Hi Sandhya,

Regarding manually adding auth object to a role, if any user faces problem like he is not authorized to some authorization object or in missing authorizations cases we will be adding auth objects to a role.

other case is like if you add suppose some transaction sM30 to menu tab of pfcg you will get s_Tabu_dis auth objects automatically popped up in your profile you will maintain those values say

Actvt = 02

Auth group = Zdev

then this will allow only zdev group to change the records of table.

if user also wants display auth to zbasis group then you will insert manually this authorization object and give display auth to zbasis group.

yes authorization check is performed on these manually added auth objects.

When you create a new authorization object you will go to su24 transaction and add this newly created authorization object to the transaction in which you want this auth object to be checked and transport it across all systems in the landscape (D,Q,P) just by adding newly created auth object won't sap to check this object while executing this transaction you need to write authority check coding in the corresponding transaction.

Hope this helps,

Thanks,

Rakesh.T

Hi Sandhya,

The most common scenario when the need to add auth.object manually to a role arises is when an access is denied to an user for an authorization object for appropriate values missing from his/her user profile.On analysing the Su53 dump, we can find the object with it's required value which stopped the user to carry out an action.

To provide access to the auth.object to the user we can either modify any of his exsiting role to incorporate this auth. obj with the value by adding it manually or find if any other role existing in the system can be provided to him or ..........depending on how the business approves it.

We add new auth.object to a txn thorugh SU24 when we've created a new custom t-code and want to ensure that the new auth. object is included whenever this t-code is added to any role through the menu in PFCG.

Thanks,

Saby..

Please put a little bit of effort into searching (on your own steam) before asking questions which could very easily be answered by yourself from the system documentation, help.sap.com, previous threads, etc...

Cheers,

Julius

Hi,

Here is the answer for your question.

When you add authorization objects manaully.

e.g. ME21N - Create Purchase order

ME28 / ME29N - Release Purchase order

For this transaction, you want to restrict the users to create purchase order only for the selected Purchasing document type (A), but at the same time, you want the same user to change the purchase order belongs to some other Purchase order type(B).

So, the user must be able to create Purchase order only for Purchase document type A, but at the same time, the user can only change the purchase order belong to other purchase document type (B).

In that case, you can add the object M_BEST_BSA manually and restrict like the following:

Standard Document Type in Purchase Order M_BEST_BSA

Activity 01, 03

Purchasing Document Type Z101

Manual Document Type in Purchase Order M_BEST_BSA

Activity 02, 03

Purchasing Document Type Z102

When you add authorization object in SU24

For e.g. If the developer is creating a program with the authority-check (for any Z_Object type), in that case use the transaction in SU24 and added this object with Check/Maintain indicator. So, when you add the transaction into the role, the object will come up automatically.

Onething, you can notice here, if you are not maintaing this object in SU24, and trying to add the object manually in the role directly, the restriciton will not work.

Regards

Anandm