anyhow deleted, & also if some data is deleted, you know the kind of trouble we face in our companies. So, I would better suggest to give the required authorisation only.
Thanks,
Kaushik